NIS-2 - Three Questions for our Experts on the New EU Directive

7 March 2024

NIS-2: The new EU directive for cyber security is currently raising questions for security managers in countless companies: Are we affected? What requirements will we have to fulfil? What exactly do we know at this point? Dr. Marian Corbe, Chief Executive Officer at RST Informationssicherheit GmbH, and Vinzent Ratermann, IT security expert for critical infrastructures at usd AG, have the answers. In their German-language webinar on NIS-2 on 14 March 2024 they will take you through the expected timeline and give you tips on how to start preparing now.

They have answered three of our most pressing questions in advance:

NIS-2 is not the EU's first cyber security directive. Why is it currently causing headaches for so many companies?

Dr. Marian Corbe, Managing Partner of RST Informationssicherheit GmbH, NIS-2

Dr. Marian Corbe: NIS-2 is the successor to NIS-1, which has been implemented in Germany since 2015 through the IT Security Act and mainly places requirements on critical infrastructure companies (KRITIS). As the scope of NIS-2 is much larger than previous requirements, the national implementation of NIS-2 is the first time that a large number of companies will have to deal with the new regulatory requirements. However, it is not only the number of affected companies that is increasing - in many cases, more or even all systems within the companies must also be considered.

What companies are affected by NIS-2?

Vinzent Ratermann: It is not yet possible to give a general answer as to which companies are specifically affected. There are still too many unknown parameters. This is certainly one of the reasons why NIS-2 is currently keeping so many companies on tenterhooks. Because one thing is clear: NIS-2 will affect many more companies than NIS-1 and the IT Security Act. The new directive covers more sectors and may also affect SMEs. In addition, there are other special regulations that apply regardless of the size of a company. It is therefore always necessary to carefully consider each individual case in order to provide a reliable answer to this question.

Vinzent Ratermann, expert in IT security for critical infrastructures at usd AG, NIS-2

Should we start preparing now - and how?

Dr. Marian Corbe: The transposition of the NIS-2 Directive into national law has not yet been completed - this must be done by 17 October 2024. Even if it can be assumed that some things could still change in the actual details of the requirements by then, our clear recommendation is: don't waste any time and prepare yourself for the event that you have to demonstrate security measures as part of NIS-2. According to our current state of knowledge, many of the required measures will correspond to proven best practices. Addressing these issues is therefore not only good preparation for NIS-2, but also strengthens the overall security level of your company.

Learn more

Would you like to find out more about NIS-2 or do you have specific questions? Get answers in the free German-language usd webinar NIS-2 - Alles Wissenswerte zur Vorbereitung.

Or contact us directly. We are happy to help.

Also interesting:

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

The Digital Operational Resilience Act (DORA) will apply as of January 17, 2025. In addition to routine operational resilience testing, DORA will also make it mandatory for certain financial companies to carry out threat-led penetration testing (TLPT) every three...

Security Advisory on Gambio

The pentest professionals at usd HeroLab examined the online shop software Gambio during their pentests. The software offers merchants various functions that support the management of inventory and orders. Our professionals discovered a vulnerability in the password...