NIS2 Consulting

The NIS 2 Directive significantly expands the scope of affected organizations compared to the original NIS Directive. In Germany, an estimated 29,

000 companies are affected – many of them for the first time. The directive distinguishes between two categories: essential entities and important entities. Essential entities include companies from the sectors of energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities include postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. Two criteria are decisive: sector affiliation and company size. In general, medium-sized companies (with

50 or more employees or €

10 million in revenue) and large companies fall within the scope. However, there are exceptions: certain entities such as DNS service providers, TLD registries, or providers of public communications networks fall under NIS 2 regardless of their size. For the financial sector, the situation is particularly complex: banks, insurance companies, and investment firms are simultaneously subject to the DORA regulation, which takes precedence as lex specialis in many areas. Nevertheless, NIS 2 requirements may apply additionally, particularly in group structures with non-regulated subsidiaries. ADVISORI therefore recommends that every company conduct a professional impact analysis to gain clarity on its individual compliance requirements.

The NIS 2 Directive provides for a tiered sanctions regime that is significantly stricter than its predecessor. For essential entities, fines of up to €

10 million or

2 percent of global annual turnover can be imposed – whichever amount is higher. For important entities, the upper limit is €

7 million or 1.4 percent of global annual turnover. These amounts are deliberately aligned with the scale of GDPR fines and are intended to ensure that cybersecurity is prioritized at board level. In addition to financial sanctions, NIS 2 provides for further enforcement measures: supervisory authorities can issue binding instructions, conduct on-site inspections, order security audits, and in extreme cases temporarily relieve management of their duties. Particularly significant is the personal liability of management: Article

20 of the directive explicitly requires governing bodies to approve cybersecurity measures, oversee their implementation, and participate in training. In the event of a breach of duty, managing directors and board members can be held personally liable. This liability provision represents a fundamental shift in European cybersecurity regulation. For companies, this means: NIS 2 compliance is no longer a purely IT matter, but a board-level concern. ADVISORI supports both the operational implementation and the strategic anchoring of NIS 2 compliance in corporate governance – so that your management can demonstrably fulfill its supervisory obligations.

NIS 2 and DORA are two distinct EU regulations with partially overlapping requirements but different focuses and scopes. The NIS 2 Directive (EU 2022/2555) is a horizontal regulation that defines cybersecurity requirements for companies in

18 critical sectors – from energy and healthcare to financial services. It must be transposed into national law by each EU member state, which can lead to country-specific differences. DORA (Digital Operational Resilience Act, EU 2022/2554), on the other hand, is a regulation that applies directly in all EU member states and is addressed exclusively to the financial sector: banks, insurance companies, investment firms, payment service providers, and their critical ICT third-party service providers. There are significant overlaps in substance: both regulations require cybersecurity risk management, incident reporting, supply chain management, and regular testing. However, DORA goes further than NIS 2 in many areas – for example, in threat-led penetration testing (TLPT), the management of ICT third-party service providers, or the detailed requirements for the ICT risk management framework. For financial institutions, DORA applies as lex specialis: where DORA sets specific requirements, these take precedence over the more general NIS 2 provisions. However, this does not mean that NIS 2 is irrelevant for the financial sector – particularly in group structures with non-regulated entities or in areas covered by NIS 2 but not by DORA. ADVISORI specializes in the integrated implementation of both regulations. We identify overlaps, utilize collaboration effects, and avoid redundant measures. Our clients in the financial sector benefit from a single, coherent compliance program rather than two parallel workstreams – saving time, costs, and internal resources.

The duration of a NIS 2 implementation depends on several factors: the current maturity level of your cybersecurity measures, company size, the complexity of your IT landscape, and the available internal resources. Based on experience, companies should expect the following timeframes: The initial impact analysis and gap analysis typically takes

4 to

8 weeks. During this phase, we identify your specific action requirements and create a prioritized roadmap. The subsequent planning and design phase takes a further

4 to

6 weeks, during which measures are conceived, policies are created, and architectures are defined. The actual implementation phase is the most time-intensive part and takes

3 to

9 months depending on scope. Companies that already have an established ISMS in accordance with ISO 27001 can significantly shorten this period, as many NIS 2 requirements are already covered by existing controls. The final operationalization phase, including training, test runs, and audit preparation, takes a further

4 to

8 weeks. Overall, companies should plan for a period of

6 to

15 months for a complete NIS 2 implementation. ADVISORI recommends not waiting until the last possible deadline, but starting early. A phased approach with quick wins in the first few weeks – such as establishing reporting processes and conducting management training – creates immediate compliance progress, while strategic measures are planned and implemented in parallel. Companies with DORA obligations benefit from our integrated approach: by addressing both regulations simultaneously, the overall effort is typically reduced by up to

40 percent compared to a sequential implementation.

Article

21 of the NIS 2 Directive defines ten minimum measures that affected companies must implement. These measures form the foundation of NIS 2 compliance and must correspond to the state of the art and be proportionate to the risk. First: Policies for risk analysis and information system security – companies must establish a systematic risk management process that identifies, assesses, and addresses cyber risks. Second: Handling of security incidents – this includes incident response plans, escalation procedures, and the ability to report incidents within the statutory deadlines. Third: Business continuity and crisis management – companies need backup management, disaster recovery plans, and crisis management processes. Fourth: Supply chain security – securing relationships with direct suppliers and service providers, including contractual cybersecurity requirements. Fifth: Security in the acquisition, development, and maintenance of IT systems, including the handling of vulnerabilities. Sixth: Policies and procedures for assessing the effectiveness of risk management measures. Seventh: Basic cyber hygiene practices and cybersecurity training. Eighth: Policies on the use of cryptography and encryption. Ninth: Personnel security, access controls, and asset management. Tenth: Multi-factor authentication and secured communication systems. ADVISORI supports you in implementing all ten areas of measures. Our approach: we first examine which measures are already covered by existing controls, identify gaps, and prioritize implementation according to risk and regulatory urgency. Our AI-supported compliance platform enables continuous monitoring of implementation progress and automates documentation – a decisive advantage during regulatory reviews.

ADVISORI differs from other NIS 2 consulting providers in the German market in several key respects. First: Deep regulatory expertise in the financial sector. While many NIS 2 consultants come from the general IT security environment, ADVISORI has years of experience in financial regulation – from MaRisk, BAIT, and VAIT to DORA. This expertise is critical because NIS 2 in the financial sector cannot be viewed in isolation, but must be implemented in the context of the existing regulatory landscape. Second: Integrated DORA + NIS 2 consulting. ADVISORI is one of the few consulting partners in Germany that covers both regulations from a single source. Financial institutions benefit from a coherent compliance program that utilizes synergies and avoids duplication of effort. This demonstrably saves up to

40 percent of implementation effort. Third: Certified quality. ADVISORI is certified to ISO 27001, ISO 9001, and ISO 14001. These certifications are not only a quality hallmark, but also ensure that we practice the standards we implement at our clients. Fourth: Flexible consulting capacity. With around

150 employees, ADVISORI can handle even complex, company-wide NIS 2 implementations – from individual entities to international groups. Fifth: AI-supported methodology. Our own multi-agent AI platform accelerates gap analyses, automates documentation, and enables continuous compliance monitoring. This significantly reduces the manual effort for your internal teams. Sixth: Cross-sector KRITIS experience. In addition to the financial sector, we advise companies in the areas of energy, healthcare, and digital infrastructure – and bring best practices from all sectors to your NIS 2 implementation. ADVISORI is not simply another IT service provider that has added NIS 2 to its portfolio. We are a specialized compliance partner with the expertise, resources, and tools to sustainably embed NIS 2 compliance in your organization.