NIS-2 Directive at a glance

With the NIS-2 Directive (EU) 2022/2555, mandatory security measures and reporting requirements apply from October 2024 to many companies and organizations in 18 sectors, including many that were not previously affected.

Must be transposed into national law by October 18, 2024

Applies to the following companies

Public or private entities in 18 relevant sectors that provide services or carry out activities in the EU and that have at least 50 employees or an annual turnover and annual balance sheet total of at least EUR 10 million.

NIS-2 is a revised version of the NIS-1 Directive and imposes stricter cybersecurity standards on affected companies.
Companies are required to classify themselves and register with the competent national authority. Affected companies must implement an information security management system (ISMS) in order to meet the legal requirements.

The NIS-2 Directive is a further development of the first EU Directive on network and information security. Starting in October 2024, it introduces mandatory security measures and reporting obligations for companies and organizations in 18 critical sectors. This also affects many entities that were not previously covered. The directive replaces the 2016 NIS Directive and aims to achieve an improved, unified level of cybersecurity across the EU. Compared to the previous NIS Directive, NIS-2 significantly expands the group of affected companies, their obligations, and regulatory oversight. Significant fines may be imposed in cases of non-compliance.

NIS-2 establishes strict security requirements as well as reporting obligations for companies in 18 critical sectors. The goal is to strengthen resilience and defense capabilities against cyberattacks and to improve cooperation between member states. The directive also includes sanctions for non-compliance and reinforces the role of national authorities in its implementation.

  • The EU-wide NIS-2 Directive (EU) 2022/2555 has been in force at the EU level since 2023.
  • It is a directive that does not apply directly but must first be transposed into national law.
  • Transposition into national law must be completed by October 18, 2024.
  • The NIS-2 Directive sets a minimum standard, giving EU member states the option to adopt stricter regulations.
  • In Germany, a draft bill for the NIS-2 Implementation Act is currently available.

In Germany, it is estimated that between 29,000 and 40,000 companies are affected by NIS-2.

The NIS-2 Directive applies to public or private entities in 18 sectors that qualify as medium-sized or larger companies and provide their services or carry out their activities within the Union.

These are companies with at least 50 employees or at least EUR 10 million in annual turnover and annual balance sheet total.

The NIS-2 Directive affects organizations in 18 sectors listed in Annex I and II. For each sector, it is precisely defined which type of organization is affected. It is therefore crucial to determine whether your organization falls into one of the specified categories. A more detailed definition of these organizations can be found in Annex I and Annex II.

Overview of the 18 sectors affected

We are happy to help you find out whether you are affected by the NIS-2 Directive.

What must affected companies and organizations do?

Companies and organizations affected by the NIS-2 Directive must take a range of measures to enhance cybersecurity and ensure compliance with the regulations. These are described in detail in Chapter 4 of the EU Directive.

Risk management measures in the field of cybersecurity (Article 21)

Appropriate security measures must be taken to manage risks to network and information systems. These measures must be proportionate to the current risk and take into account various factors such as risk exposure, the size of the organization, and the likelihood of security incidents. The necessary measures should follow a holistic approach and include the following aspects:

  • Concepts relating to risk analysis and security for information systems
  • Handling of security incidents
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Security of the supply chain, including security-related aspects of relationships between individual entities and their direct suppliers or service providers
  • Security measures for procurement, development, and maintenance of network and information systems, including management and disclosure of vulnerabilities
  • Concepts and procedures for assessing the effectiveness of cybersecurity risk management measures
  • Basic practices in the field of cyber hygiene and cybersecurity training
  • Concepts and procedures for the use of cryptography and, where appropriate, encryption
  • Security of personnel, concepts for access control, and management of assets
  • Use of solutions for multi-factor authentication or continuous authentication, secure voice, video, and text communications, and, where appropriate, secure emergency communication systems within the entity

Mandatory reporting of security incidents (Art. 23)

The obligation to report security incidents is an essential part of risk management in companies and organizations. The NIS-2 Directive stipulates that significant security incidents must be reported to the national authority and, where applicable, to the recipients of the company's own services within defined time limits. Responsibility for these measures lies with the management (Art. 20). Failure to comply with the NIS-2 requirements, including the risk management measures (Art. 21) or the obligation to report security incidents (Art. 23), can have serious consequences: companies may face severe penalties, including fines scaled to the severity of the violation. Reporting takes place in three phases:

1. Early warning
  • Within 24 hours of becoming aware of suspected illegal or malicious activities
  • Clarification of whether the incident is cross-border in nature

2. Detailed report
  • Within 72 hours of becoming aware
  • Initial assessment of the security incident, including severity, impact, and, where applicable, indicators of compromise

3. Progress/final report
  • One month after reporting
  • Detailed description of the incident
  • Information on the nature of the threat, its causes, and the remedial measures taken
  • Consideration of any cross-border implications

Do you have any questions or would you like more information?
Denis Seefeldt and Michael Rode are available as contact persons.