
Time is running out – Implementation of the NIS2 Directive

#NIS2, #CyberSecurity, #InfoSec, #CyberResilience
Information security is no longer just a technical issue. The increasing number of cyberattacks and stricter regulatory requirements such as DORA, together with their impact, are receiving growing attention at management level because of their critical nature. However, the equally urgent implementation of the NIS2 Directive (Network and Information Security Directive), which also applies to thousands of companies, is often overlooked. This can be costly, as draconian penalties for non-compliance will come into effect from October: up to 10 million euros or 2% of annual turnover for essential entities, and up to 7 million euros or 1.4% of annual turnover for important entities. Executive bodies must ensure that risk management measures are in place and are liable for damages. The regulations are expected to come into force from October 18, 2024, with no transition periods currently planned.
Large and medium-sized enterprises are affected:
- An organization is considered a "large enterprise" if it either employs at least 250 employees or generates an annual turnover of over 50 million euros and has a total annual balance sheet exceeding 43 million euros.
- An organization is considered a "medium-sized enterprise" if it either employs at least 50 employees or generates an annual turnover of over 10 million euros and has a total annual balance sheet exceeding 10 million euros, provided it is not already classified as a large enterprise.
… from, among others, the following sectors:
- Banking
- Insurance
- Financial market infrastructures
- Energy
- Transportation
- Digital infrastructure
- Management of B2B ICT services
- Manufacturing/industrial sector
But there is also good news: With the implementation of NIS2, not only are regulatory requirements met, but IT security within the company is also strengthened. A proper implementation of the directive brings a number of benefits:
- Minimize liability risks: Executive bodies (management board, managing directors) can avoid personal liability by preparing for the occurrence of a damaging incident
- Secure competitive advantages: In an era of growing cyber threats and espionage, information security makes a decisive contribution to defending against these dangers
- Avoid loss of reputation: Essential entities in particular are in the focus of public interest, which makes the protection of information of central importance
Our experience shows how important it is that investments in IT security are not only technically optimized but also economically sensible. Technical improvements do not automatically translate into business efficiency, so a sound commercial perspective is essential as early as the goal-setting phase. In collaboration with our clients, a pragmatic approach has emerged:
- Assessment of whether your company is affected by the NIS2 Directive: We check for you if you are affected and conduct the assessment together with you.
- Identification of gaps (gap analysis): Through workshops and interviews, we evaluate your company’s maturity level in all NIS dimensions (environment, operations, assessment, development, planning, governance, and support outside IT).
- Derivation, planning, and implementation of measures for NIS2 readiness: Based on your process landscape, we jointly develop a plan to meet the requirements in a timely manner.
As experienced experts in information security, we are happy to support you with the implementation of the NIS2 Directive or to engage in a discussion with you on the topic. Feel free to contact us.