NIS-2 Workshop to prepare the implementation of the NIS-2 Directive

Background

An IT system house approached 3-core GmbH with the request for a hands-on workshop on the NIS-2 Directive to gain an understanding of the upcoming obligations arising from the NIS-2 Implementation and Cybersecurity Act (NIS-2-UmsuCG) in Germany. The aim was to clarify whether the company is affected by the scope of application, what security requirements result from this and what specific measures need to be introduced.

With the entry into force of EU Directive 2022/2555, the scope of security requirements will be significantly expanded. Companies in critical or technology-related sectors in particular, such as IT service providers, will have to provide extensive evidence in matters of security and actively involve management.

Solution

3-core GmbH designed and led the NIS-2 workshop, which covered both legal and technical aspects and established a connection to the operational implementation of the NIS-2 Directive within the company. The company had completed a questionnaire in advance, which enabled 3-core GmbH to respond specifically to individual questions, existing structures and industry-specific requirements.

The first step was to provide a comprehensive overview of the EU NIS-2 Directive and the status of the German implementation law. The experts from 3-core GmbH then analysed together with the customer whether the company is considered an ‘important’ or ‘particularly important’ institution and therefore falls within the scope of application.

The workshop provided a comprehensive overview of the relevant requirements from the NIS-2-UmsuCG, including risk management and emergency preparedness measures. In addition, the legal reporting obligations, verification requirements and the special responsibility of the management were explained in a hands-on manner. A further focus was on developing a structured roadmap with clear tasks, responsibilities and timetables for the gradual implementation of the legal requirements. Particular attention was paid to established standards such as ISO 27001 and BSI IT baseline protection.

Our services

Delivery of a practical NIS-2 workshop

Development of an individual roadmap for NIS-2 compliance

Integration of NIS-2 requirements into existing operational processes and guidelines

Analysis of obligations under the NIS-2 Implementation and Cybersecurity Act (NIS-2-UmsuCG)

Review of existing BCM structures, crisis management processes and physical security measures

Documentation of key measures and recommendations for internal implementation