What is NIS-2?
The risk of a cyber-attack on any mid-sized business is higher than ever and growing. Sooner or later, your business will undoubtedly be affected. Professionally managed SMEs have been working hard to protect their data and systems for some time, but now the law is demanding it. The NIS-2 Implementation Act (NIS = Network & Information Security) transposes an EU directive into national law and is expected to become mandatory for many German SMEs in 2025.
- Are you sure that your data, systems, processes and people are adequately and cost-effectively protected to prevent a threat to your business?
- Are you prepared for the challenges of the digital future and can you capitalise on the opportunities for business development?
- Do you know if your organisation is subject to NIS-2 requirements and are you confident that you can meet these obligations and avoid personal liability?
Our cyber security experts can proactively help you combine all of the above: identify vulnerabilities, defend against threats, protect your business and position yourself for NIS-2 compliance. We weigh up the risks and costs for you, so you can focus on your business.
What impact does NIS-2 have on companies?
Companies will have to assess for themselves whether they are affected by the NIS-2 Directive. It is estimated that around 30,000 companies in Germany alone could be affected. The directive leads to stricter reporting requirements and clear sanctions for non-compliance, underlining the need for proactive security strategies.
The scope of the NIS-2 Directive goes far beyond the previously known critical infrastructure operators (KRITIS). Classification as an affected company is based on the area of activity, with company size and annual turnover also playing a significant role. This means that a large number of small and medium-sized companies will now be subject to the obligations of the Directive.
Our methodology for achieving your NIS-2 compliance
Our BDO NIS-2 Readiness approach to achieving NIS-2 compliance consists of a total of four phases:
NIS-2 Impact analysis:
- Preparation and information gathering: At the outset, it is important to gather all the relevant information needed to understand the project environment and specific requirements. We will provide you with an overview of the documents and evidence required in the form of a requirements list.
- Impact analysis: We identify which of your areas and stakeholders will be affected by the planned activities. This helps to understand the relevance of the project to different parts of the business and the potential impact on your internal processes.
- Validation & documentation of the project scope & status quo: We work with you to define the scope of the project by identifying objectives, deliverables and timeframes. We also document the current state of the relevant processes and systems to ensure a solid basis for further project planning and implementation.
Target/actual comparison:
- Gap analysis: We compare your organisation's current security measures and practices with the requirements of the NIS-2 Directive using a target/actual comparison. Identified gaps between the current state of compliance and the required standards form the basis for further steps.
- Development and prioritisation of measures: Based on the results of the gap analysis, actions are developed and prioritised. This involves formulating specific instructions for action to close the identified gaps. These are prioritised based on their urgency, resource capacity and potential impact on the organisation's cyber security.
- Development of a roadmap for achieving NIS-2 compliance: The final step is to develop a detailed roadmap for achieving NIS-2 compliance. This will include clear milestones, timeframes and responsibilities for each action.
Implementation
The implementation of your NIS-2 compliance is achieved through careful planning and execution based on the pre-approved roadmap.
Implementation can be broken down into the following phases:
- Conception: The design phase involves the development of the strategies and concepts required for project implementation in the NIS-2 requirement areas. This includes analysing the specific requirements of the NIS-2 Directive and developing technical and procedural measures to address the gaps identified in the gap analysis.
- Operationalization: Operational implementation is carried out in close collaboration with your internal and external stakeholders.
We are happy to support you in implementing the identified technical and procedural measures with the help of our other BDO Cyber Security Services: