NIS2 - What now?
With the NIS2 Directive (Network and Information Security Directive 2), the European Union is significantly raising the requirements for cyber and information security. The directive considerably expands the scope of the previous NIS regulation and will in future oblige significantly more companies and organisations to implement effective security measures.
What is often overlooked: security is a comprehensive concept that goes far beyond protection against unauthorised access, data theft and data loss.
The aim of NIS2 is:
- a high and uniform level of cybersecurity in the EU,
- to strengthen cyber resilience sustainably, and
- to establish clear responsibilities at management level.
The NIS2 Directive affects a broad range of entities. In essence, it aims to improve cybersecurity in critical sectors and other important sectors. This covers sectors such as:
- Energy
- Transport
- Banking
- Healthcare
- Digital infrastructure
- Public administration
- Space
- Waste management
- Food production
- Manufacture of certain chemical products
The directive is divided into two categories, „essential entities“ and „important entities“, with essential entities subject to stricter requirements. The exact criteria for classification as an essential or important entity are based on size and on the criticality of the activity. In short, any company or organisation that provides critical services or operates in a sector that is indispensable for the functioning of society falls under the NIS2 Directive.
The NIS2 Directive targets companies and organisations of increased importance for cybersecurity and supply chain security. The scope of application has been significantly broadened compared to the previous NIS Directive.
Affected types of companies
Fundamentally, NIS2 applies to medium-sized and large organisations that employ at least 50 employees and/or reach an annual turnover or annual balance sheet total of over €10 million.
(Small businesses are generally exempt – with certain exceptions, e.g. for particular criticality.)
Affected industries (selection)
The directive distinguishes between „especially important“ and „important“ entities. These include, among others, companies from the following sectors:
- Energy & Utilities (e.g. electricity, gas, water, district heating)
- IT and digital services (e.g. data centres, cloud services, managed service providers)
- Industry & Production (particularly in a systemically relevant role)
- Transport and Logistics (e.g. traffic, warehousing, supply chains)
- Healthcare (e.g. hospitals, laboratories, healthcare providers)
- Financial and Insurance Services
- Public and private infrastructure (e.g. waste management, waste water, critical services)
If you have already carried out an internal assessment and have been classified as an „important“ or „especially important“ company, you can register. PREREQUISITE: You will need an „ELSTER business account“ and an organisational certificate issued through it beforehand.
Start registration:
NIS2 Information Pack from the Federal Government
The NIS2 Roadmap – structured implementation for businesses
The BSI's roadmap guides NIS2-affected companies through clear steps from initial assessment to the permanent establishment of effective security measures.
Objective: Create clarity on involvement, duties and responsibilities.
- Check for impact: Classification as an „important“ or „especially important“ entity, examination of thresholds and documentation of the results.
- Register: Support with registration in the BSI portal, assignment of responsibilities and complete documentation.
- Understanding NIS2: Analysis of the relevant requirements, industry-specific particularities, transitional periods, sanctions and national implementation requirements.
- Clarifying legal and liability issues: Review of responsibilities, executive liability risks, adaptation of governance structures and internal policies.
- Involve management and leadership bodies: Raising awareness at management level, establishing reporting duties and embedding cybersecurity as a leadership task.
- Set up the NIS2 programme: Setting up a clear project and governance structure with milestones, responsibilities and quality controls.
Objective: Establish clear structures, roles and traceability.
- Define stakeholders and responsibilities: Definition of roles for IT security, legal, data protection, procurement, BCM and incident response, as well as establishment of an interdisciplinary steering team.
- Document and evidence management: Systematic documentation of all decisions, actions and processes in preparation for examinations by the regulatory authority.
- Managing supply chain and third-party risks: Introduction of security requirements for service providers, contract reviews and third-party risk management.
- Taking international dependencies into account: Harmonisation of security and reporting processes for international or group-wide activities.
Objective: Gain transparency about the security level and the need for action.
- Gap analysis: Assessment of technical, organisational and procedural maturity based on recognised standards (e.g. ISO 27001, NIST, BSI IT-Grundschutz).
- Prioritise risks: Derivation and prioritisation of measures based on criticality, risks and feasibility.
- Adapt IT and security roadmap: Further development of the security architecture (e.g. Zero Trust, MFA, IAM, monitoring, cloud security).
Objective: Create the prerequisites for effective implementation.
- Plan resources and budget: Planning of personnel, technologies and external services, as well as crisis and special budgets.
- Establish training and awareness: Introduction of mandatory training, target-group-specific training and continuous awareness-raising measures.
Objective: Effectively implement NIS2 requirements in practice.
- Implement risk management: Introduction of formal information security risk management with regular reporting to senior management.
- Establish crisis management and incident response: Development of emergency plans, reporting chains and escalation levels, and carrying out exercises and simulations.
- Prepare reporting obligations: Setting up internal reporting processes and automated monitoring, and preparing reports for the authorities.
Objective: Ensure sustainable cybersecurity.
- Regularly check effectiveness: Continuous monitoring, audits, vulnerability and patch management, and KPI-driven control.
- Embed cybersecurity into company culture: Promoting a lived security culture through communication, leadership by example and continuous development.
What measures need to be implemented?
- Concepts for Risk Analysis and Security for Information Systems
- Business Continuity and Disaster Recovery
- Incident Response Plan for the rapid resolution of security incidents
- Cyber hygiene and cybersecurity training
- Multi-factor authentication or continuous authentication
- Supply chain security
- Security measures in the acquisition, development, and maintenance of network and information systems
- Concepts and procedures for the use of cryptography and encryption
- Personnel security, access control and facility management
YOUR CONTACT PERSON
Connect with our expert.
Non-binding, uncomplicated, but always with added value for you.
MAX GIESSLER
Managing Director of bitformer GmbH