Our approach on NIS2 and how we comply

The new European NIS2 directive sets stricter requirements for cybersecurity within critical sectors and digital service providers. We fully support this development. Our approach combines NIS2 with recognized standards such as ISO/IEC 27001 and IEC 62443-4, not only to comply with legislation, but to make our organization, supply chain and customers more resilient.

Our Position

We fall under the category of Essential / Significant Entity according to NIS2. That classification brings with it clear obligations, and we are ready for them. We do not see NIS2 as a burden, but as an opportunity to structurally strengthen our cybersecurity. By combining it with the risk-based approach of ISO 27001 and the technical depth of IEC 62443-4, we are building a strong and future-proof foundation.

This is how we ensure compliance

Our cybersecurity approach rests on three pillars:

  • NIS2: Legislation and obligations around risk management, incident reporting and chain security.
  • ISO/IEC 27001: A certified information security system that ensures continuous risk management and improvements.
  • IEC 62443-4: Industry standard for cybersecurity in OT (operational technology) environments.

Specifically:

  1. Risk Management and Governance
    Our information security is ISO 27001 certified. Risks are periodically assessed and addressed. Cybersecurity is managed at the executive level and is part of our broader risk management.
  2. Secure Development and Systems
    For our OT environments, we follow IEC 62443-4-1 (secure development) and 62443-4-2 (system security). Security is integrated into the design from the start.
  3. Incident Detection and Reporting
    We have 24/7 monitoring and clear response procedures. We comply with the NIS2 reporting obligation and regularly test our processes with realistic scenarios.
  4. Supply Chain Security
    Suppliers and partners are assessed for their security level. We apply requirements based on ISO 27001 and – where relevant – IEC 62443.
  5. Continuity and Recovery
    We have business continuity and recovery plans that are regularly tested. These are aligned with ISO 27001 and adapted for OT risks.
  6. Technical Security Measures
    We use strong authentication, segmentation, encryption, and monitoring. Everything is aligned with ISO 27001 and IEC 62443-4-2 and is regularly checked.
  7. Awareness and Training
    Everyone in the organization plays a role in cybersecurity. We provide structured training and specific sessions for IT and OT teams.
  8. Audit and Improvement
    We document everything carefully and are always audit-ready. Our approach is focused on continuous improvement, not just minimal compliance.

Looking Ahead

Cybersecurity is a strategic priority. By working according to NIS2, ISO 27001, and IEC 62443-4, we not only ensure compliance with regulations – we actively strengthen the resilience of our organization.
This is not a cost, but an investment in stability, continuity, and trust.

NIS2 stands for the “Network and Information Security Directive 2”, a European directive adopted in 2022 that builds upon the original NIS directive from 2016. The aim of NIS2 is to improve the cybersecurity and operational resilience of essential and important sectors within the EU. This is particularly important given the increasing threat of cyberattacks. Its main changes are:

  1. Broader scope: The directive applies not only to critical infrastructure such as energy, transport, and healthcare sectors, but also to many more “important” sectors including digital infrastructure, waste management, food production, and even government services.

  2. Stricter security requirements: Organizations falling under NIS2 must comply with stricter requirements in risk management, security measures, incident reporting, and supply chain security.

  3. Supervision and enforcement: Member States must designate supervisory authorities to monitor compliance with NIS2, and fines can be imposed for non-compliance.

  4. Harmonization within the EU: NIS2 ensures more uniform rules across all EU countries, reducing differences in security requirements between countries.

  5. Reporting obligations: Organizations must report cyber incidents within a certain timeframe (for example, an initial notification within 24 hours) to enable rapid response.

EU member states must transpose NIS2 into national legislation by October 2024, so organizations in relevant sectors have until then to prepare.