
NIS-2: New requirements for cyber security

What you need to know to implement the new EU directive quickly

NIS-2: Summary of the most important information

The NIS 2 Directive is an EU-wide regulation that obliges companies and organizations to meet higher security standards for network and information systems.

  • NIS-2 came into force in January 2023 and applies to companies with 50 or more employees or a turnover of EUR 10 million in 18 defined sectors
  • Failure to comply with NIS 2 requirements can result in high fines, loss of business and reputational damage
  • Companies must implement cyber security risk management, report security incidents within 24 hours, secure their supply chains and use certified IT products where appropriate
  • The directive was to be transposed into national law by October 2024. Although the German draft law (NIS-2UmsuCG) has been adopted by the cabinet, it has not yet been passed by the Bundestag.

What is NIS-2?

The Network and Information Security (NIS) Directive is an EU-wide regulation that expands and tightens cyber and information security standards for certain organizations and sectors. With NIS-2, the EU aims to strengthen the resilience and security of network and information systems throughout the European Union. Experts assume that the NIS-2 directive will become for cyber security what the GDPR has become for data protection.

By when must NIS-2 be implemented?

The NIS-2 Directive came into force on January 16, 2023, and the EU member states then had until October 17, 2024 to transpose the directive into national law. In Germany, this was to be done through the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2UmsuCG).

Although the draft law was approved by the cabinet on July 24, 2024, it failed to be passed by the Bundestag. Negotiations continued after the end of the traffic light coalition, but were ultimately unsuccessful. This means that the implementation of NIS-2 in Germany remains open and the EU implementation deadline will be significantly exceeded. The EU Commission has already initiated infringement proceedings against Germany. Nevertheless, the specific requirements of the directive and the draft implementation law provide a clear framework for companies.

NIS 2 compliance made easy - with MaibornWolff

Are you affected by the NIS 2 Directive? Our experts will be happy to support you in implementing the requirements of the NIS 2 Directive. MaibornWolff offers holistic risk management right from the start: We help you to strategically identify risks, minimize them sustainably and remain secure in the long term. This gives you exactly the security your company needs - not just on paper, but above all in practice.

  • Implementation of NIS-2 with existing business continuity
  • Cybersecurity training courses
  • Security Check-Up
  • Outstanding risk management

Opt for real cyber security

With MaibornWolff, you can rely on a partner who sees compliance not as a compulsory exercise, but as an opportunity for real cyber security.

Crucial to the success of the project: the team did not try to bring security into the development teams from outside in a 'police role'. Instead, it empowered our teams themselves to systematically assess security.
Philipp Lindemann, Project Manager, MAN

Which companies are affected by NIS-2?

NIS-2 affects companies that operate in an EU country. It does not matter whether they are also based in the EU. With the NIS-2 Directive, the EU holds so-called "essential" and "important" entities accountable. These include companies and institutions from a total of 18 economic sectors. In addition to the location and field of activity, the number of employees and annual turnover also play an important role: companies with 50 or more employees or an annual turnover of at least ten million euros must implement the NIS 2 Directive.

Be sure to check whether your company is affected by NIS-2, as non-compliance with the NIS-2 requirements can result in heavy fines.


These sectors are covered by the NIS 2 Directive

Whether your company must meet the requirements of the NIS 2 Directive depends on whether it belongs to one of the 18 defined business sectors. These are divided into sectors of high criticality and other critical sectors.


Sectors of high criticality

  • Energy (electricity, district heating and cooling, crude oil, natural gas, hydrogen)
  • Transportation (air transport, rail transport, shipping, road transport)
  • Banking, financial market infrastructures
  • Public health
  • Drinking water, waste water
  • Digital infrastructure & public administration
  • Management of ICT services (business-to-business)
  • Space

Other critical sectors

  • Postal and courier services
  • Waste management
  • Production, manufacture and trade in chemical substances
  • Production, processing and distribution of foodstuffs
  • Manufacturing industry / production of goods
  • Providers of digital services
  • Research

Essential and important entities: What's the difference?

With the introduction of the NIS 2 Directive, the previous distinction between operators of essential services (OES) and digital service providers (DSP) no longer applies. Both have been transferred to the new categories of essential and important entities. The cybersecurity requirements are the same for both groups, but there are differences in terms of regulatory control and possible sanctions:

➜ Essential entities are large companies with at least 250 employees or an annual turnover of more than €50 million that operate in a high-criticality sector. They are subject to strict, proactive monitoring by the authorities, i.e. regular inspections and audits. Violations can be punished with fines of up to 10 million euros or 2% of annual turnover.

➜ Important entities are companies from other critical sectors with at least 50 employees or 10 million euros in turnover. They are only inspected if there are concrete grounds for suspicion (reactive supervision). The maximum fines amount to 7 million euros or 1.4% of annual turnover.

National authorities can also classify companies as essential or important regardless of their size if their activities are of particular security relevance. In addition, management can be held personally liable for violations - with an upper limit of 2% of global annual turnover.


NIS 2 requirements for companies

In order to meet the requirements of the NIS 2 Directive, companies must implement comprehensive security measures. These include, among other things:

  • Management responsibility: Managers must not only approve cyber security measures, but also actively monitor them. They are obliged to take part in training courses and are personally liable in the event of breaches.
  • Cybersecurity risk management: Companies should take technical, operational and organizational measures to minimize security risks. These include emergency plans, access controls, encryption as well as backup and crisis management. Effective risk management also includes the complete recording, assessment and comprehensible handling of risks - including the option of consciously accepting certain risks.
  • Security in the supply chain: Not only the affected companies themselves, but also their service providers and suppliers are subject to clear security requirements. Coordinated risk assessments help to identify potential vulnerabilities at an early stage.
  • Notification and reporting obligations: Security incidents must be reported within 24 hours as an early warning. An initial analysis must be carried out after 72 hours and a final report after one month at the latest.
  • Certified IT products & security standards: Companies may be obliged to use certified IT and communication products and implement European security standards. Security requirements must also be taken into account when procuring IT and network systems.
  • Training & sensitization of employees: Regular training on cyber hygiene, secure data handling and threat detection should minimize human error as a security risk.
  • Obligation to register: Companies are obliged to register with the competent national authority to ensure compliance with the NIS 2 requirements.

Implement the NIS 2 directive efficiently and benefit now from our comprehensive NIS 2 advice.

Our references & projects

A reference is worth more than 1,000 words. Fortunately, we have dozens of them. Click through a selection of our most exciting projects and see for yourself!

  • MAN: Efficient threat analysis for control units

    Digitalization increases cyber risks - especially for MAN's new CM4 control unit. Our experts use the 4×6 methodology and ThreatSea to identify threats at an early stage and develop targeted protective measures. Find out how MAN uses intelligent risk analysis to strengthen the security of its vehicles.

    Project duration: 7 months
    Threat analyses: over 20 workshops
    Potential risks evaluated: over 500

What happens if my company does not comply with the NIS 2 directive?

Non-compliance with the NIS 2 Directive can have serious consequences for companies. Essential entities risk fines of up to €10 million or 2% of annual global turnover, while important entities risk fines of up to €7 million or 1.4% of annual turnover. In addition, management has a direct responsibility: according to the NIS 2 Directive, it must not only approve cybersecurity risk management measures, but also monitor their implementation. If these requirements are not met, they can be held personally liable.

In addition to financial and legal consequences, there is a risk of reputational damage and business losses, such as exclusion from supply chains, if companies cannot provide evidence of the required security measures.

This makes it all the more important to implement the requirements of the NIS 2 Directive at an early stage and to actively minimize security risks. MaibornWolff supports you with individual solutions and practical expertise. Our aim is to ensure that your company not only meets the legal requirements, but is also secure in the long term.

FAQ: Frequently asked questions about NIS-2

  • What is the difference between NIS and NIS-2?

    The NIS 2 Directive replaces the NIS Directive (2016/1148), which has been in place since 2016, and raises cybersecurity in the EU to a new level. While NIS laid the foundation for the protection of critical infrastructures (KRITIS), it did not achieve a uniform level of security across all member states.

    NIS-2 tightens up three key aspects:

    • Prerequisites: The NIS-2 Directive creates the prerequisites for a uniform level of security across Europe.
    • Scope of application: NIS-2 greatly expands the scope of application, so that well over 100,000 companies are now affected.
    • Responsibility: Upper management is made more responsible for consistently implementing cyber security measures.

  • What is the NIS-2UmsuCG?

    The NIS-2 Implementation and Cybersecurity Strengthening Act (NIS-2UmsuCG) is the German draft law to transpose the NIS-2 Directive into national law. It is intended to regulate the cybersecurity requirements for companies in critical and important sectors and was passed by the Federal Cabinet on July 24, 2024, but has not yet been adopted (as of February 2025).

  • How can I prepare for the NIS 2 Directive?

    Companies should develop a cyber security strategy at an early stage, review and adapt existing IT security measures and establish clear emergency and reporting processes. Close cooperation with IT security experts can help to implement all requirements efficiently.

  • What happens if my company is not based in the EU?

    Companies based outside the EU must also comply with NIS-2 if they provide services within the EU or wish to work with companies based in the EU. They must appoint a representative who is established in an EU member state and is responsible for compliance.

  • Do companies have to register under NIS-2?

    Yes, essential and important entities must register with the competent national authorities in accordance with the NIS 2 Directive. The purpose of this registration is to monitor compliance with cybersecurity requirements and enable better coordination in the event of security incidents. The exact requirements and deadlines for registration are set individually by each EU member state.
