Definition
What is NIS-2?
The European economy is increasingly dependent on functioning and resilient infrastructures, both physical and digital, to ensure prosperity and growth. At the same time, companies are exposed to higher cyber security risks (e.g. ransomware attacks) due to digitalisation and global networking. The European Union's NIS-2 Directive (NETWORK AND INFORMATION SECURITY DIRECTIVE 2 - (EU) 2022/2555) aims to standardise and strengthen the level of cybersecurity throughout the EU. In Germany, NIS-2 is being introduced and implemented with the NIS2UmsuCG act. With the introduction of NIS-2, the EU aims to prevent attacks on infrastructures and the associated potentially catastrophic consequences for companies and their employees.
The companies covered must have implemented the requirements of the NIS-2 Directive by the time the NIS2UmsuCG comes into force.
Area of application
Who is affected?
The impact of the NIS-2 Directive on a company is determined by the standardised EU economic sectors, the number of employees and the turnover or profit. In addition to critical infrastructures (e.g. energy supply, healthcare, etc.), other sectors are also subject to the obligation for the first time. These include, in particular, the manufacturing industry, manufacturers of goods from sectors such as mechanical engineering, automotive manufacturing and suppliers, but also the production and distribution of food or chemical substances as well as providers of online or cloud services.
This means that every company in Germany that belongs to one of these economic sectors is affected if, in addition, it employs at least 50 people or generates either a turnover or a balance sheet profit of at least 10 million euros.
Procedure
What needs to be done?
The executive management of a company concerned is responsible for taking suitable, proportionate and effective technical and organisational measures. These measures are intended to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems. They should also help to minimise the impact of incidents that have an impact on business activities.
NIS-2 implementation can be reviewed by the official authorities.
Consequences
What are the consequences of non-compliance?
Managing directors or board members who violate their obligations under the NIS-2 Directive are liable to the company for the damage caused. Furthermore, the German NIS2UmsuCG allows high penalties for companies, which start at 100,000 euros and can amount to up to 2% of global turnover.
In addition, the law allows interventions in business operations in the event of an incident and stipulates that affected customers must be informed if necessary.
Our approach
Where does Karer Consulting provide support?
We support potentially affected companies in determining where they stand with regard to NIS-2 implementation: on the one hand with our assessment, which is based on industry standards and best practices. On the other hand, we support you by managing the corresponding implementation projects in the areas covered by NIS-2:
- Information security management
- HR security
- IT security
- Physical security of facilities
- Cyber hygiene measures
- Transparency in the dependency on information technology systems
- Business and IT continuity in the event of a disaster
- Security in the supply chain / with suppliers
- Regular training courses for employees
- Regular training courses for managers and the management
- Implementation of requirements from registration and reporting obligations to the BSI (Federal Office for Information Security)