NIS-2 Directive
In addition to comprehensive cybersecurity measures, NIS-2 brings with it stricter reporting obligations, expanded risk management and significantly greater management responsibility. Those who do not address the new requirements early on risk not only security gaps and operational risks, but also severe penalties.
For companies, this means extensively adapting their existing processes and systems in order to fulfil the new, strict requirements.
Would you like to find out more about NIS-2?
Here we explain the directive in detail and answer the most frequently asked questions.
How we can support you
We analyse your existing security infrastructure and assess the extent to which you already comply with the NIS-2 requirements. In the course of an audit, we check whether the current state of your cyber security meets those requirements, using the requirements of the Federal Office for Information Security (BSI) as our benchmark.
We help you to draw up security guidelines, contracts with service providers and internal documentation that fulfil the new requirements. NIS-2 places obligations on business partners and suppliers. We ensure that contracts are adapted accordingly. We also evaluate whether partners pose any security risks.
Our co-operation partner RIEDEL Networks carries out a detailed review of your IT infrastructure and identifies weak points. With the [R.E.D.] service, you can hand over responsibility for continuous 24/7 monitoring. In the event of a security incident, you will be informed immediately and supported by technical experts.
New with NIS-2 are the comprehensive reporting obligations. These include, for example, staffing a contact point 24 hours a day, 7 days a week, and complying with the three-stage reporting obligation (early warning, incident notification, final report) within the statutory deadlines in the event of a significant security incident. We support you in developing an efficient and legally compliant reporting chain for security incidents.
Raising awareness and providing practical training on how to deal with cyber security risks is essential.
In order to effectively prepare your management and employees for NIS-2 and reduce the ‘human’ risk, we offer online training courses to increase security awareness. This can greatly reduce liability risk.
With our comprehensive solution, you are on the safe side technically, legally and organisationally.
The implementation of NIS-2 requires a combination of legal compliance and technical cyber security. For a customised solution that implements all aspects of the NIS-2 directive, we are therefore cooperating with RIEDEL Networks GmbH & Co. KG, a provider of customised telecommunications and network services.
RIEDEL Networks takes care of the technical implementation and checks your network and IT security; we take care of the legal and organisational requirements. In this way, legal requirements are taken into account and directly effective security measures are put in place.
The RED-Skull Vulnerability Assessment Service is a non-disruptive, streamlined, and automated solution for uncovering vulnerabilities and delivering actionable insights within your network. With state-of-the-art scanning technology and a preconfigured hardware appliance, the service enables a seamless process from preparation through to reporting. This allows potential risks to be identified effectively while maintaining operational continuity.
The trade magazine IT-BUSINESS spoke with Dr. Arnt Glienke, LL.M., CCP, our Head of Legal & Compliance, and Michael Martens, CEO of Riedel Networks. In the issue of July 23, 2025, our concept was presented. If you are interested, you can find the article here.
The NIS 2 compliance audit: your first step to safety
To give companies an initial orientation, we offer an NIS 2 compliance audit. This is based on the proven building blocks of BSI IT baseline protection and enables a structured analysis of current security measures. Together with your IT and compliance team, we go through a structured catalogue of questions that covers all relevant areas of NIS-2 – from technical protection measures to legal processes.
On completion of the check, you will receive a detailed report with an assessment of your current status, identified vulnerabilities and specific recommendations for action to improve your security strategy.
How our collaboration works
- Creation of an audit plan, i.e. affected departments and focus topics
- Review of the current situation through an audit
- Establishment of risk management
- Support with implementation (e.g. setting up the contact point)
- Adaptation of contracts and evaluation of partners
- Training and sensitisation of employees
Technical security with RIEDEL Enterprise Defence [R.E.D.]
Our partner RIEDEL Networks offers the corresponding RIEDEL Enterprise Defence [R.E.D.] solution to identify and eliminate vulnerabilities in the system. With the [R.E.D.] service, you can protect your company from cyber attacks around the clock – through prevention, detection and response, including compliance and reporting.
By combining state-of-the-art technologies, [R.E.D.] creates a strong line of defence against cyber threats. The security toolbox enables comprehensive vulnerability analysis, active protection and targeted preventive measures – all monitored and controlled via the Security Operations Centre (SOC).
What exactly is NIS-2 about?
The NIS 2 Directive presents companies with new and extensive challenges. The extended requirements demand a significant strengthening of security measures and the introduction of more comprehensive protection mechanisms for networks and information systems.
The NIS 2 Directive applies to companies and organisations operating in certain critical sectors. The 18 sectors affected include, among others:
- Energy
- Healthcare
- Manufacturing sector
- Finance
- Transport
- Digital infrastructure and digital services
- Public administrations
- Food production and processing
The obligated companies must now not only review and adapt their existing security precautions, but also continuously monitor and respond to new threats.
Companies must take several measures to comply with the NIS 2 Directive:
- Implementation of robust security measures: Companies must protect their networks and information systems with appropriate technical and organisational measures to prevent and defend against cyber attacks.
- Regular risk analyses: Companies must carry out regular risk assessments to identify potential vulnerabilities and implement appropriate protective measures.
- Reporting of security incidents: Companies are obliged to report serious security incidents immediately to the competent authorities to enable a rapid response and cooperation.
- Training and awareness: Employees must be regularly trained and made aware of cyber security risks in order to promote security-conscious behaviour and minimise human error.
- Emergency plans and crisis management: Companies must establish emergency plans and crisis management processes in order to be able to react quickly and effectively in the event of a cyberattack.
This means effort for the companies concerned, but non-implementation could result in severe penalties:
- The extended liability of managing directors means that managers can be held personally responsible for compliance with cyber security requirements.
- In serious cases, essential entities can be fined up to 10 million euros or 2% of their global annual turnover, whichever is higher; for important entities the maximum is 7 million euros or 1.4% of global annual turnover.
- Violations may be publicised in a manner that damages the company's reputation.
We are happy to support you with our services and help you to fulfil the requirements.
Important questions and answers on the NIS-2 Directive
The NIS 2 Directive aims to strengthen cybersecurity in the European Union by introducing higher security standards and reporting obligations for companies. It aims to increase the resilience of critical infrastructures and improve cooperation between member states.
The EU directive NIS-2 (Network and Information Security Directive), which sets new common minimum standards for cyber and information security in the European Union, entered into force at EU level on 16 January 2023. It obliged all EU member states to transpose the directive into national law by 17 October 2024 at the latest.
In Germany, the NIS-2 Directive was finally transposed into German law by the NIS-2 Implementation Act (NIS-2-Umsetzungsgesetz). This act was passed by the Bundestag and Bundesrat, published in the Federal Law Gazette (Bundesgesetzblatt) on 5 December 2025 and entered into force on 6 December 2025. Since that date, the new rules and obligations have applied to affected companies and institutions under German law. The BSI registration portal has been open since 6 January 2026.
Specifically, this means:
A company is considered to be affected by NIS-2 if it operates in one of these sectors and reaches the size of a medium-sized enterprise, i.e. it meets at least one of the following conditions:
- At least 50 employees, or
- Annual turnover exceeding €10 million and an annual balance sheet total exceeding €10 million
Note that for certain types of entity (for example providers of DNS services, top-level domain name registries and trust service providers) the directive applies regardless of size, and the size thresholds must be checked against the group of companies as a whole, not just the individual legal entity.
Within 24 hours (early warning):
You must submit an initial assessment (the early warning) to the competent national authority or CSIRT (Computer Security Incident Response Team) within the first 24 hours of becoming aware of a significant security incident. If applicable, indicate whether the incident may be due to illegal or malicious actions, whether it could have a cross-border impact, and provide initial information on the potential impact on systems and security of supply.
Within 72 hours (incident notification):
You must compile a more detailed report, updating the early warning and containing the Indicators of Compromise (IoCs) available at that time, and submit it to the competent authority no later than 72 hours after becoming aware of the incident. These IoCs, such as IP addresses, malware signatures or unusual network activity, serve to identify the threat. Supplement the report with an initial assessment of the severity of the incident and its impact on affected services and customers.
After one month (final report):
You must submit a comprehensive final report no later than one month after submitting the 72-hour incident notification. This report must describe the security incident in detail, analyse the root causes, assess the severity and document the impact, including any cross-border effects. In addition, you must explain the type of threat (e.g. ransomware, DDoS attack), describe the remedial measures taken and evaluate their effectiveness. Finally, you should formulate specific recommendations to prevent similar incidents in the future and improve the cyber security situation. If the incident is still ongoing after one month, a progress report is due instead, with the final report following within one month of the incident being handled. The authority may also request intermediate status updates at any time.
Companies that violate the NIS 2 Directive face significant sanctions. Depending on the severity of the offence and the national legislation of the EU member states, these can include the following measures:
- Management liability: The NIS 2 Directive introduces extended management liability, which means that executives can be held personally liable for compliance with cybersecurity requirements.
- Heavy fines: Companies can be subject to substantial fines. For essential entities these can amount to up to 10 million euros or 2% of global annual turnover, whichever is higher; for important entities the maximum is 7 million euros or 1.4% of global annual turnover.
- Public disclosure: Violations may be made public, which can significantly damage the company's reputation.
The responsibility for implementing the NIS 2 Directive in companies lies with the top management level, in particular the managing directors and board members. These managers are responsible for ensuring that their company takes and maintains the necessary measures to comply with the directive.
They must check at an early stage and independently whether the company falls under the directive. A special feature is that the directive provides for the personal liability of the management if necessary measures are not implemented.
The requirements for companies comprise a range of tasks from different fields. Software-based solutions help you to comply with all obligations and, in particular, simplify the fulfilment of the obligation to provide evidence.
The NIS-2 directive should not be understood as a static guideline, but aims to motivate companies to continuously manage risk.
Would you like more detailed information? Get free access to our German-language NIS-2 webinar recording.
Your personal contact
Dr. Markus Hülper, Attorney at Law, specialist for data protection, compliance & IT security
- +49 40 257 660 900
- +49 40 257 660 919
- m.huelper@clarius-ds.com