NIS-2 Directive 2025: EU Compliance Consultancy

• Only authority registration required
• Reporting obligations remain with existing regulators – no duplicate structures
• DORA compliance covers 95%

• Minimal changes for existing critical infrastructure operators
• Existing regulatory processes can be maintained
• Only additional documentation required

• 95% of requirements already met
• Only reporting procedures and registration additional
• Gap assessment possible in under 2 weeks

The NIS 2 directive establishes minimum requirements for security measures that must be implemented to strengthen a company's essential information security objectives. The focus here is on confidentiality, integrity, and availability, especially regarding all types of information, documents, software, and hardware. It is fundamentally important to maintain the four dimensions of information security (according to ISO 27001) through physical security, IT security, organizational security and personnel security.

The regulations in the area of incident reporting require essential and important companies to promptly report substantial IT security incidents (including outsourced services) to the relevant national authorities and to register the affected facilities and components. A two-stage reporting process must be followed, during which a preliminary report must be submitted within 24 hours. In the second stage, detailed information about the incident, including its impact and the immediate measures taken to mitigate it, must be provided within 72 hours. Enhanced reporting obligations can arise from the classification of incidents and the associated potential for significant impact. Sanctions may be imposed for late or omitted reporting. Therefore, companies must ensure that their communication channels for incident reporting are robust and fast enough to meet the requirements of the NIS-2 directive.

To ensure that only authorized users can access critical information and systems, the NIS 2 directive requires the implementation of effective access controls. These include not only access permissions for buildings and rooms but also the introduction of role-based access controls (RBAC) to govern access to information according to the respective permissions. Furthermore, the regulation demands comprehensive documentation of granted access rights, including any changes made. It is essential to raise employees' awareness of cybersecurity risks through training.

In addition to responding to IT security incidents, the NIS-2 directive, as part of backup and business continuity management, also aims to implement measures that should increase resilience against potential cyberattacks proactively. The focus is on the uninterrupted availability of a service. Specifically, the development and implementation of emergency plans are required, which must undergo regular testing and reviews. Furthermore, provider exit strategies must be demonstrated in connection with this. All backup and recovery procedures need to be documented.

The NIS-2 directive particularly serves to protect critical infrastructures (KRITIS) from disruptions and cyberattacks. Since October 2024, it represents an extension of the German KRITIS regulation. There are just few changes for existing critical infrastructures, but approximately 29,000 "especially important" companies are additionally included by NIS-2. More specifically, these are companies whose failure would impair public safety or the common good and that can be assigned to one of the sectors listed in Annex 1 (NIS-2). These companies are subject to stricter regulations (BCM, resilience measures, IAM, physical protection) and regular reporting obligations. Furthermore, the institutions are required to conduct a due diligence analysis to assess the risks in supply chains and procurement that have a direct impact on critical areas. To ensure continuous service delivery, alternative supply chains should also be identified.

Companies must implement a systematic risk management process in accordance with international standards (ISO 31000, ISO 27005, BSI Standard 200-3), which includes regular risk analysis. This pertains to both internal and external risks and encompasses the identification, assessment, and treatment of risks related to information systems. A systematic cross-cutting approach should be pursued to ensure a structured and continuous improvement of security measures. It is essential to adhere to the state of the art. Backup solutions, encryption methods, Multi-Factor Authentication (MFA), and Identity & Access Management (IAM) should be integrated into the risk management process.