NIS-2 Directive to become national law
New requirements and compliance: What companies need to know
With the implementation of the second version of the EU Directive on Security of Network and Information Systems (NIS-2) by October 2024, German companies will be required to make significant changes in the area of cybersecurity. The Directive expands requirements and obligations for a wide range of companies. In the following, we will show what this means in specific terms and what measures you as a company can take to meet the requirements of the NIS-2.
The key benefits of the NIS-2 Directive for affected companies
- Improved resilience to cyber attacks through more stringent security regulations
- Clear responsibilities and transparent reporting obligations
- Strengthening the trust of all participants through demonstrably high security standards
The EU Directive NIS 2 entered into force at the beginning of 2023; the EU member states, including Germany, are required to transpose the Directive into national law by October 17th, 2024. The draft for the NIS 2 Implementation Act in Germany (NIS2UmsuCG) has already been formulated.
The Directive also strengthens the critical infrastructure regulations by bringing companies outside traditional critical infrastructures into scope and by introducing stricter security protocols and reporting obligations for all facilities concerned. This will significantly improve resilience and responsiveness to national security risks.
Extension of the scope of application
The extended NIS Directive distinguishes between “essential” and “important” entities. Essential entities are subject to regular security audits with possible fines of up to EUR 10 million or 2% of their global turnover. Important entities, however, are only audited if there is suspicion, with fines of up to EUR 7 million or 1.4% of their turnover.
Essential entities include, in particular, large companies from the following highly critical sectors:
- Energy
- Road, rail, air and sea transport
- Water
- Digital infrastructure and IT and telecommunications services
- Finance and insurance
- Health care
- Public administration
- Aerospace
What can you do to make sure that you fulfill the NIS-2 requirements?
To fulfill the requirements of the NIS 2 Directive, you as a company should first check whether you are classified as an “essential” or “important” entity, as this determines your specific security obligations and the scope of regulatory oversight. It is important to implement a robust risk management and cybersecurity system that includes regular security audits, penetration testing and the training of your staff. Similarly, you should create effective contingency plans so that you can respond quickly to security incidents, and continuously monitor your IT infrastructure to ensure compliance and avoid potential penalties.