NIS2 Directive: Why companies now

A law that changes the rules of the game

Cyber security has long been a topic for the IT department. The NIS2 Directive is fundamentally changing the picture. From October 17, 2024, the new EU regulation will also apply in Germany – and it will affect far more companies than many previously assumed.

What is new is that responsibility no longer lies solely with experts in the background. Managing directors and board members are directly responsible. Those who neglect security measures risk not only attacks, but also fines of up to 10 million euros.


Who is affected?

The directive is aimed at companies in critical sectors – from energy, health and finance to transport, postal services, waste management and digital services. As a rule, companies with more than 250 employees or a turnover of more than 50 million euros are affected. However, smaller companies can also be included if they are part of a sensitive supply chain.

In other words, many German companies will be subject to completely new security requirements from fall 2024.


What is changing

NIS2 is not a “nice-to-have”, but a mandatory program. In future, companies will have to report security incidents within 24 hours, closely examine their supply chains and integrate cyber security into their processes from the outset.

Above all, however, the management itself is responsible. Management must not only approve security measures, but actively monitor them. Anyone who is negligent here is personally liable.


Why waiting is risky

A breach of the directive can be expensive, but that is not the only cost. It also jeopardizes the trust of customers and partners. Clients are increasingly demanding proof that their business partners are NIS2-compliant. Those who cannot provide this run the risk of losing orders and collaborations.

The directive thus makes visible what has long been a reality: cyber security is a competitive factor.


What companies should do now

The good news is that there is still time to prepare. The first step is to take stock. Where do we stand? What gaps are there? What measures do we need to take by October 2024?

A structured audit uncovers these points and provides the basis for a roadmap. This allows responsibilities, budgets and deadlines to be clearly defined – and companies are on the safe side before things get serious.


Sheriff Security supports companies in Germany in implementing the NIS2 requirements pragmatically and efficiently. From the initial analysis to the finished security concept.

Let us check together how well prepared your company is. Arrange a non-binding initial consultation now.


Conclusion: both a duty and an opportunity

The NIS2 Directive brings stricter rules and higher requirements. But it also opens up opportunities: those who act in good time show digital strength, gain trust and protect themselves from damage that goes far beyond fines.

Frequently asked questions about the NIS2 Directive

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security 2) is an EU-wide requirement for higher cybersecurity standards. It obliges companies to implement technical and organizational measures to better protect themselves against cyberattacks.

When does the NIS2 Directive apply in Germany?

Germany must transpose the NIS2 Directive into national law by October 17, 2024. From that date, affected companies are obliged to comply with the requirements.

Which companies are affected by NIS2?

Medium-sized and large companies with 250 or more employees or more than 50 million euros in turnover are affected. These include essential entities such as energy, health or finance, as well as important entities such as postal services, waste management, medical technology, electronics or digital services. Smaller companies can also be included if they are part of a critical supply chain.

What penalties apply for violations?

Companies that do not meet the NIS2 requirements must expect high fines – up to 10 million euros or 2% of global annual turnover. In addition, managing directors and board members face personal liability.

How can companies implement NIS2?

The first step is taking stock through an audit. This is followed by an action plan with responsibilities and deadlines. Sheriff Security supports this with practical solutions – from gap analysis and awareness training to technical security concepts.
