01
Legal Situation Assessment
Is Your Business Affected by the NIS-2 Directive? Within the scope of an analysis, we assess whether your company's offerings fall within one of the 18 sectors outlined by the law. Additionally, it's recommended to examine whether your key clients fall under these sectors. Because even if you're not directly affected, indirect requirements could potentially be imposed on you through their reporting obligations to the supply chain.
02
Gap-Analysis
Based on the requirements of the law, the existing conditions, guidelines, processes, and cybersecurity measures of the organization are assessed for sufficient suitability in meeting the legal requirements. If conformity with the requirements is determined, this is documented and used to fulfill reporting obligations. In cases of identified deviations, specific and targeted measures are necessary, which should be implemented promptly based on the legal requirements and operational conditions.
03
Measures
We design, plan, and guide you through the implementation of the requirements within your current environment, drawing upon our ISO 27001, TISAX®, emergency management, and IT expertise. A comprehensive definition of specific organizational and technical measures is carried out, including implementation within a robust cybersecurity framework (potentially utilizing an ISMS tool).
04
Operations and Ongoing Optimization
The once defined and implemented NIS-2 compliant system must be initially documented and continuously adapted. Therefore, the development and implementation of monitoring mechanisms for continuous effectiveness review are necessary. We design exercises, train in the processes described in the plans, establish routine procedures, and verify the efficient functionality of the solutions. This enhances the responsiveness and confidence of the employees in their actions. In addition to testing the real-world solution, possibilities for improvement are also to be examined. Ensuring reporting obligations is crucial, as there are specific content-related and tightly timed requirements in this regard.
I am pleased to work with Mr. Salvador and the team again on the next project. Thank you and all the best!
Andreas Freitag, BMW AG
My TISAX® audit went smoothly and was successful right away. We were able to demonstrate our information security according to TISAX® and can now attract new automotive clients.
Gaps in our preparation and examination were promptly addressed, and high-quality documents were provided by Opexa. I can only recommend the team led by Klaus Höllerer, Klaus Kilvinger, and Thomas Salvador.
Dr. Samir Kadunic, MAASU GmbH
During the examination of customer requirements in the TISAX® domain, there was an urgent need for consultation within the company. Thanks to the assistance of Opexa Advisory GmbH, we were able to meet our customer requirements and furthermore achieve our goals with significant cost savings.
Opexa Advisory is the ideal partner due to their extensive automotive experience, project expertise, and their competent, efficient, and straightforward support.
Herbert Schmidt, Dennemeyer & Co. GmbH
What our clients have to say
Frequently Asked Questions about the NIS-2 Directive
What concrete benefits do I have in my company?
How does NIS-2 apply to the supply chain?
Improving the security of supply chains is one of the objectives of the directive. In addition to internal organization, the cybersecurity of your suppliers also needs to be assessed. Your suppliers are important as well; they should adequately protect themselves from cyber threats to minimize or eliminate potential cascading effects on your organization.
Without effective protection across the entire supply chain, even the best security measures for individual companies are of limited value. Therefore, the NIS-2 directive has an even broader impact on the environment. This requirement is still underestimated by many companies, as it applies to organizations not classified within critical sectors as well.
Based on the specifications, you build your processes or optimize existing processes, for example in risk management, business continuity management, incident management, and general technical and organizational measures, as well as in reporting.
By doing so, you avoid penalties through simplified or even initially possible reporting obligations. You identify gaps and inefficiencies in the organization, resulting in cost savings.
Furthermore, you protect your company and minimize the likelihood of a future cyber attack. You reduce your cybersecurity risks when the pre-developed incident response plan, tailored specifically to your company, is available in case of emergency.
This allows for a swift and effective response to security incidents.
The value of a prepared recovery plan becomes immediately apparent in practice when it's well-planned and practiced!
We already have an ISMS according to ISO 27001 or TISAX®. Is this an advantage?
With the operational implementation of such an ISMS, you already have a solid foundation to fulfill the requirements, such as in risk management, incident management, and general technical and organizational measures, as well as reporting. It's even better if the ISMS is also certified by third-party examination or carries a TISAX® label. As part of a gap analysis, potential deviations, business continuity management, IT-specific implementations, and reporting should still be examined. The report can then be easily generated, and adjustments can be implemented, optimized, and documented as needed.
What is the most efficient approach?
Our recommendation for all companies is to implement a professional Information Security Management System (ISMS) based on the internationally recognized ISO/IEC 27000 series of standards. This provides the organization with a system to cover necessary policies, processes, and evidence requirements. Within the context of NIS-2, this standards series is recognized as a reference framework. Achieving certification according to ISO/IEC 27001 is the optimum approach. As an alternative, the comprehensive automotive standard TISAX® based on this norm can also be utilized for preparation (TISAX® is not explicitly mentioned in the directive). Additionally, utilizing a digital ISMS solution reduces the duration and effort required for implementing NIS-2 measures. This solution not only helps you to comply with cybersecurity and information security requirements but also assists in managing your operational measures and fulfilling reporting obligations. An ISO/IEC 27001 certificate is also a significant indicator of your commitment to information security for customers, suppliers, and the market.
The EU's NIS-2 Directive aims to elevate the cybersecurity level of network and information systems within the European Union. It mandates organizations in 18 sectors to take active measures for their own cybersecurity. The directive outlines a set of requirements, including reporting obligations for security incidents and guidelines for risk management. Hence, all companies operating within the EU should engage with the NIS-2 requirements, take proactive actions, and swiftly implement the NIS-2 guidelines – for their own interest. Opexa assists you in aligning your company swiftly and efficiently with NIS-2 compliance. Utilize our complimentary NIS-2 Readiness Checklist for NIS-2 facilities to assess your conformity!
