
Implement NIS2 easily with Hays

We accompany you from the analysis to the compliant implementation of the NIS2 Directive

Arrange a consultation with us now

What is NIS2?

The NIS2 Directive (Network and Information Security Directive 2, Directive (EU) 2022/2555) is an EU-wide directive that aims to strengthen cyber security in the European Union. In contrast to the previous NIS Directive, which only covered operators of essential services in critical infrastructure sectors and certain digital service providers, it affects significantly more companies and sectors, for example research institutions, digital services and manufacturing. Austria and the other EU member states had to transpose NIS2 into national law by 17 October 2024.
This puts considerable pressure on many companies, and in particular on their management and cyber security officers, because members of the management body can be held personally liable if the obligations of the directive are breached.

What are the penalties for violations?

Heavy fines can be imposed for violations of the NIS2 Directive. For essential entities (the Directive's term for the most critical organisations), fines of up to ten million euros or two per cent of total worldwide annual turnover, whichever is higher, can be imposed. For important entities, the ceiling is seven million euros or 1.4 per cent of total worldwide annual turnover, whichever is higher. These are the minimum ceilings the Directive prescribes; national law may set higher ones.

Furthermore, the introduction of NIS2 means a considerable effort for organisations. Many organisations lack the resources and knowledge to deal with such important topics as vulnerability scans, incident response management or awareness training.

In addition, many organisations are currently unable to assess the extent of the cyber risks in their supply chain or the costs of implementing NIS2. Organisations from all sectors therefore face a number of challenges with the introduction of NIS2 in Austria.

Nevertheless, one thing is certain: dealing with cyber security is relevant for all of us and protects us significantly from the increasing number of cyber attacks worldwide. The implementation of the directive is therefore not only a comprehensive challenge, but also a necessary measure in the fight against cybercrime.

Every sixth cyberattack against companies in Austria is successful. [1]

In 2023, the total damage caused by cybercrime in Germany amounted to 205 billion euros.

Dealing with NIS2 is highly relevant for companies and protects them and their clients and stakeholders from the increasing number of cyberattacks worldwide.

Implementing the NIS2 Directive is therefore not just another burden, but a sensible protective measure and an opportunity. Together with our more than 390 strategic partners, we can carry out a detailed security analysis for you, set up correct incident reporting for security breaches, or develop a holistic cyber security strategy with a simultaneous focus on cost minimisation.

NIS2 requirements
How to prepare for NIS2?

Companies and organisations affected by NIS2 need to address cyber risk management (including the security of their supply chain), control and monitoring, incident handling and reporting, and business continuity.

Important steps for preparing for NIS2 are:
1. Risk assessment
Identify the risks associated with your digital operating and information systems. This should include a comprehensive analysis of all systems and processes that are essential to the operation of your organisation.
2. Implement security measures
Based on the risk assessment, appropriate security measures should be implemented. This could include the encryption of data, the implementation of firewalls and the regular updating of software and hardware.
3. Emergency planning
Create a detailed emergency plan with clear instructions on exactly what to do in the event of a cyberattack.
4. Employee training
Ensure that all employees, as well as management, are trained in the basics of cyber security and understand why it is so important to comply with the NIS2 requirements.
5. Regular reviews
Conduct regular reviews and assessments of your security measures. Management is required to approve and oversee the implementation of the NIS2 measures.

Get ready for NIS2 with Hays

We support you from the initial assessment to the holistic strategy development and regular tests.
Protecting companies
Strengthen client confidence
Stay profitable


NIS2 – who is affected?

The NIS2 Directive applies to public and private organisations in 18 sectors that have at least 50 employees or an annual turnover and annual balance sheet total exceeding €10 million, i.e. medium-sized and large enterprises. The sectors are divided into "high criticality sectors" and "other critical sectors".

Affected companies are not notified individually, so it is up to you to check whether you fall under the NIS2 Directive. We can help you analyse the impact and determine whether and which measures are required of you.

Some organisations are affected regardless of their size. These include, for example, parts of the digital infrastructure such as DNS service providers and top-level domain name registries, as well as critical infrastructure whose failure would have an effect on public order and security.

To avoid double regulation, financial entities covered by the EU's DORA Regulation (Digital Operational Resilience Act) follow DORA's requirements for ICT risk management and incident reporting instead of the corresponding NIS2 provisions, as DORA takes precedence as sector-specific law.

These are the companies affected by NIS2

High criticality sectors:

  1. Energy: The NIS2 Directive applies in particular to operators of critical infrastructures in the energy sector. This includes companies that generate, distribute or store electricity, gas or district heating.
     
  2. Transport: In the transport sector, the NIS2 Directive affects operators of airports, railway stations and transport networks, for example.
     
  3. Banking: In the banking sector, which primarily includes credit institutions, NIS2 only affects companies that are not affected by the EU-wide DORA Regulation.
     
  4. Public administration: The NIS2 Directive applies to various areas of public administration, including federal agencies, public corporations and public companies that provide IT services for the federal administration.
     
  5. Healthcare: The management of healthcare organisations must actively address cyber security, implement specific information security requirements and be able to demonstrate these measures.
     
  6. Drinking water: The companies responsible for the supply of drinking water and wastewater disposal must be protected against cyber attacks and are therefore affected by NIS2.
     
  7. Wastewater: The disposal of wastewater is an essential part of critical infrastructure and is therefore affected by NIS2.
     
  8. Digital infrastructure: Operators of digital infrastructure such as internet exchange points, DNS service providers, top-level domain name registries, cloud computing and data centre service providers, content delivery networks, trust service providers and public electronic communications networks. This infrastructure is particularly exposed to digital attacks and must therefore be adequately protected.
     
  9. Space: Operators of ground-based infrastructure that supports the provision of space-based services provide a critical service to the general public. This service must be protected with cyber security obligations in accordance with NIS2.
     
  10. ICT service management (business-to-business): Managed service providers and managed security service providers must fulfil the security requirements.
     
  11. Financial market infrastructures: In addition to the NIS2 Directive, there is also the DORA Regulation, which focuses on the digital operational resilience of financial organisations and critical ICT third-party service providers. This regulation aims to increase the resilience of the financial sector.

Other critical sectors:

  1. Post & courier: This concerns companies that offer postal services, parcel services or courier services.
     
  2. Waste: From 1 January 2024, the disposal of municipal waste such as residual waste, organic waste, paper, glass or bulky waste will officially be considered critical infrastructure.
     
  3. Chemicals: Companies that produce or sell chemicals are affected.
     
  4. Food: In this sector, operators and facilities that supply the general public with food are affected by the requirements of the NIS2 Directive.
     
  5. Manufacturing industry: Companies that manufacture products in the medical sector, electronics, mechanical engineering or motor vehicles must be protected by cybersecurity measures in accordance with NIS2.
     
  6. Digital services: Providers that make digital services such as online marketplaces, search engines and social networks available to the general public must be protected with cybersecurity measures in accordance with the NIS2 Directive.
     
  7. Research: Research is now more dependent on digital services than ever before. This sector must therefore be protected with cybersecurity measures in accordance with the NIS2 Directive.

Our experienced cyber security team makes your company NIS2-ready

With the Hays Cyber Security Team, we have created a central point of contact that provides you with highly competent 360-degree support for all cyber security issues and NIS2 requirements: from project and consulting services to suitable technology and software solutions and highly qualified specialists. We also work with strategic and certified partner companies that can offer you the best solution for your concerns relating to the new EU Directive at all times.

Our team of experts

  • Mike Beaupre
    Head of Cyber Security (Global)
  • Julius Ponsen
    Cyber Solutions Lead & CISO, EMPOSO GmbH
  • Wladimir Baghdasarian
    Teamlead Cyber Security (Austria)

Mike Beaupre

Head of Cyber Security (Global)


  • Over 28 years of experience in IT and security
  • Know-how in 12 different industries
  • Leadership experience in the US military at C-level
  • Former DAX 30 CISO

Julius Ponsen

Cybersecurity Services & Solutions Lead + CISO, EMPOSO GmbH


  • Experienced cyber security expert
  • M.Sc. in Cybersecurity & Privacy
  • Experience in more than 50 cyber security projects
  • Specialized in: Endpoint, network, email and human firewall security

Wladimir Baghdasarian

Teamlead Cyber Security (Austria)


  • Master in IT Management and regular participation in Cyber Security Summits
  • Over 4 years of experience in personnel services and recruiting
  • C-level consulting for IT strategies in various industries
  • Specialist expert for cyber security in Austria

Our portfolio of solutions: From NIS2 audit to cyber security strategy

Cyber Security Recruitment
We specialise in the search and placement of highly qualified cyber security experts. We connect companies affected by NIS2 with the talent they need to protect their data and digital assets.
Upskilling and reskilling of personnel
Cyber security is dynamic, because cybercrime is developing at a rapid pace. In order to stay one step ahead of the impending dangers, we help you to train your staff effectively and in a targeted manner.
C-Level Advisory
Our internal Hays experts are your contacts when it comes to designing your cyber security strategy. We advise both C-level executives and the specialists responsible for implementing NIS2 in your company.
Cyber Security Consulting
Services
Together we will manage the NIS2 implementation. We advise you on all issues relating to the regulation. From strategy development and specific measures to cyber security assessments.
Managed Security Services
Our professional partners offer a comprehensive portfolio of software and hardware tailored to your needs to beat cybercrime, as well as smooth integration and maintenance of the new security solutions.
Technology Solutions
Our network of more than 390 strategic partners supports you with state-of-the-art technological cyber security solutions.

Our wealth of operational experience and certified partner network

390+ partner companies
in long-term collaborations and over 30 highly specialised strategic cyber partners based in German-speaking countries
2,000+ projects
successfully implemented with our customers from over 50 industries in Germany and Austria in the field of cyber security
5,200+ experts
from the cyber security environment – both freelance and in permanent employment



Your benefits from our NIS2 consultation

1. Being competitive and profitable in the long term

NIS2 harmonises and significantly raises the level of security in the affected companies, as the directive also obliges them to address security risks in their supply chain, including their relationships with direct suppliers and service providers. This secures the long-term competitiveness and profitability of the companies concerned.

2. Become resilient

Get a head start against cybercrime. NIS2 includes measures that significantly reduce business and financial risks and protect you from attacks.

3. Increase compliance

Show that your company can operate securely in a complex world. Compliance with the NIS2 Directive strengthens the trust of clients and partners. You also avoid sanctions: fines of up to ten million euros or two per cent of global annual turnover can be imposed for violations, and members of the management body can be held personally liable.


NIS2 consulting and implementation
How the collaboration with Hays works

  • Appointment with cyber experts
  • Deep dive with NIS2 experts
  • Gap analysis and implementation
  • Establishing NIS2 compliance
  • Regular testing

The NIS2 gap analysis

At the start of our collaboration, we usually conduct a detailed gap analysis. Our experts conduct a review of your existing documentation to determine whether it meets the requirements of the NIS2 Directive. We then organise a one-day workshop with your team to jointly identify gaps. On this basis, our experts develop a detailed roadmap with customised measures to close the identified gaps.

Individual support

From customized security assessments to penetration tests, we offer services that put your digital infrastructure through its paces.

A team at your side

Our experts are not only specialists, but also your partners. Together, we will walk the path to NIS2 compliance.

Software and hardware solutions

Our solutions are designed to make companies more resilient in a cost-effective and sustainable way. 
From SOCaaS (Security Operations Center-as-a-Service) to advanced deception & detection platforms – we have the tools.

Personnel services from the #1

We offer not only technical solutions, but also highly qualified specialists to drive your security strategy and NIS2 processes forward.

Contact us now

Yesterday's solutions don't solve tomorrow's problems!

FAQ

The abbreviation "NIS2" stands for the "Network and Information Security Directive 2" (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union). This European legislation aims to strengthen cyber resilience in the European Union by defining security measures for affected companies to ensure the integrity, availability, confidentiality and robustness of their network and information systems.

Companies with at least 50 employees or an annual turnover of more than ten million euros are directly affected by NIS2 and should comply with the NIS2 Directive in order to avoid fines and liability risks.

The NIS2 Directive stipulates that the management of a company is personally responsible for compliance with the Directive. This means that members of the management can be held personally liable if the company does not fulfil the requirements of the NIS2 Directive. Violations of the NIS2 requirements can lead to national fines, penalties and sanctions.

The NIS2 Directive (Directive (EU) 2022/2555) was adopted by the European Parliament and the Council in 2022. Member states had to transpose it into national law by 17 October 2024, and its obligations apply from 18 October 2024, which is why NIS2 implementation is a time-critical challenge for many companies.

NIS2 is an EU directive that focuses on improving cyber security and on the reporting of significant incidents in 18 sectors. DORA, on the other hand, is an EU regulation specific to the financial sector that aims to ensure digital operational resilience there; for financial entities in its scope it takes precedence over NIS2. NIS2 obligations apply from 18 October 2024 (via national transposition), and DORA applies from 17 January 2025.

NIS2 Directive: Summary

NIS (Network and Information Security Directive) is an EU directive for the security of critical infrastructures that has defined minimum cyber security standards for companies since 2016. The NIS2 Directive is the revised version, which Austria had to transpose into national law by 17 October 2024.

The EU-wide directive aims to strengthen resilience against cyberattacks in the European Union. It does this by laying down security requirements for affected organisations to ensure the integrity, availability, confidentiality and resilience of their network and information systems. NIS2 not only drives the EU-wide development of national cybersecurity, but is also an important measure in the fight against cybercrime.

In addition to the critical infrastructure companies that were previously subject to the NIS Directive, a far broader range of companies now falls under the NIS2 Directive. The expanded number of affected sectors presents many company managements with a number of critical challenges.

As a first step, companies should inform themselves about the changes and check whether they are affected by NIS2. If this is the case, they face the far greater challenge of implementation. A detailed NIS2 audit then helps them to define and implement specific measures.

Source

  1. https://kpmg.com/at/de/home/insights/2024/04/cybersecurity-studie-2024.html