
New security requirements: Directive NIS2 – what companies should know

From spring 2025, compliance with the NIS2 directive is expected to become mandatory for many affected companies in Germany. The directive tightens security requirements for operators of critical infrastructure and for IT service providers. Whether energy, transport, healthcare or manufacturing, the law will affect a large number of companies.

By 17 October 2024, EU member states must transpose NIS2, the latest EU directive on cybersecurity, into national law. We show how NIS2 affects companies and how to meet its requirements.

Not in the mood to read? You can also watch our webinar.

What is behind the NIS2 guideline?

The abbreviation NIS stands for “Network and Information Security”; the directive regulates the security of network and information systems. Network and information security covers protecting computer networks, information systems and data against unauthorized access, misuse, disclosure, destruction or failure. Its general goal is to ensure the confidentiality, integrity and availability of information and systems, using a range of technologies, processes and methods.

“NIS2” is the second version of the EU NIS Directive. The first NIS Directive (Directive (EU) 2016/1148) already established a common security framework for network and information systems within the EU: it required member states to adopt national cybersecurity strategies and obliged operators of essential services and digital service providers to take appropriate security measures and report significant incidents.

NIS2 builds on NIS1, expanding the scope of the directive and the requirements placed on the security of network and information systems. The expansion serves to further harmonize cybersecurity requirements within the EU. It also aims to further strengthen the resilience of critical infrastructure against cyberattacks.

To which companies does the EU directive NIS2 apply?

The stricter security requirements for network and information systems in the NIS2 Directive are aimed at providers and operators of services of general economic importance. NIS2 divides the organizations in scope into “essential” and “important” entities. It covers classic critical infrastructure operators such as energy providers, transport companies, healthcare providers, digital infrastructure and digital service providers such as online marketplaces, and newly also, for example, manufacturing in certain sectors and postal and courier services.

In addition, direct suppliers of IT products and services must also expect stricter requirements: NIS2 places great emphasis on supply chain risk management, so affected entities will pass increased cybersecurity requirements on to their suppliers. The exact definition and classification of the companies concerned will be determined by the implementing German legislation and its ordinances.

What requirements does NIS2 bring with it?

NIS2 introduces stricter security requirements for affected companies. These include:

Preparation for NIS2

To meet the requirements of the NIS2 directive, you can start preparing now:

1. Companies should inform themselves about the NIS2 directive and its requirements to find out whether they are classified as an operator of critical infrastructure or as a provider of economic significance, i.e. as an essential or important entity.

2. A thorough inventory and gap analysis is the first step in assessing the company’s security situation. A responsible person should be appointed to identify critical assets and possible security gaps. A comprehensive gap analysis assesses the maturity of existing IT security measures and reveals where they fall short of the requirements.

3. Cyber risk management plays a central role in complying with the NIS2 directive. Existing policies should be reviewed, or new ones introduced, so that risks are assessed and addressed adequately. Risks in the supply chain must be included in this assessment in order to minimize vulnerabilities introduced by suppliers.

4. Setting up a Security Information and Event Management (SIEM) system or an attack detection system is crucial for detecting potential security incidents at an early stage. Incident management processes should also be established so that incidents are handled effectively and reported within the deadlines NIS2 sets (an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month). Establishing contact with the responsible Computer Security Incident Response Team (CSIRT) in advance helps ensure a coordinated and professional response when an incident occurs.

5. To keep business operations running at all times, business continuity processes are essential. They should ensure that critical functions and services remain available even in crisis situations, including backup management and disaster recovery.

Consequences of non-compliance with NIS2 requirements

Failure to comply with NIS2 can have significant consequences for organizations. Fines are on a scale comparable to data protection penalties: up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities, whichever is higher. NIS2 also makes management bodies responsible for approving and overseeing the cybersecurity measures, and they can be held personally liable for breaches. Beyond fines, non-compliance leaves the organization exposed to cybersecurity incidents that cause financial losses, data leaks and disruption of business operations.

It is therefore critical to take the requirements of NIS2 seriously and to take appropriate measures to secure your network and information systems. As a trusted partner, COCUS AG develops customized solutions to meet the requirements of NIS2 and to secure network and information systems.
