NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)
NIS-2 requirements: accountability and evidence obligations
The law significantly expands the group of affected companies and distinguishes between “important” and “particularly important” entities. The scope includes companies that can be assigned to one of the 13 sectors defined by law. These include energy; transport and traffic; finance; healthcare; water; digital infrastructure; space; waste management; manufacturing, production, manufacture and trade of chemicals; production, processing and distribution of food; manufacturing industry/production of goods; providers of digital services; and research.
Companies in these sectors that meet the criteria of at least 50 employees or annual turnover of more than €10 million are classified as “important” entities. Larger entities with 250 or more employees or €50 million in turnover are classified as “particularly important” entities and are subject to stricter regulatory oversight. In terms of content, the legislator requires, among other things, a comprehensive information security management system (ISMS) and risk management, ranging from risk analysis and handling security incidents through to supply chain security.
The role of executive management is particularly relevant: under NIS-2, it must not only support the implementation of the measures but also actively monitor it. To avoid fines and possible personal liability of the legal representatives for violations, robust evidence must be maintained.
Meeting the NIS-2 requirements calls for transparency and verifiability. Our experts assess the status of your processes and systems, review compliance with legal requirements, systematically identify deviations, and support you with a practical implementation of the documentation obligations. This paves the way for demonstrable and robust IT security.