NIS-2
Get NIS-2 Compliance with KC

NETWORK AND INFORMATION SECURITY 2 (NIS-2) DIRECTIVE

The NIS 2 Directive, an EU regulation on cyber security, is currently in focus.

We ensure a successful NIS 2 implementation programme and support you in ensuring compliance!

Definition

What is NIS-2?

The European economy is increasingly dependent on functioning and resilient infrastructures, both physical and digital, to ensure prosperity and growth. At the same time, companies are exposed to higher cyber security risks (e.g. ransomware attacks) due to digitalisation and global networking. The European Union's NIS-2 Directive (NETWORK AND INFORMATION SECURITY DIRECTIVE 2 - (EU) 2022/2555) aims to standardise and strengthen the level of cybersecurity throughout the EU. In Germany, NIS-2 is being introduced and implemented with the NIS2UmsuCG act. With the introduction of NIS-2, the EU aims to prevent attacks on infrastructures and the associated potentially catastrophic consequences for companies and their employees.

The companies covered must have implemented the requirements of the NIS 2 Directive by the time the NIS2UmsuCG comes into force.

Area of application

Who is affected?

The impact of the NIS 2 Directive on a company is determined by the standardised EU economic sectors, the number of employees and the turnover or profit. In addition to critical infrastructures (e.g. energy supply, healthcare, etc.), other sectors are also subject to the obligation for the first time. These include, in particular, the manufacturing industry, manufacturers of goods from sectors such as mechanical engineering, automotive manufacturing and suppliers, but also the production and distribution of food or chemical substances as well as providers of online or cloud services.

This means that every relevant economic sector in Germany is affected if, in addition to belonging to one of these sectors, it employs at least 50 people or generates either a turnover or a balance sheet profit of at least 10 million euros.

Procedure

What needs to be done?

The executive management of a company concerned is responsible for taking suitable, proportionate and effective technical and organisational measures. These measures are intended to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems. They should also help to minimise the impact of incidents that have an impact on business activities.

NIS-2 implementation can be reviewed by the official authorities.

Consequences

What are the consequences of non-compliance?

Managing directors or board members who violate their obligations under the NIS 2 Directive are liable to the company for the damage caused. Furthermore, the German NIS2UmsuCG allows high penalties for companies, which start at 100,000 euros and can amount to up to 2% of global turnover.

In addition, the law allows interventions in business operations in the event of an incident and stipulates that affected customers must be informed if necessary.

Our approach

Where does Karer Consulting provide support?

We support potentially affected companies in determining their position with regard to NIS-2 implementation - on the one hand with our assessment, which is based on industry standards and best practices. On the other hand, we support you by managing corresponding implementation projects in the areas covered by NIS-2:

  • Information security management
  • HR Security
  • IT security
  • Physical security of facilities
  • Cyber hygiene measures
  • Transparency in the dependency on information technology systems
  • Business and IT continuity in the event of a disaster
  • Security in the supply chain / with suppliers
  • Regular training courses for employees
  • Regular training courses for managers and the management
  • Implementation of requirements from registration and reporting obligations to the BSI (Federal Office for Information Security)

We prepare you optimally for the implementation and accompany you through the implementation process. Our NIS-2 readiness approach provides for the following steps to achieve compliance:

Key aspects

Management and Policies
  • Policy on the security of network and information systems
  • Risk management policy
  • Effectiveness of cybersecurity (ISMS)
  • Asset management
Business Continuity
  • Business Continuity
  • Business Impact Analysis
  • Disaster Recovery Plan
IT Security and Networks
  • Security in Acquisition and Development
  • Cryptography
  • IAM and Access control
Physical Security
  • Physical Security incl. Datacenter Security
Incident Management
  • Security Incident Management
Supply Chain
  • Supply Chain
  • Service Level Management and Agreements
Personnel Security
  • Human resources security
  • Cyber hygiene

"In future, around 29,500 companies will be obliged to implement cyber security measures. They guarantee the security of supply for the population and form the backbone of Germany as a cyber nation..."
BSI President Claudia Plattner

Together we will secure your digital future