EU NIS-2 Directive

Strengthening cybersecurity at the EU level


The NIS-2 Directive[1] sets out measures to ensure a high common level of cybersecurity across the European Union. In Germany, affected organizations have been required since December 6, 2025, to implement these enhanced security standards, systematically manage risks, and promptly report security incidents to the authorities.

Eplan supports this objective and aligns its cybersecurity measures with the requirements of NIS‑2. By applying established standards, modern security architectures, and a continuously evolving information security management system, Eplan ensures a high level of protection for both the company itself and its products. Eplan stands for reliability, transparency, and a high level of security, which is continuously validated through comprehensive certifications such as ISO/IEC 27001.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 on measures for a high common level of cybersecurity across the Union

Based on the requirements of NIS‑2, Eplan follows a risk‑based security approach that addresses not only organizational aspects but also the entire lifecycle of its products. This approach combines strategic foresight, technical depth, and organizational resilience and includes, in particular, the following measures:

Risk management

Eplan operates a structured risk management process based on established standards. Regular analyses are conducted to assess technological, organizational, and process‑related risks. These assessments result in clearly defined mitigation measures that are continuously reviewed and updated.

Security incident handling

Eplan has standardized processes in place for the detection, assessment, and handling of security incidents. An incident response team ensures that incidents are promptly analyzed, contained, and remediated, including transparent communication and the documentation of lessons learned.

Business continuity, backup and recovery, and crisis management

Eplan relies on robust business continuity and disaster recovery concepts. Automated backup procedures and regular recovery tests ensure the availability of business‑critical systems. A structured and regularly trained crisis management framework ensures the ability to continue business operations even in challenging situations.

Supply chain security

Suppliers and service providers are carefully selected and regularly reviewed using a standardized process and defined security criteria. This ensures that external partners also meet high security requirements.

Secure development and vulnerability management

Eplan develops its software products in accordance with a Secure Software Development Lifecycle (SSDLC). Core principles such as security by design and security by default are consistently applied. Security requirements are taken into account from the development phase onward. Structured testing procedures, including regular penetration tests, together with comprehensive vulnerability management, ensure that vulnerabilities are identified, prioritized, and remediated in a timely manner.

Evaluation of the effectiveness of security measures

Eplan reviews the effectiveness of its security measures through internal audits, key performance indicators (KPIs), and regular management reviews. The results directly feed into the continuous improvement of the company’s security strategy.

Training and awareness

All Eplan employees receive continuous training on information security risks. This includes awareness campaigns, mandatory baseline training, and role‑specific training for positions with elevated security relevance.

Use of cryptographic methods

To ensure confidentiality for internal data and within its products, Eplan consistently applies cryptographic methods for both data at rest and data in transit (AES‑256 and TLS 1.2).

Personnel security

Throughout the entire employment lifecycle (onboarding, employment, and termination), Eplan has implemented a comprehensive personnel security concept in accordance with recognized standards (e.g., ISO/IEC 27001). Eplan follows a strict authorization and access control model based on the need‑to‑know and least‑privilege principles. Identity and access management processes ensure that only authorized individuals have access to systems and data.

Multi-factor authentication and secure communication

Eplan uses multi‑factor authentication for both internal and external access. In mobile work environments, employees use strongly encrypted VPN connections. Secure communication channels are available for emergencies.

Eplan – cybersecurity at the highest level

Eplan aligns its measures to strengthen cyber resilience with the requirements of the NIS‑2 Directive. Information security has always been a top priority at Eplan and forms the foundation for protecting its customers, partners, and employees.