NIS2 Compliance Guide: What Tech Teams Need to Do Now
NIS2 isn't a distant future – the EU Cybersecurity Directive is reality. And it affects far more companies than its predecessor: An estimated 30,000 companies in Germany alone must adapt.
This guide explains what NIS2 means, who is affected, and what concrete steps you need to take NOW.
What Is NIS2?
NIS2 (Network and Information Security Directive 2) is the revised EU directive on cybersecurity. It replaces NIS1 from 2016 and significantly tightens requirements.
The key changes:
| NIS1 | NIS2 |
|---|---|
| ~5,000 affected companies (DE) | ~30,000 affected companies (DE) |
| Focus on critical infrastructure | Expansion to 18 sectors |
| Vague requirements | Concrete measures |
| Low penalties | Up to €10M or 2% revenue |
| No personal liability | Personal liability of management |
Are You Affected?
The Sectors
NIS2 distinguishes between "essential" and "important" entities:
Essential Entities:
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management
- Public administration
- Space
Important Entities:
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing (medical devices, computers, electronics, machinery, vehicles)
- Digital services (online marketplaces, search engines, social networks)
- Research
The Size Criteria
You are affected if your company is:
Medium-sized enterprise:
- 50-250 employees OR
- €10-50M annual revenue AND < €43M balance sheet total
Large enterprise:
- > 250 employees OR
- > €50M annual revenue OR > €43M balance sheet total
Exception: Some sectors are affected regardless of size (e.g., DNS providers, TLD registries, critical infrastructure).
Quick Check
| Question | Yes | No |
|---|---|---|
| Are you in one of the 18 sectors? | → Continue | → Not affected |
| Do you have > 50 employees OR > €10M revenue? | → Affected | → Check exceptions |
| Are you critical infrastructure or an IT service provider? | → Probably affected | → Not affected |
The 10 Core Requirements
1. Risk Management
What NIS2 requires:
- Systematic risk analysis
- Documented risk assessments
- Regular review
Concrete measures:
- Create asset inventory (all IT systems, data)
- Conduct risk assessment
- Maintain risk register
- Quarterly review
2. Incident Handling
What NIS2 requires:
- Detection of security incidents
- Analysis and response
- Recovery processes
Concrete measures:
- Implement Security Information & Event Management (SIEM)
- Create incident response plan
- Runbooks for common incidents
- Regular exercises
3. Business Continuity
What NIS2 requires:
- Backup management
- Disaster recovery
- Crisis management
Concrete measures:
- Conduct business impact analysis
- Define backup strategy (3-2-1 rule)
- Create disaster recovery plan
- Conduct DR tests
4. Supply Chain Security
What NIS2 requires:
- Supplier security
- Risk assessment of service providers
- Contractual requirements
Concrete measures:
- Create supplier inventory
- Conduct security assessments
- Add security clauses to contracts
- Regular review
5. Network Security
What NIS2 requires:
- Secure procurement and development
- Vulnerability management
- Network segmentation
Concrete measures:
- Implement secure development lifecycle
- Introduce vulnerability scanning
- Conduct penetration tests
- Set up network segments
6. Cyber Hygiene
What NIS2 requires:
- Basic security measures
- Training
- Awareness programs
Concrete measures:
- Security awareness training for all employees
- Phishing simulations
- Password policies
- Regular updates
7. Cryptography
What NIS2 requires:
- Data encryption
- Crypto policies
- Key management
Concrete measures:
- Encryption at rest and in transit
- Create cryptography policy
- Implement key management
- Maintain crypto inventory
8. Access Controls
What NIS2 requires:
- Human resources security
- Access control policies
- Asset management
Concrete measures:
- Implement Identity & Access Management (IAM)
- Least privilege principle
- Multi-factor authentication
- Regular access reviews
9. Secure Communication
What NIS2 requires:
- Multi-factor authentication
- Secure voice, video, and text communication
- Secure emergency communication
Concrete measures:
- MFA for all systems
- End-to-end encryption
- Secure collaboration tools
- Emergency communication plan
10. Reporting Obligations
What NIS2 requires:
- Early warning within 24 hours
- Incident notification within 72 hours
- Final report within 1 month
Concrete measures:
- Define reporting processes
- Clarify responsibilities
- Create templates
- Test communication channels
Personal Liability of Management
This is new: Managing directors are personally liable for compliance.
What this means:
- Obligation to approve cybersecurity measures
- Obligation to monitor implementation
- Obligation to participate in training
- Personal liability for violations
Recommendation:
- Establish board-level cybersecurity reporting
- Regular security briefings for management
- Documentation of all decisions
- Review D&O insurance
The NIS2 Checklist
Immediate Measures (Priority: High)
- Check if affected (sector + size)
- Appoint responsible person (CISO or equivalent)
- Create asset inventory
- Conduct risk assessment
- Create incident response plan
Short-term (1-3 months)
- Gap analysis against NIS2 requirements
- Business impact analysis
- Supplier assessment
- Start security awareness training
- Define reporting processes
Medium-term (3-6 months)
- Implement technical measures
- Deploy SIEM
- Roll out MFA
- Network segmentation
- Implement backup strategy
- Document policies and processes
- Establish training program
- Update supplier contracts
Long-term (6-12 months)
- Continuous improvement
- Regular audits
- Penetration tests
- Exercises (incident response, DR)
- Pursue certifications (ISO 27001)
Costs and Resources
Typical Cost Factors
| Measure | One-time | Annual |
|---|---|---|
| Gap analysis | €15,000-50,000 | - |
| SIEM implementation | €30,000-100,000 | €20,000-50,000 |
| Awareness training | €5,000-20,000 | €10,000-30,000 |
| Penetration tests | - | €15,000-50,000 |
| External CISO | - | €50,000-120,000 |
| ISO 27001 certification | €30,000-100,000 | €10,000-30,000 |
Personnel Requirements
Minimum for medium-sized company:
- 1 FTE for security (CISO/Security Manager)
- 0.5 FTE for compliance/documentation
- Training time for all employees
Penalties and Consequences
For essential entities:
- Up to €10 million OR
- 2% of global annual revenue
For important entities:
- Up to €7 million OR
- 1.4% of global annual revenue
Additionally:
- Personal liability of management
- Temporary professional ban for managers possible
- Reputational damage
- Possible operational prohibition
Next Steps
Week 1: Clarify Applicability
- Check sector affiliation
- Analyze size criteria
- Obtain legal advice
- Inform management
Week 2-4: Assess Status Quo
- Create asset inventory
- Document existing measures
- Conduct gap analysis
- Prioritize risks
Month 2-3: Implement Quick Wins
- Create incident response plan
- Define reporting processes
- Start awareness training
- Close critical gaps
Month 4-12: Systematic Implementation
- Implement technical measures
- Establish processes
- Complete documentation
- Conduct audits
Conclusion
NIS2 is not optional – it's mandatory. The good news: Many requirements already correspond to IT security best practices. Those who proceed systematically can achieve compliance while genuinely improving security.
The most important step: Start now. Don't wait.
Need support with NIS2 implementation? We help with gap analyses, roadmap creation, and technical implementation. Get in touch.