ISMS becomes mandatory
The Network and Information Security (NIS) Directive is an EU directive that is part of the European cyber security strategy. Its aim is to harmonise and improve the level of security in the EU member states. EU countries were required to implement it by 17 October 2024. In Germany, a bill for its transposition into national law is currently on the table – the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). From now on, affected companies will have to devote more attention to topics such as cyber risk management and business continuity. The law also significantly expands the scope of application, so that in addition to operators of critical infrastructures (KRITIS), numerous other industries and companies will be covered.
Whether an organisation falls under NIS-2 is determined by its number of employees and its turnover. In the future, a distinction will be made between ‘particularly important institutions’ and ‘important institutions’. The category of critical infrastructure facilities (KRITIS) is retained and will continue to be assessed against the known thresholds. KRITIS operators must implement more comprehensive measures in addition to the NIS-2 requirements that apply to particularly important institutions.
Affected businesses and companies are required to take technical and organisational measures to ensure the security of their IT infrastructure and thus the services they provide and to minimise the impact of (cyber) security incidents. The NIS2 Directive provides for the following measures:
In summary, companies affected by NIS-2 should strive to implement, execute and document an effective information security management system (ISMS).
In addition, the directive requires, for example, processes and tools for the automated and continuous monitoring and logging of information. When an alert is raised, appropriate incident response processes must be initiated. All of these are measures that companies take in order to rectify a security incident as quickly as possible. The use of systems for attack detection (SzA) in the NIS2UmsV is explicitly required only for operators of critical facilities, but particularly important and important facilities will apparently also have to implement SzA, at the latest on the basis of corresponding implementing acts. Provisions for this should be made at an early stage.
Our IT experts will be happy to support you in all these matters. Just get in touch.
NIS-2 lays down numerous requirements. It is therefore advisable to place your trust in experts who have been successfully supporting and implementing processes like these for many years. Let us be your sparring partner when it comes to risk management, IT and cyber security, and we will keep an eye on related legal and data protection issues for you.
As part of an auditing, legal and tax consultancy, IT security is part of our DNA. With dhpg at your side, you can be sure of meeting legal and compliance requirements at all times.
We pool our IT expertise with the know-how of lawyers and data protection specialists, so we always have an expert at the ready for related issues. This allows you to not only keep abreast of complex issues in all their facets, but to also keep them under control.
We have many years of extensive project experience in all aspects of IT and cyber security. With our best-practice approaches, methods and experience, we build on the processes and structures already in place at your company.
Would you like to arrange a personal meeting to discuss the implementation of NIS-2 at your company? It would be our pleasure to arrange an appointment with you - no strings attached - to get to know each other. We look forward to a phone call or e-mail and to hearing from you.
The requirements of the NIS-2 directive are complex and multi-layered. Maintaining an overview and tackling the implementation process can pose major challenges for affected organisations. Since no implementation period is planned after the law is passed, a good structure is required. We recommend starting with a gap analysis and deriving specific fields of action from this, successively increasing the level of cyber security in the organisation. The experts at dhpg IT-Services will be happy to support you in this process and work with you to ensure that your organisation meets the requirements of NIS-2. Please feel free to contact us if you require assistance with the following:
If a company falling under the scope of the NIS-2 Directive fails to meet its requirements, the draft bill from the German Federal Ministry of the Interior provides for fines. The amount of these fines depends on whether the company is a particularly important organisation and operator of critical infrastructure or an important organisation.
It is imperative that the affected company or institution be able to demonstrate that it has acted neither negligently nor intentionally. It is therefore essential to take appropriate technical and organisational measures in areas such as cyber security, supply chain security and encryption, and to ensure diligence in reporting to the BSI.
Yes, the management can also be held liable for breaches of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). If requirements are not met, managing directors are to be held liable with their private assets. The upper limit here is 2% of the company's global annual sales revenue.
Only operators of critical infrastructures (KRITIS) are obliged to report regularly to the BSI. Spelled out in concrete terms, this means that these organisations must submit evidence of proper implementation within a period of three years following entry into force of the national NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) - i.e. by 17 October 2027 at the latest. This is to be repeated every three years thereafter.
The situation is different when it comes to security incidents. If a security incident occurs in an organisation, both KRITIS operators and important as well as particularly important institutions are obliged to submit a report to the BSI. A three-stage reporting system is provided for:
If the security incident cannot be rectified within one month, a progress report must be submitted within each additional month until it is rectified. The final report is then due one month after rectification.
Generally speaking, the BSI, in its capacity as a supervisory institution, is only to perform inspections of important organisations if there is suspicion of a security incident. In the case of KRITIS and particularly important organisations, the BSI may also perform checks and controls or request evidence even in the absence of suspicion. The check-and-control measures include the following items:
The European NIS 2 Directive, in the form of the national NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), aims to harmonise and improve the level of security in EU member states and requires affected companies to comply with minimum standards for the protection of their network and information systems. The law greatly expands the scope of application, so that numerous industries and companies are covered. In the future, affected companies will therefore have to pay more attention to cyber security, the security of their supply chain and secure encryption. There is an urgent need for action, because implementation is multi-layered and complex. The IT experts at dhpg will be happy to support you in this process.