The NIS2 Directive is an EU directive that strengthens the cyber resilience of European member states and companies through stricter rules. It covers the implementation of security measures for improved IT protection, as well as security checks and fast reporting channels for cybersecurity incidents.


What is the NIS2 Directive?

The European Union’s NIS2 Directive aims to improve resilience against cybersecurity threats in essential and important infrastructures of the member states. The abbreviation NIS2 stands for “Network and Information Security 2”. When it came into force on January 16, 2023, it replaced the previous NIS1 directive, which had already prompted a shift in how to approach IT security.

To ensure maximum protection in both the private and public sectors of EU member states, the new NIS2 Directive introduces more comprehensive and stricter rules for a wider target group. In this way, the new rules are intended to ensure greater cyber resilience and more effective action against cybersecurity threats and security breaches. NIS2 also aims to ensure that essential institutions that supply the population with vital goods or services are protected against outages and disruptions in the event of a crisis.

The main objective of NIS2 is to better prepare companies against cyberattacks and to respond efficiently and quickly to IT disruptions. A more consistent security strategy in the EU member states should therefore create the highest possible level of cybersecurity at both national and international levels in the EU area. All member states must transpose the directive into national law, which affects large companies as well as small and medium-sized enterprises that fall under the new regulations.

What does the NIS2 Directive change?

The obligation to implement the NIS2 Cybersecurity Strengthening Directive (NIS2UmsuCG) entails far-reaching changes in 18 different sectors. Among other things, more than twice as many sectors are classified as essential, and the list of fines for non-compliance has been tightened. In addition, managing directors will also be held accountable.

In Germany, Spain, Italy and France, for example, the NIS2 Directive will impact thousands of companies. In Germany, as many as 40,000 companies will need to comply with the new requirements, and in Italy around 50,000 companies. In Spain, approximately 25,000 companies will be subject to the new directive, while in France over 10,000 entities will be affected.

Here’s an overview of all the changes brought about by the NIS2 Directive:

  • Expansion of the sphere of essential areas: NIS2 classifies even more sectors as essential.
  • Stricter penalties: The directive significantly increases fines for violations.
  • Executive responsibility: Executives now have direct responsibility for cybersecurity compliance.
  • Extended areas of application: The NIS2 Directive applies to companies with more than 50 employees or a turnover of more than 10 million euros, and to some companies regardless of their size.
  • Need for comprehensive risk analyses: Companies have a duty to carry out thorough risk analyses.
  • Required risk and safety management: Strict requirements apply to risk management and security measures. Various protective measures such as penetration tests, hardware firewalls, and backup strategies are mandatory.
  • Obligatory crisis management: Rapid and effective crisis management strategies, communication channels and reporting systems are required in the event of security incidents.
  • Use of existing security protocols: Companies can use existing security standards from regulated industries as a reference.

Who is affected by the NIS2 Directive?

NIS2 distinguishes between companies in the expanded “essential” category and the “important” category, which is completely new. Companies with more than 50 employees or an annual turnover of 10 million euros or more are directly affected. In addition, companies can also fall under NIS2 regardless of their size if their failure results in systemic risks. The “essential” category comprises companies from eleven sectors, including, in particular, critical infrastructure companies that are vital for government and society. The “important” category in turn applies to seven sectors that are systemically important.

Essential sectors and companies

  • Energy
  • Water supply
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Space
  • Sewage
  • Public administration
  • Digital infrastructure
  • ICT service management (B2B)

Important sectors and companies

  • Postal and courier services
  • Waste
  • Chemical industry
  • Food supply
  • Digital service providers
  • Industry (processing / manufacturing)
  • Research (optional)

What obligations apply to companies?

As part of NIS2, companies are subject to strict obligations and significant changes. The following obligations, together with the measures they entail, include:

  • Risk management and business continuity management (§30, 31): Encryption, multi-factor authentication, cryptography, cyber hygiene, role assignment and access control, backup management and system recovery, supply chain security and risk analyses are mandatory. The minimum requirements vary depending on the size of the company under the “size cap” rule.
  • Reporting and notification obligations (§32, 35): Significant security incidents must be reported to the authorities within 24 hours. Initial assessments must be available after 72 hours. A detailed final report is required within one month.
  • Registration obligations (§33, 34): Affected organizations and domain name registry service providers must submit information to the responsible authorities no later than three months after NIS2 comes into force. If the organization does not fulfil the registration obligation itself, it can also be fulfilled by a CSIRT (Computer Security Incident Response Team).
  • Approval, monitoring and training obligations for managing directors (§38): Delegation of security measures by management is no longer sufficient. Management must actively approve the necessary measures and is partially obliged to provide training.
  • Supervisory and enforcement measures (§61, 62): One of the CSIRTs is expected to act as the supervisory authority for compliance with the required measures. At the earliest three years after NIS2 comes into force, the supervisory authority has the option to request evidence of compliance with the obligations. Measures can be ordered in the event of imminent danger.

In order to comply with your obligations as an affected company at an early stage, you should carry out the following measures:

  • Current-state and target-state analysis: Check whether you are affected by the NIS2 obligations and determine the status quo of your company’s cyber resilience as well as potential areas for improvement.
  • Implementation: Risk analysis and security concepts must be introduced for all information systems.
  • Evaluation: The effectiveness of your company’s own risk management methods should be reviewed regularly.
  • Creation: Developing a concept for dealing with security incidents is obligatory.
  • Backup and crisis management: Measures for data backup and crisis management must be implemented.
  • Reporting system: An effective reporting system for security incidents should be established.
  • Training: Employees must be trained regularly.
  • Security of the supply chain: Security in the supply chain must be ensured.

What happens if NIS2 is not implemented?

Companies that do not implement the prescribed measures can expect to face substantial fines (§65). In accordance with NIS2, the supervisory authorities are given comprehensive supervisory, control and instruction powers, including the enforcement of deadlines. In addition, managing directors assume significantly more responsibility for protection and security measures and can be held personally liable in the event of violations or negligence (§38, §61).

When does the NIS2 Directive come into force?

On December 14, 2022, the European Parliament and the Council adopted Directive (EU) 2022/2555, known as the NIS2 Directive. It introduces extensive changes to the eIDAS Regulation (EU) No. 910/2014 and the EECC Directive (EU) 2018/1972. It officially came into force on January 16, 2023, replacing the NIS Directive. It must be transposed into national law by all EU member states by October 17, 2024.

In different countries, different authorities are responsible for leading the implementation of the directive. For example, in France, ANSSI (National Agency for Information System Security) is leading the implementation efforts and has even launched Mon Espace NIS 2, a digital service aimed at supporting entities in implementing the directive. The BSI (Federal Office for Information Security) is the responsible authority in Germany, and in Spain, the National Cryptologic Centre (CCN-CERT) oversees cybersecurity measures and ensures compliance with the new directive.
