Critical Infrastructure
NIS-2 & Critical Infrastructures
Cybersecurity & Resilience
Compliance & Security
The European Union’s NIS 2 and CER directives significantly expand the cybersecurity and information security requirements for companies and organizations. The goal of these directives is to strengthen the resilience of critical and important infrastructure against cyberattacks and IT disruptions throughout the EU.
Compared to previous regulations, NIS2 and CER, as well as their national implementing laws, NIS2UmsuCG and the KRITIS Framework Act, affect significantly more companies and industries. In addition to existing operators of critical infrastructure, numerous other organizations from the KRITIS sectors, as well as from other sectors such as digital infrastructure and manufacturing, will be required in the future to implement comprehensive security measures and register with the Federal Office for Information Security (BSI). In addition to the measures to be implemented and the registration requirement, affected companies are also obligated to report relevant (cyber) security incidents to the BSI within 24 hours.
Existing KRITIS companies automatically fall into the category of particularly important companies under NIS 2. For these organizations, the existing national regulations will be expanded and supplemented by additional European requirements.
Support & Implementation
We assist companies with the analysis, implementation, and integration of the requirements under NIS-2 and the KRITIS Framework Act.
Our services include, among other things:
- Analysis of how your company is affected by NIS-2 and the KRITIS Framework Act
- Conducting training for company executives in accordance with Section 38 of the BSIG
- Assessment of existing IT and information security measures
- Identification of risks and potential damage scenarios
- Development and implementation of appropriate security and risk management measures in accordance with Section 30 of the BSIG
- Support for KRITIS operators regarding enhanced risk management measures and intrusion detection systems (SzA) in accordance with Section 31 BSIG
- Support in establishing or further developing an information security management system (ISMS)
- Preparation for reporting obligations under Section 32 BSIG, documentation requirements, and regulatory audits
Benefits of Implementation
Overview of Successful Implementation & Objectives:
- A clear assessment of whether and to what extent your company is affected by NIS-2
- Structured implementation of the new legal requirements
- Integration of security requirements into existing IT and business processes
- Strengthening your company’s cyber resilience, IT security, and IT compliance
- Early detection of key risks or IT issues
In 2025, expanded liability rules were introduced for the management of affected companies. As a result, cybersecurity has become a core priority. Under Section 38 of the BSIG, managing directors and board members are required to undergo regular training on the subject. If they fail to address this issue, they face personal liability (for breach of duty) or even temporary removal from office.
If you have any questions or would like an initial consultation, you can contact us at any time using our contact form.