NIS-2 Directive
Challenges in cyber security
In addition to comprehensive cybersecurity measures, NIS-2 brings with it stricter reporting obligations, expanded risk management and significantly greater management responsibility. Those who do not address the new requirements early on risk not only security gaps and operational risks, but also severe penalties.
For companies, this means extensively adapting their existing processes and systems in order to fulfil the new, strict requirements.
Would you like to find out more about NIS-2?
Here we explain the directive in detail and answer the most frequently asked questions.
This is how we can support you
We analyse your existing security infrastructure and assess the extent to which you already comply with the NIS-2 requirements. The audit establishes whether the current state of your cyber security meets those requirements and follows the requirements set out by the Federal Office for Information Security (BSI).
We help you to draw up security guidelines, contracts with service providers and internal documentation that fulfil the new requirements. NIS-2 places obligations on business partners and suppliers. We ensure that contracts are adapted accordingly. We also evaluate whether partners pose any security risks.
Our co-operation partner RIEDEL Networks carries out a detailed review of your IT infrastructure and identifies weak points. With the [R.E.D.] service, you can hand over responsibility for continuous 24/7 monitoring. In the event of a security incident, you will be informed immediately and supported by technical experts.
New with NIS-2 are the comprehensive reporting obligations. These include, for example, staffing a contact point 24 hours a day, 7 days a week, and complying with the three-stage reporting obligation for security incidents (24 hours, 72 hours, one month) within the statutory deadlines. We support you in developing an efficient and legally compliant reporting chain for security incidents.
Raising awareness and providing practical training on how to deal with cyber security risks is essential.
In order to effectively prepare your management and employees for NIS-2 and reduce the ‘human’ risk, we offer online training courses to increase security awareness. This can greatly reduce liability risk.
With our complete solution you are on the safe side: technical, legal and organisational
The implementation of NIS-2 requires a combination of legal compliance and technical cyber security. For a customised solution that implements all aspects of the NIS-2 directive, we are therefore cooperating with RIEDEL Networks GmbH & Co. KG, a provider of customised telecommunications and network services.
While RIEDEL Networks takes care of the technical implementation and checks your network and IT security, we support you with our legal and organisational expertise. In this way, legal requirements and directly effective security measures are addressed together.
The NIS 2 compliance audit
Your first step to safety
To give companies an initial orientation, we offer an NIS 2 compliance audit. This is based on the proven building blocks of BSI IT baseline protection and enables a structured analysis of current security measures. Together with your IT and compliance team, we go through a structured catalogue of questions that covers all relevant areas of NIS-2 – from technical protection measures to legal processes.
On completion of the check, you will receive a detailed report with an assessment of your current status, identified vulnerabilities and specific recommendations for action to improve your security strategy.
How our collaboration works
- Creation of an audit plan, i.e. affected departments and focus topics
- Review of the current situation through an audit
- Establishment of risk management
- Support with implementation (e.g. setting up the contact point)
- Adaptation of contracts and evaluation of partners
- Training and sensitisation of employees
Technical security with RIEDEL Enterprise Defence [R.E.D.]
Our partner RIEDEL Networks offers the corresponding RIEDEL Enterprise Defence [R.E.D.] solution to identify and eliminate vulnerabilities in the system. With the [R.E.D.] service, you can protect your company from cyber attacks around the clock – through prevention, detection and response, including compliance and reporting.
By combining state-of-the-art technologies, [R.E.D.] creates a strong line of defence against cyber threats. The security toolbox enables comprehensive vulnerability analysis, active protection and targeted preventive measures – all monitored and controlled via the Security Operations Centre (SOC).
Why implement NIS-2 with CLARIUS.LEGAL as your partner

- We cover both the technical and the legal side. This saves time and costs and ensures a high level of legal certainty.
- As NIS-2 harbours high liability risks, efficient risk management is essential
- Our service not only includes advice, but also permanent relief
The requirements of NIS-2 will soon become mandatory – companies that take early action can avoid fines and liability risks. In addition, a strong cyber security strategy also offers operational benefits: protection against economic damage caused by cyber attacks, reduction of business interruptions and increased trust among customers and partners.
With CLARIUS.LEGAL as your partner for implementing the NIS-2 directive, you choose a holistic approach: technical advice alongside our legal expertise, plus the ongoing relief provided by our tools, so that risky and cost-intensive tasks become manageable.
Contact us now – together we can make your company NIS-2-ready!
What exactly is NIS-2 about?
The NIS 2 Directive presents companies with new and extensive challenges. The extended requirements demand a significant strengthening of security measures and the introduction of more comprehensive protection mechanisms for networks and information systems.
The NIS 2 Directive applies to companies and organisations operating in certain critical sectors. The 18 sectors affected include, among others:
- Energy
- Healthcare
- Manufacturing sector
- Finance
- Transport
- Digital infrastructure and digital services
- Public administrations
- Food production and processing
The obligated companies must now not only review and adapt their existing security precautions, but also continuously monitor and respond to new threats.
Companies must take several measures to comply with the NIS 2 Directive:
- Implementation of robust security measures: Companies must protect their networks and information systems with appropriate technical and organisational measures to prevent and defend against cyber attacks.
- Regular risk analyses: Companies must carry out regular risk assessments to identify potential vulnerabilities and implement appropriate protective measures.
- Reporting of security incidents: Companies are obliged to report serious security incidents immediately to the competent authorities to enable a rapid response and cooperation.
- Training and awareness: Employees must be regularly trained and made aware of cyber security risks in order to promote security-conscious behaviour and minimise human error.
- Emergency plans and crisis management: Companies must establish emergency plans and crisis management processes in order to be able to react quickly and effectively in the event of a cyberattack.
This means effort for the companies concerned, but non-implementation could result in severe penalties:
- The extended liability of managing directors means that managers can be held personally responsible for compliance with cyber security requirements.
- In serious cases, essential entities can be fined up to 10 million euros or 2% of their global annual turnover, whichever is higher; for important entities the maximum is 7 million euros or 1.4% of global annual turnover, whichever is higher.
- Violations may be publicised in a manner that damages the company's reputation.
We are happy to support you with our services and help you to fulfil the requirements.
Important questions and answers on the NIS-2 Directive
The NIS 2 Directive aims to strengthen cybersecurity in the European Union by introducing higher security standards and reporting obligations for companies. It seeks to increase the resilience of critical infrastructures and improve cooperation between member states.
It is currently assumed that the NIS-2 Directive will be transposed into German law from mid-October 2024, the EU transposition deadline. The following Q&A is intended to help you understand the most important aspects of the NIS-2 Directive and take concrete steps to comply with the new requirements.
Companies operating in critical sectors, including energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, digital infrastructure, public administration and space, are subject to the NIS 2 Directive. In addition, the directive now also covers digital service providers such as cloud services, online marketplaces and search engines to ensure more comprehensive coverage of cybersecurity requirements.
Companies must take several measures to comply with the NIS 2 Directive:
- Implementation of robust security measures: Companies must protect their networks and information systems with appropriate technical and organisational measures to prevent and defend against cyber attacks.
- Regular risk analyses: Companies must carry out regular risk assessments to identify potential vulnerabilities and implement appropriate protective measures.
- Reporting of security incidents: Companies are obliged to report serious security incidents immediately to the competent authorities to enable a rapid response and cooperation.
- Training and awareness: Employees must be regularly trained and made aware of cyber security risks in order to promote security-conscious behaviour and minimise human error.
- Emergency plans and crisis management: Companies must establish emergency plans and crisis management processes in order to be able to react quickly and effectively in the event of a cyberattack.
Within 24 hours (early warning):
You must submit an early warning to the competent national authority or the CSIRT (Computer Security Incident Response Team) within 24 hours of becoming aware of a significant security incident. Where applicable, indicate whether the incident is suspected to result from unlawful or malicious action, and give initial information on its potential impact on systems and on the security of supply.
Within 72 hours (incident notification):
No later than 72 hours after becoming aware of the incident, you must submit an incident notification that updates the early warning and gives an initial assessment of the incident's severity and its impact on affected services and customers, including, where available, Indicators of Compromise (IoCs). IoCs such as IP addresses, malware signatures or unusual network activity help the authority identify the threat.
Within one month (final report):
No later than one month after submitting the incident notification, you must deliver a comprehensive final report. It must describe the security incident in detail, analyse its root causes, assess its severity and document its effects. In addition, you must state the type of threat (e.g. ransomware, DDoS attack), describe the remedial measures taken and evaluate their effectiveness. Finally, you should formulate specific recommendations to prevent similar incidents in the future and improve the cyber security situation.
Companies that violate the NIS 2 Directive face significant sanctions. Depending on the severity of the offence and the national legislation of the EU member states, these can include the following measures:
- Liability of the management: The NIS 2 Directive introduces extended managerial liability, which means that managers can be held personally liable for compliance with cybersecurity requirements.
- High fines: In serious cases, essential entities can be fined up to €10 million or 2% of annual global turnover, whichever is higher; for important entities the maximum is €7 million or 1.4% of annual global turnover, whichever is higher.
- Public announcement: Violations can be publicised, which can cause considerable damage to the company's reputation.
The responsibility for implementing the NIS 2 Directive in companies lies with the top management level, in particular the managing directors and board members. These managers are responsible for ensuring that their company takes and maintains the necessary measures to comply with the directive.
They must check at an early stage, and on their own initiative, whether the company falls under the directive. Notably, the directive provides for the personal liability of the management if the necessary measures are not implemented.
The requirements impose a range of tasks on companies across different disciplines. Software-based solutions help you to meet all of these obligations and, in particular, simplify the duty to provide evidence of compliance.
The NIS-2 directive should not be understood as a static guideline, but aims to motivate companies to continuously manage risk.
Would you like more detailed information? Get free access to our German-language NIS-2 webinar recording
Your personal contact
Dr. Markus Hülper, Attorney at Law, specialist for data protection, compliance & IT security
- +49 40 257 660 900
- +49 40 257 660 919
- m.huelper@clarius.legal