NIS2 Penetration Testing

Penetration Testing for NIS2 Compliance

The new NIS2 directive requires companies to elevate their IT security to a high level.

Does your company have to comply with the NIS2 directive? Effective vulnerability management, including vulnerability scans and penetration tests, is an important part of that. We help you meet the requirements.

Damian Strobel - CEO DSecured

My recommendation

Verifiable security for NIS2

NIS2 demands more than checkboxes - auditors want to see verifiable tests and risk assessments. We structure your pentests so that you cleanly meet regulatory requirements and management reporting.
NIS2 Compliance

Everything Important About NIS2 Penetration Testing

Understanding and implementing compliance requirements

Fundamentals

What is NIS2?

NIS2 stands for "Network and Information Systems Security Directive 2" and is an EU directive designed to improve the security of network and information systems in the EU. With its second iteration, the directive is making big waves as it affects many companies. The directive forces companies to assess and improve their IT security where necessary. Risk management and vulnerability management are key issues here. Cybersecurity incidents must be reported within 24 hours. Another new feature is that management can be held personally liable for negligent breaches. In general, companies can be forced to pay fines in the millions based on this directive.

Requirements

Are penetration tests mandatory under NIS2?

Article 21 of the NIS2 directive is particularly relevant here. It states that companies must implement "risk management measures in the area of cybersecurity". More specifically, "technical, operational and organizational measures" are required to minimize the "impact of security incidents on the recipients of their services". Vulnerability management is explicitly mentioned here, and it typically includes penetration testing. However, the term "penetration testing" itself does not appear in the directive, so it can be assumed that many companies will opt for vulnerability scans instead. Legally this should be acceptable, but in terms of effectiveness it is questionable: a penetration test is generally much more effective than a vulnerability scan, finds more security vulnerabilities and can assess them better.

Affected Entities

Who is affected by NIS2?

Affected Sectors:

Energy, transport, banking, financial market infrastructures, healthcare, water management, digital infrastructures, public administration, space, postal services, waste management, chemicals, food, manufacturing in general, digital services, research.

Size Criteria:

Large Companies: > 250 employees, > €50M revenue
Medium Companies: > 50 employees, > €10M revenue

Don't let it come to that and protect your systems from cyber attacks.

Request a Quote

How can DSecured help you implement NIS2?

Vulnerability Scans

Although vulnerability scans cannot be compared with penetration tests in terms of effectiveness and depth, they are a good start to finding initial vulnerabilities.

Penetration Testing

We can check your critical systems and applications for vulnerabilities and help you to close them.

Documentation

We provide you with a comprehensive report containing all the vulnerabilities found and possible solutions.

Employee Awareness

Our phishing services help to raise your employees' awareness of the dangers of phishing - the number 1 attack vector.

Current/Target Analysis

Article 21 of NIS2 defines minimum requirements - we help you meet them.

Risk Analysis

We help you identify and assess the risks for your company.

Pricing

How much does a NIS2 penetration test cost?

Cost Factors Overview

A pentest within the scope of NIS2 is typically an extensive manual penetration test against a specific application or a composition of various applications and digital systems. Accordingly, the costs of a NIS2 pentest depend on the size of the scope, the testing depth and the complexity of the applications and systems to be tested.

Scope Size: extent of systems to be tested
Complexity: technical requirements
Testing Depth: level of analysis detail

In general, a NIS2 pentest is a "normal" penetration test that is carried out, for example, as a web app pentest or external infrastructure pentest. The costs for a NIS2 pentest are therefore comparable to the costs for a "normal" penetration test.

Detailed Cost Information

Reference Prices:
Simple Application: from €5,000
Multiple Systems: €10,000 - €30,000
Complex Infrastructure: €30,000+

Individual quotes available upon request.

Trust through experience

Some companies we have been able to help

We've had the privilege of working with some of the world's leading companies and strengthening their IT security.

Frequently Asked Questions

When does the NIS2 directive come into force?

At EU level, the NIS2 directive has been in force since January 16, 2023. However, EU member states have until October 18, 2024 to transpose the directive into national law. This is the date from which companies in Germany must comply with the NIS2 directive.

Which sectors must now act according to the new NIS2 regulation?

The regulation lists various critical sectors as relevant. These include utilities, waste management, food producers, banks, the digital economy, healthcare, energy companies and transport companies. In addition, there are companies that are considered "essential" for maintaining public safety, regardless of their size or sector.

Is the managing director liable for non-compliance with the NIS2 directive?

Yes, the amendment from NIS to NIS2 explicitly regulates the liability of the managing director for non-compliance with the directive. They are even personally liable.

What penalties are imposed for non-compliance with the NIS2 directive?

The penalties depend on the size of the company. In general, the penalty can amount to up to 2% of global annual revenue or up to 10 million euros.

Does NIS2 also apply to small companies?

No. It is primarily aimed at companies with more than 50 employees. Small companies in very critical sectors may be an exception. However, this should be examined on a case-by-case basis.

What is the best way to prepare for NIS2?

Check whether you are affected. Have a risk analysis carried out and develop a security concept. This should include vulnerability management - regular security tests in the form of scans and penetration tests. Your employees should be trained and you should have an emergency plan ready. As the person responsible, it is generally worth reviewing Article 21 of the directive and checking where improvements are still needed.

What services does DSecured offer in the context of NIS2?

Vulnerability scans, penetration tests and red teaming - to identify problem areas. Phishing to raise employee awareness. General risk analyses and advice on the minimum standards from Article 21 NIS2.

We're here for you

Request a quote

Have questions about our services? We'd be happy to advise you and create a customized offer.

Quick Response

We'll get back to you within 24 hours

Privacy

Your data will be treated confidentially

Personal Consultation

Direct contact with our experts

Contact DSecured