The NIS 2 Directive must be transposed into national law by October 17th, 2024. From October 18th, organizations based in an EU member state or operating within the European Union must be able to demonstrate that they are effectively strengthening their cybersecurity. This is accompanied by reporting obligations in the event of incidents, the inclusion of the supply chain, severe penalties and numerous cross-sectional disciplines from the areas of governance, risk management and compliance (GRC). GRC software provides you with optimal support in demonstrating your NIS 2 compliance.
OMNINET already supports customers in preparing for NIS 2 compliance.
NIS 2 coverage in the OMNITRACKER GRC Center
- Risk-based approach
(integrierted risk management) - Crisis and emergency management
(business continuity management) - Asset management
(identifying protection requirements and evaluation of asset dependencies) - Supplier-specific risks
(risk-based supply chain management) - Initiating and documenting measures and controls
(mandatory content of reports) - Optimally prepare and efficiently perform audits
- Providing of a contact and reporting channel
- Document filing in central document management
- ISMS obligation for critical areas
Individual technical consulting on your NIS 2 compliance
The NIS 2 Directive has many thematic overlaps with other areas of governance, risk management and compliance. The OMNITRACKER GRC Center multistandard solution supports you by centrally managing all compliance, audit, risk management and documentation topics. This creates synergy effects and enables you to comply with the upcoming requirements of the NIS 2 Directive in an audit-proof and efficient manner.
Background, obligations and sectors affected by the NIS 2 Directive
Background
The aim of the NIS 2 Directive (link to the official website of the EU) is to strengthen the cybersecurity of important and relevant organizations. The most important sectors for a functioning digital society and organizations above a certain size must therefore prove that they have effective, risk-based cyber protection when the respective national law comes into force (in Germany via NIS2UmsuCG). Overall responsibility lies with management, who must attend security-related training courses, among other things. Staff awareness must also be ensured. The estimated 30,000 organizations affected face sanctions if they fail to meet their obligations..
Obligations
In the event of an incident, this must be reported to a supervisory authority in an early warning, interim reports if necessary and a final report. These reports must contain information on which organizational areas are affected by the cybersecurity incident (asset management is useful), what measures have been taken and what measures can be used to prevent or mitigate similar incidents in the future.
Relevance
The NIS 2 Directive affects numerous industries and sectors, which are defined in two annexes. Medium-sized institutions with more than 50 employees and an annual turnover of more than 10 million but less than 50 million euros (or an annual balance sheet of no more than 43 million euros) that are listed in an industry in Annexes 1 or 2 must be prepared to implement the NIS 2 Directive from October 2024. The same applies to large companies with more than 250 employees and an annual turnover of more than 50 million euros or an annual balance sheet of more than 43 million euros.
Significant and important facilities will fall within the scope of NIS 2 regardless of turnover or number of employees.
In addition, smaller organizations may also fall under NIS 2 by order of the authorities, for example if they are part of the digital infrastructure, are DNS providers or offer critical services—public administration is also an exception here. Organizations previously classified as critical infrastructures are all affected by NIS 2.
Which category an institution falls into affects potential sanctions and supervision (reactive/proactive).
Annex 1: Sectors of high criticality
Energy
Transport
Banking
Financial market infrastructures
Health
Drinking water
Waste water
Digital infrastructure
ICT service management
Public administration
Space
Annex 2: Other critical sectors
Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Production, processing and distribution of food
Manufacturing
Digital providers
Research
GRC Center as a multistandard solution—a central tool for all management systems, risks and audits
With the GRC Center, you are not only prepared for the compliance requirements of the NIS 2 Directive, but also for auditing your ISMS (e.g. in accordance with ISO 27001), IMS, quality management system (ISO 9001) or numerous other (including upcoming) standards and regulations. The advantages of widespread compliance are obvious: risks and organizational units are maintained in a central location. An authorization and role concept is used to manage, document and continuously improve the management of risks, measures, controls, audits, contracts and emergency plans.
NIS 2-relevant features in the OMNITRACKER Governance, Risk and Compliance Center
- Integrated risk management
- Role concept for approvals and responsibilities
- Multistandard capability (any compliance records bundled in one tool)
- Document management (versioning, filing, approval, subscription function)
- Supplier management (for outsourced NIS 2-relevant processes/services)
- Establishment of an ISMS (certifiable in accordance with ISO 27001)
- Central reporting channel
- Compliance case management
- Business continuity management (emergency management)
- Action and control management (including action plans)
- Audit management (audit planning and execution)
- Asset management (dependencies, categorization and evaluation)
OMNINET's realization know-how for compliance projects
As a digitalization partner, we are happy to prepare you for the new EU Directive, for example in the management areas of supplier, asset, crisis, audit, document and risk management as well as in the establishment of a reporting channel or in the structured, process-based clarification of responsibilities and competencies. We are happy to support you in all phases of project realization, from requirements analysis, implementation and technical consulting to go-live and the continuous maintenance and development of your system.
To ensure that the implementation runs smoothly, we are at your side as an experienced consulting partner. We know the tool in detail and have comprehensive expertise of all software implementation processes.
In a workshop, we develop the individual requirements of your OMNITRACKER system together. Then, we systematically document the results in the OMNITRACKER Requirements Management Center
We also take care of project management and controlling. Our standardized and field-tested process model is suitable for both agile and traditional project execution.
After defining the system and business processes, we implement your requirements quickly in OMNITRACKER. Complex and highly individual configurations are also possible.
After an extensive and successful test phase—and final adjustments, if necessary—your OMNITRACKER installation is put into operation with our support.
After the go-live, we are glad to answer your question about ongoing operations, change requests or performance enhancements.
Good reasons for choosing OMNITRACKER
|
|