NIS-2 Directive

All requirements at a glance

implementation by October 2024

What is the NIS-2 Directive?

The Network and Information Security (NIS) Directive is an EU directive and an element of the European cyber security strategy. It seeks to harmonise and improve the level of security in the EU Member States. In Germany, the Federal Ministry of the Interior has just submitted a draft bill for transposition of this Directive into national law - the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). It is scheduled to be adopted in April 2024 and enter into force on 18 October 2024. This means that the companies affected will have to focus more on topics such as cyber risk management and business continuity going forward. The law also greatly expands the scope of application, which means that in addition to operators of critical infrastructures (KRITIS), numerous other sectors and companies will be subject to its requirements. These companies now need to take action, as the requirements of the NIS-2 Directive must be met by October 2024.

Who is affected by the NIS-2 Directive?

Whether a company falls within the scope of the NIS-2 Directive is determined by its number of employees or its sales revenue. Because standardised assessment criteria have been introduced, the individual threshold values previously used under the BSI Criticality Regulation no longer apply. In future, a distinction is to be made between "particularly important organisations and facilities" and "important organisations and facilities". Whether a particularly important organisation or facility is also deemed to be a KRITIS organisation will continue to be based on threshold criteria. This means that the requirements that NIS-2 lays down for particularly important organisations and facilities will also apply to KRITIS organisations and facilities. In addition to the NIS-2 requirements, these are subject to further regulations, e.g. the German Telecommunications Act (TKG) and the German KRITIS Umbrella Act.

*If operators provide their services in their own facilities and thus exceed the threshold level (guideline value 500,000 people supplied), they are deemed to be KRITIS operators.

The measures at a glance

Affected businesses and companies are required to take technical and organisational measures to ensure the security of their IT infrastructure and thus of the services they provide, and to minimise the impact of (cyber) security incidents. The NIS-2 Directive provides for the following measures:

Our IT experts will of course be happy to support you in all these areas. Just get in touch with us.

Why choose dhpg?

Experts with the right skills and know-how are needed to implement the NIS-2 Directive

NIS-2 lays down numerous requirements. It is therefore advisable to place your trust in experts who have been successfully supporting and implementing processes like these for many years. Let us be your sparring partner when it comes to risk management, IT and cyber security, and we will keep an eye on related legal and data protection issues for you.


Safety guaranteed

As an element of an auditing, legal and tax consultancy, IT security is part of our DNA. With dhpg at your side, you can be sure of meeting legal and compliance requirements at all times.


Interdisciplinary team

We pool our IT expertise with the know-how of lawyers and data protection specialists, so we always have an expert at the ready for related issues. This allows you to not only keep abreast of complex issues in all their facets, but to also keep them under control.


Many years of experience

We have many years of extensive project experience in all aspects of IT and cyber security. With our best-practice approaches, methods and experience, we build on the processes and structures already in place at your company.

Your contacts for questions about the NIS-2 Directive

Would you like to arrange a personal meeting to discuss the implementation of NIS-2 at your company? It would be our pleasure to arrange an appointment with you - no strings attached - to get to know each other. We look forward to a phone call or e-mail and to hearing from you.


FAQ - Questions surrounding implementation of the NIS-2 Directive

What is the best way to approach implementation?

The requirements laid down in the NIS-2 Directive are complex and multifaceted. Keeping a clear overview of the situation and tackling the implementation process can pose major challenges to organisations. A solid structure is also needed to meet the short implementation deadline - 17 October 2024. We recommend starting with a gap analysis, deriving specific fields of action from its results, and then gradually raising the level of cybersecurity in the organisation. The experts at dhpg IT Services will be glad to support you in this process and work with you to ensure that your organisation meets the requirements laid down in NIS-2. Feel free to get in touch with us if you need support in the following areas:

  • NIS-2 content training
  • Performance of a gap analysis
  • Analysis of detailed legal issues
  • Establishment of a reporting procedure
  • Definition of responsibilities
  • ISMS consulting
  • Performance of penetration tests
  • Review or adjustment of IT agreements with service providers (outsourcing review)
  • Monitoring of IT systems (SOC as a Service) (https://www.csoc.de/)
  • Consulting to guide realisation
  • Software selection process

What are the penalties if I do not meet the requirements laid down in the NIS-2 Directive?

If a company falling under the scope of the NIS-2 Directive fails to meet its requirements, the draft bill from the German Federal Ministry of the Interior provides for fines. The amount of these fines depends on whether the company is a particularly important organisation and operator of critical infrastructure or an important organisation.

  • Fines of up to €10 million or 2% of total global sales revenue from the previous financial year, whichever is greater, are provided for in the case of particularly important organisations and KRITIS organisations.
  • For important institutions and KRITIS companies, penalties can reach up to €7 million or 1.4% of annual sales revenue, with whichever sum is greater being applied here as well.

It is imperative that the affected company or institution be able to demonstrate that it has not acted negligently or intentionally. It is therefore essential to take appropriate technical and institutional measures in areas such as cyber security, supply chain security and encryption and to ensure diligence in reporting to the BSI.

Can I be held personally liable as a managing director?

Yes, the management can also be held liable for breaches of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). If requirements are not met, managing directors are to be held liable with their private assets. The upper limit here is 2% of the company's global annual sales revenue.

What reporting and evidence obligations do I have as an affected company?

Only operators of critical infrastructures (KRITIS) are obliged to report regularly to the BSI. Spelled out in concrete terms, this means that these organisations must submit evidence of proper implementation within a period of three years following entry into force of the national NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) - i.e. by 17 October 2027 at the latest. This is to be repeated every three years thereafter.

The situation is different when it comes to security incidents. If a security incident occurs in an organisation, both KRITIS operators and important as well as particularly important institutions are obliged to submit a report to the BSI. A three-stage reporting system is provided for:

  • Immediate initial notification (within 24 hours of becoming aware of the incident at the latest)
  • Confirmation and/or update (within 72 hours of becoming aware of the incident at the latest)
  • Final notification (within one month after having received the initial notification)

If the security incident cannot be rectified within a period of one month, a progress report must be submitted within the period of one additional month (and additional months in each case). The final report is then due one month after rectification.

What check-and-control measures are possible on the part of the BSI?

Generally speaking, the BSI, in its capacity as a supervisory institution, is only to perform inspections of important organisations if there is suspicion of a security incident. In the case of KRITIS and particularly important organisations, the BSI may also perform checks and controls or request evidence even in the absence of suspicion. The check-and-control measures include the following items:

  • Ordering of audits, reviews or certifications
  • Demand that organisations provide evidence
  • Execution of inspections at an organisation
  • Ordering of measures and issue of binding instructions to be implemented
  • Ordering that customers of an organisation be informed about cyber threats or incidents
  • Suspension of certifications held by an organisation
  • Appointment of a monitoring officer for an organisation
  • Temporary suspension of licensing for an organisation
  • Temporary prohibition preventing the management board from performing its management duties

NIS-2 Directive - need for affected companies to take action

On 18 October 2024, the European NIS-2 Directive will enter into force in the form of the national NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). It seeks to harmonise and improve the level of security in the EU Member States and obliges affected businesses to comply with minimum standards to protect their network and information systems. The act greatly expands the scope of application to include numerous sectors and companies. In future, affected companies will therefore have to devote more attention to cyber security and the security of their supply chain while ensuring secure encryption. There is therefore an urgent need for action, as implementation by October 2024 is a multifaceted and complex endeavour. Our IT experts will be glad to support you in this process.

Contact

Get in touch with us

Phone: +49 228 81000 0