Cybersecurity is an important topic that is subject to legal regulation. The motivation for this thesis was to take a closer look at these regulations and establish a practical reference. The NIS 2 Directive (Network and Information Systems) came into force on 17 October 2024. In Austria, NIS 2 is to be implemented in the National Network and Information Security Act 2024 (NISG 2024). The directive is an instrument to strengthen and ensure cybersecurity within the European Union. It extends the scope of the NIS 1 Directive and presents companies with new challenges in implementing its requirements in accordance with the law. Around 4,000 companies and organisations will be affected by this new directive. Companies from the 18 sectors covered by the directive must adapt their security measures in line with the requirements and report security incidents. NIS 2 affects companies' risk management, internal control systems (ICS) and supply chain security. The directive is already in force, and companies must check whether they are affected by the new security requirements and reporting obligations. Failure to comply with the standards may result in penalties of up to EUR 10 million or 2% of total annual turnover for large companies, and of up to EUR 7 million or 1.4% of total annual turnover for medium-sized companies.

In a first step, this research paper draws on the selected literature to show the extent to which the NIS 2 Directive affects entrepreneurs, with a particular focus on internal control systems, risk management and supply chain security. After the theoretical part on these subject areas, the selected areas are discussed in more detail, the main aspects of each area are presented, and concrete questions and checklists are worked out on how entrepreneurs can prepare for this challenge. The methodology used was literature research and the snowball method.

The aim of the paper is not only to provide an overview of the NIS 2 Directive, but also to explain its interplay with risk management, supply chain security and the internal control system. It also aims to raise the affected companies' awareness of cybersecurity issues and of the risks and additional burdens that NIS 2 entails, while also highlighting opportunities for companies.
| Date of Award | 2025 |
|---|---|
| Original language | German (Austria) |
| Supervisor | Johanna Salzinger (Supervisor) |
- Controlling, Accounting and Financial Management
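Cybersecurity im Lichte NIS 2 – neue Herausforderung für Unternehmen – wie beeinflusst NIS 2 das Risikomanagement, das Interne Kontrollsystem und die Lieferkettensicherheit? [Cybersecurity in the light of NIS 2 – a new challenge for companies – how does NIS 2 influence risk management, the internal control system and supply chain security?]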
Nadlinger, F. (Author). 2025
Student thesis: Bachelor's Thesis