Network and Information Security – Version 2 (NIS-2)

The EU directive NIS-2 (EU) 2022/2555 (“Network and Information Security (NIS) – Version 2”) is a revised version of the NIS directive introducted in 2016. NIS-2 came into effect in the EU in January 2023 and is currently being implemented by its member states. The main goal of NIS-2 is to “achieve a high common level of cybersecurity” for the EU internal market.

Similar to KRITIS, the target group of NIS-2 are companies in “critical” industrial sectors. However, in contrast to KRITIS, the term “critical” has been expanded to include 18 sectors that are listed in the directive’s appendix as “sectors of high criticality” and “other critical sectors”. NIS-2 also divides companies into the categories “medium” and “large”, based on the company’s size and annual turnover. Overall, NIS-2 will impact a considerably larger number of companies than NIS or the former German IT security law (“IT-Sicherheitsgesetz”).

Similar to previous frameworks, the NIS-2 directive also imposes various minimum requirements on affected companies (article 21), including:

  • “a) policies on risk analysis and information system security”
  • “d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”
  • “e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”
  • “g) basic cyber hygiene practices and cybersecurity training”

With over 10 years of experience in penetration testing, NSIDE is the right partner to assist you in implementing the minimum requirements. Please feel free to contact us for advice. This includes concept reviews, penetration tests, source code analyses or vulnerability scans, for the latter we are also happy to advise you on your own setup.

Critical Entities Resilience (CER)

The EU directive CER (EU) 2022/2557 (“Critical Entities Resilience”) deals with resilience of critical infrastructure. This way, the EU bridges the gap between NIS-2 and physical resilience to external threats. The CER minimum requirements demand that affected companies “ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls”.

NSIDE’s Red Team has over 10 years of experience in this area and can assist you in discovering vulnerabilities in your physical infrastructure. This allows you to efficiently work towards implementing the CER requirements.


Contact us to uncover and close your security gaps.