NIS2 Guidelines: How to Ensure a Successful Implementation!

NIS2 makes cybersecurity a question of proof. For Swiss providers with a presence in the EU, it is no longer enough to know security standards internally or to implement them selectively - they must also be able to provide EU customers, partners and competent authorities with reliable evidence. This raises the key question for these companies: Where is there a concrete need for action?

NIS2: Why Swiss companies need to act now

The NIS2 Directive has been in force in Germany since December 6, 2025. Swiss companies with activities in the EU are also directly affected.

The focus is particularly on the following areas

• Offering services such as cloud services, IT outsourcing, SaaS solutions and managed services.

• Distribution of products such as IoT devices, medical technology, industrial automation or components for critical infrastructures

• Active as a supplier or subcontractor for EU companies, especially in critical sectors (KRITIS)

• Operating subsidiaries or branches in EU member states.

Possible consequences of non-compliance:

• Fines of up to 10 million euros or 2% of annual global turnover

• Exclusion from EU-wide tenders and public contracts

• Loss of major customers and contractual partners due to lack ofproof of compliance

• Reputational damage due to publicly known safety deficiencies

"By demonstrably implementing the NIS2 requirements, Swiss companies demonstrate higher security standards and differentiate themselves with EU customers."

Current implementation status in Germany and Austria

• Germany (entry into force: 06.12.2025): No transition phase; the obligation to register expired on March 6, 2026. We have summarized what this means in a separate blog article.

• Austria (entry into force: 01.10.2026): 9 months preparation time; registration until 31.12.2026 according to NISG.

Affectedness check: Am I affected as a Swiss provider?

The following overview helps to classify typical impact scenarios and the respective need for action:

The four central NIS2 obligations for Swiss companies

NIS2 does not require individual measures, but a robust combination of governance, processes, technology and evidence.

The following four areas are relevant:

• Risk management and cyber security:

  ▪️Anforderung: Implementation of a systematic risk analysis in accordance with recognized standards (e.g. BSI 200-3 or ISO 27001).

  ▪️Handlungsbedarf: Correct deviations from NIS2 requirements and ensure continuous compliance.

  ▪️Empfehlung: ISO 27001 certification fulfills the requirements of both frameworks and offers international recognition.

• Reporting obligations for cyber incidents (24-hour deadline):

  ▪️NIS2 (EU): Initial notification within 24 hours to the competent authority.

  ▪️Handlungsbedarf: Adaptation of internal processes to comply with the 24-hour deadline for EU activities.

• Security in the supply chain:

  ▪️Anforderung: Proof of compliance with security standards by all suppliers and subcontractors.

  ▪️Vertragsgestaltung: Integration of compliance requirements into contracts.

  ▪️Tools: Use of dependency track to monitor vulnerabilities in the supply chain.

• Business continuity:

  ▪️Anforderung: Business operations can be maintained in the event of an incident (with a short interruption).

  ▪️Handlungsbedarf: Create and test plans for continued operations in the event of a crisis.

3 steps to NIS2 compliance

NIS2 compliance starts with clarity about your own status quo. Systematically identifying gaps, preparing reporting channels and checking the supply chain creates the basis for verifiable implementation.

Implementation takes place in 3 steps:

1. Carrying out a NIS2 gap analysis

   ▪️Identifikation the gaps to the requirements of the NIS2 directive.

2. Adaptation of the reporting processes
   

   ▪️Etablierung a 24-hour reporting process for incidents in the EU.

   ▪️Klare Definition of the responsible authorities (e.g. BSI for Germany, sector-specific or national CSIRT in Austria).

   ▪️ Training of employees for fast and correct reporting.
   

3. Checking the supply chain

   ▪️Bewertung of all suppliers for NIS2 compliance.

   ▪️Anpassung of contracts for compliance with security standards.

   ▪️Erstellung of emergency plans for critical suppliers.

NIS2 as a competitive advantage: Proving is more important than claiming

Those who dovetail the NIS2 requirements with existing measures in a structured manner strengthen compliance and their own position in the EU market.

• Cybersecurity as a unique selling point: Use certifications such as ISO 27001 as a sales argument.

• Acquiring new customers: Use NIS2 compliance as an access criterion for EU tenders and major customers.

• Premium pricing models: Proven security can justify 10 to 20% higher prices for products and services.

Make your NIS2 implementation resilient. Check the impact, gaps and need for implementation at an early stage - and create the basis for comprehensible NIS2 compliance with EU customers.

Personal invitation to the webinar: Make NIS2 tangible!

Interested in how you can implement NIS2 and CRA in practice? On June 11, 2026, Michael Fossati, Principal Cyber Security Consultant, and Patricia Hofmann, Cyber Security Consultant, will translate NIS2 and CRA into concrete fields of action.

• When: June 11 | 10:00 - 10:45 a.m.
• Where: virtual

What are the typical stumbling blocks and which measures should be prioritized now? Find out in the webinar and get ready for the next step: From regulatory pressure to orientation. Register now. We look forward to seeing you!

Caption: Image generated with AI