SEKurity GmbH

COMPLIANCE · NIS-2

NIS-2 requires demonstrable risk management.

Directive (EU) 2022/2555 significantly expands the set of covered entities and holds the management body personally accountable. We deliver the technical evidence for the core risk-management obligations.

01 · SCOPE

Who falls under NIS-2 – and why it is stricter this time.

NIS-2 distinguishes between essential and important entities and covers far more sectors than its predecessor: energy, transport, health, digital infrastructure, public administration, providers of digital services, manufacturers of critical products and more. The German transposition takes place through the NIS2UmsuCG; parts of the transposition process are still ongoing. Regardless of the final date of entry into force, the substantive requirements already serve as a reference for all affected organisations.

02 · OBLIGATIONS

The four obligation blocks we support with technical evidence.

  1. BLOCK · 01

    Risk management measures

    NIS-2 requires appropriate technical and organisational measures – including vulnerability management, access controls, hardening and regular effectiveness reviews. Penetration testing and continuous vulnerability management provide the evidence.

  2. BLOCK · 02

    Incident reporting obligations

    An early warning is typically due within 24 hours, a more detailed notification within 72 hours and a final report usually within one month. We help prepare the forensic data baseline and communication workflows.

  3. BLOCK · 03

    Management body accountability

    Management bodies must approve risk-management measures, oversee their implementation and undergo regular training. Our reports are deliberately structured so they can be signed off at board level.

  4. BLOCK · 04

    Evidence obligations towards authorities

    Competent authorities can order inspections and request evidence. We document tests, findings and retests in a form that holds up to regulatory scrutiny.

03 · OUR CONTRIBUTION

How penetration testing makes NIS-2 risk management measurable.

Risk management measures are only as good as the evidence of their effectiveness. We test the relevant attack paths against your production environment, document findings along your control objectives and deliver a retest that proves remediation. The result is an evidence chain that withstands audits and regulatory inquiries.

RELATED FRAMEWORKS

Adjacent regulation we also test against.

NIS-2 PREPARATION

NIS-2 puts management on the hook. We make you demonstrably compliant.

We examine with you which NIS-2 obligations concretely apply to your organisation and which technical evidence is still missing.