Example: NIS-2

When applying the approach from the originals to NIS2 in summer 2023, I started with the EU version, the original NIS-2 directive. First learning: A directive has to be transferred into national law by each nation state to get activated, no further grace period. A regulation (de.: Verordnung) is activated by EU, but always contains a grace period of approximately 36 month. NIS2 was released in 2022, so the text was finalized and the minimum level of requirements was defined. On 2024-10-17 latest, the nation states should have released their national version, implementing the EU version. Some did, others not. Germany was close to release at end of 2024, but got delayed on the last mile and released the NIS2UmsuCG in 2025-12-05. But again: The EU version give a very good base line to assess the relevance for a company. Appendix A and Appendix B listed sectors and of companies in scope, other limits where stated in the main paragraphs. Seeing the first three drafts of the german version revealed, that most definitions have been copied without modifications. But at some points Germany decided to tighten the strings a bit. But the evolution of the german draft also demonstrated, that these points changed. (number of employee and turn over vs. or). The scope for the authorities and administrative bodies in contrast has been relaxed as good as possible, because security may cost money and the federal state tries to avoid costs by trading in security. Ugly, but no impact on commercial companies.

Sources

Using Garmin devices to record my outdoor activities, all tracks are send to Garmin-cloud via the app GarminConnect automatically. This is very convenient and cloud-to-cloud connections forward the tracks to Strava and Komoot. Long before the Bluetooth-Cloud-Automagic-era I already used a Garmin Edge 710 with USB connectivity only. As a Linux user I read out the TCX files from the mass storage, stored it locally and sent it to Garmin years later for completeness.

Finding upcoming regulations

The web is full of articles about new laws and regulations, but many sites from law firms write more like: “you know there is this new regulation”, “do you really know, what this implies to your company? “, “Relax, we can help you”. Some sites like openkritis.de really summarize the originals, and give status updates. Tech-News like Heise write every now and then about upcoming regulations, that all can serve as a starting point and to get an overview of the landscape. My latest gold nuggets are

tl;dr

Today, I finally launched my “Blog and Website” project. Topics will touch cybersecurity, IT@home, ski mountaineering. Starting with two articles about me, but more content is already prepared.

Why these pages

On this website I plan to publish some articles about things I learned, things I am engaged in and topics of my interest. I am not using any social media very intensively and I want to control my own content, so I decided to do it as in the beginning of the web: create a personal web page. Other channels might be used to post updates with links.

Cannot live without

Over the years I developed a passion for multiple outdoor sports, and I took care to find matching sports for summer and winter. When living in north of Germany, road biking was sufficient: Summer and winter are nearly equally cold/warm, terrain nearly flat. But when moving to the Black Forrest, a hill region in south of Germany, more opportunities came along and the winters are not so nice for biking. So today it splits as follows.