The NIS2 Directive, also known as the Network and Information Security Directive, deals with measures to ensure a high common level of security of network and information systems in the European Union.
The NIS2 Directive is a revision of the original NIS Directive (NIS1) and was developed in response to the changing threat landscape and new cybersecurity challenges.
It aims to further strengthen cybersecurity in Europe by imposing stricter requirements on companies and organizations, particularly with regard to security incident reporting and security compliance.
Improving the cooperation between Member States
Promoting a coherent approach to cyber security across the EU
Ensuring an adequate level of protection for critical infrastructure and digital service providers
The NIS2 Directive came into force on January 16, 2023. EU member states have until October 17, 2024 to transpose it into national law.
Energy: Companies that provide electricity and gas, including electricity grids and gas pipelines
Transportation: Companies that operate air, rail, road, sea, and inland waterway transportation
Banking: Financial institutions, including banks, stock exchanges, and payment service providers
Healthcare: Hospitals, medical facilities and healthcare providers
Water: Water utilities and water treatment companies
Digital services: Platforms, marketplaces, cloud service providers, and other digital service providers
Management of information and communication technology (ICT) services in the B2B sector
Public administration
Outer space
Postal and courier services
Waste management
Chemicals
Food industry
Processing/manufacturing industry
Digital service providers and research
| Size class | Employees (FTE) | Annual turnover | Annual balance sheet total |
|---|---|---|---|
| Small company (SE) | < 50 and | ≤ 10 million euros or | ≤ 10 million euros |
| Medium company (ME) | < 250 and | ≤ 50 million euros or | ≤ 43 million euros |
| Large company (LE) | ≥ 250 and | > 50 million euros and | > 43 million euros |
Small companies are generally not affected by NIS2. However, there are the following exceptions:
Trust service providers
Providers of public electronic communication networks
TLD name registries and DNS service providers
| Essential entities | Important entities |
|---|---|
| Large companies from sectors with high criticality | Medium-sized companies from sectors with high criticality |
| | Large and medium-sized enterprises from other critical sectors |
From a security perspective, there are no major differences in how the NIS2 Directive has to be implemented by the two groups. The differences lie only in supervision and sanctions, as follows:

| Essential entities | Important entities |
|---|---|
| Regular and targeted security checks ("ex ante") | Checks only in the event of reasonable suspicion ("ex post") |
| Random inspections | On-site inspections and external ex-post supervisory measures |
| Fines of 10 million euros or 2% of global turnover (whichever is higher) | Fine of 7 million euros or 1.4% of global turnover |
If a company falls under NIS2, it must register with the relevant authority and, in addition, implement cybersecurity improvement measures in the following areas:
Implementation of comprehensive risk management
Security in the supply chain, i.e. in dealing with business partners, suppliers, etc.
Incident and crisis management
Basic cyber hygiene
Notification and reporting obligations
The NIS2 Directive requires affected companies to take "appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems [...] and to prevent or minimize the impact of security incidents [...]".
Official Journal of the European Union L, 2022/2555, December 14, 2022
According to NIS2, companies are obliged to adapt their security measures to the current state of technology and individual threat scenarios. These protective measures must take a holistic approach that considers not only cyber-attacks, but also other potential incidents that could affect the company's own IT infrastructure and thus the provision of essential services.
| Description | Solved with lywand |
|---|---|
| Regular checks of the IT infrastructure for vulnerabilities | Yes |
| Assessment of the vulnerabilities | Yes |

| Description | Solved with lywand |
|---|---|
| Remediation of the incident | Partial |
| Maintenance of operations | No |
| Recovery after an incident | No |
| Backup management | No |

| Description | Solved with lywand |
|---|---|
| Cross-partner information systems | No |
| Dealing with business partners | No |
| Interfaces with partners | Partial |

| Description | Solved with lywand |
|---|---|
| Monitoring vulnerabilities | Yes |
| Addressing vulnerabilities | Yes |
| Check for vulnerabilities | Yes |

| Description | Solved with lywand |
|---|---|
| Permanent assessment of cyber security | Yes |
| Checking the implementation and effectiveness of measures | Yes |

| Description | Solved with lywand |
|---|---|
| Zero Trust principles | No |
| Software updates | Yes |
| Device configurations | Yes |
| Network segmentation | No |

| Description | Solved with lywand |
|---|---|
| Verification that communication channels are encrypted | Yes |
| Verification of encryption algorithms and technologies used | No |
| Encryption of business-critical data | No |

| Description | Solved with lywand |
|---|---|
| Least privilege approach | No |
| Monitoring access | No |

| Description | Solved with lywand |
|---|---|
| Reporting obligations to governmental institutions (CERT/CSIRT) | No |
| Check if multi-factor authentication is enabled | Partial |
Further information can be found in the Official Journal of the European Union.