NIS-2
Realise NIS-2 Compliance with KC

NETWORK AND INFORMATION SECURITY 2 (NIS-2) DIRECTIVE

The NIS-2 Directive, a key EU regulation in cyber security, is currently in the spotlight.

We ensure a successful NIS-2 implementation program and support you in ensuring compliance!

Overview


NIS-2 - What is NIS-2 (Network and Information Security 2)?

With the publication of the NIS-2 Directive on 27 December 2022, the European Union has taken a significant step towards strengthening cybersecurity. The NIS-2 Directive (Directive (EU) 2022/2555) replaces the previous NIS Directive (Directive (EU) 2016/1148) and significantly expands the scope of application and the requirements for companies.

Not least because of the changed geopolitical situation, digital threats against important institutions have attracted the attention of politicians and the public.

By introducing NIS-2 and implementing NIS-2 standards, the EU is endeavoring to prevent attacks on critical infrastructures and the potentially catastrophic consequences associated with them.

According to the regulation, affected companies must have implemented the requirements of the NIS-2 Directive by 17 October 2024. Essential sectors will then be audited regularly, with severe fines for non-compliance. In addition, managing directors and management boards will be personally liable for violations.

Application Areas

Which sectors are affected by NIS-2?

Find out whether your company is affected by the NIS-2 Directive. Rely on professional advice to gain clarity at an early stage.

Based on the latest status, NIS-2 will be applied according to the following criteria:

  • Large and medium enterprises from the Essential Sectors and Important Sectors
  • Area of application: 50+ employees or 10m EUR turnover/year
  • KRITIS operators are affected by NIS-2 regardless of the number of employees and annual turnover

NIS-2 Readiness Approach


Act now and prepare for the implementation of NIS-2!

NIS-2 obligations and requirements need to be implemented in a timely manner. Together we will prepare the implementation and accompany you through the implementation process. Our NIS-2 readiness approach provides the following steps to achieve compliance:

Core Requirements

Core requirements for companies in the context of NIS-2


1. Risk management is a fundamental element of NIS-2 compliance

Effective risk management is a central component of NIS-2 compliance and plays a crucial role in the information security of companies. A structured approach allows potential threats and vulnerabilities in network and information systems to be identified at an early stage. This proactive approach strengthens resilience against threats and attacks in the long term. The systematic analysis and assessment of risks makes it possible to take targeted measures to minimize potential vulnerabilities and to prepare better for possible attacks.


2. Information security in the supply chain

Security in the supply chain is a crucial aspect of the NIS-2 requirements. Companies are obliged to ensure that their business partners and service providers implement appropriate security precautions for information security. Contractual agreements in which specific security requirements are defined can play a role here.

The aim is to prevent unauthorized access to sensitive information such as confidential customer data through "supply chain attacks".


3. Reporting procedure

Companies categorized as Critical Infrastructure Operators must notify the national cybersecurity authorities of significant disruptions, incidents, and threats to their critical services. An effective security program with clear policies and procedures for handling security incidents is also required. The ISO 27001 guidelines include requirements for quickly identifying and resolving security incidents and for communicating incidents to customers.

Together we can secure your digital future!