The clock is ticking, and NIS 2 is getting closer. What do you need to do? Or is no action necessary in your case? In any case, one thing is certain: Anyone who simply ignores NIS 2 may face severe penalties. With our quick overview, you’ll know in just three minutes what you need to do now to prepare:
1. NIS 2 affects more companies than before
The EU Directive on Network and Information Security 2 (NIS 2) is an extension of NIS 1. But take note: It affects more companies than before! This is because criteria such as company size, number of employees, and revenue have been adjusted. Service providers and suppliers of critical infrastructure companies can also be affected. So be sure to check whether your company is required to register! You can determine this via the German Federal Office for Information Security (BSI).
2. NIS 2 is not just a task for the IT department
NIS 2 concerns the general security of networks and information – and is therefore not just the responsibility of your IT department. Physical and personal security must also be taken into account. An information security management system (ISMS) is used for this purpose.
3. The countdown has already started
In Germany, a law on NIS 2 is planned to take effect in the fall of 2024 – in just a few months. This marks the start of the transition phase, during which affected companies must actively register. The expected deadline for registration is July 2026. You should know that setting up an ISMS takes about a year. So start now, since there is still time to prepare yourself well for all of the requirements!
4. Just ignore it? Think again!
Ignoring the new requirements and claiming ignorance won’t work with NIS 2, because that approach can quickly become very expensive. If a company fails to comply with its reporting obligations, it may face heavy fines of up to 2% of its annual global revenue or EUR 10 million, whichever is higher. Companies must therefore take action and register by July 2026 if they are affected by NIS 2. The reporting chain must be clear, i.e., who reports security incidents to whom, and within what period of time.
5. What you can do now
To be optimally prepared, you should carry out a gap analysis with regard to NIS 2 by consulting with an IT company specializing in security. This will allow you to set up an up-to-date ISMS for your company to ensure that you meet the requirements of the new directive. In order to perform the analysis quickly and effectively, you can clarify a few things in advance:
- Are your systems up to date? Are there any old systems anywhere in the company that no longer receive update support?
- Have all of the updates been implemented? Can pending updates be carried out in a structured manner without causing conflicts with normal operations?
- What provisions govern risk and emergency management at your company? Who is responsible for what – including on weekends, holidays, etc.? Who speaks with whom? Is there a plan B if an attack is successful?
- Have processes already been documented? If so: Which ones and in what areas?
- Which suppliers and service providers work with your company? Which work and infrastructure areas do they have access to?
- Where is sensitive data physically stored or digitally saved? How have you protected this data so far?
- What access rights policies have already been adopted by the company? How is compliance with them ensured?
Of course, an ISMS cannot be set up overnight. However, you can use a gap analysis to set the right priorities. With regard to NIS 2, the reporting chain to be followed in the event of security incidents is particularly important.
So NIS 2 is no reason to panic. If you take an active approach to the whole thing, you will benefit in the long term, including in terms of audits and certifications. With a clear view of the processes in your company, you can invest in the right things and set up better time frames for introducing new technologies. Our security experts will be happy to help you get ready for NIS 2. Simply contact us.