NIS2 Directive
The NIS2 Directive (Network and Information Security Directive 2) is an EU regulation that harmonizes and strengthens cybersecurity requirements for critical and important infrastructure.
The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity within the Union) is the successor to the first NIS Directive from 2016. It significantly expands the scope of application, tightens security obligations, and introduces much stricter penalties. In Germany, NIS2 is transposed into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).
Timeline and Current Status
| Date | Milestone |
|---|---|
| January 16, 2023 | NIS2 Directive entered into force |
| October 17, 2024 | Original implementation deadline for Member States |
| 2025/2026 | Expected entry into force of the NIS2UmsuCG in Germany |
Germany has missed the deadline. The legislative process for the NIS2UmsuCG is ongoing; however, companies should begin preparing now, as the requirements will apply immediately upon entry into force.
Scope of Application: Who Is Affected?
NIS2 distinguishes between essential entities and important entities:
Essential entities
Companies in particularly critical sectors:
- Energy (electricity, gas, oil, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Healthcare (hospitals, pharmaceuticals, medical devices)
- Drinking water supply and wastewater
- Digital infrastructure (DNS, TLD, IXPs, data centers, CDN, cloud)
- ICT service management (MSP, MSSP)
- Public administration (federal and state levels)
- Aerospace
Important entities
Companies in other sectors:
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing (medical devices, computers, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research institutions
Size thresholds
As a rule of thumb: companies in the sectors listed above with 50 or more employees or €10 million in annual revenue fall under NIS2 as important entities. Essential entities start at 250 or more employees or €50 million in annual revenue, or they are designated as essential regardless of size.
Obligations under NIS2
1. Risk management measures (Art. 21)
Affected entities must implement appropriate and proportionate technical and organizational measures. NIS2 explicitly identifies at least the following areas:
- Risk analysis and security policies for information systems
- Incident management
- Business continuity and crisis management
- Supply chain security
- Security in the procurement, development, and operation of network and information systems
- Assessment of the effectiveness of security measures
- Basic cyber hygiene and cybersecurity training
- Cryptography and, where applicable, encryption
- Personnel security, access control, and asset management
- Multi-factor authentication (MFA) or similar solutions
2. Reporting Requirements (Art. 23)
NIS2 introduces a three-tier reporting system:
| Level | Deadline | Content |
|---|---|---|
| Early warning | 24 hours | Initial indication of a significant incident |
| Report | 72 hours | Assessment: Severity, affected systems, preliminary damage assessment |
| Final report | 1 month | Detailed analysis, measures taken, lessons learned |
Reports are submitted to the national authority; in Germany this is the BSI, which also acts as the national CSIRT. An incident is considered significant if it has caused or is capable of causing severe operational disruption or material damage.
3. Governance and Management Responsibility (Art. 20)
New in NIS2: senior management and board members are personally accountable for cybersecurity. They must:
- Approve risk management measures
- Complete cybersecurity training
- Bear personal liability for violations (for essential entities)
This is a paradigm shift: Cybersecurity is now an explicit management responsibility, not merely a technical matter.
Sanctions
| Category | Maximum Sanction |
|---|---|
| Essential entities | €10 million or 2% of global annual turnover |
| Important entities | €7 million or 1.4% of global annual turnover |
In addition, national authorities may take the following measures:
- Enforcement orders (compliance orders)
- Mandatory security audits
- Public disclosure of violations
- Temporary suspension of senior management (for essential entities)
NIS2 and ISO 27001
ISO 27001 certification is not formally recognized as proof of NIS2 compliance, but it is strong evidence of it. Organizations that have implemented ISO 27001 already meet most NIS2 requirements, in particular risk analysis, incident management, business continuity, and supply chain security.
For affected organizations, we recommend the following approach:
- Scoping assessment: Am I an essential or important entity?
- Gap analysis: What is still missing to achieve NIS2 compliance?
- Implement an ISO 27001 ISMS (ideally): provides a structured framework for all NIS2 requirements
- Establish reporting processes: the 24-hour early warning requires prepared procedures and clear escalation paths
- Raise management awareness: senior management must be personally involved
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security, and nudging in IT security. Responsible for building and maintaining ISMS, leads internal audits according to ISO/IEC 27001:2022, and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer in Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)