NIS2-Compliant Cybersecurity Solutions

The NIS2 directive (Network and Information Security Directive 2) marks a paradigm shift in European cybersecurity regulation. It significantly expands the scope of the original NIS directive and now affects far more organizations than before. In Germany, implementation is governed by the NIS2 Implementation Act (NIS2UmsuCG), which is estimated to directly affect 30,000 companies. In this article, we explain the essential requirements and show how organizations can effectively prepare.

What Is the NIS2 Directive?

The NIS2 directive was adopted at the EU level in January 2023 and must be transposed into national law by member states. It replaces the original NIS directive from 2016 and responds to the increased threat landscape and growing interconnection of critical infrastructures. The directive aims to establish a uniformly high level of cybersecurity across the entire EU.

Who Does NIS2 Affect?

NIS2 distinguishes between "essential entities" and "important entities" and covers a total of 18 sectors:

• Essential Sectors: Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
• Important Sectors: Postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing industry, digital providers, and research institutions.

Generally, organizations with 50 or more employees or annual revenue exceeding 10 million euros are affected if they operate in one of the listed sectors. Certain entities -- such as DNS services, TLD registrars, and providers of public electronic communication networks -- fall under the directive regardless of their size.

Core Requirements of NIS2

Risk Management Measures

NIS2 requires a comprehensive, risk-based approach to cybersecurity. Organizations must implement technical, operational, and organizational measures that correspond to the state of the art and are proportional to risk. Required minimum measures include:

• Risk analysis and security concepts for information systems
• Security incident handling
• Business continuity management and crisis management
• Supply chain security
• Security in acquisition, development, and maintenance of IT systems
• Strategies and procedures for assessing the effectiveness of measures
• Basic cyber hygiene and cybersecurity training
• Cryptography and encryption
• Personnel security, access control, and asset management
• Multi-factor authentication and secure communication

Reporting Obligations

NIS2 significantly tightens reporting obligations for security incidents. Affected entities must report significant security incidents in a three-stage process: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month. Reports are submitted to the competent national authority -- in Germany, presumably the Federal Office for Information Security (BSI).

Management Accountability

A core aspect of NIS2 is the personal accountability of executive management. Management bodies must approve cybersecurity measures and oversee their implementation. They are required to participate in cybersecurity training and can be held personally liable for breaches of duty. This underscores that cybersecurity is not a purely technical matter but a task for corporate leadership.

Practical Steps to NIS2 Compliance

1. Applicability Analysis: First determine whether your organization falls within the scope of NIS2 and whether it should be classified as an essential or important entity.
2. Gap Analysis: Assess your current cybersecurity maturity level and identify gaps relative to NIS2 requirements.
3. Risk Assessment: Conduct a comprehensive risk assessment covering all relevant information systems and business processes.
4. Action Plan: Develop a prioritized action plan to close identified gaps.
5. Implementation: Execute the measures -- from implementing technical controls to creating policies to establishing reporting processes.
6. Training: Train executive management and employees on the new requirements and their role in cybersecurity.
7. Continuous Improvement: Establish processes for regular review and improvement of your cybersecurity measures.

Conclusion

The NIS2 directive is an opportunity to elevate your organization's cybersecurity to a new level. Those who begin preparation early avoid the time pressure near the deadline and can use the requirements as a catalyst for sustainably improving their security posture. SecTepe provides comprehensive support for NIS2 preparation -- from the initial applicability analysis through gap analysis to the implementation of all required measures.