Successfully mastering the NIS2 Directive with QSEC

NIS2: Your path to digital resilience and compliance
The new NIS2 directive poses significant challenges for companies in the areas of cybersecurity and risk management. With QSEC, we support you in proactively meeting these requirements, acting in compliance with the law, and creating synergies.

What you need to know about NIS2

What is NIS2?

The Network and Information Security Directive 2 (NIS2) is a revised and expanded version of the original NIS Directive from 2016. Its goal is to strengthen the resilience of critical infrastructures in Europe, eliminate security deficits, and establish a uniform cybersecurity basis in the EU.

NIS2 defines stricter security requirements, strengthens reporting systems, optimizes crisis management, and also places greater responsibility on supply chains and management. The directive responds to the increasing threats posed by AI-supported attacks, geopolitical conflicts, and remote work.

Adopted in January 2023, NIS2 should have been transposed into national law by October 2024. However, due to political developments, the German implementation law is not expected until fall 2025 at the earliest. Companies should nevertheless begin implementation now, as no further transition period is planned after the directive comes into force.

Who is affected?

More than 50,000 companies in Germany must implement NIS2. This affects all organizations with:
- More than 50 employees or
- Over €10 million in annual revenue

The decisive factor is the business activity: anyone who provides or supports critical services or products falls under the directive. The assessment is the responsibility of the company itself.

Newly affected sectors include:

Drinking water & wastewater
ICT service providers (B2B)
Public administration
Space
Postal & courier services
Digital services & research

Manufacturing

Why is NIS2 important for your business?

Legal obligation & avoidance of penalties: Implementation is mandatory. A late start carries considerable risks—especially if there is no extension of the deadline. QSEC provides the foundation for your preparation.
Response to increasing threats: Protect your company from downtime caused by cyberattacks—with a robust, NIS2-compliant infrastructure.
Facilitating implementation & compliance: We accompany you on your path to compliance and support you every step of the way.
Competitive advantage & increased trust: Show partners and customers that security is a priority for you – and strengthen your market position.
Future-proof & scalable: QSEC is not only designed for NIS2 – but also for future regulatory requirements.

The four core areas of nIS2

Holistic risk management & technical protective measures

Companies must identify and assess risks early on and minimize them through appropriate technical measures such as access controls, MFA, and attack detection. This reduces security incidents and ensures operational capability.

✔ Early risk identification and assessment

✔ Integration of technical protective measures (e.g., cryptography, MFA, SIEM)

✔ Establishment of robust BCM and emergency processes

Strengthening cybersecurity in the supply chain

Service providers and external partners must be actively involved in the security strategy. In addition, incidents must be reported and documented within clear time limits – from early warning to final notification.

✔ Mandatory supplier risk management

✔ Early warning notification within 24 hours

✔ Complete final report within 1 month

Embedding cybersecurity at management level

Responsibility for cybersecurity lies with the board of directors, supported by mandatory training and a clear division of responsibilities. Security awareness must be embedded throughout the company.

✔ Liability and responsibility of management

✔ Obligation to provide evidence of training and awareness programs

✔ Cybersecurity as part of corporate strategy

Harmonization and cooperation in the EU

NIS2 promotes uniform standards, mutual reviews, and cooperation between member states. Peer reviews strengthen Europe-wide resilience to cyberattacks.

✔ Uniform requirements for all member states

✔ Coordinated crisis communication via EU-CyCLONe

✔ Peer reviews and exchange of best practices

Our webinar on NIS2

Language: german

Are you ready for your NIS2 implementation?

We accompany you on the path to compliance—with expertise, best practices, and the right software solution.

How QSEC meets the requirements of NIS2

QSEC provides the necessary infrastructure for implementing NIS2 in a single platform:

Risk & Emergency Management

Emergency management (BCM / BIA / crises) IT risks Security incidents Service provider risks / supply chain Consideration of international standards

Technical protective measures

Multi-factor authentication Cryptography Access mechanisms/controls Attack detection (SIEM, etc.)

Monitoring & reporting requirements

Reporting requirements: - Early warning means initial report - Report includes an assessment of severity, impact, etc. Within one month of the initial report, a final report is required, containing a comprehensive assessment and details of the incident. The supervisory authority (BSI) has far-reaching new powers of inspection: On-site inspections, including random checks in significant cases Requests for documentation on relevant measures/systems Security scans.

Management responsibility

The responsibility of the management body is consistent with other laws (Section 43 GmbHG; Section 76 Akt; Section 91 AktG; Section 93 AktG; Section 1 (1) StaRUG). NIS2 thus confirms the change that has taken place in recent years. Management is responsible and, in case of doubt, may even be held personally liable. This is particularly relevant in the context of other laws.

QSEC implementation concept

4-step model

1. Current situation analysis

How are NIS2 topics already being implemented? Are there existing processes in the compliance, ISMS, or BCM team? Existing structures can often be reused—provided they meet the requirements.

2. synergy detection

Are relevant teams already working together, or are they operating in isolation? The aim is to identify silos and avoid duplication of work. A shared database creates efficiency.

3. harmonization

Many organizations use different systems, data sources, and tools, often without coordination. Internal harmonization is also recommended—for transparency, quality, and resource conservation.

4. Administration of

Ultimately, there is an obligation to provide evidence. Centralized control with QSEC allows processes, reports, and measures to be documented in a traceable manner. This reduces the likelihood of errors and saves valuable resources.

QSEC implementation.

1. actual analysis

Recording existing security measures and system landscape.

2. synergy detection

Identification of redundant tools, processes, and data sources.

3. harmonization

Consolidation into a central control system (QSEC).

4. Administration of

Monitoring, reporting, and continuous improvement.

Get to know QSEC better!

We will guide you through the software in approximately 60 minutes, with no obligation, and identify the potential benefits for your company.

This is how your personal QSEC web demo works:

15-minute preliminary discussion
First, arrange a short preparatory meeting to discuss your requirements and general conditions. This will enable us to tailor our services to your specific needs.
Approximately 60-minute demo
Afterwards, we will arrange a detailed demo with you.
During this time, you will receive:
- Insight into all product features
- Tailored to your priorities
- Individual consulting for you and your team

What our customers say

In summary, we are very satisfied with the performance of QSEC and will continue to develop and use the software intensively in the future. The manufacturer of the software, Nexis GRC, is a reliable partner for us, always providing us with the best possible support thanks to its decades of experience in implementing global GRC and ISMS projects.
Dr. Paul-Martin Steffen, Head of Data Protection and Information Security, DSW 21 Dortmunder Stadtwerke AG
In the end, QSEC was convincing in the cost-benefit analysis and in terms of scalability as a single-source tool. QSEC supports the dissemination of a uniform understanding of processes. The system acts as a central platform in which all business processes are recorded.
Marcel Reifenberger, Chief Information Security Officer & CSO, CANCOM SE
In Nexis GRC, we have found a partner that speaks our "language" and responds openly to our requirements and ideas. The partnership with Nexis GRC has convinced me throughout the entire duration of the collaboration.
Thomas Prigge, Information Security Officer, HanseMerkur Krankenversicherung AG
Auditing our infrastructure has become much easier and more efficient with the support of QSEC. Based on the auditors' positive assessment of the system's performance, we will continue to expand QSEC in line with our requirements.
Hardy Krüger, Data Protection Officer, Information Security Officer and Head of Document Management, Harzklinikum Dorothea Christiane Erxleben GmbH
The methods and processes already integrated in the standard QSEC have significantly supported us in the professional development and operation of our information security management system. The maturity assessment and development enable us to continuously operate, monitor and further develop our Techem ISMS with QSEC in a resource-saving manner.
Sebastian Fingerloos, Head of Information Security, Techem GmbH

QSEC at a glance – your management software for NIS2

How QSEC covers the requirements of NIS2

QSEC supports organizations in systematically and sustainably meeting the complex requirements of the NIS2 directive. As an integrated ISMS and GRC platform, QSEC combines all relevant functions in one central system—from risk management and incident handling to reporting processes and awareness.

QSEC specifically covers the NIS2 requirements:

Risk management & BCM: Identification, assessment, and control of risks as well as emergency planning in accordance with BIA & BCM standards.
Technical measures: Mapping of access controls, cryptography, SIEM integration, and MFA requirements.
Supply chain management: Risk assessment of service providers and their security measures.
Reporting processes: Automated workflows for early warning, interim and final reports.
Documentation & evidence management: Audit-proof logging of all measures, reports & audit trails.

This makes QSEC the central control unit for your NIS2 compliance and helps to minimize liability risks for management.

Selected success stories

DSW21 on the successful introduction of an Information Security Management System (ISMS) with QSEC

Cancom on the global introduction of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001 with QSEC

Techem on the challenges and experiences in information security and risk management with QSEC

Dorothea Christiane Erxleben Hospital on software-supported security management in accordance with B3S Health, ISO 27001, and GDPR with QSEC

HanseMerkur on the development of a comprehensive management system taking into account insurance law aspects in accordance with VAIT

Upcoming webinars

Grundschutz++ in 20 minutes: the BSI's next step
Date: October 29, 2025 | 4:00 p.m.

In this compact live session, Jonas Link will take you on a clear and practical introduction to the new Grundschutz++. He will show you how the requirements have fundamentally changed, what advantages the new must/should/can structure brings and why Grundschutz++ will replace the previous IT Grundschutz.

What to expect:

The most important differences to the previous IT baseline protection
The new focus on target objects instead of classic building blocks
Clear reduction and structuring of requirements
Outlook: Transition periods, next steps and practical experience