NIS2 cybersecurity Directive – from regulatory requirement to competitive advantage

The EU Network and Information Security 2 (NIS2) Directive (Directive (EU) 2022/2555), which entered into force on 16 January 2023, fundamentally changes the cybersecurity obligations of businesses. Which obligations apply, and how they are applied, now depends on the sector a company operates in and on its size. Another change is that management bodies can be held personally liable for failing to meet these obligations.

In Germany, the Directive will be transposed by the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), currently available as the ministerial draft (Referentenentwurf) of 27 September 2023 and expected to be promulgated in March 2024. The implementation act comprehensively revises the Act on the Federal Office for Information Security (BSIG) and extends its scope to additional sectors. The future BSIG sets out detailed requirements for registration and reporting obligations, security measures, monitoring and training obligations, and specific requirements for risk management.

All companies within the scope of the law must register with the Federal Office for Information Security (BSI) and provide detailed contact information. Operators of critical infrastructure must additionally report the key figures of the installations they operate. They are also required to establish a process for reporting security incidents to the BSI and for handling the information they receive from the BSI.

The new law also places greater obligations on management. Corporate management is now explicitly responsible for approving and overseeing the implementation of the required measures and can be held personally liable for breaches of this duty.

Our Approach

Our team helps you not only fully implement the regulatory requirements, but also reduce the risk of cyberattacks. Our experts use knowledge gained from their many years of experience in the field of critical infrastructure security. This includes expertise in the implementation of measures as well as audits. As your trusted partner, we contribute our extensive knowledge in the industries affected by NIS2, our regulatory expertise, and our technical expertise to optimally prepare you for the challenges of the NIS2 Directive.

Our solutions

As the first step, we use an impact analysis to determine whether your company falls within the scope of the NIS2 Directive, which specifications are relevant to you, and which requirements are applicable to your company.

Given the complexity of the requirements, the next step is a gap analysis that records your company's current status against the NIS2 requirements and identifies the measures still to be taken. Once this information has been collected, implementation can begin. Here, we offer you comprehensive support by:

  • Defining the responsibilities, duties, and tasks
  • Establishing reporting channels to ensure effective processes for responding to security incidents
  • ISMS implementation: From development to integration of your information security management system
  • Selecting the right measures and implementing suitable protective measures, e.g. in accordance with "Industry-Specific Security Standards" (B3S)
  • Providing training to increase security awareness within the company
  • Providing management training in accordance with § 38 (3) BSIG
  • Conducting security audits, in particular vulnerability scans and penetration tests, to test the effectiveness of the implemented measures

How you benefit

Implementing the regulatory requirements in an effective and timely manner minimises your company’s liability risks and avoids possible fines. Improving information security and demonstrating sustainable cybersecurity enhances the trust of your customers and business partners. Finally, effective cybersecurity measures reduce your risk of becoming the victim of cyberattacks.