
How to prepare your company for the EU NIS2 Directive.


The Network and Information Systems Security Directive (NIS2) is a significant extension of European cybersecurity legislation, which aims to ensure a high common level of security for network and information systems across the European Union. This directive is an update of the original 2016 NIS Directive and brings significant innovations and enhancements aimed at strengthening resilience to cyber threats and improving cross-border cooperation.


The focus of NIS2 is on expanding the scope and introducing stricter security requirements for a wider range of sectors and digital services. Key changes include the clear definition of "important" and "particularly important" entities, which are subject to strict compliance requirements due to their role in the critical infrastructure. This categorization is crucial as it determines what security and reporting measures organizations must take to minimize potential risks and protect the integrity of their operational and information processes.


The update also reflects the changing cybersecurity landscape and the need to take adaptive measures against increasingly complex and diverse threats. By introducing NIS2, the EU is responding to the urgent need to secure both the physical and digital infrastructure that forms the backbone of our society and economy.


For IT security managers in the SME sector, NIS2 presents both challenges and opportunities. The directive not only requires adherence to stricter security protocols, but also promotes a culture of continuous improvement and cybersecurity awareness that goes beyond traditional IT boundaries. Understanding and implementing this directive is therefore critical to ensuring the future viability and resilience of SMEs in an increasingly connected world.



 


1. Important definitions and classifications


The classification into "important" and "particularly important" entities is a core element of the NIS2 Directive and plays a decisive role in determining which security requirements apply to different types of organizations. This classification reflects the EU's aim of ensuring that companies that provide essential services, or that are highly relevant because of their size or strategic importance, take particularly strict security measures. Here is a closer look at the distinctions and criteria:


1.1 Important entities


Important entities are companies or organizations that provide essential services that, if compromised, would have a serious but not necessarily catastrophic impact on the public good or the economy. The classification as "important" entails specific security and reporting obligations to ensure that these entities take appropriate protective measures against cyber threats.


Criteria:

  • Companies in sectors such as healthcare, digital infrastructure, transportation and energy that do not exceed certain thresholds in terms of size, turnover or importance of service.

  • Companies that supply a critical mass of users or consumers but do not have a monopolistic or highly systemically relevant position.


Relevance for medium-sized companies: For mid-sized companies, this classification means that they must implement security practices that are robust enough to minimize risk, but also proportional to their size of operation and sphere of influence. This helps to keep compliance costs in line with the actual risks and capacities of the company.

1.2 Particularly important entities


Particularly important entities are those whose impairment could lead to serious national or cross-industry crises. These entities are subject to the most stringent provisions of the NIS2 Directive, including rigorous security audits and ongoing monitoring.


Criteria:

  • Large energy suppliers, major financial institutions and other key players providing essential services at national or EU level.

  • Companies whose failure could have a direct and serious impact on other critical sectors, public security or the national economy.


Relevance for SMEs: Although many medium-sized companies are not classified as “particularly important”, there are exceptions, especially in highly specialized or strategically critical niches. For these companies, being classified as particularly important means that they must not only meet higher security standards, but also cooperate more closely with government agencies and demonstrate greater transparency in their operations.


Conclusion

Correct classification according to NIS2 is essential for medium-sized companies to implement the necessary security measures in a targeted and effective manner. This not only protects their own operations, but also increases the confidence of their customers and partners in their ability to provide secure and reliable services. By understanding these classifications, IT security managers can ensure that their organizations are compliant with regulatory requirements while making the best use of their resources.



 


2. Requirements of the NIS2 directive


The requirements are specifically designed to increase resilience to cyberattacks and ensure a fast and effective response in the event of security incidents. Here is a detailed look at the main requirements:


2.1 Risk management of particularly important entities and important entities:


Particularly important entities and important entities are obliged to take appropriate, proportionate and effective technical and organizational measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes that they use to provide their services, and to minimize the impact of security incidents. The extent of the risk exposure, the size of the entity, the implementation costs, the probability of occurrence and severity of security incidents, and their social and economic impact must all be taken into account.


The measures should comply with the state of the art, take into account the relevant European and international standards and must be based on a cross-hazard approach.

  • Identification and assessment of risks: Organizations must continuously identify risks that could affect their information systems. This includes assessing potential threats and the likelihood of their occurrence as well as the potential impact on the organization.

  • Development of risk management plans: Based on the risk assessment, organizations must develop comprehensive risk management plans that include risk mitigation, monitoring and reporting measures.

  • Implementation of security measures: Plans must include technical and organizational measures to secure network and information systems, including access controls, encryption procedures, incident management and disaster recovery, backup management, crisis management.

  • Supply chain security, including security-related aspects of relationships between individual entities and their direct vendors or service providers.

  • Security measures in the acquisition, development and maintenance of information technology systems, components and processes, including the management and disclosure of vulnerabilities.

  • Regular review and update: Risk management policies and measures must be regularly reviewed and updated to ensure that they remain appropriate and effective.


Reporting obligations:

Companies must report security incidents quickly and effectively. Particularly important and important entities are obliged as follows:

  • Early warning notifications: Companies must submit a preliminary report to the relevant authorities within 24 hours of detecting a significant security incident.

  • Detailed reports: This must be followed within 72 hours by a detailed report that includes an assessment of the incident, its impact and the countermeasures taken or planned.

  • Documentation obligation: Companies are obliged to keep records of security incidents and their management and to make these available to the supervisory authorities on request.
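The three obligations above (24 h early warning, 72 h detailed report, record-keeping) are the one part of the directive that an SME can track mechanically. The following Python sketch is an added illustration, not code from the original article or from any authority: it derives both deadlines from the detection time, keeps an append-only log for the documentation obligation, and flags incidents whose report is unsent past its deadline. The incident data and timestamps are constructed; the two deadline values are the ones the page states.

```python
"""Deadline tracker for NIS2 incident reporting (added illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows named on the page: early warning within 24 h of detecting a
# significant incident, detailed report within 72 h of detection.
EARLY_WARNING_WINDOW = timedelta(hours=24)
DETAILED_REPORT_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    significant: bool
    early_warning_sent: Optional[datetime] = None
    detailed_report_sent: Optional[datetime] = None
    # Append-only record of what was done and when (documentation obligation).
    log: list = field(default_factory=list)

    def record(self, when: datetime, entry: str) -> None:
        self.log.append((when, entry))

    def send_early_warning(self, when: datetime) -> None:
        self.early_warning_sent = when
        self.record(when, "early warning submitted to competent authority")

    def send_detailed_report(self, when: datetime) -> None:
        self.detailed_report_sent = when
        self.record(when, "detailed report submitted to competent authority")


def _state(sent: Optional[datetime], deadline: datetime, now: datetime) -> str:
    """sent / sent_late once submitted; due / overdue while still open."""
    if sent is not None:
        return "sent" if sent <= deadline else "sent_late"
    return "overdue" if now > deadline else "due"


def reporting_status(inc: Incident, now: datetime) -> dict:
    """State of each reporting obligation for one incident at time `now`."""
    if not inc.significant:
        return {"early_warning": "not_required", "detailed_report": "not_required"}
    ew_deadline = inc.detected_at + EARLY_WARNING_WINDOW
    dr_deadline = inc.detected_at + DETAILED_REPORT_WINDOW
    return {
        "early_warning": _state(inc.early_warning_sent, ew_deadline, now),
        "detailed_report": _state(inc.detailed_report_sent, dr_deadline, now),
        "early_warning_deadline": ew_deadline,
        "detailed_report_deadline": dr_deadline,
    }


def overdue_incidents(incidents, now: datetime) -> list:
    """IDs of incidents with at least one obligation past its deadline and unsent."""
    overdue = []
    for inc in incidents:
        status = reporting_status(inc, now)
        if "overdue" in (status["early_warning"], status["detailed_report"]):
            overdue.append(inc.incident_id)
    return sorted(overdue)


# Constructed sample data (not real incidents).
T0 = datetime(2024, 10, 18, 9, 0, tzinfo=timezone.utc)  # constructed detection time


def at_hours(h: float) -> datetime:
    """Helper: a point in time h hours after the constructed detection time."""
    return T0 + timedelta(hours=h)


def sample_incidents() -> list:
    a = Incident("INC-001", T0, significant=True)
    a.send_early_warning(at_hours(6))        # warning sent within 24 h
    b = Incident("INC-002", T0, significant=True)   # nothing sent yet
    c = Incident("INC-003", T0, significant=False)  # not significant: no duty
    return [a, b, c]


if __name__ == "__main__":
    for inc in sample_incidents():
        print(inc.incident_id, reporting_status(inc, at_hours(30)))
    print("overdue at +30h:", overdue_incidents(sample_incidents(), at_hours(30)))
```

Whether an incident counts as "significant" is a judgement the page leaves to the entity and its competent authority; the tracker only takes that flag as input. In practice the `log` would be persisted so it can be produced for the supervisory authority on request.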

Cyber security measures:

NIS2 requires the implementation of specific cyber security measures to protect the integrity and availability of IT systems and data:

  • Technical protection measures: Use of firewalls, intrusion detection systems, encryption technologies and other protective measures to defend against cyber-attacks.

  • Organizational measures: Establishment of security guidelines, training programs for employees and emergency plans.

  • Adaptation to the state of the art: Security measures must be updated regularly to keep pace with technological developments.

Obligation to register:

Important and particularly important entities must register with the competent national authorities. This registration includes basic information such as the name, contact details and sector of the entity.


Special registration requirement for certain types of facilities:

Certain types of facilities that play a central role in critical sectors may be subject to extended registration requirements. These may require specific information that goes beyond the usual registration information.


Notification requirements:

In the event of a significant security incident, the competent federal office may instruct the facilities concerned to inform the public or specific target groups about the risks and the measures taken.


Feedback from the Federal Office to reporting facilities:

The Federal Office is obliged to respond to reports of security incidents and may offer advice or support to the reporting facilities in order to minimize the impact of the incident.


Duty of approval, monitoring and training for managers:

Managers of important and particularly important entities are responsible for approving and monitoring the implementation of cybersecurity measures. They must regularly participate in training to keep their knowledge of cybersecurity current and to understand the risks to their organizations.


Central reporting and contact point:

The Federal Office acts as a central reporting and contact point for important and particularly important institutions. This central office coordinates the reporting of security incidents and ensures effective communication between the facilities and the competent authorities.




2.2 Special risk management requirements for operators of critical facilities:


Definition: Operators of critical facilities are organizations that operate infrastructure that is considered essential for the maintenance of vital social or economic functions. The failure or impairment of these facilities could have a significant negative impact on public safety, health or the economy.

Examples include:

  • Operators of waterworks

  • Operators of electricity grids

  • Airport operators


Additional specific requirements apply to operators of critical facilities, taking into account their central importance for public safety and the economy:

  • Extended risk assessment: operators of critical facilities must not only assess the risks to their own systems, but also the potential impact of a failure or impairment of their facilities on public safety and other critical infrastructure.

  • Tightened security measures: These facilities often need to implement more stringent security measures, which may include government monitoring or specialized technology solutions.

  • Contingency and recovery plans: It is necessary to have detailed and robust contingency plans in place to ensure rapid restoration of services and minimization of impact in the event of a disruption.

  • Cooperation with authorities: Critical asset operators often need to work closely with government cyber security agencies to report threats and respond to incidents.

  • Verification requirements for operators of critical facilities: Operators of critical facilities must demonstrate that they have implemented the necessary security measures. This can be done through security audits, inspections or certifications, the results of which must be submitted to the authorities.



These regulations ensure that important and particularly important entities, as well as operators of critical facilities, deal actively and responsibly with cybersecurity risks and respond quickly and effectively in the event of incidents.



 


3. Practical implementation of NIS2


IT security managers play a key role in the implementation of the NIS2 directive in medium-sized companies. To implement the requirements effectively, they should develop structured strategies and processes based on the three main aspects of the directive: Risk Assessment and Mitigation, Incident Management and Compliance. Here are practical approaches for each of these aspects:


Risk assessment and mitigation strategies:


  1. Regular risk assessments: IT security managers should ensure that regular and systematic risk assessments are conducted to identify potential vulnerabilities and threats. This includes the assessment of both internal and external risk factors.

  2. Develop a risk management plan: Based on the risk analysis, a detailed plan should be developed that includes risk mitigation measures. This includes technical security measures, organizational processes and contingency plans.

  3. Training and awareness: Regular training and awareness programs for all employees are crucial to raise awareness of cybersecurity risks and ensure that security policies are understood and adhered to.


Best practices for incident management and the fulfillment of reporting obligations:


  1. Establish an incident response team: A specialized team should be in place to respond quickly and effectively to security incidents. This team is responsible for monitoring the IT systems and acts as the first point of contact in the event of security incidents.

  2. Detailed incident response plans: These plans should include clear procedures and guidelines on how to respond to different types of security incidents, including steps to contain, investigate and report incidents.

  3. Compliance with reporting requirements: IT security managers must ensure that all legal reporting requirements are met. This includes setting up mechanisms to detect incidents quickly and communicating with the relevant authorities in accordance with the prescribed deadlines.


Recommendations for meeting compliance requirements:


  1. Review compliance regularly: Regular reviews and audits should be carried out to ensure that all requirements of the NIS2 Directive are met. This includes reviewing contracts and agreements with third parties and service providers.

  2. Integration of compliance into the corporate culture: Compliance should be seen as an integral part of the corporate culture. This is best achieved by clearly communicating the importance of cyber security and by involving top management.

  3. Use of compliance tools and software: The use of specialized tools for monitoring and reporting can help to continuously check and document the compliance status.

The practical implementation of the NIS2 directive requires a proactive and structured approach from IT security managers. By establishing clear processes and continuously training and raising awareness among all stakeholders, a medium-sized company can not only ensure compliance but also improve its overall security posture.



 


4. Benefits of ISO 27001 in the implementation of NIS2


DIN ISO 27001 plays a central role in the practical implementation of the NIS2 directive, as it represents an internationally recognized standard for the management of information security. This standard provides a systematic and comprehensive approach to the Information Security Management System (ISMS) that helps organizations ensure the security of their information through appropriate management processes. Here are some key aspects of how DIN ISO 27001 supports the implementation of NIS2:



1. Risk management

ISO 27001 requires the implementation of an effective risk management process that harmonizes with the requirements of NIS2. This process includes the identification, assessment and treatment of risks to ensure the security of information. By implementing ISO 27001, organizations can ensure that their risk management practices are aligned with the expectations of NIS2, effectively minimizing risk.

2. Security measures and controls

ISO 27001 lists a number of security measures and controls that organizations can implement to improve their information security. These controls cover various areas, including physical security, access control, cryptography, personnel security, communication security and operational security. Implementing these controls will help organizations meet the security requirements of the NIS2 directive by strengthening the security of their network and information systems.

3. Incident Management

ISO 27001 places a strong focus on incident management and requires organizations to establish procedures for the effective handling of information security incidents. These procedures are directly relevant to the reporting obligations under NIS2, as a quick and effective response to security incidents is crucial to minimize the impact and inform the authorities in accordance with the requirements of NIS2.

4. Compliance and continuous improvement

The standard promotes continuous improvement of the ISMS through regular reviews and audits. This supports NIS2 compliance as organizations need to regularly review and improve their security practices to meet the dynamic threats of cybersecurity. In addition, ISO 27001 helps to create a formal framework for compliance, making it easier for organizations to meet regulatory and legal requirements.


5. Training and awareness

Another important aspect of ISO 27001 is the emphasis on training and awareness regarding information security. By training employees and promoting security awareness throughout the organization, IT security managers can ensure that all employees understand and follow security policies, which plays a key role in NIS2 compliance.


Overall, the implementation of ISO 27001 provides a robust framework that not only helps organizations to meet the specific requirements of NIS2, but also to improve their overall information security posture. This standard helps organizations develop systematic and comprehensive security practices that are essential for NIS2 compliance.



 


5. Are you already ISO 27001 certified?


Companies that are already ISO 27001 certified have several advantages when implementing the NIS2 directive. This certification ensures that the organization has already implemented a solid information security management system (ISMS), which covers many of the requirements of NIS2. Here are some specific benefits and explanations of how ISO 27001 certification impacts NIS2 compliance:



1. Simplified risk management

ISO 27001 places a strong focus on risk assessment and management, which is a core aspect of NIS2. Companies that are already ISO 27001 certified have established procedures and tools to systematically identify, analyze and manage risks. This simplifies the fulfillment of similar requirements under NIS2.

2. Effective incident management

ISO 27001 places a strong focus on risk assessment and management, which is a core aspect of NIS2. Companies that are already ISO 27001 certified have established procedures and tools to systematically identify, analyze and manage risks. This simplifies the fulfillment of similar requirements under NIS2.

3. Existing security controls

ISO 27001 includes a comprehensive list of security controls, many of which meet the requirements of NIS2. The controls already implemented can often be used directly to meet NIS2 requirements without having to introduce additional systems or procedures.

4. Documentation and compliance

Certification requires detailed documentation of security policies, processes and measures. This documentation helps companies to fulfill the NIS2 documentation and verification requirements more efficiently.

5. Regular audits and continuous improvement

The regular reviews and audits that are part of ISO 27001 certification help organizations to continuously improve their security practices and adapt to new threats. This is in line with the NIS2 objective of continuous improvement of network and information security.


Are certain requirements not applicable?

Although ISO 27001 certification covers many processes and systems that are also required for NIS2, it does not necessarily remove specific requirements. Rather, the existing infrastructure and practices make it easier to meet the NIS2 requirements. However, companies must continue to ensure that all specific aspects of NIS2, in particular the extended reporting and registration obligations as well as the stricter requirements for critical sectors and cooperation with national authorities, are fully complied with.


In summary, ISO 27001 certification provides companies with a strong basis for efficiently meeting the requirements of NIS2. It reduces the effort and complexity associated with the introduction of new security measures and processes, thus facilitating the transition and compliance with the new EU directive.
