
NIS2 Directive: Everything Organizations Need to Know

The NIS2 Directive (EU 2022/2555) is the most comprehensive cybersecurity law the EU has enacted to date. Well over a hundred thousand organizations across Europe are in scope, and many do not yet know it. This guide explains the obligations, the liability exposure of management, and the path to compliance.

Last updated: 14 Mar 2026 · Reviewed by certified experts · Legally referenced

Entities affected across the EU: 160,000+
Transposition deadline: 17 October 2024
Maximum fine (essential entities): EUR 10M or 2% of global annual turnover, whichever is higher
Early warning deadline for significant incidents: 24h

Fundamentals

What is the NIS2 Directive?

The NIS2 Directive (EU 2022/2555) is the revised Network and Information Security Directive of the EU. It replaces the original NIS1 Directive from 2016 and entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024.

As a directive (unlike DORA, which is a regulation), NIS2 requires national implementing legislation in each member state. The core obligations are harmonized across the EU, but procedural specifics - such as the competent authority, registration process, and exact sanctions - vary by country.

The goal: a uniformly high level of cybersecurity across the entire EU, through minimum requirements for risk management, incident reporting and governance. For the first time, management bodies are explicitly required to approve and oversee these measures and can be held liable for infringements (Art. 20).

NIS2 at a Glance

EU Directive: (EU) 2022/2555 of 14 December 2022
In force: 16 January 2023
Transposition deadline: 17 October 2024
Supervisory authority (DE): BSI (Federal Office for Information Security)
Max. fine: EUR 10M or 2% of global annual turnover, whichever is higher (essential entities)

Enforcement is ramping up

National competent authorities are increasing supervisory activity. In-scope entities must be able to demonstrate registration and minimum measures.

Applicability

Who is affected by NIS2?

NIS2 distinguishes two entity types, essential and important, with different supervisory regimes and fine levels. Classification follows from sector, company size and societal function (Art. 2 and Art. 3 NIS2), not from self-assessment.

Size threshold

50+ employees

or more than EUR 10M annual turnover or balance sheet total (medium-sized enterprise per Recommendation 2003/361/EC). Size also decides the entity type: large enterprises (250+ employees, or more than EUR 50M turnover and more than EUR 43M balance sheet total) in an Annex I sector are essential entities; medium-sized Annex I entities and Annex II entities are important entities.

Sector membership

18 sectors

listed in Annex I (sectors of high criticality) and Annex II (other critical sectors) of the NIS2 Directive

Regardless of size

Always in scope

Qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic communications networks or services, public administration entities of central government, and entities identified as critical under the CER Directive (EU) 2022/2557 (Art. 2(2) and 2(3) NIS2)

Essential entities - Annex I sectors, large enterprises (Art. 3(1))

Proactive (ex ante) supervision by the competent authority · Fine up to EUR 10M or 2% of global annual turnover, whichever is higher

  • Energy: electricity, gas, district heating and cooling, oil, hydrogen
  • Transport: aviation, rail, maritime, road
  • Banking: credit institutions
  • Financial market infrastructure: trading venues, central counterparties
  • Health: healthcare providers, laboratories, pharmaceutical and critical medical device manufacturers
  • Drinking water: water supply and treatment
  • Wastewater: wastewater collection, treatment and disposal
  • Digital infrastructure: IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust service providers, public electronic communications
  • ICT service management (B2B): managed service providers, managed security service providers
  • Public administration: central and regional government bodies
  • Space: operators of ground-based infrastructure
Important entities - Annex II sectors, plus medium-sized Annex I entities (Art. 3(2))

Reactive (ex post) supervision · Fine up to EUR 7M or 1.4% of global annual turnover, whichever is higher

  • Postal and courier services: letter and parcel delivery
  • Waste management: disposal and recycling
  • Chemicals: manufacture, production and distribution of chemical substances
  • Food: production, processing, wholesale distribution
  • Manufacturing: medical devices, electronics, machinery, vehicles
  • Digital providers: online marketplaces, search engines, social networking platforms
  • Research: research organisations

Supply chain - indirect applicability

NIS2 does not directly oblige suppliers. It does oblige in-scope entities to manage the security risks of their direct suppliers and service providers (Art. 21(2)(d) NIS2), and those entities typically pass the requirements on contractually. The result is de facto compliance pressure on suppliers and IT service providers that are themselves out of scope.

Are you affected by NIS2?

Our free NIS2 scope checker assesses in 3 steps whether your organization falls under the NIS2 Directive - including a compliance score and recommendations.

Check now

Art. 21 NIS2 Directive

The 10 Mandatory NIS2 Measures

Art. 21(1) of the NIS2 Directive requires in-scope entities to take appropriate and proportionate technical, operational and organizational measures, following an all-hazards approach. Art. 21(2) lists ten measures that every entity must cover "at least"; they are a baseline, not an exhaustive catalogue.

01

Policies on risk analysis and information system security (Art. 21(2)(a))

Systematic identification, assessment and treatment of information security risks, documented in a risk management system. An ISMS per ISO/IEC 27001 is the usual vehicle, although the directive does not require certification.

02

Incident handling (Art. 21(2)(b))

An established incident response process covering detection, analysis, containment, eradication, recovery and post-incident review, aligned with the Art. 23 reporting deadlines. The plan should be documented and exercised regularly.

03

Business continuity (Art. 21(2)(c))

Backup management, disaster recovery and crisis management: recovery objectives for critical services, tested restore procedures, and a crisis organisation that can operate while core IT is unavailable.

04

Supply chain security (Art. 21(2)(d))

Assessment of the security-relevant aspects of the relationship with each direct supplier and service provider, including their vulnerability handling practices and product quality. In practice: a supplier register with risk ratings, contractual security requirements, and a channel through which suppliers report incidents.

05

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure (Art. 21(2)(e))

Security requirements across the full lifecycle: procurement, secure software development (SSDLC), secure configuration, patch and vulnerability management, penetration testing, and decommissioning, plus a coordinated vulnerability disclosure process.

06

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures (Art. 21(2)(f))

Regular review and measurement of whether the measures actually work: internal audits, external assessments, and metrics-based security monitoring.

07

Basic cyber hygiene practices and cybersecurity training (Art. 21(2)(g))

Baseline controls (patching, password and MFA policy, email security, network segmentation, least-privilege defaults) and regular security training for all staff, including the members of the management body (Art. 20(2)).

08

Policies and procedures regarding the use of cryptography and, where appropriate, encryption (Art. 21(2)(h))

Appropriate cryptographic methods for data in transit and at rest, with algorithm choices and key management tied to current ENISA guidance and national authority recommendations (in Germany, BSI TR-02102).

09

Human resources security, access control policies and asset management (Art. 21(2)(i))

Identity and access management on the least-privilege principle, privileged access management, joiner/mover/leaver processes, and an asset inventory that the risk analysis and vulnerability management can build on.

10

Multi-factor or continuous authentication and secured communications (Art. 21(2)(j))

Use of MFA or continuous authentication solutions where appropriate, secured voice, video and text communications, and secured emergency communication systems within the entity.

Note: The ten measures apply to all in-scope entities. For essential entities, competent authorities may additionally recognize sector-specific security standards that cover sector-specific requirements - comparable to the KRITIS B3S concept in Germany. Always verify requirements with your national competent authority.

Practice

Implementation Roadmap: From scope assessment to NIS2 compliance

Full NIS2 implementation takes 4 to 12 months depending on the starting point. This phased plan is based on our project experience across more than 50 NIS2 consulting engagements.

  1. Phase 1 - Weeks 1-2

    Applicability assessment & entity classification

    Documented determination of NIS2 applicability: which sector, which entity type (essential/important)? Gathering the relevant metrics (employees, turnover, balance sheet total, activities). Registration with the national competent authority. Output: written classification with reasoning.

  2. Phase 2 - Weeks 3-6

    Gap analysis against Art. 21 NIS2

    Structured as-is vs. target assessment of all ten mandatory measures. Evaluation of existing security measures, documentation, processes and organizational structures. Prioritization of gaps by risk and effort. Output: measure matrix with recommendations and prioritization.

  3. Phase 3 - Months 2-8

    Implementation & documentation

    Prioritized implementation of the identified measures: ISMS setup or adaptation, creation of missing policies and processes, technical measures (MFA, patch management, monitoring), supplier assessments, and training of staff and management.

  4. Phase 4 - Months 9-12

    Internal audit & readiness check

    Independent review of all implemented measures against the NIS2 requirements. Simulated regulatory audit, identification of remaining gaps, remediation. Output: verifiable compliance documentation for regulatory supervision and internal governance.

Personal Liability

Management Liability under NIS2

NIS2 is the first EU cybersecurity law to address management bodies directly. Art. 20(1) requires the management bodies of essential and important entities to approve the cybersecurity risk management measures taken under Art. 21 and to oversee their implementation, and provides that they can be held liable for infringements of Art. 21 in the form national law lays down. Art. 20(2) adds a training obligation: members of the management body must follow cybersecurity training, and the entity should offer comparable training to its employees on a regular basis.

The obligations therefore include: approving and monitoring the risk management measures, personally participating in cybersecurity risk training, and answering to the supervisory authority. Approving and overseeing the measures is a duty of the management body itself; day-to-day implementation can be delegated to a CISO or service provider, the responsibility cannot.

This represents a fundamental shift: cybersecurity is no longer an IT department matter but a board-level governance responsibility enforceable by regulators across all EU member states.

Sanctions against management

  • Temporary prohibition of persons at CEO or legal-representative level from exercising managerial functions in an essential entity, where earlier enforcement measures have proved ineffective (Art. 32(5)(b) NIS2)
  • Personal liability for infringements of Art. 21 under the applicable national law (Art. 20(1)); the administrative fines of Art. 34 themselves are imposed on the entity
  • Order to make aspects of the infringement public (Art. 32(4)(h) NIS2 for essential entities; Art. 33(4) gives a comparable power for important entities)
  • Civil liability towards the company under national corporate law may also arise

What executives should do now

  • Commission and document an applicability assessment
  • Complete documented NIS2 cybersecurity training
  • Formally approve risk management measures (board resolution)
  • Appoint and resource an implementation owner (CISO / ISM)
„NIS2 is the most consequential EU cybersecurity regulation we have ever seen. It changes not just compliance obligations - it makes cybersecurity a personal board responsibility. Organizations that act now protect both themselves and their customers.“

Chris Wojzechowski

Security Auditor, §31 BSIG audit methodology · AWARE7 GmbH

FAQ

Frequently asked questions about NIS2

Answers to the most common questions about the NIS2 Directive and its requirements for organizations.

When does NIS2 apply?

The NIS2 Directive (EU 2022/2555) entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. In Germany it is implemented through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG); other EU member states have their own implementing legislation. Organizations should be implementing now, as the requirements demand significant lead time.

Who is affected by NIS2?

NIS2 covers "essential" and "important" entities in 18 sectors. The general threshold is the medium-sized enterprise: 50 or more employees, or more than EUR 10 million annual turnover or balance sheet total. Regardless of size, the following always fall under NIS2: qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic communications networks or services, public administration entities of central government, and entities identified as critical under the CER Directive. Suppliers may be indirectly affected if in-scope entities contractually pass on requirements.

What is the difference between essential and important entities?

Essential entities (large enterprises in Annex I sectors, plus the size-independent categories) face proactive (ex ante) supervision under Art. 32: competent authorities can conduct on-site inspections and off-site supervision including random checks, order regular, targeted and ad hoc security audits and security scans, and request information and evidence of compliance at any time. Important entities (Annex II entities and medium-sized Annex I entities) are subject to reactive (ex post) supervision under Art. 33: regulatory action is triggered by evidence or indications of non-compliance, for example after an incident. Fines differ: essential entities up to EUR 10 million or 2% of total worldwide annual turnover; important entities up to EUR 7 million or 1.4%, in each case whichever is higher.

What are the incident reporting obligations?

Art. 23 NIS2 establishes a three-stage reporting obligation for significant incidents, addressed to the CSIRT or competent authority: (1) Early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. (2) Incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. (3) Final report no later than one month after the incident notification (not after the incident itself), with a detailed description, the type of threat or root cause, the mitigation measures applied and any cross-border impact; the authority may request intermediate status reports in between, and if the incident is still ongoing at the one-month mark, a progress report is due instead and the final report follows within a month of the incident being handled. An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (Art. 23(3)). In return, the CSIRT or competent authority should respond to the early warning without undue delay and where possible within 24 hours with initial feedback and, on request, guidance on mitigation (Art. 23(5)).

What does NIS2 mean for management?

Art. 20 NIS2 requires management bodies to approve the cybersecurity risk management measures, oversee their implementation, and follow cybersecurity training; they can be held liable for infringements of Art. 21 in the form national law provides. For essential entities, competent authorities can ultimately have persons at CEO or legal-representative level temporarily barred from managerial functions (Art. 32(5)(b)). Approval and oversight of the measures sit with the management body itself and cannot be delegated away; this is the core of the personal accountability NIS2 introduces.

Does an ISO 27001 certification cover NIS2?

An ISO 27001 certification structurally covers many NIS2 requirements, in particular risk analysis, security policies, control management and internal audits (Annex A controls). It is not complete NIS2 evidence on its own: NIS2-specific elements include the Art. 23 reporting obligations, the management duties of Art. 20, the supply chain duties of Art. 21(2)(d), and sector-specific requirements. Organizations with an ISO 27001 certification nevertheless start with a substantial head start. We recommend a gap analysis that maps the existing ISMS onto the ten Art. 21 measures.

What does NIS2 require for the supply chain?

Art. 21(2)(d) NIS2 requires in-scope entities to address supply chain security, including the security-relevant aspects of the relationship with each direct supplier and service provider. Practically: maintain a supplier register with security ratings, fix security requirements contractually, and treat a security incident at a supplier as a potential trigger for your own reporting obligation. Smaller suppliers working for in-scope entities are thus indirectly confronted with NIS2 requirements.

What sanctions does NIS2 provide?

Art. 34 NIS2 provides for significant administrative fines: essential entities up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher); important entities up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher). In addition to fines, authorities can issue warnings and binding instructions, order infringements to be made public, and, for essential entities where other measures have failed, suspend certifications or authorisations and have managers at CEO or legal-representative level temporarily barred from managerial functions (Art. 32 and 33). Fines are imposed in addition to these supervisory measures, not instead of them.

How does AWARE7 support NIS2 implementation?

Our approach follows four phases: (1) Applicability assessment: within 2 working days we provide a documented, reasoned determination of whether and as which entity type you are in scope. (2) Gap analysis: structured comparison of your current measures against all NIS2 requirements, prioritized by risk and implementation effort. (3) Implementation support: prioritized action plan, project management, creation of all required documentation. (4) Validation: internal audit and readiness check before regulatory inspection. Full implementation typically takes 4 to 12 months depending on current maturity and complexity.

Do we have to register?

Yes. Essential and important entities must submit their details to the national competent authority so that it can maintain the list required by Art. 3(4) NIS2. Registration typically includes: name, address and up-to-date contact details (including email addresses, IP address ranges and telephone numbers), the relevant sector and sub-sector, and, where applicable, the list of member states in which services are provided. AWARE7 supports you with the correct classification and registration in your jurisdiction.

NIS2 applies now - act today

We analyse your NIS2 compliance gaps and create a prioritized action plan - concrete, actionable, and on a fixed-price basis.

Free · 30 minutes · No obligation