NIS-2 Service

Your options for achieving NIS-2 compliance with BDO Cyber Security GmbH.

What is NIS-2?

For SMEs, the risk of cyber attacks is higher than ever and continues to rise; it is reasonable to assume that your company, too, will be affected sooner or later. Professionally managed SMEs have long been working intensively on protecting their data and systems, and the legislator now demands this as well. The German NIS-2 Implementation Act (NIS = Network and Information Security) transposes the EU NIS-2 Directive into national law and is therefore expected to make these obligations mandatory for many German SMEs from March 2025.

  • Are you sure that your data, systems, processes and employees are adequately and cost-effectively protected, so that an existential threat to your company can be ruled out?
  • Are you equipped for the challenges of the digital future, and can you exploit the opportunities it offers for developing your company?
  • Do you know whether your company falls within the scope of the NIS-2 requirements, and are you sure you can fulfil these obligations and thus avoid personal liability?

Our cyber security experts help you to proactively strike a balance between vulnerability detection and defence, protection of the company and NIS-2 compliance. We do this by weighing up risks and costs individually, so that you can continue to focus on your core business.

What impact does NIS-2 have on companies?

It is up to the companies themselves to determine whether they fall within the scope of the NIS-2 Directive. According to estimates, around 30,000 companies in Germany alone could be affected. The directive introduces stricter reporting obligations and clearly defined sanctions in the event of non-compliance, which underlines the need for proactive security strategies.

The scope of the NIS-2 Directive extends far beyond the operators of critical infrastructure (KRITIS) covered by previous regulation. Whether a company is affected depends primarily on its sector of activity; company size and annual turnover also play an important role. As a result, a large number of small and medium-sized companies will in future be subject to the obligations of the directive.

Our methodology for achieving your NIS-2 compliance

Our BDO NIS-2 Readiness approach to achieving NIS-2 compliance consists of a total of four phases:

NIS-2 Impact analysis:
  • Preparation and information procurement
    At the beginning, it is important to collect all the relevant information required to understand the project environment and the specific requirements. We provide you with an overview of the necessary documents and evidence by means of a requirements list.
  • Impact analysis
    We determine which of your business areas and stakeholders are affected by the NIS-2 requirements and the planned measures. This clarifies the relevance of the project for the different company segments and the potential impact on your internal processes.
  • Validation & documentation of the project scope & status quo
    Together with you, we define the scope by determining the objectives, deliverables and time frame. In addition, the current status of the relevant processes and systems is documented to provide a solid basis for further project planning and implementation.


Target/actual comparison:
  • Gap analysis
    Using a target/actual comparison, we compare your company's current security measures and practices with the requirements of the NIS-2 Directive. The gaps identified between the current state of compliance and the required standard form the basis for the next steps. We carry out this gap analysis together with you in a hybrid approach:
    • Document review
      During the document review, existing documentation and diagrams (e.g. network structure plans) are reviewed and their content checked against the requirements.
    • On-site analysis
      As part of the on-site analysis, the relevant processes and key assets are examined during site visits and interviews with the responsible persons.


As part of the gap analysis, we assess your company's maturity level with regard to the implementation of the NIS-2 Directive across the following complexes of measures, each of which comprises technical and procedural measures:

Management & Policies
  • Risk analysis and security for information systems
  • Cybersecurity assessment and risk management
Personnel Security
  • Personnel security
  • Access control
  • Asset management
  • Training courses
  • Cybersecurity and cyber hygiene
Physical Security
  • Locking systems
  • Access concepts
Supply Chain
  • Security in the supply chain
  • Security of service providers
IT Security & Networks
  • Multi-factor & continuous authentication
  • Vulnerability management
  • Cryptography and encryption
  • Secure development, procurement and maintenance
Business Continuity
  • Secure emergency communication
  • Recovery & backup management
  • Emergency and crisis management
Incident Management
  • Attack detection systems
  • Detection and handling of security incidents

  • Development and prioritisation of measures
    Measures are developed and prioritised on the basis of the gap analysis results. This involves formulating concrete recommended actions aimed at closing the identified gaps. The measures are prioritised according to urgency, available resources and their potential impact on the company's cyber security.
  • Development of a roadmap for achieving NIS-2 compliance
    The final step is to draw up a detailed roadmap for achieving NIS-2 compliance, with clear milestones, time frames and responsibilities for each measure.

Implementation

NIS-2 compliance is implemented through careful planning and execution based on the previously approved roadmap.

The implementation can be divided into the following phases: 

  • Concept
    In the concept phase, the strategies and concepts required for implementing the project in the NIS-2 requirement areas are developed. This includes analysing the specific requirements of the NIS-2 Directive and designing the technical and procedural measures that address the gaps identified in the gap analysis.
  • Operationalisation
    Operational implementation is carried out in close cooperation with your internal and external stakeholders.

We would be happy to support you in implementing the identified technical and procedural measures with the help of our other BDO Cyber Services:

Cyber Risk Management

BDO Cyber is your partner for comprehensive cyber security solutions. We offer specialised services in information security management (ISMS) and cyber risk management, enabling you to identify risks, address vulnerabilities and implement preventive measures so that you can effectively protect yourself against the consequences of cyber attacks and meet the NIS-2 requirements. We are happy to support you in strengthening the security of your company's data and personal data and in preserving the integrity of your systems.
Incident Response Service

Our incident response services support companies in responding quickly and effectively to security incidents in accordance with the requirements of the NIS-2 Directive, helping you to identify threats at an early stage, minimise damage and quickly restore the affected systems.

With our service, you enjoy full flexibility: agreed budgets can also be used for additional services from BDO Cyber Security. As a trusted partner, we work with you on your resilience in order to prevent security incidents.
Business Continuity Management (BCM)

Our Business Continuity Management (BCM) ensures your company's ability to act in the event of an incident. We develop preventive strategies and customised emergency plans that meet the requirements of the NIS-2 Directive. In this way, we ensure that critical business processes continue to run even in the event of unexpected disruptions and that your company is well prepared for crisis situations.

Contact us!

Philipp Zimmermann

Manager | Cyber Strategy & Governance
Stefan Zimmermann

Senior Consultant | Business Continuity & IT Service Continuity Management (BCM/ITSCM)