NIS2 in practice: what companies must implement by 2025
Introduction
The EU’s NIS2 directive expands cybersecurity obligations to many more sectors and mid-sized organizations.
By 2025, companies must be able to demonstrate that risk management, incident reporting, and governance controls are operational. Compliance will hinge on documented evidence that controls are tested, not just written down.
Key Points
- Scope is broader, including critical supply-chain providers
- Executive accountability and governance requirements are explicit
- Incident reporting timelines are short and enforceable
- Risk management must cover IT and OT environments
- Penalties align with GDPR-scale enforcement
How To
1) Confirm whether your entity falls under the essential or important entity category
Map your entity and subsidiaries against national transposition criteria to determine whether you are essential or important. Document the rationale and keep it ready for regulator inquiries.
2) Run a gap analysis against NIS2 risk-management obligations
Compare current controls against NIS2 requirements for access control, incident handling, and business continuity. Prioritize gaps that affect reporting timelines or supply-chain exposure.
3) Update incident response plans to meet notification timelines
Build a reporting playbook that can deliver an early warning within 24 hours and a follow-up notification within 72 hours. Ensure that legal, security, and communications teams work from a single, shared incident timeline.
4) Strengthen supplier security controls and contract clauses
Segment suppliers by criticality and update contracts to include security requirements and incident-notification SLAs. Require evidence such as audit reports, certifications, or a documented vulnerability disclosure process.
5) Deliver board-level reporting and staff awareness programs
Provide quarterly board reporting on risk posture and remediation progress, including tested metrics. Pair that with ongoing staff awareness so reporting obligations are understood across teams.
Conclusion
NIS2 is less about paperwork and more about demonstrable resilience. Organizations that start early can avoid rushed compliance, reduce real risk, and show regulators credible evidence of readiness.