The NIS 2 Directive lifts cybersecurity requirements across the EU to a substantially higher level. It massively expands the set of covered organizations, places personal accountability on executive management, and demands concrete technical and organizational measures. This article explains what matters for affected organizations.
What Is the NIS 2 Directive?
The NIS 2 Directive (Network and Information Security Directive 2, EU 2022/2555) is the successor to the 2016 NIS Directive. It must be transposed into national law – in Germany via the planned NIS2 Implementation Act (NIS2UmsuCG). Its goal is a uniformly high level of security for network and information systems across the EU.
Who Is Affected?
NIS 2 distinguishes between essential and important entities and generally applies to organizations with at least 50 employees or at least €10M in annual turnover that operate in one of the listed sectors:
- Sectors of high criticality: Energy, transport, banking, financial market infrastructures, health, drinking and waste water, digital infrastructure (cloud, data centers, DNS, TLD), space, public administration.
- Other critical sectors: Postal and courier services, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), research.
Regardless of size, the directive also covers providers of critical services, qualified trust service providers, TLD name registries, DNS service providers, and parts of public administration.
Core Obligations
- Risk management measures: At a minimum, risk analysis, incident handling, business continuity, supply chain security, vulnerability management, cryptography, access control, multi-factor authentication, and training.
- Reporting obligations: Significant security incidents must be reported to the competent authority in stages: an early warning within 24 hours, an incident assessment within 72 hours, and a final report within one month.
- Responsibility of management bodies: Executive management must approve the measures, oversee their implementation – and is held personally accountable. Regular training is mandatory.
- Registration: Affected entities must register with the competent national authority (in Germany: BSI).
- Fines: Up to €10M or 2% of global annual turnover (essential entities) or €7M or 1.4% (important entities) – whichever is higher.
How to Prepare Your Organization
- Assess applicability: Determine whether and in which category your organization falls under NIS 2.
- Gap analysis: Compare your current security posture to NIS 2 requirements. An existing ISMS – particularly one aligned with ISO 27001 – already covers many requirements.
- Map supply chains: Document critical service providers and their security posture, update contractual requirements.
- Establish an incident response process: Define the 24/72-hour reporting chain, build technical detection capabilities (SOC, EDR).
- Train management bodies: Regular, documented training for executive leadership and managers.
- Registration and reporting channels: Designate responsible contacts, prepare communication with the competent authority.
Conclusion
NIS 2 is not a paper tiger: the set of covered organizations grows sharply, requirements become more precise, and personal management accountability is new – backed by meaningful fines. Organizations that already operate a mature ISMS have a clear head start. Everyone else should start now with a structured gap analysis and prioritize implementation – rather than waiting for national transposition.