THINK SAFE. THINK ICS.

Understanding and implementing NIS2

Find out how the NIS2 directive is designed to better protect companies against modern cyber attacks and how this can be achieved without endless effort.

From analysis to implementation - NIS2 from a single source.

Instead of coordinating individual modules from different providers, ICS gives you an end-to-end NIS2 roadmap — with clear responsibilities, measurable progress and hands-on operational support.

How does ICS support NIS2?

Free NIS2 applicability check

Our applicability check is the first step towards a structured and comprehensible NIS2 implementation.

NIS2 maturity assessment & GAP analysis

Assessment of your current security maturity (e.g. against ISO 27001, IEC 62443), incl. implementation planning with prioritized measures.

Support with ISMS implementation & operation

We support you in setting up and operating an ISMS that fits your structures and is audit-ready.

NIS2 training for specialist departments & management

We convey the requirements of the NIS2 directive in an understandable and application-oriented way for management, IT and specialist managers.

Penetration testing & vulnerability analysis (free of charge)

Our analysis shows whether your systems are potentially vulnerable and where there is an acute need for action.

Automated risk analysis with SECIRA

SECIRA helps with structured risk analysis in accordance with NIS2 and forms the basis for an audit-capable ISMS.

Are we affected by NIS2? What do we need to do? And how can we do it without endless effort?

Many companies are currently facing the same challenges: Does the NIS2 Directive or the Cyber Resilience Act apply to us? What specific obligations does this entail? And how can these be implemented securely, efficiently and practically?

We provide you with clear and understandable answers, explained in a practical way, directly implementable and tailored to your situation. With our free impact check and individual advice, you will receive exactly the support you need for your next steps.

The most important questions about the NIS2 Directive explained clearly

What is the NIS2 Directive?

The NIS2 Directive (EU 2022/2555) is an EU-wide law to strengthen the cyber resilience of critical and important institutions. Compared to the previous NIS1, it is significantly more comprehensive, relevant for far more companies and associated with stricter requirements and higher fines.

In Germany, NIS2 will be implemented by the NIS2UmsuCG, which is expected to come into force in 2025. Note that changes may still occur during the legislative process.

Am I affected by NIS2?

The extent to which you are affected depends on:

  • Company size (employees, turnover, balance sheet total)
  • Sector (according to Annexes I & II of NIS2)
  • Criticality of the service

Typical threshold values:

Facility               | Employees | Turnover + balance sheet total
-----------------------|-----------|--------------------------------
Particularly important | ≥ 250     | > € 50 million & > € 43 million
Important              | ≥ 50      | > € 10 million & > € 10 million

Smaller companies may also be affected, e.g. if they provide security-critical services for organizations with Critical Infrastructures.

Which sectors are affected by NIS2?

Critical supply infrastructure

- Energy infrastructure
- Water/Wastewater
- Waste
- Banking/Insurance
- Transportation
- Municipalities

Health and public administration

- Public Health
- Public administration
- Justice
- Universities

Digital infrastructure and IT services

- IT service providers
- Cloud
- Hosting
- Data centers
- Digitization

Industry and manufacturing

- Mechanical engineering
- Food industry
- Chemicals
- Pharmaceuticals
- Aerospace

What obligations apply after entry into force?

Important: The obligations arising from the NIS2 Directive do not only apply after an official audit or official classification, but from the point at which a company is objectively deemed to be "affected". Every affected company must actively deal with information security.

Even if an ISMS (information security management system) is already in place, additional measures may be necessary - for example, if the ISMS only covers one area. This is because NIS2 applies to the entire company and prescribes mandatory security measures.

Measure                                 | Deadline
----------------------------------------|----------
Registration with the BSI               | 3 months
Implementation of technical measures    | 21 months
Operational readiness (ISMS, SOC, etc.) | 24 months

What happens if you do not comply with NIS2?

The NIS2 Directive provides for significantly higher fines than the previous NIS Directive. In Germany, these could be as follows according to the transposition law:

Fines:

Up to €10 million or 2% of global annual turnover (whichever is higher), in particular for essential facilities in the event of gross violations.

Liability of management:

The directive explicitly places managers under an obligation. Non-compliance may result in personal liability risks, e.g. due to organizational fault (Section 130 OWiG).

Loss of orders or approvals:

Companies that are not NIS2-compliant could:

  • Lose tenders or certifications
  • Lose cooperation partners or customers who are themselves NIS2-compliant and demand conformity

What needs to be done with NIS2?

  • Multi-factor authentication & access management
  • Encryption & network segmentation
  • Vulnerability management & patching
  • Awareness training
  • ISMS according to ISO 27001
  • Supply chain security
  • Business continuity / disaster recovery
  • Security Operations Center (SOC), where applicable

Reporting obligations:

  • 24h: Initial report
  • 72h: Status report
  • 30 days: Final report with root cause analysis

How must the verification obligations and testing requirements of NIS2 be fulfilled?

  • Management responsibility for cyber security
  • Documentation & verifiability vis-à-vis authorities
  • Order & execution of audits by the BSI

~ 80%

of companies and decision-makers report difficulties in meeting regulatory compliance requirements.

~ 60%

of companies state that their manual processes are no longer sufficient to meet the constantly increasing requirements.

~ 2%

of annual turnover is paid by companies for breaches of compliance requirements, with the additional threat of considerable reputational damage.

What is the Cyber Resilience Act (CRA)?

The CRA affects manufacturers and providers of digital products. It requires products to be developed, tested and documented "secure by design" - including vulnerability management and update processes.

Link to NIS2:

Operators according to NIS2 and manufacturers according to CRA are equally required to act in a security and risk-based manner. This includes effective security management (ISMS), regular risk analyses, comprehensible technical documentation and, in the case of manufacturers, product verification of the security of digital components. The aim is to systematically identify cyber risks, implement suitable protective measures and provide evidence of compliance with legal requirements.

Implement NIS2: How you should proceed step by step now

Practical guide to NIS2 implementation: 9 steps for more cyber security and compliance in your company. With check, ISMS and training.

Normative requirements for risk management - IEC 62443 and ISO 27005

What are the differences between the various norms and standards and what do companies need to do to comply with them?

The importance of a user-friendly security platform | SECIRA

Learn why usability is becoming a security issue - and how SECIRA combines risk, compliance & IT/OT security on one platform.

Book a consultation now!

We’re happy to offer personal, tailored guidance — and we look forward to meeting you and discussing your questions.