NIS2 (NIS-2-Richtlinie)
EU Directive (2022/2555) on strengthening cybersecurity. In Germany, this applies to approximately 30,000 companies across 18 sectors with 50 or more employees or annual revenue of at least €10 million. Fines of up to €10 million.
The NIS 2 Directive (Network and Information Security Directive 2, EU 2022/2555) is the second generation of EU legislation on network and information security. It was published in the Official Journal of the European Union on January 16, 2023, and had to be transposed into national law by October 2024. In Germany, this was done through the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsG). Compared to its predecessor, the NIS-1 Directive (2016), NIS-2 expands the scope from approximately 4,500 to about 29,500 affected companies in Germany—a sixfold increase.
What is NIS-2?
NIS-2 pursues three central objectives:
- Uniform cybersecurity level across the EU through binding minimum standards
- Harmonization of requirements among member states to ensure a level playing field
- Improved cooperation in the event of cross-border security incidents
Who is affected by NIS-2?
NIS-2 distinguishes between essential entities (Annex I, 9 sectors with high criticality) and important entities (Annex II, 9 additional sectors). Companies with 50 or more employees or an annual turnover of at least EUR 10 million in the following 18 sectors are affected:
| Essential entities (Annex I) | Important entities (Annex II) |
|---|---|
| Energy (electricity, gas, oil, district heating) | Postal and courier services |
| Transportation (air, rail, water, road) | Waste management |
| Banking and financial market infrastructures | Chemical industry |
| Healthcare | Food production and distribution |
| Drinking water and wastewater supply | Manufacturing (medical devices, automotive, mechanical engineering) |
| Digital infrastructure (DNS, cloud, data centers) | Digital services (marketplaces, search engines) |
| ICT service management (B2B) | Research |
| Public administration | - |
| Space | - |
Exception: Certain services (DNS, TLD registries, trust services) fall under NIS-2 regardless of company size.
The 10 Minimum Measures under Article 21
Article 21 of the NIS 2 Directive defines ten mandatory risk management measures:
- Risk analysis and security policies - systematic risk management
- Incident handling - incident response processes
- Business continuity and crisis management - backup, disaster recovery
- Supply chain security - assessment of service providers and partners
- Security in procurement, development, and maintenance - secure development
- Effectiveness assessment - regular testing of the effectiveness of measures
- Cyber hygiene and training - awareness training for all employees
- Cryptography - encryption strategy
- Personnel security and access controls - least privilege, asset management
- Multi-factor authentication (MFA) - for critical systems and access
Reporting Requirements
NIS-2 introduces a three-tier reporting system for significant security incidents. Reports are submitted to the BSI (Federal Office for Information Security):
- 24 hours: early warning – suspected nature of the incident, potential cross-border impact
- 72 hours: full report – assessment of the incident, indicators of compromise (IoCs), countermeasures
- 1 month: final report – root cause analysis, corrective measures implemented
Critical entities must also inform recipients of their services who are affected by a significant incident.
Fines and Personal Liability
| Entity type | Maximum fine |
|---|---|
| Essential entities | EUR 10 million or 2% of global annual turnover |
| Important entities | EUR 7 million or 1.4% of global annual turnover |
Of particular significance is the personal liability of management: The BSI can issue orders to critical entities and, in extreme cases, temporarily remove executives from their management roles. Management is personally liable for damages resulting from compliance violations.
NIS 2 and ISO 27001
An ISO 27001-certified ISMS meets most of the technical and organizational NIS 2 requirements and is accepted by the authorities as proof of compliance. The combination of ISO 27001 certification and NIS 2-specific additions (BSI registration, reporting processes, MFA concept) is the most efficient path to sustainable NIS 2 compliance.