NIS2 (Network and Information Security Directive 2, EU 2022/2555) is the revised EU directive on cybersecurity for critical infrastructure. It significantly expands the scope of the original NIS Directive and establishes uniform minimum standards for risk management, incident reporting, and supply chain security across 18 critical sectors. In Germany, NIS2 is transposed into national law through the NIS2 Implementation Act (NIS2UmsuCG) and affects approximately 30,000 organizations.
What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) succeeds the original NIS Directive (EU 2016/1148). Adopted on December 14, 2022 and in force since January 16, 2023, it substantially broadens and tightens European cybersecurity regulation.
The central insight behind NIS2: cyberattacks on critical infrastructure can paralyze entire societies. Attacks on hospitals during the COVID-19 pandemic, the Colonial Pipeline hack in the US, and numerous ransomware attacks on utilities and service providers have demonstrated how vulnerable our digitalized society has become.
The Three Pillars of NIS2
🛡️ Higher Standards
Uniform minimum requirements for cybersecurity across the entire EU. Risk management, technical measures, and governance become binding requirements rather than recommendations.
📢 Better Reporting
Structured reporting obligations for security incidents with clear deadlines. Harmonized information exchange between authorities and organizations.
⚡ Stronger Enforcement
Significant fines, personal liability for management, and extensive supervisory powers for authorities.
NIS2 vs. NIS1: What Has Changed?
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Sectors | 7 sectors | 18 sectors |
| Affected in DE | ~2,000 organizations | ~30,000 organizations |
| Size thresholds | Individual per sector | 50+ employees, or turnover and balance sheet both above €10M |
| Penalties | Left to national law | Up to €10M or 2% turnover |
| Management | No explicit liability | Personal responsibility & training requirement |
| Supply chain | Not addressed | Explicit requirements |
Implementation in Germany: The NIS2UmsuCG
The EU directive must be transposed into national law. In Germany, this is achieved through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The law transposes the EU requirements into German law and adapts existing regulations such as the BSI Act accordingly.
The Federal Office for Information Security (BSI) becomes the central supervisory authority for NIS2 in Germany. It receives expanded powers for auditing, ordering measures, and imposing fines.
Who is Affected by NIS2?
NIS2 distinguishes between essential entities and important entities. Both must meet security requirements but differ in their supervisory regime.
The 18 Critical Sectors
Sectors of High Criticality (Annex I)
Large enterprises in these sectors are essential entities; medium-sized enterprises in the same sectors are important entities:
- Energy – Electricity, gas, oil, district heating, hydrogen
- Transport – Air, rail, water, road
- Banking – Credit institutions
- Financial Market Infrastructures – Exchanges, clearinghouses
- Healthcare – Hospitals, laboratories, pharma
- Drinking Water – Water supply
- Wastewater – Wastewater treatment
- Digital Infrastructure – IXPs, DNS, TLD, cloud, data centers
- ICT Services B2B – Managed services, managed security
- Public Administration – Central government
- Space – Ground infrastructure
Other Critical Sectors (Annex II)
Medium-sized and large enterprises in these sectors are important entities:
- Postal and Courier Services
- Waste Management
- Chemicals – Manufacturing and distribution
- Food – Production, processing, distribution
- Manufacturing – Medical devices, computers, electronics, machinery, vehicles
- Digital Services – Marketplaces, search engines, social networks
- Research – Research institutions
Important entities are subject to ex post (reactive) supervision: the authority acts when it has evidence or indications of non-compliance, for example after a reported incident, rather than auditing proactively.
Size Thresholds: Am I Affected?
NIS2 generally applies to medium and large organizations in the listed sectors:
| Category | Employees | Annual Turnover | Balance Sheet |
|---|---|---|---|
| Medium Enterprise | 50-249 | €10-50M | €10-43M |
| Large Enterprise | 250+ | €50M+ | €43M+ |
The employee threshold is sufficient on its own. The financial test, by contrast, requires both annual turnover and balance sheet total to exceed the threshold; an organization with 20 employees and €30M turnover but a €2M balance sheet is still small.
Exceptions and Special Rules
Smaller organizations may also fall under NIS2 if they:
- Provide DNS services, operate a TLD name registry, provide trust services, or provide public electronic communications networks or services (regardless of size)
- Are the sole provider in a member state of a service essential for critical societal or economic activities
- Provide a service whose disruption would have a significant impact on public safety, security or health, or could induce systemic risk
- Are identified as essential or important by a member state, or as critical entities under the CER Directive
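The size test above has two traps in practice: the headcount criterion stands alone, but the financial criterion needs both turnover and balance sheet to exceed the ceiling, and a large Annex I entity is essential while a medium-sized one is only important. The following Python is an added example (not code from the page or from any regulator) that encodes these rules so an applicability assessment can be checked against real figures. It models the size ceilings of Commission Recommendation 2003/361/EC as referenced by Article 2(1), the essential/important split of Article 3, and the size-independent DNS/TLD/qualified-trust-service case; the service-type labels, the `designated_as` parameter for member-state designations, and the sample figures are assumptions made for this example, and other size-independent cases (public electronic communications providers, non-qualified trust services, central government) are not modelled.

```python
"""NIS2 applicability check: size category and essential/important split.

Added example, not from the page. Encodes the size ceilings of
Recommendation 2003/361/EC (referenced by NIS2 Art. 2(1)) and the
entity split of Art. 3. Service-type labels are this example's own.
"""
from enum import Enum
from typing import Optional


class Annex(Enum):
    I = "Annex I: sectors of high criticality"
    II = "Annex II: other critical sectors"


class Size(Enum):
    SMALL = "small or micro"
    MEDIUM = "medium"
    LARGE = "large"


# Recommendation 2003/361/EC ceilings (EUR). The headcount test stands alone;
# the financial test needs BOTH turnover and balance-sheet total above the
# ceiling. A firm is large if it has 250+ staff OR exceeds both financial
# ceilings; otherwise medium if 50+ staff OR exceeds both medium ceilings.
MEDIUM_STAFF, MEDIUM_TURNOVER, MEDIUM_BALANCE = 50, 10_000_000, 10_000_000
LARGE_STAFF, LARGE_TURNOVER, LARGE_BALANCE = 250, 50_000_000, 43_000_000

# Art. 3(1)(b): essential regardless of size. Labels are assumptions.
ESSENTIAL_REGARDLESS_OF_SIZE = {
    "dns_service_provider",
    "tld_name_registry",
    "qualified_trust_service_provider",
}


def size_category(staff: int, turnover_eur: float, balance_eur: float) -> Size:
    """Classify an enterprise per Recommendation 2003/361/EC."""
    if staff >= LARGE_STAFF or (turnover_eur > LARGE_TURNOVER and balance_eur > LARGE_BALANCE):
        return Size.LARGE
    if staff >= MEDIUM_STAFF or (turnover_eur > MEDIUM_TURNOVER and balance_eur > MEDIUM_BALANCE):
        return Size.MEDIUM
    return Size.SMALL


def classify(annex: Annex, size: Size, service_type: Optional[str] = None,
             designated_as: Optional[str] = None) -> str:
    """Return 'essential', 'important' or 'out of scope'.

    designated_as models a member-state designation under Art. 2(2)(b)-(e)
    (sole provider, systemic impact, ...). The member state decides whether
    such an entity is essential or important, so the caller passes the result.
    """
    if service_type in ESSENTIAL_REGARDLESS_OF_SIZE:
        return "essential"
    if designated_as in ("essential", "important"):
        return designated_as
    if size is Size.SMALL:
        return "out of scope"
    if annex is Annex.I and size is Size.LARGE:
        return "essential"   # Art. 3(1)(a): large Annex I entity
    return "important"       # Art. 3(2): medium Annex I, medium/large Annex II


def assess(annex: Annex, staff: int, turnover_eur: float, balance_eur: float,
           service_type: Optional[str] = None, designated_as: Optional[str] = None) -> str:
    """Convenience wrapper: raw figures in, entity category out."""
    return classify(annex, size_category(staff, turnover_eur, balance_eur),
                    service_type, designated_as)


if __name__ == "__main__":
    # Constructed sample figures, not real organisations.
    cases = [
        ("regional hospital", Annex.I, 300, 40_000_000, 30_000_000),
        ("district-heating utility", Annex.I, 80, 12_000_000, 15_000_000),
        ("food processor", Annex.II, 400, 120_000_000, 90_000_000),
        ("courier start-up", Annex.II, 20, 30_000_000, 2_000_000),
    ]
    for name, annex, staff, turnover, balance in cases:
        size = size_category(staff, turnover, balance)
        print(f"{name:26s} {size.value:15s} -> {assess(annex, staff, turnover, balance)}")
    print("small DNS operator         ->",
          assess(Annex.I, 5, 500_000, 200_000, service_type="dns_service_provider"))
```

The courier start-up case is the one worth noting: €30M turnover alone does not make it medium-sized, because its balance sheet stays under €10M, so it is out of scope unless a member-state designation applies.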
Are You Affected by NIS2?
Our free NIS2 Health-Check determines in minutes whether your organization falls under the NIS2 Directive and what requirements you need to meet.
The 10 Core Areas of NIS2
Article 21(2) of the NIS2 Directive lists ten minimum measures that affected organizations must implement, proportionate to their risk exposure and the state of the art. The grouping below follows the directive with one adjustment: it splits personnel security from access control and asset management (a single point in the directive) and folds the directive's separate point on multi-factor or continuous authentication and secured voice, video, text and emergency communications into access control. These areas form the backbone of NIS2 compliance:
Risk Analysis & Security Policies
Systematic identification and assessment of risks to network and information systems.
- Establish risk assessment methodology
- Maintain asset inventory
- Threat and vulnerability analysis
- Documented security policies
- Regular review and updates
Incident Handling
Structured processes for detecting, analyzing, and responding to cybersecurity incidents.
- Incident response plan
- 24/7 detection capabilities
- Escalation processes
- Forensic analysis
- Lessons learned and improvement
Business Continuity & Crisis Management
Ensuring business continuity and recovery capability after incidents.
- Business impact analysis
- Backup management
- Disaster recovery plans
- Regular tests and exercises
- Crisis management organization
Supply Chain Security
Managing risks from relationships with suppliers and service providers.
- Supplier assessment and selection
- Contractual security requirements
- Monitoring critical suppliers
- Software supply chain risks (SBOM)
- Exit strategies
Security in Acquisition, Development & Maintenance
Integrating security throughout the system lifecycle.
- Security by design
- Secure development practices
- Vulnerability management
- Patch management
- Secure configuration
Effectiveness Assessment
Continuous verification that security measures are effective.
- Security audits
- Penetration testing
- Vulnerability scanning
- KPI-based monitoring
- Independent reviews
Cyber Hygiene & Training
Basic cybersecurity practices and awareness building.
- Security awareness programs
- Training for all employees
- Specialized training for IT/Security
- Phishing simulations
- Management training (mandatory under Article 20(2))
Cryptography
Appropriate use of encryption to protect data.
- Encryption of data at rest
- Transport encryption
- Key management
- Cryptography policies
- Post-quantum readiness planning
Personnel Security
Security measures regarding employees and partners.
- Background checks
- Onboarding/offboarding processes
- Confidentiality agreements
- Insider threat programs
- Clear responsibilities
Access Control & Asset Management
Control over access rights and asset management.
- Identity and access management
- Multi-factor authentication
- Privileged access management
- Regular recertification
- Asset inventory and classification
Incident Reporting Obligations
NIS2 introduces a three-stage reporting system for significant security incidents. Reports are submitted to the BSI (in Germany) or the competent CSIRT.
Early Warning
Within 24 hours of becoming aware of the significant incident. Initial notification stating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
Incident Notification
Within 72 hours of becoming aware. Updates the early warning with an initial assessment of the incident, including its severity and impact, and indicators of compromise (IoCs) where available. The authority may request intermediate status updates in the meantime.
Final Report
No later than one month after the 72-hour notification. Detailed description of the incident including severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, with the final report due one month after the incident has been handled.
What is a "Significant Security Incident"?
An incident is significant under Article 23(3) if it:
- Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Public Disclosure
In certain cases the public must also be informed. Under Article 23(7) the CSIRT or competent authority (in Germany the BSI) may, after consulting the affected organization, inform the public about the incident or require the organization to do so:
- Where public awareness is necessary to prevent or deal with the ongoing incident
- Where disclosure is otherwise in the public interest
NIS2 Implementation: Step by Step
Implementing NIS2 is a comprehensive project that should be approached systematically. Here is our proven approach:
Applicability Assessment
First, clarify whether and to what extent your organization is affected by NIS2. Check sector, size, and criticality of your services. Use our free NIS2 Health-Check for an initial assessment.
Conduct Gap Analysis
Compare your current security status with NIS2 requirements. Identify gaps in all ten core areas. Assess your maturity level and prioritize action items.
Establish Governance
NIS2 explicitly requires management accountability. Define clear responsibilities, establish a security governance framework, and plan the mandatory management training.
Build Risk Management
Implement systematic risk management for your network and information systems. Maintain an asset inventory, identify critical systems, and assess risks continuously.
Implement Technical Measures
Implement required technical security measures: access controls, encryption, network segmentation, monitoring, backup, and patch management.
Build Incident Response
Develop an incident response plan, establish detection capabilities, and practice processes regularly. Ensure you can meet the 24-hour reporting deadline.
Secure Supply Chain
Assess your critical suppliers, integrate security requirements into contracts, and establish continuous supplier monitoring.
Continuously Improve
NIS2 compliance is not a one-time task. Establish regular audits, penetration tests, and improvement processes. Adapt measures to new threats.
Penalties and Liability under NIS2
NIS2 brings a significantly stricter sanctions framework – both for organizations and for management personally.
Fines for Organizations
| Entity Type | Maximum Fine | Alternative |
|---|---|---|
| Essential Entities | €10 million | 2% of global annual turnover |
| Important Entities | €7 million | 1.4% of global annual turnover |
The higher amount applies. For groups, total group turnover is used.
Personal Liability of Management
One of the most significant innovations: NIS2 makes management bodies personally accountable for cybersecurity. This includes:
Management Duties
- Approve risk management measures
- Oversee implementation
- Personally attend cybersecurity training
- Regular review of security reports
Potential Consequences
- Personal fines
- Liability for damages
- For essential entities: temporary ban of the CEO or legal representatives from exercising managerial functions until the deficiency is remedied (Article 32(5))
- Public disclosure of violations
Other Supervisory Measures
Beyond fines, supervisory authorities have extensive powers:
- On-site inspections and security audits
- Binding instructions to remedy deficiencies within a set deadline
- Public warnings for non-compliance
- For essential entities: temporary suspension of certifications or authorisations
- For essential entities: proactive (ex ante) supervision, including regular audits; important entities are supervised ex post
NIS2 vs. KRITIS vs. DORA: Overview
In the German regulatory landscape, several overlapping frameworks address cybersecurity. Here are the key differences:
| Aspect | NIS2 | KRITIS (BSI Act) | DORA |
|---|---|---|---|
| Legal form | EU directive (EU 2022/2555), transposed by NIS2UmsuCG | National law (BSI Act) | EU regulation (EU 2022/2554), directly applicable |
| Target group | 18 critical sectors | 10 KRITIS sectors | Financial sector only |
| Affected (DE) | ~30,000 organizations | ~2,000 organizations | ~3,500 financial entities |
| Thresholds | 50+ employees / €10M+ | High (e.g., 500,000 served) | All financial entities |
| Reporting deadline | 24h / 72h / 1 month | Without delay | 4h / 72h / 1 month |
| Max. penalties | €10M / 2% turnover | €2M | Set by national law (Art. 50 DORA) |
| Mgmt. liability | Yes | Limited | Yes |
What Applies to Financial Institutions?
A special rule applies to the financial sector: DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is directly applicable as an EU regulation and, under Article 4 NIS2, takes precedence as lex specialis wherever its requirements are at least equivalent. This means:
- Banks, insurers, and other financial entities must primarily comply with DORA
- For these entities, DORA's ICT risk management and incident reporting rules replace the corresponding NIS2 provisions (no double compliance for these areas)
- DORA goes beyond NIS2 in several areas (e.g., threat-led penetration testing (TLPT) and the register of ICT third-party providers)
For non-financial organizations in critical sectors, NIS2 is the new standard that expands and harmonizes previous KRITIS requirements.
Niagon's Expertise
We come from the financial sector and know DORA, BAIT, and MaRisk inside out. We now bring this experience to KRITIS sectors like energy, healthcare, and transport – bridging banking compliance and critical infrastructure.
Why Niagon for Your NIS2 Implementation?
Regulatory Expertise
We understand the interplay of NIS2, DORA, ISO 27001, and sector-specific requirements. An integrated approach saves effort and avoids redundancies.
From Banking to KRITIS
Our core competency lies in the financial industry – one of the most heavily regulated sectors. We transfer this experience to other critical sectors.
Pragmatic Implementation
No theoretical concepts, but actionable measures. We know the balance between compliance requirements and operational reality.
Our NIS2 Services
- NIS2 Health-Check: Free applicability assessment and initial evaluation
- Gap Analysis: Systematic analysis against all 10 NIS2 core areas
- Risk Management: Building NIS2-compliant risk management
- Incident Response: Development of IR plans and exercises
- Supply Chain Security: Assessment and securing of critical suppliers
- Governance: Management training and documentation
- Implementation Support: Hands-on assistance with implementation
- Audit Preparation: Ready for regulatory audits and inspections
Frequently Asked Questions about NIS2 (FAQ)
What is NIS2?
NIS2 (Network and Information Security Directive 2) is an EU directive on cybersecurity for critical infrastructure. It replaces the original NIS Directive from 2016 and significantly expands its scope. In Germany, NIS2 is transposed into national law through the NIS2 Implementation Act (NIS2UmsuCG).
Who does NIS2 apply to?
NIS2 applies to organizations in 18 critical sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT services, public administration, space, postal services, waste management, chemicals, food, manufacturing, research, and digital services. Size thresholds are 50+ employees, or annual turnover and balance sheet total both above €10 million.
How much does a NIS2 gap analysis cost?
A NIS2 gap analysis typically costs between €15,000 and €60,000, depending on company size, IT infrastructure complexity, and sector. Critical infrastructure with complex OT environments are at the upper end of this range.
What are the penalties for NIS2 violations?
NIS2 violations can result in significant fines: for essential entities up to €10 million or 2% of global annual turnover. For important entities up to €7 million or 1.4% of turnover. Additionally, management bodies can be held personally liable.
What is the difference between NIS2 and KRITIS?
KRITIS (under the German BSI Act) previously applied to critical infrastructure with high thresholds (e.g., 500,000 people served). NIS2 significantly expands this: more sectors, lower thresholds (50+ employees), and distinguishes between "essential" and "important" entities. NIS2 covers about 30,000 companies in Germany – ten times more than KRITIS.
When does NIS2 take effect in Germany?
The EU NIS2 Directive had to be transposed into national law by October 2024. Germany has passed the NIS2 Implementation Act (NIS2UmsuCG). Affected organizations should begin implementation immediately as requirements are complex and transition periods are short.
What are the key NIS2 requirements?
The ten core areas of NIS2 include: risk analysis and security policies, incident management, business continuity, supply chain security, security in development and maintenance, effectiveness assessment, cyber hygiene and training, cryptography, personnel security, and access control and asset management.
How quickly must security incidents be reported?
NIS2 requires a three-stage reporting system: early warning within 24 hours, detailed notification within 72 hours, and a final report within one month. For significant incidents, the public must also be informed if necessary for containment.
Is management personally liable under NIS2?
Yes, NIS2 introduces personal responsibility for management bodies. Executives must approve risk management measures and oversee their implementation. They must attend cybersecurity training. Breaches of duty can result in personal liability and temporary bans from management functions.
How does Niagon support NIS2 implementation?
Niagon offers a comprehensive NIS2 consulting approach: free health check for applicability assessment, detailed gap analysis against all NIS2 requirements, creation of a prioritized action plan, implementation support, building incident response capabilities, and preparation for regulatory audits.
Ready for NIS2?
Use our free NIS2 Health-Check now to find out if your organization is affected and what measures you need to take.