Image: people looking at a computer screen, with a prominently placed NIS2 pop-up in the foreground.

Successfully implement NIS2 compliance

Updated on: 16 April 2026 · 6 min read

Building resilient NIS2 compliance in companies requires clear processes. Learn how organisations can minimise liability risks.

Contents

  1. Prioritisation
  2. The 3 most important immediate actions
  3. Meeting reporting deadlines
  4. Liability protection for management
  5. NIS2 compliance in the supply chain
  6. NIS2 compliance without certification

Meeting even the minimum requirements of NIS2 compliance calls for structured risk management. In practice this means working access controls, incident response plans that have actually been exercised, and a secured supply chain, all applied consistently in day-to-day operations rather than existing only on paper.

For NIS2 compliance, organisations do not have to implement all requirements perfectly from day one, as the directive calls for an ongoing risk management process. Those who prioritise the most critical vulnerabilities first and continuously document their progress demonstrate serious implementation, thus creating a solid basis for official audits. Nevertheless, continuous development and adaptation are necessary to ensure that all systems and measures correspond to the current state of the art.

Those who already have an ISO 27001 certification benefit from an excellent starting position. However, this is not an automatic free pass. The NIS2 requirements go significantly further in crucial areas. Companies must make improvements here. Above all, extremely strict reporting obligations for incidents and the personal liability of management often require completely new processes.

The law places a strong focus on suppliers and service providers. Companies that want to remain NIS2 compliant cannot afford to let go of the reins when it comes to partners. Firm contractual security requirements are a must. Mature organisations use regular questionnaires or targeted audits to put suppliers through their paces, and clearly defined incident reporting channels written into the contracts make sure a supplier-side incident reaches you in time to meet your own reporting deadlines.

The clock is already ticking, because the NIS2 compliance deadline in Germany fell with the entry into force of the law in December 2025. This means that companies must now be able to demonstrate an active risk management process. Those who prioritise addressing the most critical vulnerabilities now show the authorities that they are taking the requirements seriously and are on the right track.

A compass for your NIS2 strategy

Get your company ready for the new legal obligations now. The following expert articles provide you with concrete foundations and proven approaches to structurally adapt your IT security to the current requirements.

Prioritisation: NIS2 compliance as an ongoing process

The idea that NIS2 compliance can simply be completed by a deadline is misleading. The legislator thinks completely differently here. It is about a permanent process, not perfection from day one. Anyone who believes they have to present a completely unassailable fortress at the first official audit is setting completely the wrong priorities. The auditors expect something different. They want to see that an organisation has understood its real core risks and is actively managing them with sensible measures. In practice, this means that the identification and processing of risks must never stop. Every protective measure implemented must be continuously put to the test and every change properly recorded. Our guide to the NIS2 Directive highlights the current status of legal implementation in various countries. 

Our NIS2 check gives you an initial overview of where you currently stand in terms of NIS2 compliance.


The 3 most important immediate actions for your NIS2 compliance

Anyone who wants to meet all requirements at the same time quickly loses focus. IT decision-makers will do much better if they first prioritise those measures that offer the greatest protection. This way, cyber risks are measurably reduced and the next audit can be mastered with confidence. The EU directive not only requires organisational processes here, but also calls for tangible technical protective walls. Three key points cannot be postponed.

Stolen passwords are still one of the most common gateways for attackers. A consistent MFA strategy addresses exactly this risk. However, it is not enough to secure only the VPN access used for remote work. Organisations must also enforce this additional barrier for internal administrative accounts and for all cloud services, and the method matters: simple push or SMS prompts can be worn down by prompt bombing or intercepted by phishing kits, so phishing-resistant methods such as FIDO2 security keys or passkeys should be the default for privileged and cloud access. Anyone operating in the network must be able to reliably prove their identity, otherwise unquantifiable gaps remain.

A ransomware attack hits every company hard, but it must not permanently paralyse business operations. This is precisely why the law places so much emphasis on business continuity. Companies need in-depth backup strategies, and immutable backups are a core part of this concept. Such data copies must be strictly separated from the rest of the network, whether physically or logically, so that an attacker holding domain admin rights cannot encrypt or delete them. A backup that has never been restored is only an assumption: only those who regularly test full restores, measure how long they take, and document the results can bring systems back quickly in an emergency.

Anyone who leaves known security vulnerabilities open is acting with gross negligence in the eyes of the authorities. Purely manual patching no longer keeps pace with the current volume of vulnerabilities. Automated patch management is therefore not optional. If a critical update for the operating system or third-party software is available, it must be tested and rolled out within a short, defined and documented timeframe, with prioritisation based on exploitability and exposure rather than on whichever system happens to be convenient.

But the best technical walls are of little use if employees accidentally open the gates. Without ongoing Cyber Security Awareness Training and an active Human Risk Management Platform, such measures will fizzle out. Anyone looking for a holistic roadmap will find practical guidance in our detailed NIS2 Compliance Checklist.

Meeting reporting deadlines: Resilient response processes in an emergency

The EU directive prescribes strict reporting processes to make security incidents transparent. Anyone who slips up here endangers the organisation's entire NIS2 compliance. If a significant incident occurs, the affected entity must issue an early warning to the competent authority (in Germany the BSI) within 24 hours of becoming aware of it. An incident notification with an initial assessment must follow within 72 hours of becoming aware, and a final report is due no later than one month after that incident notification was submitted.

This obligation does not apply to every routine malware alert. The reporting chain starts when an incident is significant in the sense of the law, that is, when it causes or is capable of causing severe operational disruption or financial loss, or considerable damage to other parties. Since the clock starts at the moment of awareness, not at the end of the analysis, IT managers should write down their response routes, escalation contacts and decision criteria in playbooks long before the first emergency.
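The deadlines above are easy to state and easy to miscount under pressure, so a playbook benefits from a small tracker that derives them from the recorded timestamps. The following Python is an added example, not code from the original article or from any vendor; it assumes that "one month" is read as a calendar month (clamped at month end) and that all timestamps are recorded in UTC, and the incident timestamps it uses are constructed for illustration.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting windows named in the text: 24 h early warning and 72 h incident
# notification, both counted from the moment of becoming aware; the final
# report is due one month after the incident notification was submitted.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp; naive datetimes are a classic deadline bug."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Same calendar day in the following month, clamped to that month's length
    (31 Jan -> 28/29 Feb). Assumption: 'one month' means a calendar month;
    confirm the counting rule with your legal advisors."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class ReportingStatus:
    """Timestamps the incident playbook records for one significant incident."""
    aware_at: datetime                            # moment of becoming aware
    early_warning_sent_at: datetime | None = None
    notification_sent_at: datetime | None = None
    final_report_sent_at: datetime | None = None


def deadlines(s: ReportingStatus) -> dict[str, datetime | None]:
    """Due time of each report. The final report has no due time until the
    incident notification has actually been submitted."""
    return {
        "early_warning": s.aware_at + EARLY_WARNING_WINDOW,
        "incident_notification": s.aware_at + NOTIFICATION_WINDOW,
        "final_report": (add_one_month(s.notification_sent_at)
                         if s.notification_sent_at is not None else None),
    }


def overdue(s: ReportingStatus, now: datetime) -> list[str]:
    """Names of reports whose deadline has passed without a recorded submission."""
    sent = {
        "early_warning": s.early_warning_sent_at,
        "incident_notification": s.notification_sent_at,
        "final_report": s.final_report_sent_at,
    }
    return [name for name, due in deadlines(s).items()
            if due is not None and sent[name] is None and now > due]


if __name__ == "__main__":
    # Constructed scenario: ransomware encryption noticed at 02:15 UTC.
    status = ReportingStatus(aware_at=utc(2026, 3, 10, 2, 15))
    for name, due in deadlines(status).items():
        print(f"{name:22s} due {due}")
    print("overdue at 03:00 next day:", overdue(status, utc(2026, 3, 11, 3, 0)))
    status.early_warning_sent_at = utc(2026, 3, 10, 18, 30)
    status.notification_sent_at = utc(2026, 3, 12, 9, 0)
    print("final report due:", deadlines(status)["final_report"])
```

The point worth noting in the design is that the final report is anchored on the submission time of the 72-hour notification, not on the detection time, so the tracker refuses to compute it until that submission has been recorded; and because awareness, not confirmation, starts the clock, the playbook should record `aware_at` the moment the on-call engineer first recognises the incident.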

For smaller businesses in particular, establishing NIS2 compliance can seem overwhelming at this point. Only a pragmatic approach helps here. To begin with, it is sufficient to nail down the essential basic processes. Who is informed immediately if your own servers are encrypted by ransomware at night? Emergency contact numbers must be printed out on paper, because a contact list stored on the file server or in the mail system is unreachable exactly when those systems are down. The team must also know who has the authority to physically disconnect the network from the internet, and that decision must not wait for a management meeting. Such clear instructions for action can save the company in the critical first few hours.

Liability protection for management

The legislator makes it unmistakably clear where the legal responsibility lies in an emergency. It directly affects management. Because management is ultimately responsible for NIS2 compliance in the company, simply nodding through budgets will no longer be enough in the future. To reliably avert personal liability risks, the law obliges the management level to perform three very specific core tasks:

  • Formally approve security measures: Risk management strategies require official approval from the very top. Management must understand the content of the protective measures and strategically support them.
  • Actively monitor implementation: Managers must regularly check whether and how these concepts are being applied in practice. The best way for companies to do this is to establish fixed reporting structures. Via these, IT managers report the current status of NIS2 compliance directly to the management on an ongoing basis.
  • Build up your own expertise: Anyone who approves concepts must be familiar with the underlying risks. The law requires members of management to attend cybersecurity training themselves so that the executive level can make well-founded decisions.

Those who take these duties lightly risk severe personal consequences as managers.

In Germany, the consequences under the new BSIG (Act on the Federal Office for Information Security) are drastic. If board members or managing directors culpably violate their approval and monitoring obligations, they are liable to the company with their private assets (internal liability). In addition, fines can be imposed on the organisation for serious violations: for essential entities up to 10 million euros or 2 per cent of global annual turnover, whichever is higher, and for important entities up to 7 million euros or 1.4 per cent.

However, forward-thinking companies do not see this as a purely additional expense. When cybersecurity is prioritised and actively practised at the highest level, an extremely resilient NIS2 conformity is automatically created throughout the entire company.

Ensuring NIS2 compliance in the supply chain

Cybersecurity never ends at your own company’s borders. The law therefore forces a close look at the entire supply chain. Anyone who wants to achieve NIS2 compliance must systematically screen their direct suppliers. This is currently leading to a massive domino effect in the economy. Large corporations are contractually passing on their legal obligations to their service providers. The result: suddenly, even small suppliers who are not actually covered by the law have to comply with strict standards. Those who fail to meet these requirements risk losing important contracts.

Standardised contracts create security for both sides here. They define exactly what security precautions a service provider must take. This increasingly includes the human factor. Large organisations today demand proof that suppliers are actively arming their workforce against phishing. Those who rely on a well-founded Human Risk Platform here make their security level measurable. If companies then also regularly check these contractual obligations by means of an audit, the risks from the supply chain are enormously reduced.

Demonstrating NIS2 compliance without certification

You will currently search in vain for an official, Europe-wide seal of NIS2 compliance. Anyone hoping for a classic certificate (as with ISO 27001) will be disappointed. Instead, companies must demonstrate to the authorities through their own evidence that they are meeting the legal requirements, which makes the quality of that evidence the decisive factor.

In practice, this works primarily through detailed self-assessments. Standardised supplier questionnaires and consistent internal checks are part of the mandatory programme. Every protective measure that is implemented must be recorded in the information security management system, together with its owner, its current status and the evidence that it is working. A Human Risk Management Dashboard can help to document the measures relating to the human factor without gaps and present them during an audit. Only with such documentation can you be on the safe side, and a uniform certification is still a long way off in any case.

What does implementation cost without an official certificate?

Even though there are no direct inspection fees without an official certificate, implementation requires considerable resources. However, it is hardly possible to put concrete price tags on the process. The investments flow directly into tangible areas: new technologies, fail-safe systems and intensive training for the workforce. The final bill simply depends on the level of maturity a company has already reached. Those who have already invested heavily in IT security will benefit from this basis. Those who are just starting to secure their supply chain will have to budget for significantly more.

Note: This article does not constitute legal advice. It serves for general information purposes only and does not replace an individual legal review. For binding information on your obligations under the NIS2 Directive, please contact qualified legal advisors or the competent authorities.
