Compliance consulting for EU directives NIS2 and CER
From October 2024, the two European directives NIS2 (cyber security) and CER (physical security of critical facilities) will also come into force in Germany. We support affected companies in analysing and complying with their requirements.
We take care
Tasks
With an impact analysis, we first determine whether and how the regulation applies to your company. Together with you, we develop the technical and organisational measures that are necessary in the new legal framework. The cornerstone of this compliance: comprehensive risk management.
- Support and consultation during the process
- Impact analysis
- Evaluation and adjustment of risk management
- Strategic consultation on the implementation of requirements
- Documentation and reporting
- Introduction and enforcement of specific documentation requirements
- Consulting on the mandatory reporting of incidents
- Registration and communication with the supervisory authorities
Are you interested in or have a specific need for one of the topics listed? Please contact us.
Benefits
At a glance
Standards and Best Practices
We harmonise international standards, regulatory requirements and industry-specific procedures with corporate reality.
Political committee work
We already participate in the legislative process as experts and lobbyists and advise associations and companies on positioning and implementation.
Practical expertise
Our team has knowledge and proven hands-on skills in all relevant areas: risk, business continuity and information security management, data protection, and implementation at all levels of the organisation and its technology.
Strategic consulting
Information security is the responsibility of the management. We advise company management and their organisation on the strategic implementation of cyber security and technical compliance.
Information
Background and details
The European Union's NIS2 Directive, which came into force in January 2023, regulates the cybersecurity requirements for companies in all sectors considered critical. It distinguishes between "essential" and "important" organisations that are subject to regulation of their information security, risk management and reporting obligations. The directive prescribes binding measures to ensure the resilience of organisations:
- Concepts relating to risk analysis and security for information systems
- Management of security incidents
- Business continuity, such as backup management and disaster recovery, and crisis management
- Security of the supply chain, including security-related aspects of the relationships between individual organisations and their direct suppliers or service providers
- Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
- Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
- Basic cyber hygiene procedures and cyber security training
- Concepts and procedures for the use of cryptography and, where applicable, encryption
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation
Like every European directive, NIS2 must also be transposed into the German legal framework by law. The deadline for this is 17 October 2024, by which time operators of the affected facilities must at least be prepared to demonstrate compliance with these requirements.
As a cyber security directive, NIS2 is flanked by the CER Directive, which came into force at the same time and is also due to be implemented in Germany as the "KRITIS Dachgesetz". CER stands for "critical entities resilience" and forms the superstructure for sabotage protection and physical security of critical facilities.
While NIS2 regulates the area of cyber security, the "Critical Entities Resilience" (CER) Directive is the centrepiece of the reform for the regulation of physical security for providers of critical services. Above all, it regulates the obligation to introduce risk management with an "all-hazards approach", i.e. one that takes into account all factors that could jeopardise ongoing operations.
Three fundamental changes will be relevant for the companies affected by NIS2:
- The number of sectors affected will increase from eight to 18, bringing the total number of companies affected to around 30,000 (from only around 3,000 under the previous regulation)
- The catalogue of fines for non-compliance with the regulations now also provides for penalties that are not capped at an absolute amount but can reach up to 2.4 percent of the global annual turnover of the company that is fined.
- For the first time, manager liability is introduced, which can be enforced against personal assets in the event of a breach of the regulations.
In addition to these already considerable extensions and tightening, certain sectors are subject to particularly strict regulations. Domain name services, trust service providers and similar "super-critical" services, for example, are subject to even stricter rules than other sectors.
As with operators previously categorised as KRITIS companies, there are several competent supervisory authorities tasked with enforcing the requirements and, if necessary, imposing fines. Depending on the sector and criticality, these include:
- Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK)
- Bundesnetzagentur (for telecommunications and electricity network operators)
- Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
Team
Reliable contacts
From the initial consultation to the finalised security concept, we are at your side and ensure that you are optimally positioned in accordance with the legal requirements, with minimal effort on your part.
Mathias Handsche
Managing Director
Contact us
We are here to help you
Contact us by post, in person or by e-mail!