What is NIS 2?


by Josheph Bell

August 14, 2025

The NIS 2 Directive (Network and Information Security Directive 2) is the updated version of the original NIS Directive from 2016. It was developed by the European Union to strengthen the cybersecurity of critical infrastructure (CI) and businesses.

As threats and cyberattacks have evolved significantly in recent years, the original NIS Directive was deemed no longer sufficient. The new version, NIS 2, will come into force at the European level in 2024 and will significantly expand the scope and requirements for companies and public authorities.

NIS 2 aims to make critical sectors more resilient to cyberattacks, introduce minimum cybersecurity standards, and ensure better cooperation between EU member states.

However, implementation in Germany has stalled. The necessary national legislation to implement NIS 2 has not yet been passed, and it is considered unlikely that this will happen during the current legislative period.

Main changes introduced by NIS 2

The NIS 2 Directive sets out new requirements for companies, organisations, and institutions that are essential to Europe’s economic and societal stability.

Expanded scope

NIS 2 affects far more companies than the original NIS Directive. In addition to traditional “critical infrastructure” (CI) such as the energy and healthcare sectors, the directive now also covers logistics companies, food producers, digital services, public administration, and the chemical industry. The regulations now apply not only to large corporations but also to medium-sized companies with at least 50 employees or an annual turnover of €10 million.

Stricter security requirements

Companies must implement comprehensive cybersecurity measures. These include establishing a risk management system, clear access controls, effective incident response processes, and business continuity plans. Supply chain security is given special emphasis: the law requires organisations to ensure that their external service providers and suppliers also meet high cybersecurity standards.

Stricter reporting obligations

In the event of a security incident, companies must submit an initial report to the relevant national authorities within 24 hours. Within 72 hours, they must provide a detailed report describing the impact of the incident and outlining planned countermeasures.

Higher penalties for violations

Companies that fail to comply with NIS 2 requirements face substantial fines – up to €10 million or 2% of global annual turnover. Executives can also be held personally liable and must undertake regular training on cybersecurity topics.

Better cooperation between EU member states

The EU Agency for Cybersecurity (ENISA) will have greater powers to coordinate the exchange of threat information. Member states will also work more closely together to detect and respond to cyber threats more quickly and effectively.

These new provisions make NIS 2 the strictest cybersecurity directive in the EU to date.

Why is NIS 2 important?

Protection of critical infrastructure

The growing interconnection of IT and OT (Operational Technology) systems creates new attack opportunities for cybercriminals. Essential services such as energy supply, healthcare, and transport are particularly at risk. NIS 2 enforces stricter security requirements to better protect these sectors.

Increased cyber resilience for businesses

NIS 2 obliges organisations to develop more secure IT architectures and to conduct regular security assessments. This helps detect and mitigate threats such as ransomware attacks or data breaches at an early stage.

Harmonisation of cybersecurity requirements across the EU

NIS 2 introduces uniform security standards in all EU member states, making it easier for internationally operating companies to meet requirements in different countries.

Stronger response to cyber threats

National authorities will be given greater powers to combat cyberattacks. An EU-wide early warning system will help identify threats early and enable timely countermeasures.

Which companies are affected by NIS 2?

NIS 2 distinguishes between two categories of companies:

Essential Entities

This group includes operators of critical infrastructure such as energy suppliers, water and wastewater networks, the healthcare sector, pharmaceutical companies, public administrations, and digital infrastructures such as cloud services and data centres.

Important Entities

This category includes postal and courier services, the food and beverage industry, chemical companies, and manufacturers of electronic components.

While similar security requirements apply to both groups, the sanctions and audit mechanisms are stricter for Essential Entities.

Best practices for companies implementing NIS 2

Establish cybersecurity risk management

Companies should implement measures early to identify and assess threats to IT and OT systems. Contingency plans must be developed for various scenarios such as ransomware or DDoS attacks.

Improve access controls and identity management

Multi-factor authentication should be deployed throughout the organisation. User rights should be reviewed regularly, and unnecessary permissions removed.
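The periodic rights review described above is easiest to keep honest when it is automated. The following is an added example, not code from the article's author: a small Python access review that runs over a constructed account inventory (the sample records, the permission names and the 90-day staleness window are all assumptions chosen for illustration) and flags accounts without MFA, permissions that have not been exercised recently or ever, and privileged accounts that have gone dormant. Each finding is a candidate for removal or re-justification during the review.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    """One account from the (constructed) inventory export.

    permissions maps a permission name to the date it was last exercised,
    or None if it has been granted but never used.
    """
    user: str
    mfa_enabled: bool
    permissions: dict
    privileged: bool = False


# Constructed sample inventory for the example; not real data.
SAMPLE_INVENTORY = [
    Account("alice", True, {"billing.read": date(2025, 8, 1),
                            "billing.write": date(2025, 1, 3)}),
    Account("bob", False, {"hr.read": date(2025, 7, 30)}),
    Account("svc-backup", True, {"storage.admin": date(2025, 8, 10),
                                 "iam.admin": None}, privileged=True),
    Account("carol", True, {"vpn.access": date(2024, 11, 2)}, privileged=True),
]

# Date the review is run; fixed here so the results are reproducible.
REVIEW_DATE = date(2025, 8, 14)


def review_access(inventory, today, stale_days=90):
    """Return (user, finding) tuples for a periodic access review.

    Finding kinds:
      no_mfa                         MFA is not enforced on the account
      stale_permission:<perm>        permission unused for more than stale_days
      never_used_permission:<perm>   permission granted but never exercised
      dormant_privileged             privileged account with no recent activity
    """
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for acct in inventory:
        if not acct.mfa_enabled:
            findings.append((acct.user, "no_mfa"))

        latest_use = None
        for perm, last_used in acct.permissions.items():
            if last_used is None:
                findings.append((acct.user, f"never_used_permission:{perm}"))
                continue
            if last_used < cutoff:
                findings.append((acct.user, f"stale_permission:{perm}"))
            if latest_use is None or last_used > latest_use:
                latest_use = last_used

        # A privileged account that nobody has used within the window is a
        # standing risk even if each individual permission looks plausible.
        if acct.privileged and (latest_use is None or latest_use < cutoff):
            findings.append((acct.user, "dormant_privileged"))
    return findings


def summarize(findings):
    """Count findings by kind (the part before any ':' qualifier)."""
    counts = {}
    for _, kind in findings:
        key = kind.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(SAMPLE_INVENTORY, REVIEW_DATE)
    for user, finding in results:
        print(f"{user:12} {finding}")
    print(summarize(results))
```

In practice the inventory would come from the identity provider or cloud IAM export rather than a literal in the script, and the review output would be fed into a ticketing workflow so that every flagged permission is either removed or explicitly re-approved with a recorded owner.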

Implement efficient incident response processes

Ensure that security incidents are reported to the relevant authorities (such as the BSI in Germany) within the prescribed timeframes. Clear response strategies should be in place to quickly contain damage.

Strengthen supply chain security

Suppliers must be contractually required to meet cybersecurity standards. Regular audits and risk assessments are necessary to detect vulnerabilities early.

Raise employee awareness and training

Staff should receive regular training on cyber threats. Training in phishing detection and social engineering can help identify and block attacks early.

Enhance technical security measures

Organisations should adopt zero-trust architectures, encrypt data, and use network segmentation to prevent attackers from moving freely within the system.

NIS 2 in Germany: Delayed implementation

Although NIS 2 has been adopted at the EU level, national implementation in Germany has not yet taken place. The necessary legislation has not been passed, and it is considered unlikely that this will happen during the current legislative period.

For companies, this means a legally uncertain situation. Nevertheless, they should prepare early for the new requirements to avoid delays or legal consequences when the implementation eventually takes place. In Germany, the BSI would play a central role as the supervisory authority.

NIS 2: Why companies should act now

The NIS 2 Directive represents a significant step forward for cybersecurity in Europe. Companies must prepare for stricter requirements, higher fines, and greater regulatory oversight.

Even though implementation in Germany is currently stalled, affected organisations should not wait but proactively improve their security measures. Compliance with NIS 2 is not only a regulatory obligation but also a strategic necessity to successfully defend against cyberattacks.