-
Operational Advisory
Solidifying and supporting transformation
-
Deal Advisory
We’ll advise you on national and international transactions
-
Valuation & economic and dispute advisory
We’ll value your business fairly and realistically
-
Public sector
Digitalisation, processes & projects
-
Debt advisory & treasury services
Funding and treasury consulting to the client’s advantage
-
Tax for businesses
Because your business – national or international – deserves better tax advice.
-
Tax for financial institutions
Financial services tax – for banks, asset managers and insurance companies
-
Global mobility services
Avoid double taxation – and minimise costs
-
Employment law
Representation for businesses
-
Commercial & distribution
Making purchasing and distribution legally water-tight.
-
Financial Services | Legal
Your Growth, Our Commitment.
-
Business legal
Doing business successfully by optimally structuring companies
-
Real estate law
We cover everything on the real estate sector, the hotel industry, and the law governing construction and architects, condominium ownership, and letting and renting.
-
IT, IP and data protection
IT security and digital innovations
-
Mergers & acquisitions (M&A)
Your one-stop service provider focusing on M&A transactions
-
Sustainability strategy
Laying the cornerstone for sustainability.
-
Sustainability management
Managing the change to sustainability.
-
Legal aspects of sustainability
Legal aspects of sustainability
-
Sustainability reporting
Communicating sustainability performance and ensuring compliance.
-
Sustainable finance
Integrating sustainability into investment decisions.
-
Grant Thornton B2B ESG-Study
Grant Thornton B2B ESG-Study
-
International business
Our country expertise
-
Entering the German market
Your reliable partners.
The EU Cybersecurity Directive NIS-2 must be transposed into national law by the member states of the European Union by October 17, 2024. A draft bill to transpose it into German law is available, although it remains to be seen whether the legislative process will be completed by October 17 and the so-called NIS-2 Implementation and Cybersecurity Strengthening Act will come into force on time. According to estimates, between 25,000 and 40,000 companies in Germany fall within the scope of application. The companies affected are no longer just operators of so-called critical infrastructures. Rather, they also include postal and courier services, companies in the waste management and chemical industries (production, manufacture and trade in chemical substances), manufacturers of medical products or data processing devices, electronic equipment, mechanical engineering and vehicle construction. With its far-reaching effects, NIS-2 is aimed in particular at German SMEs.
SMEs, the backbone of the German economy, in particular will have to adapt to significant technical and organizational changes in order to meet the requirements of the new directive.
Increased security requirements
The present draft for the implementation of NIS-2 aims to ensure that the in scope entities take appropriate and proportionate technical, operational and organizational cybersecurity measures. Appropriateness is assessed on the basis of a risk assessment: How likely is a security incident to occur and its severity? The measures include concepts for risk analysis and security for information systems, handling security incidents, business continuity (backup management, disaster recovery) and crisis management. Companies must also ensure the IT security of the supply chain, take security measures in the acquisition, development and maintenance of network and information systems and, above all, establish concepts and procedures to evaluate the effectiveness of risk management measures in the area of cyber security. Finally, the institutions and companies concerned must develop concepts and procedures for the use of cryptography and encryption as well as the use of multi-factor authentication solutions. Last but not least, companies must provide training for employees to raise their awareness of cyber security issues and potential threats.
Cost, investments, know-how
The implementation of NIS-2 will require financial and human resources. Medium-sized companies in particular will face major challenges: Investments in technology are required to implement new security solutions and IT infrastructure. In addition to these investment costs, the necessary know-how must be built up or made available within the company, whether through the qualification and training of existing employees or the recruitment of new employees. In many cases, this will mean that additional IT staff will have to be recruited, especially where the necessary know-how should be available within the company on a long-term basis. External security experts can provide support in implementing the NIS-2 requirements. In both cases, however, companies are faced with increased costs. This is a particular challenge given the general shortage of skilled workers in the information technology sector, especially in the area of security.
Reporting obligations and reporting system
In addition to the technical requirements, companies must also be able to meet the strict reporting obligations for security incidents from an organizational and procedural perspective. Companies must report serious security incidents within a certain timeframe, which requires a rapid response and well-established communication channels. Companies also face organizational challenges with regard to documentation requirements. All cyber security measures and incidents must be comprehensively documented, which increases the administrative burden. As part of internal organizational and process analyses, companies are required to scrutinize their governance structures and adapt them to the requirements of NIS-2.
Sanctions and liability
Finally, NIS-2 provides for sanctions in the event of non-compliance with the regulatory provisions: Companies that fail to meet the requirements risk significant fines. They run the risk of suffering reputational damage in the event of non-compliance with NIS-2 requirements and successful cyberattacks as a result, because the trust of customers and partners is impaired. Furthermore, non-compliance with NIS-2 requirements can lead to the liability of the board of directors and management if NIS-2 is not observed as a compliance regulation.
Competitive advantages and opportunities
Despite all these considerable challenges, NIS-2 also offers opportunities for German SMEs: IT and cyber security creates trust among customers and business partners and represents a competitive advantage. This is because sensitivity in dealing with data and trade secrets - i.e. the question of how business contacts handle external data and information - is increasing. Last but not least, the new regulation also opens up potential for innovation. This is because investments in cyber security measures open up technical, organizational and procedural potential in companies, which can promote the necessary innovations and accelerate measures for digital transformation.
Cooperation and support
It should also be noted that German SMEs can draw on various support measures to meet the requirements of NIS-2. Government and European funding programs can provide financial support for investments in cybersecurity. Industry associations and networks offer cooperation. The exchange of best practices within industry associations and networks can strengthen SMEs. External consulting can help to identify and close gaps in cyber security, especially in times of skills shortages.
Conclusion: companies must take proactive measures
The EU Cyber Security Directive NIS-2 poses considerable challenges for German SMEs, but also offers opportunities to improve IT security and competitiveness. Companies must take proactive measures to meet the new requirements and can count on government support and cooperation within their industries. By strengthening cybersecurity measures, SMEs can not only meet legal requirements, but also strengthen the trust of their customers and business partners and secure their position in the market in the long term.