NIS-2 is coming: We will make your company compliant for IT security

NIS 2 Compliance for companies

Implement cyber security requirements successfully with UNITY!

The NIS 2 Directive that was adopted by the EU in 2022 significantly expands the requirements for information security. Technical and organizational measures must be implemented in order to remain compliant with the NIS 2 requirements.

UNITY always regards investments that are necessary due to regulatory requirements as an opportunity to sustainably improve a company’s organization with efficient solutions. By implementing NIS 2 correctly, you can establish a security organization for your company for the long term. We support you in all phases – from the identification of those impacted, the development of objectives and a gap analysis, to the implementation of customized measures.

As a management consultancy, we specialize in advising companies on regulatory and information security issues in Europe. Please contact us to find out more about how we can support you.

NIS 2 Compliance with UNITY

Board-compliant, implementation-driven and results-oriented consulting for your NIS 2 compliance:

  • Impact & requirements analysis
  • Target picture & action plan / implementation


NIS 2 is coming: Get ready now!

  • NIS2UmsuCG is currently in the legislative process
  • Expected effective date is March 2025
  • We recommend starting today with your impact assessment and action plan preparation


Extensive IT security requirements

The requirements of NIS 2 can be divided into the following clusters: 

  • Information Security Management System (ISMS)
  • Business Continuity Management (BCM)
  • Identity and Access Management (IAM)
  • Supply Chain Security 


Impacted companies

A total of 14 sectors will be impacted, including, among others:

  • Digital infrastructure
  • Manufacturing and transportation
  • Energy and chemicals 

Check whether your company will be impacted by the NIS 2 directive.


Significant fines

Management is obliged to implement the NIS 2-related measures. Penalties include:

  • Management is liable
  • Essential entities: at least €10 million or 2% of worldwide sales
  • Important entities: at least €7 million or 1.4% of worldwide sales


Overall implementation

NIS 2 is just one of several regulations currently impacting companies. We not only support you with NIS 2, but also provide holistic consulting with synergies between regulations such as: 

  • Cyber Resilience Act (CRA)
  • Radio Equipment Directive (RED)
  • Digital Operational Resilience Act (DORA)


Our commitment to quality

Extensive cyber security consulting portfolio

We are already familiar with the requirements of NIS 2 from previous cyber security projects. From organizational development to the establishment of a SOC, we support you in the implementation of NIS 2 requirements.

Industry best practices in strategy and implementation

We provide industry-specific solutions for the individual sectors of NIS 2 and adapt these to your individual needs.

Qualified cyber security consultants

Our highly qualified consultants are results- and implementation-oriented. The project team can always be expanded with experts from our extensive network.

Our consulting services for NIS 2 compliance for companies

Efficient solutions, customized for success in your NIS 2 compliance program

NIS-2 readiness & impact assessment

  • Impact analysis
  • Assessment of the current security landscape

Results:

  • Impact on entities
  • Defined concrete fields of action

Requirements analysis & measures catalogue

  • Requirements analysis NIS 2
  • Derivation of dedicated measures

Results:

  • Degree of coverage of NIS 2 requirements
  • Catalogue of measures

Target picture & NIS-2 roadmap

  • Definition of the target picture
  • Derivation of a roadmap for NIS 2 compliance

Results:

  • Budgeted projects / initiatives for NIS-2 compliance
  • Activities embedded in the security framework

Implementation & monitoring

  • Steering and implementation of the measures
  • Preparation of audits and compliance checks

Results:

  • Implemented NIS 2 requirements
  • Progress report and NIS 2 compliance

Enquire now: NIS compliance and security for your company
Determine your NIS 2 maturity level, and together we will create a customized NIS 2 implementation plan for you.

Request NIS-2 Quick Start

NIS-2 schedule and deadlines

The requirements of NIS 2 are clear. Get started with an impact analysis and NIS 2 implementation today!

December 2022

Entry into force of the NIS 2 EU Directive 2022/2555.

October 17, 2024

The requirements of the EU directive must be incorporated into national law.

Current status in Germany:

A draft bill for the German NIS2 Implementation Act was adopted and is currently in the legislative process.

Extensive IT security requirements

We are familiar with the requirements of the NIS 2 directive and offer you specific solutions to implement them successfully. By comparing industry standards with the current status of your company, we will create a comprehensive action plan for NIS 2 compliance. In this way, we ensure that you meet all legal requirements and that your cyber security is optimally positioned.

  • Risk management & ISMS

    § 30 Article 2 No. 1 – Risk management

    • Risk identification and assessment based on UNITY's industry standards
    • Continuous risk management and monitoring

    § 30 Article 2 No. 2 – Handling security incidents

    • Incident management with individual incident response plans
    • Trainings and simulations
    • Selection and integration of SIEM, IDPS or incident response systems

    § 30 Article 2 No. 5 – Security in development, procurement and maintenance

    • Introduce and establish Security by Design principles

    § 30 Article 2 No. 6 – Concepts and procedures to evaluate the effectiveness of risk management measures

    • Continuous vulnerability scanning
    • Initial introduction and establishment of continuous security assessments

    § 30 Article 2 No. 7 – Basic concepts and procedures in the field of cyber hygiene

    • Patch and backup management
    • Access control and password policy
    • Security measures such as penetration tests 

    § 30 Article 2 No. 7 & § 38 – Training in the field of information security

    • Specific training, such as continuous e-learning and training in information security

    § 30 Article 2 No. 8 – Cryptography and encryption

    • End-to-end encryption
    • Encryption of data at rest
    • Key management

    § 30 Article 2 No. 9 – Personnel security and concepts for access control and asset management

    • Physical security monitoring and access restriction
    • Role-based access controls
  • Identity & Access Management (IAM)

    § 30 Article 2 No. 10 – Identity management and authentication

    • Multi-factor authentication or continuous authentication
    • Secure voice, video and text communication with internal and external partners
  • Reporting & registration obligations

    § 32 – NIS 2 specific reporting obligations

    • Integration of NIS 2-specific requirements into incident and crisis management (BCM)
  • Business Continuity Management (BCM)

    § 30 Article 2 No. 3 – Maintenance of operations

    • Business Impact Analysis (BIA) to identify assets
    • Crisis organization and emergency plans for business processes
    • Emergency operation and system recovery

    § 30 Article 2 No. 10 – Secure emergency communication systems within the facility

    • Redundant emergency infrastructure
    • Backing up contact lists
  • Supply chain security

    § 30 Article 2 No. 4 – Supply chain security

    • Continuous supplier management
    • Security audits and risk assessment of suppliers
    • Contract-based security requirements
  • Management

    § 38 – Obligations of management (implementation of measures and training)

Impacted companies

The NIS 2 Directive significantly expands the scope of previous regulations. It now applies not only to critical infrastructures, but to all companies in the 14 sectors that employ more than 50 people or generate more than €10 million in annual revenue. This extends cyber security responsibility to a much broader corporate landscape. The requirements of NIS-2 must be fulfilled by essential (particularly important) and important entities alike; the two differ only in terms of proportionality. The BSI's impact assessment provides you with an initial self-assessment (BSI – NIS-2-Betroffenheitsprüfung (bund.de)).

Sectors of essential (particularly important) entities:

  • Energy

    • Supply of electricity
    • District energy (heating and cooling)
    • Fuel and heating oil supply
    • Gas supply
  • Transportation and traffic

    • Air transport
    • Rail transport
    • Shipping
    • Road transport
  • Finance

    • Banking
    • Financial market infrastructure
  • Health

    • Healthcare providers
    • EU reference laboratories
    • Research and development activities in relation to pharmaceuticals
    • Companies that manufacture pharmaceutical products

  • Water

    • Drinking water supply
    • Wastewater disposal

  • Digital Infrastructure

    • Internet Exchange Points
    • DNS service provider
    • Top level domain name registry
    • Cloud computing service providers
    • Data center service providers
    • Operators of content delivery networks
    • Trust service provider
    • Operators of public telecommunications networks
    • Managed services provider
    • Managed security services provider
  • Space

    • Ground infrastructure

Sectors of important entities:

  • Postal and courier services

  • Waste management

  • Chemicals

    • Production, manufacturing and trade of chemicals
  • Food

    • Production, processing and distribution of food
  • Manufacturing industries

    • Manufacture of medical products and in vitro diagnostics
    • Manufacture of data processing devices, electronic and optical products
    • Mechanical engineering
    • Manufacture of motor vehicles and motor vehicle parts
    • Other vehicle manufacturing
  • Providers of digital services

    • Providers of online marketplaces
    • Providers of online search engines
    • Providers of platforms for social networking services
  • Research institutions

Significantly higher penalties

The NIS 2 Directive has considerably more severe penalties for violations than previous regulations. Companies face high fines of up to 10 million euros or 2% of their global annual revenue. These more severe penalties are intended to ensure that cyber security is implemented in the relevant companies. The penalties will significantly exceed the investment costs of implementing the requirements.

Duties of management through NIS 2:

  • Implementation and monitoring of the implementation of IT security measures
  • Regular participation in training courses to assess risks and measures

In the event of a breach of obligations, management is liable in accordance with the rules of the respective company law (§38 NIS2UmsuCG - draft).

Penalties and fines for companies:

Essential entities

€10 million or 2% of worldwide sales (starting from €500 million in sales)

Important entities

€7 million, or 1.4% of worldwide sales (starting from €500 million in sales)

Additional penalties for non-compliance with individual requirements from the NIS 2 directive

Implement cyber-relevant EU regulations holistically with UNITY

FAQ on NIS-2 compliance

  • What is the NIS-2 directive?

    The NIS 2 Directive extends the security requirements for a large number of companies. Affected companies must introduce enhanced cyber security measures, such as risk management, BCM and reporting obligations in the event of security incidents. A regular review of security processes is also prescribed. Non-compliance can lead to high penalties.

  • How does NIS-2 affect my company's IT security strategy?

    NIS-2 forces companies to rethink their IT security strategy and align it with new requirements. More comprehensive measures are needed to minimize risks, including better monitoring and reporting of incidents. The directive also encourages the introduction of emergency plans and security audits. Companies must therefore invest more in IT security.

  • What role does management play in the implementation of NIS-2?

    Management is responsible for implementing the NIS 2 directive. Appropriate security precautions must be taken to prepare the company for potential cyber attacks. Regular training for employees and management is also required. A lack of management commitment can lead to legal consequences.

  • How does NIS-2 affect cooperation with partners and suppliers?

    Under the NIS 2 Directive, companies are obliged to check the security standards of their partners and suppliers. A weak security infrastructure of a business partner can pose considerable risks for the company itself. Partner networks must therefore also comply with stricter cyber security measures. This often requires new contracts and closer monitoring of supply chains.

  • What do I have to do if I already have an ISMS to establish NIS-2 compliance?

    If your company has already implemented an information security management system (ISMS), you have already implemented a large part of the NIS-2 requirements. The NIS-2 requirements extend an ISMS according to ISO 27001 in some areas (such as the reporting obligation, the registration obligation, etc.). These specifics must be integrated into the ISMS. You should therefore carry out a compliance check against the NIS-2 requirements.

  • What specific details have to be taken into account in Germany?

    In Germany, there are a number of technical standards and certifications that can help companies meet the requirements of the NIS 2 Directive. Examples include ISO 27001 certification for information security management systems and the BSI IT Grundschutz Compendium of the Federal Office for Information Security.

    Companies that are already subject to the BSI Critical Infrastructure (KRITIS) Regulation or the IT Security Act 2.0 have already established a high level of security in the past. Nevertheless, it is also advisable here to use a gap analysis to identify possible gaps with regard to NIS 2.

    A successor for the implementation of the NIS 2 Directive is still open, but this should be in place by October 2024 at the latest.

  • How will NIS-2 be applied in Austria?

    In Austria, the previous EU NIS Directive was implemented through the Austrian NIS Ordinance (BGBl. II No. 215/2019) and the Austrian NIS Act (BGBl. I No. 111/2018). A successor for the NIS 2 Directive is still open; possibly the NIS Act will be amended to cover the new requirements.

    In Austria, there are a number of technical standards and certifications that can help companies meet the requirements of the NIS 2 Directive. Examples include the ISO 27001 certification for information security management systems and the Austrian Information Security Handbook.

  • What specific details apply in Switzerland?

    Switzerland is not a member of the European Union and is therefore not directly bound by the NIS 2 Directive. However, Switzerland has similar cyber security provisions, and the requirements for critical infrastructure operators and service providers are similar to those specified in the NIS-2 Directive.

    In Switzerland, the National Cyber Security Center (NCSC) is responsible for coordinating and implementing cyber security measures. The NCSC works closely with critical infrastructure operators and other relevant partners to ensure the security of the Swiss cyberspace.

  • When should I get involved in NIS-2?

    As a company or organization, you should address the NIS 2 Directive as early as possible, especially if you are a critical infrastructure operator or digital service provider.

    If the NIS 2 Directive applies to you, you must take appropriate action promptly once your industry is brought within the scope of the NIS 2 Directive to avoid large penalties.

    Even if your company is not directly affected by the NIS 2 Directive, it can still benefit from the regulations by improving its cyber security measures and better protecting itself against cyber attacks. We can help you take appropriate measures to improve your cyber security and make your business processes more secure.

Make an appointment with our experts

Depending on the topic, we provide you with the right experts. Select your preferred date from our calendar and discuss your concerns with our experts by phone or via Microsoft Teams without any obligation. We look forward to getting to know you!

Book an appointment

Your contacts for NIS-2 compliance

Michael Happ

Head of Cyber Security

Cologne, Germany
Contact us

Sebastian Befeld

Business Area Lead

Paderborn, Germany
Contact us

Katharina Pierschalik

Partner, Business Area Lead

Paderborn, Germany
Contact us

Leon Heinrichs

Manager

Cologne, Germany
Contact us