PWR Blog

NIS-2 Directive: Summary & Requirements

Written by i-doit Team | 9 April 2026

Table of Contents

1. NIS-2 Directive: Summary, requirements and implementation
2. What is the NIS-2 Directive?
3. Expanded scope of NIS-2: Who is affected?
4. To which companies does NIS-2 apply?
5. New requirements for information security and obligations
6. IT security in the supply chain
7. Cybersecurity has top priority
8. Sanctions for violations of NIS-2
9. NIS-2: Implementation in Germany
10. The BSI as the central control body
11. Prepare now, benefit later

NIS-2 Directive: Summary, requirements and implementation in Germany

For once, all stakeholders are in agreement: digital transformation is driving economic growth in Europe. However, this inevitably leads to rising risks. Cyberattacks threaten critical infrastructures, and supply chains are at risk.

A reaction from European policymakers was therefore only logical. Through the NIS-2 Directive (NIS = Network and Information Security Directive), the EU is strengthening digital resilience in Europe.

In doing so, the directive takes numerous aspects of IT security into account. The spectrum ranges from technical measures and organisational processes to employee awareness. In this article, you will learn what you need to prepare for: in the EU in general and in Germany in particular.

What is the NIS-2 Directive?

The NIS-2 Directive is the further development of the first NIS Directive from 2016. It entered into force on 16 January 2023. Who is affected? Companies that provide essential or important services in the EU. Their networks and information systems are to be better protected against attacks through binding minimum standards.

An overview of the most important points of the NIS-2 Directive:

  • Goal: The level of cybersecurity in the EU is to be significantly increased.
  • Scope: There is an expansion to 18 critical and important sectors, including complex supply chains and digital service providers.
  • Affected parties: Significantly more medium-sized and large companies as well as providers of services in the EU are affected by NIS-2. This is regardless of the headquarters.
  • Obligations: Comprehensive security measures are introduced and implemented. Additionally, there are strict reporting obligations.
  • Sanctions: Significant fines, based on the GDPR, are threatened in the event of violations.
  • Registration: This has been mandatory since 18 October 2024.
  • Responsibility: Stronger liability and responsibility of company management for cybersecurity apply.

Expanded scope of NIS-2: Who is affected?

A central feature of the NIS-2 Directive is the significantly expanded scope. The 18 affected sectors include ten critical and eight important ones. NIS-2 therefore affects significantly more sectors and company sizes than previous directives.

Critical sectors

  1. Energy (electricity, oil, gas, district heating and cooling as well as hydrogen)
  2. Transport (air, rail, water and road transport)
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water supply
  7. Wastewater disposal
  8. Digital infrastructure
  9. Public administration (central and regional)
  10. Space

Important sectors

  1. Postal and courier services
  2. Waste management
  3. Manufacture and distribution of chemicals
  4. Production, processing and distribution of food
  5. Manufacture of medical devices
  6. Production of motor vehicles and (semi-)trailers
  7. Manufacture of other transport equipment
  8. Providers of digital services

To which companies does NIS-2 apply?

The NIS-2 Directive applies to companies with a size of 50 or more employees or an annual turnover of over 10 million euros. Small companies can be affected if they are considered particularly relevant or high-risk.

This means that over 29,000 companies in Germany are affected. The requirements for cybersecurity are formulated in more detail. This is because the focus is explicitly on proactive cyber risk management.

Furthermore, the scope of NIS-2 can extend to companies with a headquarters outside the EU. This applies in the event that they offer services here. You have probably already guessed it: this primarily concerns cloud providers and other digital service providers.

New requirements for information security and obligations

The scope of obligations has been significantly expanded. NIS-2 obliges companies to introduce comprehensive cyber risk management. What does this mean in concrete terms? These organisational measures, among others, are required:

  • Structured security policies
  • Planning of regular risk analyses
  • Clear responsibilities
  • Continuous training

Technical measures must also be implemented. These include encryption, access controls, intrusion detection, business continuity management (BCM) and vulnerability management. Modern authentication procedures, internal crisis communication and audit processes are also mandatory.

Incident handling is also required. It includes the following aspects:

  • Access controls and entry restrictions
  • Use of modern encryption technologies
  • Introduction of BCM
  • Emergency plans and recovery processes
  • Security measures for the acquisition, development and maintenance of IT systems

Therefore, companies require comprehensive and constantly up-to-date documentation of their IT security measures. Only then can they prove in black and white that they are complying with the NIS-2 Directive.

IT security in the supply chain

Companies are now obliged to also keep an eye on the security measures of suppliers, service providers and partners. These must be checked and contractually secured. This is intended to reduce potential vulnerabilities in the value chain: there is no way around seamless documentation and transparency across all interfaces.

Cybersecurity has top priority

Managing directors and boards of directors are directly responsible for the implementation of the NIS-2 Directive. Cybersecurity is therefore no longer a purely technical task. It is now an important part of entrepreneurial management responsibility. In the event of gross negligence, personal liability can apply, and even fines against individuals are possible.

Sanctions for violations of NIS-2

The NIS-2 Directive prescribes severe penalties: for critical facilities, fines of up to 10 million euros or 2% of the total worldwide annual turnover can be imposed. For important facilities, it is up to 7 million euros or 1.4% of turnover. Additionally, operational measures can be ordered. These include, for example, the restriction of services or the obligation to undergo audits by the supervisory authorities.

NIS-2: Implementation in Germany

The directive had to be transposed into national law by 17 October 2024 at the latest. In Germany, the implementation was carried out through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Since 18 October 2024, companies must register with the Federal Office for Information Security (BSI).

The BSI as the central control body

As already indicated above: in Germany, the BSI has a central role in the implementation of NIS-2. However, it does not only check registrations. In addition, it monitors compliance with the requirements, conducts security audits and imposes sanctions. At the same time, the BSI provides guides, webinars and checklists. The BSI also handles coordination in the event of security incidents.

Companies can protect themselves through the following measures:

  • Establishment of cyber risk management
  • Implementation of BCM and emergency management
  • Introduction of access restrictions and encryption
  • Early registration with the BSI
  • Integration of IT security into the corporate strategy

How can i-doit support compliance and implementation of the NIS-2 Directive?

i-doit supports companies in complying with the NIS-2 Directive through central and traceable IT documentation of all systems, processes and dependencies. Risks and protection requirements can be systematically assessed, security measures documented and responsibilities clearly assigned.

Emergency management and business continuity concepts can also be mapped in a structured manner and linked to relevant assets. For audits and official enquiries, i-doit provides clear reports and audit-proof evidence.

Advantages of i-doit at a glance:

  • Compliant asset and configuration management as well as protection requirement determination
  • Documentation of technical and organisational measures
  • Documentation of emergency management and concepts
  • Preparation for audits and official enquiries
  • Reporting and auditing

Prepare now, benefit later

It cannot be emphasised enough: the NIS-2 Directive is a milestone for cybersecurity in Europe. And it is an unmistakable call to companies to give IT security the necessary attention. If you act early, you will not only avoid fines. You will also strengthen the trust of all stakeholders in your company.

With IT documentation from i-doit and the i-doit ISMS add-on, you ensure secure IT processes and can demonstrate legal compliance to your stakeholders.