Newsletter
Exclusive expert tips, customer stories and more.
Cybersecurity for CRITIS Operators and NIS 2 Facilities
If companies are so-called CRITIS operators or NIS 2 institutions, they are regulated by law with regard to cybersecurity,
- in the European Union (EU) through a mandatory directive to ensure a high level of network and information security (NIS 2 directive)
- in all European countries through national laws transposing the EU NIS2 Directive into national law
Tightening the rules
As a manufacturer of video surveillance solutions, we are responsible for the security of our products – especially in the use and context of critical infrastructures (KRITIS) and under the new European NIS 2 Directive. The Network and Information Security Directive 2 (NIS2) is an EU directive designed to strengthen cybersecurity in key sectors and industries. It expands the scope of the previous NIS1 Directive and introduces stricter requirements and sanctions. Affected operators and companies must better protect their network and information systems and report security incidents.
State-of-the-art technology required
All regulations on CRITIS cyber security are always about ensuring appropriate organizational and technical precautions to prevent disruptions to the
- availability
- integrity
- authenticity
- and confidentiality
of information technology systems, components or processes. These must correspond to the current state of the art in order to achieve a high level of security of network and information systems.
In Germany: NIS-2 implementation in force since December 6, 2025
In Germany, the NIS-2 Implementation Act came into force on December 6, 2025 (“Act Implementing the NIS-2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration”). As an omnibus bill, this German implementation act amends many individual laws, but above all the BSI Act, which is the most important law governing the tasks of the BSI and the security of information technology in institutions. Instead of the previous approximately 4,500 institutions (CRITIS operators, companies of particular interest (UBI), and other special cases), around 30,000 organizations will in future be placed under the regulatory supervision of the BSI (Federal Office for Information Security).
You can find more information on this topic, including our technical and organizational solutions and answers, in our blog article: NIS-2 Directive to enhance cybersecurity across the European Union
Dallmeier supports affected NIS-2 institutions in meeting their requirements under the European NIS-2 Directive with cyber-secure video security solutions.
The Dallmeier promise
Dallmeier products and solutions have the highest level of technical precautions and functions that enable customers and CRITIS operators to implement cybersecurity-compliant video security solutions.
Dallmeier stands for the highest level of security in terms of law and compliance, data protection and cybersecurity:
- Made in Europe, made in Germany
- GDPR-compliant
- Compliant with EU-wide cybersecurity regulations such as the EU NIS-2 Directive or national regulations such as the German BSIG
NIS2 individual requirements
Mirrored in Dallmeier ISO 27001 processes
| NIS2 requirement | NIS2 Directive (EU) | NIS2 Implementation Act / BSIG (Germany) | Dallmeier ISO 27001 | Dallmeier as upstream supplier/manufacturer |
|---|---|---|---|---|
| State of the art | Article 21 (1),EG 85 | § 30 | ISO 27001 = technology-neutral ISO as the basis for state-of-the-art IT security (TeleTrust guideline) + state-of-the-art video surveillance technology + note (*): Dallmeier complies | ✓ |
| Security by Design | Article 21 (2) e) | § 30 | A.5.20, A.5.24, A.5.36, 5.37, A.6.08, A.8.09, A.8.19, A.8.20, A.8.21 | ✓ |
| Supply chain security | Article 21 (2) d),Article 21 (3) | § 30 | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 | ✓ |
| Integration chain security | Article 21 (2) d) and e) | § 30 | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 | ✓ |
| Regular updates and patches | Article 21 (2) e) and g) | § 30 | A.5.35, A.5.36, A.5.07, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.6.08, A.8.16 | ✓ |
| Authentication and authorization | Article 21 (2) i) and j) | § 30 | A.5.12, A.5.13, A.5.14, A.5.15, A.5.16, A.5.17, A.5.18, A.8.01, A.8.02, A.8.03 | ✓ |
| Cryptography and data encryption | Article 21 (2) f) | § 30 | A.8.20, A.8.21, A.8.22, A.8.24 | ✓ |
| Reporting and vulnerability management | Article 21 (2) e) | § 30 | A.5.07, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.6.08, A8.07, A8.08, A8.15, A8.16 | ✓ |
| Data protection through IT security | Derivation from Article 20, Article 21 (1), Article 23 (4), EG 14 and 51 | § 30 | in particular: A.5.34 Privacy and protection of personal information (PII) | ✓ |
| Training and awareness measures | Article 20 (1) and (2), Article 21 (2) d) and g); EG 88 and 89 | § 30 | A.5.1, A. 5.2, A.5.3, A.6.3, A. 5.23, A.5.28 | ✓ |
Benefits for NIS2 customers
- Cyber resilience along the entire supply chain
- Proof of NIS2 compliance to regulatory authorities
- Avoidance of downtime costs through stable business continuity
- Avoiding fines for the institution
- Avoiding personal liability for management
(*)
There is no provision in ISO 27001 or in any law that states in a general and binding manner: “Anyone who complies with ISO 27001 automatically complies with the state of the art.”
Why not?
- ISO 27001 is an international management standard for information security management systems (ISMS).
- It defines processes and controls, but it is technology-neutral and does not specify which specific security measures are “state of the art.”
Where does the reference to ISO 27001 ↔ “state of the art” come from?
- Authorities such as the BSI or data protection supervisory authorities often say:
The introduction of an ISMS in accordance with ISO 27001 supports compliance with the state of the art because the standard systematically records security risks and selects appropriate measures. - In practice, ISO 27001 is often accepted as proof that an organization works in a state-of-the-art manner in terms of organization and processes.
- ISO 27001 alone = a good foundation, but does not automatically fulfill “state of the art.”
- Combination of ISO 27001 + current technical security standards = strong evidence.
Further Information
EU NIS 2 cybersecurity directive in force since November 2022:
- EU Parliament online: EU Parliament and Council approved NIS 2 draft in November 2022
- Official document: High common level of cyber security in the Union (P9_TA(2022)0383)
EU Critical Infrastructure Resilience Directive in force since November 2022:
Our CRITIS expertize and core competence video technology
In the following, we would like to provide you with three pieces of information on our own behalf and for your CRITIS video project:
Info 1 / Top Tip: CRITIS Practical Guide to Video Technology
- CRITIS video technology practical guide from Dallmeier provides an overview for security managers (right now in German language only)
- 80 pages of orientation for decision-makers on the subject of video technology.
- Request your personal copy here
Info 2 / Blog post “The EU Regulatory Framework for Critical Infrastructure and other Key Sectors”
- What the EU Directives NIS-2 and RCE/CER will bring
Info 3 / Blog post “Cornerstones for the CRITIS umbrella law”
- Physical security and its regulation in focus
Info 4 / Blog post “NIS-2 Directive to enhance cybersecurity across the European Union”
Whitepaper: NIS-2
[German Version]