NIS-2 and the future of cybersecurity: What you need to know now.

At the 30th qualityaustria Forum in March 2025, current regulatory challenges were highlighted by experts from a wide range of industries. CEO of CIS, Harald Erkinger, showed ways through the current NIS-2 labyrinth. For companies, cybersecurity and the future with NIS-2 are currently at the center of numerous considerations.

Digitalization is progressing rapidly, and with it the challenges for many companies: cybercrime and new directives such as NIS-2 are a major concern. For many companies, however, NIS-2 is still associated with a great deal of uncertainty. Harald Erkinger, CEO of CIS – Certification & Information Security Services GmbH, opened his presentation on NIS-2 with an important question: which of the roughly 400 attendees are covered by the directive? Around 30% of those present were sure that they were, while only 10% clearly answered in the negative – so for many participants from various industries, it is still unclear whether they are covered by the directive at all. Find out here whether your company is affected.


Affectedness: What are “essential” and “important” facilities?

Across the 18 industries covered, a distinction is made between two categories of facility: “essential” and “important”. The most important difference between the two with regard to NIS-2 auditing: essential facilities are audited ex ante (in advance) on a regular and targeted basis, while important facilities are audited ex post (after the fact) in the event of an incident or suspicion.

Make sure that any company that contacts you offering NIS-2 services has itself been audited and certified and is authorized to carry out audits. Fake providers often cannot present such a certificate or any reference to a trustworthy certification body.

NIS-2: here to stay

In any case, the fact is that NIS-2 is coming to Austrian companies despite the pending legislation. The new government is placing a clear focus on cyber security, resilience and NIS-2. However, implementing the directive requires time, resources and personnel – without external support, NIS-2 will be a project that is difficult to manage.

Companies are therefore well advised to start implementation now and use proven frameworks such as ISO 27001 to create a structured basis for fulfilling cyber security measures. CIS also offers an NIS Act and ISO 27001 combined audit for this purpose.

Harald Erkinger, CEO of CIS – Certification & Information Security Services GmbH, on non-compliance with the NIS-2 directive: “All NIS-2 companies must also implement and comply with all NIS-2 requirements. Managers have a training and liability obligation, and cyber security incidents must be reported within 24 hours. And one thing is guaranteed: legislators will audit companies for implementing the required information security measures. Prevention is better than cure – CIS recommends that companies protect themselves with an independent self-assessment and have an audit carried out by experienced NIS auditors such as those at CIS.”

6 recommendations that make the path easier:

In order to not only be well prepared when the directive comes, but to even use the challenge as a success factor, Harald Erkinger gave the audience 6 key tips for dealing with NIS-2:

  • Use NIS-2 as an opportunity for resilience.
  • Don’t wait for the law. Start now.
  • Do not underestimate the effort involved.
  • Assume that you will need external expertise. There will be a rush on NIS-2 test centers once the law comes into force.
  • Stay risk-oriented: that is both cost-efficient and effective.
  • Be prepared for a long journey.

Any questions? As a qualified body, CIS is one of the few companies appointed by the Federal Ministry for Economic Affairs, Energy and Tourism (BMWET) that can carry out NIS-2 tests on the domestic market due to its expertise. Get in touch with our experts to be on the safe side!