NIS2 Directive: 6 tips for implementation in companies


The EU NIS2 Directive will soon oblige many companies to meet higher cybersecurity standards - the law is expected to be ready in October 2024. What do security managers need to consider now? How do IT teams handle the additional tasks? And to what extent can Information Security Management Systems (ISMS) help? indevis knows the most pressing questions and has the right tips.

The EU NIS2 Directive has a clear goal: to strengthen resilience and responsiveness to cyber threats. In Germany, 27,000 companies could be affected by the new regulations, ten times the number of companies currently falling within the KRITIS (critical infrastructure) scope. The German implementation law is still being developed.

Law: Adoption in October 2024

The third draft bill from autumn 2023 is currently available, and a fourth is expected in spring. The law is to be enacted by October 17, 2024. All affected institutions will then be obliged to implement a series of cyber security measures. How can German companies adequately prepare for this?

EU-NIS2-Tip 1: Start now

First, check whether your company is affected by the NIS2 Directive. Do your products or services play an important role in the European economy and society? If so, the Directive applies to companies with more than 50 employees and a turnover of more than ten million euros. Also check whether the company belongs to the critical sectors according to Annex 1 or Annex 2 of the Directive and find out more about whether your company's security systems must meet the requirements of NIS2. If so, there are specific measures you can take to prepare yourself - because the sanctions here extend to managing director liability.

EU-NIS2-Tip 2: Establish an Information Security Management System

Appointed by management, the information security officer (ISO) is tasked with introducing an appropriate information security management system (ISMS). The ISO does not usually work alone, but is supported by various departments. Suitable candidates for the ISO's team are data protection and quality management officers as well as representatives from human resources, facility management, purchasing or IT. The ISO can also be recruited externally, especially if existing staff are already fully occupied with day-to-day business.

EU-NIS2-Tip 3: What does an effective ISMS look like?

An effective ISMS follows a best-practice approach and is based on proven procedures and internationally recognized standards such as ISO 27001. Although certification according to this standard is not currently mandatory, it is advisable to prepare for future requirements. In addition to ISO 27001, there are industry-specific security standards that set similar goals and are specifically tailored to the requirements of certain industries and their criticality. Guidelines such as ISO 27002 and the BSI IT-Grundschutz-Kompendium also provide practical guidance and resources to support implementation.

EU-NIS2-Tip 4: See it as a process, not a project

Building an ISMS follows an iterative approach known as Plan-Do-Check-Act (PDCA). At the beginning, goals are set, a security organization is formed and risk analyses are carried out. Based on the results, measures are implemented and documented. Internal audits are used to check progress. A management review evaluates the achievement of goals and the effectiveness of the ISMS. The ISO plays a key role in this and works closely with management to continuously improve the ISMS and raise its maturity level over time.

EU-NIS2-Tip 5: Ensure business continuity

[Image: Wolfgang Kurz, CTO at indevis (Image: indevis).]

You should also prepare for the event of a cyber attack and define responsibilities in advance. If you fall under the NIS2 Directive, incidents must be reported to the BSI. Accordingly, tools for detecting and combating cyber attacks at an early stage are crucial to increasing the resilience of the IT infrastructure; this is how damage is kept to a minimum. Companies that are well positioned here also increase their value.

EU-NIS2-Tip 6: Get support

When companies need help, they should not hesitate to call in external service providers. The experts support them at all stages of meeting the requirements of NIS2. They help to clarify impacts, define responsibilities and develop tailored training programs for employees. They also provide companies with advice and threat analysis tools to detect attacks and manage incidents so that they can respond as early as possible.

Conclusion: NIS2 requirements as an opportunity

Even if a company is not directly affected by NIS2, it must still comply with certain standards in order to counter cyber attacks. Implementing the NIS2 requirements together with an ISMS helps ensure business continuity. The measures also open up the opportunity to identify vulnerabilities and make the company and its supply chain more resilient. In this way, NIS2 strengthens cybersecurity, and with it the economy, across Europe.


About indevis

Certified according to the international standard ISO/IEC 27001, indevis IT-Consulting and Solutions GmbH is one of Germany's leading Managed Security Service Providers (MSSP) with services that are both cloud-based and on-premises. The company has been setting security standards in information technology for over 20 years and provides suitable IT security, network and data center solutions for customers of all sizes and industries.

