Example: NIS-2

When I applied the approach from the originals to NIS-2 in summer 2023, I started with the EU version, the original NIS-2 directive. First learning: a directive has to be transposed into national law by each member state before it takes effect, and there is no further grace period. A regulation (German: Verordnung) is put into force by the EU directly, but always comes with a grace period of approximately 36 months. NIS-2 was released in 2022, so the text was final and the minimum level of requirements was defined. By 2024-10-17 at the latest, the member states should have released their national versions implementing the EU directive. Some did, others did not. Germany was close to release at the end of 2024, but got delayed on the last mile and released the NIS2UmsuCG on 2025-12-05. But again: the EU version gives a very good baseline to assess the relevance for a company. Appendix A and Appendix B list the sectors and kinds of companies in scope; other thresholds are stated in the main articles. Looking at the first three drafts of the German version revealed that most definitions had been copied without modification. At some points, however, Germany decided to tighten the strings a bit. The evolution of the German drafts also showed that these points kept changing (for example the number-of-employees and turnover thresholds: "and" vs. "or"). The scope for authorities and administrative bodies, in contrast, has been relaxed as far as possible, because security may cost money and the federal state tries to avoid costs by trading in security. Ugly, but no impact on commercial companies.

Mapping to my company

Finally, our conclusion was that we are at least an “important entity” (“wichtige Einrichtung”), but because our HQ runs the data center for our CSOs, we (the HQ) are a data center provider, and that is an “essential entity” (“wesentliche Einrichtung” (EU) / “besonders wichtige Einrichtung” (DE)). No problem: the actual risk management requirements are the same; only the penalties increase, and audits can be initiated without any special trigger. Having all of that documented helps to align with the legal department and keeps the CDO / board in sync. Yes, it costs some hours or days, more time than asking a consultant. But now we (me, legal, CDO) are confident that we understand all implications, and any auditor will appreciate written documentation.

Implementation with ISO 27001

After identifying the need to implement NIS-2, or better: to be NIS-2 compliant, the next questions are: how big is the gap, and what remains to be done? So a fit-gap analysis has to be done, and for that the actual requirements should be more precise than the few paragraphs of Article 21 of NIS-2.

The best internationally visible standard for information security with respect to risk management is ISO 27001. It defines requirements for an Information Security Management System (ISMS), but unlike other management system standards it also requires 93 (version: 2022) “controls” to be implemented. These are the hard facts, the baseline of information security.

A comparison with other frameworks like BSI Grundschutz or the NIST Cyber Security Framework shows that ISO 27001 leaves room for individual implementations (BSI Grundschutz is very comprehensive and specific), that it can be certified against (NIST CSF cannot), and that it seems to be evolving into a standard like ISO 9001, which is mandatory for many companies.

Mapping NIS-2 to ISO 27001

On the internet, multiple sources can be found that map the NIS-2 requirements to the controls of ISO 27001. These are not “officially approved”, but when reading them the mapping seems obvious and reasonable. So ISO 27001 sets our new baseline.

(The standard itself is not freely available, so no direct links are given here.)