16.06.2025

NIS-2 is coming: these miscalculations will cost SMEs dearly

From 2025, around 30,000 companies will have to comply with new security standards - and many are vastly underestimating the need for action.

From 2025, the EU-wide NIS 2 Directive will not only place obligations on large companies, but also on SMEs. The aim is to improve cyber security across Europe. However, many companies are inadequately prepared - partly due to dangerous misjudgements. The mosaic IT Group dispels the myths.

"Anyone who believes they can get through NIS-2 with a firewall and a gut feeling also believes that an umbrella helps against storm surges."
- Florian Laumer, cyber security expert at PASSION4IT GmbH

"NIS-2 only affects KRITIS companies."
Wrong. The new directive covers all medium-sized companies with 50 or more employees and a turnover or balance sheet total of 10 million euros. That also includes the broad German supplier industry: even dairies and manufacturing companies are affected.

"We're too small, so we're not covered."
Smaller SMEs can also be affected if they are part of critical supply chains. In addition, a risk-based approach is to be expected, and that approach is not based on the size of the company but on the potential impact of an attack.

"We are safe with a firewall, backup and antivirus."
Not even close. These measures are only one aspect. NIS-2 requires comprehensive risk management, including security assessments, penetration tests and employee training.

"Patching our systems? Nothing to do with NIS-2!"
On the contrary: the German draft law explicitly mentions "cyber hygiene", which also includes regular patch management. Anyone who is negligent here and causes security incidents as a result risks fines.

"IT takes care of that for us."
This is also a mistake. Under NIS-2, management itself is responsible, not only for providing evidence but also for ongoing monitoring. Questions of personal liability are expressly part of this.

What does this mean for SMEs in concrete terms?
It is high time to take action. Anyone who negligently or deliberately fails to introduce measures is in breach of EU regulations. Transitional periods? Not a chance. As soon as the national law is in place, the rule applies. Compliance must be fully proven by the end of 2025 at the latest.

Central appeal from Martin A. Schaletzky, CEO of the mosaic IT Group:
"Check your company's IT security now so that it is not only prepared before the end of 2025, but also meets the NIS 2 compliance requirements."

"NIS-2 is not a bureaucratic monster - those who approach it pragmatically not only gain compliance, but also genuine cyber security, a more resilient company and at the same time strengthen the trust of customers, partners and society."
- Florian Laumer, cyber security expert at PASSION4IT GmbH
