isecm.net

Not sued yet?
Lucky you!

NIS 2 may have been postponed, but KRITIS companies remain in the focus. Use the time now and implement the security requirements for KRITIS.
Benefit from free advice and become KRITIS and NIS 2 compliant:

These companies already rely on us and our expertise:


What is a critical infrastructure?

Critical infrastructures (CRITIS) include systems and facilities that are essential to the functioning of our society – from energy and water to health and finance. The NIS 2 Directive is aimed precisely at critical infrastructures.

For example:

Energy supply
Water supply
Healthcare
Finance and insurance
Transport and traffic
State administration
Food supply
IT and telecommunications
Municipal waste disposal
Media and culture

The NIS 2 directive:
New security and compliance requirements

The NIS 2 Directive is an EU-wide set of cyber security regulations that obliges companies to introduce stricter security measures. NIS 2 not only affects traditional CRITIS operators, but also extends the requirements to numerous new sectors, such as digital services, food and research.

Strict reporting obligation for cyber attacks and security incidents

Mandatory cyber security measures for suppliers and partners

Improved resilience and responsiveness in the area of cyber security

Creation of a harmonised level of protection for all Member States

Extension of the scope of application and stricter requirements

NIS 2 implementation delayed -
Why you should act now anyway


The introduction of the NIS 2 Directive into national law has been delayed as the legislative process in Germany has stalled. However, even if deadlines are postponed, the need to address information security and compliance at an early stage remains. Companies that take measures now will benefit from greater planning security and reduce future risks.

Are you affected by the NIS 2 Directive as a KRITIS?

The NIS 2 Directive affects far more companies than before. In addition to traditional KRITIS operators such as energy suppliers or hospitals, many medium-sized and large companies from new sectors are now also subject to the regulations.


Our decision tree will help you to assess whether your company could be affected by the new NIS 2 requirements.

Companies that do not comply with these requirements face serious consequences:

Companies that violate cybersecurity regulations face higher penalties. Operators of critical and particularly important systems face fines of up to 10 million euros or 2% of their global turnover.

Type of organisation                  From        To
Operators of critical systems         100,000 €   10 M€ or 2% of global turnover
Facilities of particular importance   100,000 €   10 M€ or 2% of global turnover
Important facilities                  100,000 €   7 M€ or 1.4% of global turnover
General offences                      100,000 €   2 M€

ISO 27001 and ISMS:
The key to NIS 2 and KRITIS compliance

An ISMS is a management system that consists of a framework of well-defined processes, procedures and management practices used to systematically manage an organisation’s sensitive data and assets.


The introduction of an information security management system (ISMS) is a good solution to fulfil the requirements of the NIS 2 and KRITIS directive. An ISMS provides you with a structured method to identify risks, take action and continuously improve the security of your systems and data.


ISO 27001 is the internationally recognised standard for the implementation and certification of an ISMS. With this standard, you not only create the basis for compliance with NIS 2 and KRITIS requirements, but also ensure the trust of your customers and partners in the security of your processes.

With a certified ISMS you can:

Identify and minimise security risks at an early stage

Define clear guidelines and responsibilities within your organisation

Prove that you fulfil the legal requirements of the NIS 2 and KRITIS guidelines

Do you have questions about ISMS and NIS 2 compliance? Our experts will advise you free of charge and without obligation.

Frequently asked questions about NIS 2 and ISO27001

What is the EU's NIS 2 Directive (NIS 2.0 Directive) and which companies does it affect?

The EU’s NIS 2 Directive (also known as the NIS 2.0 Directive) is a set of cybersecurity regulations that replaces the original NIS Directive from 2016. It sets out new, stricter requirements for the protection of critical infrastructure and important services.

The NIS 2 Directive affects not only operators of critical infrastructure such as energy, water or healthcare companies, but also many new industries, including digital services, research and food supply.

How do I prepare my company for the NIS 2 directive?

In order to prepare your company for the NIS 2 Directive, targeted measures are required, e.g.:

Check your affectedness: analyse whether your company belongs to the affected industries or sectors covered by the directive.

Assess your IT security situation: Carry out a risk analysis to identify weaknesses in your cyber security.

Introduce an ISMS: An information security management system (ISMS) in accordance with ISO 27001 helps to systematically implement the requirements of the NIS 2 directive.

Training and awareness: Sensitise your employees to cyber security guidelines and best practices.

External consulting: Consult experts who have experience in implementing the NIS 2 directive.

What happens if I do not fulfil the requirements of the NIS 2 directive?

The NIS 2 Directive enforces stricter requirements for cyber security and information management in the EU. If you do not comply with these requirements, you could face serious consequences:

Heavy fines: The EU provides for fines of up to €10 million or 2% of annual global turnover, whichever is higher.
Loss of image: A security incident can significantly damage the trust of customers and business partners.
Legal consequences: Companies can be held liable for the failure of critical systems.
Cyberattacks: Without effective protective measures, you increase the risk of successful attacks on your infrastructure.

How does the NIS 2 directive relate to ISO 27001?

The NIS 2 directive and ISO 27001 certification have similar objectives, namely to improve cyber security and protect sensitive information.
ISO 27001 is an internationally recognised standard that provides exactly this framework for an ISMS. If your organisation is already ISO 27001 certified, you have already met many of the requirements of the NIS 2 directive. These include a systematic risk analysis, regular reviews of security measures and the introduction of clear processes for responding to security incidents.

What is an ISMS and why is it important for fulfilment of the NIS 2 requirements?

An ISMS is a management system that consists of a framework of well-defined processes, procedures and management practices used to systematically manage an organisation’s sensitive data and assets. It helps to identify risks, eliminate vulnerabilities and establish clear security guidelines.

What does the implementation of the NIS 2 directive cost and how long does it take?

The cost of implementing the NIS 2 directive depends on the size, sector and initial situation of your company.

As a rough guide, the costs for a medium-sized company can be around 150,000 euros, depending on the effort involved. However, the investment is worth it: you avoid fines, improve your cyber security, enhance your image and strengthen the trust of your customers.

ISO 27001

Nothing to lose - but a lot to gain!

Take the opportunity for a free initial consultation – there is nothing to lose, but a lot to gain in terms of security.