The significance of NIS-2 and NIS2UmsuCG for companies

Interesting facts about the NIS-2 Directive and the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) in Germany
Where does your company stand in terms of risk management and resilience?
Use our NIS-2 check-up to find out.
As things currently stand, companies will be obliged to raise their IT security standards from the end of 2025. The objective is to improve protection for certain types of companies and to establish a uniform level of security across Europe. Implementation, however, confronts many affected organizations with major challenges.

What are NIS-2 and NIS2UmsuCG?

Critical infrastructure in Europe is to be better protected. With the NIS-2 Directive, the EU aims to achieve a uniform, high level of cybersecurity and to strengthen the internal market. This successor to the NIS Directive adopted in 2016 is intended not only to better protect companies and critical facilities from cyber-attacks, but also to give them binding guidelines for responding to attacks.

NIS-2 entered into force on 16 January 2023. The EU member states had to transpose the directive into national law by 17 October 2024. In Germany, the NIS2UmsuCG, currently a bill, will require selected companies and operators of critical facilities to implement and comply with the new security standards.

Key information for companies
Digital security

Data leaks, ransomware attacks, system failures: operators of critical infrastructure in Europe face a growing number of threats. These not only cause high economic losses for companies and their customers, but also endanger social stability.

In order to better meet this challenge, NIS-2 aims to establish a uniform, high level of cyber security at EU level. The EU member states are translating the directive into national law.

Raised standards

With NIS-2, the EU requires all member states to impose the same minimum IT security standards in order to ensure a common level of cybersecurity and stable infrastructure in Europe. The directive obliges member states to enforce specific measures.

National legislation must oblige companies to meet higher standards in areas such as risk analysis and risk management, incident and crisis management, and encryption.

NIS-2 not only affects a larger number of companies and organizations than the original NIS Directive, but also strengthens the powers of national authorities such as the German Federal Office for Information Security (BSI).

NIS and NIS-2

With the NIS-2 Directive, the EU is strengthening and expanding the 2016 requirements. It now covers more sectors and areas of application, with affected entities categorized as "particularly important" and "important". According to current estimates, the number of affected companies in Germany has risen to around 30,000.

National authorities will be given extended powers, for example for on-site inspections and for requesting data and documents. At the same time, cooperation between member states on cybersecurity issues will be strengthened.

Deadline for implementation

As things stand, the NIS-2 Directive is set to be transposed into national law in Germany at the end of 2025 through the corresponding implementation law (NIS2UmsuCG).

The first verification checks for companies are expected to take place three years after the law comes into force. Companies that fail to implement the required measures face fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher, for particularly important facilities; the ceiling for important facilities is lower (up to 7 million euros or 1.4 percent).

What should companies do now?

The NIS-2 Implementation Act contains various requirements that affected entities must implement. There is currently no transition period: the requirements apply as soon as the law comes into force.

However, the past has shown that the full implementation of these extensive measures requires time and forward planning. It is therefore crucial to be able to present a concrete implementation plan at an early stage.

The BSI can request proof of compliance with the requirements no earlier than three years after the law comes into force. Companies should not treat this period as a grace period but as preparation time.

Depending on the starting point, a structured approach in four phases has proven useful:

Phase 1: Impact analysis
Phase 2: Gap analysis against the NIS-2 requirements
Phase 3: Creation of an action plan
Phase 4: Implementation

The impact analysis presents particular challenges for companies with complex structures. Parent companies with several subsidiaries, including subsidiaries in other European countries, must comply with the national implementation law of each country in which a subsidiary is based.

secunet supports the impact analysis with proven and tested tools.

Using its established thematic clustering, secunet checks the individual requirements, for example in interviews, including the option of having evidence presented. The interviews follow a question set compiled by information security consultants with more than 20 years of experience.

Optionally, the gap analysis can be combined with the requirements of ISO/IEC 27001.

If companies in other European countries are assessed, the questionnaire is adapted to the national specifics.

Depending on the initial situation, the gaps identified vary considerably: some companies have already implemented comprehensive information security measures, while others have implemented only individual measures, such as a password policy.

Based on the gap analysis, secunet draws up a specific action plan. The identified measures are organized thematically according to the same clustering, which provides the basis for structured action tracking.

During implementation in particular, it is important to monitor progress continuously, identify any further need for action and initiate corrective measures.

Here, secunet provides specialist project management that combines technical consulting, the involvement of other security experts and organizational expertise.

Fields of action according to NIS-2

Implementing NIS-2 confronts many companies with the question: how do I get an overview, and how do I ensure that I meet all the requirements?

To provide orientation, we have structured the requirements into twelve fields of action. They make clear which topics are crucial, from risk management and reporting obligations to supplier management, and form a roadmap that identifies gaps and enables specific measures to be taken.


Which companies need to act now?

The extended group of affected entities also includes medium-sized companies. All organizations covered are assigned to one of several categories: critical facilities, particularly important facilities and important facilities. They can be found in the following sectors, among others:

Energy // Transport // Finance // Healthcare // Drinking water // Wastewater // Waste management // Digital infrastructure // Space // ICT service management // Logistics // Postal and courier services // Food industry and trade // Manufacturing // Digital providers // Research

Particularly important facilities: large companies with 250 or more employees, or with more than 50 million euros in annual turnover and more than 43 million euros in annual balance sheet total, as well as certain individual companies (regardless of size) from critical sectors.

Important facilities: medium-sized companies with 50 or more employees, or with more than 10 million euros in annual turnover and more than 10 million euros in annual balance sheet total, as well as large companies in certain sectors.

Critical facilities (KRITIS): facilities supplying 500,000 persons or more.

Federal public bodies: federal agencies, corporations, institutions and foundations under public law as defined in the NIS2UmsuCG, as well as federal ministries and the Federal Chancellery.


Contact
You need help preparing for NIS-2?

secunet is ready to answer your questions about the NIS-2 Directive and the NIS2UmsuCG. Simply send us a request using the contact form. We are happy to help.
