NIS2 Directive
Network & Information Security
EU 2022/2555
The NIS2 Directive requires approximately 30,000 German companies to implement comprehensive cybersecurity measures. Those affected who fail to act in time risk severe fines and personal liability for management.
The EU deadline was October 2024. The German NIS2UmsuCG is expected in 2025. Companies that prepare now have a significant time advantage.
- Regulation: EU Directive 2022/2555
- Affected companies (DE): ~30,000
- Max. fine (essential): €10M
- Initial report deadline: 24 hours
- Sectors affected: 18+ sectors
Who is affected by NIS2?
NIS2 distinguishes between essential and important entities. Both categories have comprehensive obligations – with different fine frameworks.
Essential Entities
- Energy (electricity, gas, oil)
- Transport & traffic
- Financial markets & banking
- Healthcare
- Drinking water & wastewater
- Digital infrastructure
- Public administration
Important Entities
- Postal & courier services
- Waste management
- Chemical industry
- Food production
- Manufacturing
- Digital services
- Research institutions
Size thresholds: An entity is classified as essential or important if it operates in one of the named sectors and employs at least 50 people or has an annual turnover exceeding €10 million. Micro-enterprises are generally exempt unless they play a critical role in a sector's infrastructure.
What does NIS2 specifically require?
Article 21 of the NIS2 Directive defines minimum requirements for technical and organizational security measures – binding for all affected entities.
Risk analysis & security concept
Systematic assessment of cyber risks for network and information systems. A documented security concept is mandatory.
Incident reporting obligation
Significant security incidents must be reported within 24 hours (initial report), with a full report within 72 hours.
Supply chain security
Security in the supply chain must be actively verified. Contractual partners and suppliers must be included in security measures.
Business continuity
Backup management, emergency plans, and recovery procedures must be in place and regularly tested.
Cryptography & access control
Use of encryption, multi-factor authentication, and role-based access control is mandatory.
Training & awareness
Regular security training for employees and management. Demonstrability is part of the compliance requirements.
Deadlines & Timeline
The NIS2 timeline – from adoption to German implementation.
NIS2 Directive adopted
EU Directive 2022/2555 enters into force. Member states have 21 months for implementation.
EU implementation deadline expired
The deadline for national implementation has expired. Germany is delayed with the NIS2UmsuCG.
NIS2UmsuCG in Germany
The national implementation law is expected in 2025. Companies are already obliged to prepare.
Act now: Registration obligation
Affected companies must register with the BSI. Security measures must be demonstrably implemented.
How we help you with NIS2
From the initial assessment to ongoing support – we guide you through the entire NIS2 process in three clearly structured phases.
Analysis & Classification
We check whether your company is affected and which category it falls into, and create a gap analysis of your current security posture.
- Classification as essential/important
- Inventory of existing measures
- Gap analysis against NIS2 requirements
- Risk assessment of critical systems
Implementation & Technology
We implement all technical and organizational measures required by NIS2 – practical and documented.
- Create security concept
- Build incident response process
- Set up backup and BCM systems
- Implement MFA and access controls
- Develop supply chain security clauses
Support & Operations
NIS2 is not a one-time project. We support you permanently with monitoring, training, and regular reviews.
- Support BSI registration
- Training for employees & management
- Regular security reviews
- Updates for legislative changes
Is your company NIS2-ready?
Let us check together whether and how NIS2 affects you – and which measures you need to implement now. Free initial consultation, concrete assessment.
Schedule free initial consultation
We will get back to you within 24 hours.
