NIS2 Implementation Act in practice: 3-core at the European Police Congress

At the European Police Congress, security leaders from authorities, law enforcement, and industry exchange perspectives on strategies that work in practice and meet the requirements of the NIS2 Implementation Act. The 3-core attended the event and demonstrated how business continuity management, crisis management, and security concepts can be implemented in a way that enables organizations to remain capable of acting during incidents. At the same time, the NIS2 Implementation Act is moving further into focus because it specifies requirements for IT security, risk management, and the handling of security incidents in more detail.

Key topics for implementing the NIS2 Implementation Act

Anyone implementing the NIS2 Implementation Act quickly arrives at four core questions: which risks are truly relevant, how the organization remains capable of acting during an incident, how critical processes are secured in emergency operations, and how effectiveness can be demonstrated properly.

  1. Risk management and prioritization so that measures do not get lost in firefighting and the biggest risks are addressed first.
  2. Processes and roles for incidents, situational awareness, decisions, and communication so that incident response and crisis organization work in an emergency.
  3. Business continuity management (BCM) for emergency operations and restart so that critical processes can continue reliably even during prolonged disruptions or can be restored quickly.
  4. Physical security and operational security concepts so that protective measures at sites, access points, and critical facilities are not only planned, but embedded organizationally and implemented effectively.

Verifiability through documentation, reviews, and tests and exercises so that measures are auditable and implementation of the NIS2 Implementation Act can be evidenced in a robust way.

NIS2 Implementation Act and BCM: Making emergency operations and restart reliable

The NIS2 Implementation Act increases the pressure to maintain critical services even during security incidents and to safeguard them in a traceable way. This is exactly where BCM comes in: it ensures that emergency operations and restart are not only planned, but actually feasible.

What matters for BCM in the context of the NIS2 Implementation Act:

  1. Prioritize critical processes and dependencies (what must continue, what can wait?)
  2. Define emergency operations (minimum service level, resources, alternatives)
  3. Structure the restart (sequence, responsible owners, decision points)

Implementation of the NIS2 Implementation Act

To ensure that protective measures work in everyday operations and take effect in an incident, you need clear protection objectives, risk assessment, and responsibilities. Measures are integrated into operations and processes to protect sites and workflows against unauthorized access, sabotage, and disruptions. This is the core of security concepts for operators of critical infrastructure.

Implementation of the KRITIS Umbrella Act

A structured approach is required so that critical processes can continue even during prolonged disruptions or be restored in a timely manner. Business continuity management (BCM) for operators of critical infrastructure includes, among other elements, business impact analyses, emergency operations and restart strategies, documented plans, and regular tests and exercises to verify effectiveness.

Next steps for the NIS2 Implementation Act

  1. Download the free 3-core guide to implementing the NIS2 Implementation Act and use it as a structure for the next workstreams.
  2. Assess applicability and scope using the guide’s checkpoints and define which organizational units, services, and processes need to be covered.
  3. Set up and prioritize risk management to translate the requirements of the NIS2 Implementation Act into a workable package of measures.
  4. Define responsibilities and processes, especially for incidents, situational awareness, decision making, communication, and evidence and documentation.
  5. Document measures and verify effectiveness, for example through reviews, tests, and exercises, so that implementation of the NIS2 Implementation Act can be reliably demonstrated.

The NIS2 Implementation Act transposes the EU NIS2 Directive into national law and is intended to strengthen IT security and resilience across Europe for critical infrastructure and essential entities. At its core, it is about managing cyber risks systematically, handling incidents in a structured way, and implementing requirements in a verifiable manner.

Depending on the applicable criteria, this includes operators of critical infrastructure as well as other essential entities, for example in sectors such as energy, health and hospitals, water supply, or transport. Whether a specific organization falls within scope depends on its sector, role, and further criteria.

The 3-core supports implementation of the NIS2 Implementation Act from applicability assessment through to practical delivery, for example through maturity and gap analyses, building and improving an ISMS, implementing appropriate security measures, and integrating these with BCM and crisis management.

To support implementation of the NIS2 Implementation Act, we provide free tools, such as a risk analysis Excel template and a locally deployable BCM software solution that is GDPR compliant. These tools help capture risks in a structured way, prioritize measures, and document evidence consistently.
