
NIS2 in focus: What changes and how to master the directive


Summary:
NIS2 elevates cybersecurity to a top priority. This EU directive significantly widens the circle of affected companies and tightens obligations, reporting deadlines, and liability for management. Being well prepared pays off: systematically managing risks and establishing clear reporting channels not only helps avoid severe penalties but also strengthens the resilience and long-term viability of your company.


With NIS2, cybersecurity takes its rightful place in the executive suite. The new EU directive not only tightens the approach to information security but also significantly broadens the scope of affected companies. But what does this mean for you in concrete terms? We provide you with an overview: Who needs to take action? What are the deadlines? And how can you implement the requirements pragmatically?

What is NIS2 and when does it start?

The NIS2 Directive (EU 2022/2555) is the successor to the 2016 NIS Directive and the current EU framework for network and information security. Its stated objective: to achieve a high common level of cyber resilience across organizations in critical and important sectors.

  • The framework: NIS2 is an EU directive, so it must be transposed into national law by each member state; the EU transposition deadline was October 17, 2024. In Germany, the NIS2 Implementation Act amends the BSI Act (BSIG), which defines the responsibilities and powers of the German Federal Office for Information Security (BSI) as well as the key obligations for IT and cyber security in Germany.
  • The start: In Germany, the law comes into effect on January 1, 2026.
  • The urgency: There are no general transitional periods; the obligations apply from the moment an entity falls within scope, and registration with the BSI must follow within a short window.

Are you part of it?

NIS2 distinguishes between "essential entities" and "important entities." Whether you are affected, and in which category, depends on your sector and your size.

  • The rule of thumb for size
    Typically, companies with at least 50 employees, or with more than 10 million euros in both annual turnover and balance-sheet total, fall within scope if they operate in a listed sector. Large companies in the most critical sectors (energy, health, water, digital infrastructure and others listed in Annex I) are generally essential entities; the rest are important entities. But beware: certain service providers (for example DNS service providers, top-level domain registries and qualified trust service providers) are covered regardless of size, and smaller suppliers feel the directive indirectly because their in-scope customers must impose security requirements on their supply chain.

  • Affected industries
    The range of affected industries has expanded significantly. These include, among others:
    • food industry
    • chemical and pharmaceutical
    • healthcare
    • energy, water, and waste management

Important: NIS2 goes far beyond the traditional German KRITIS regime, which covered only operators of critical infrastructure above fixed thresholds. Many companies, especially mid-sized manufacturers, will face regulated cybersecurity requirements for the first time.

What are the specific requirements?

NIS2 requires not only security measures but also demonstrable, risk-based management of them. It is no longer just about technology; documented processes are essential. The catalogue of minimum measures (Article 21 of the directive) focuses on:

  • Risk analysis, security policies and clear security governance
  • Incident handling, including detection and comprehensive logging
  • Business continuity (backups, disaster recovery) and crisis management
  • Securing the supply chain, including contractual requirements for service providers
  • Secure acquisition, development and maintenance of systems, with consistent patch and vulnerability management
  • Clean identity and access management, including multi-factor authentication where appropriate
  • Procedures to assess how effective the measures actually are

NIS2 demands much more than technical barriers; the directive calls for clear organizational and strategic steps. Cybersecurity becomes a management task: the management body must approve the risk management measures, oversee their implementation, and can be held accountable for breaches of these duties. At the same time, knowledge becomes a crucial protective factor, as mandatory training for executives and regular awareness training for employees instill an understanding of threats and reporting channels throughout the team.

All of this rests on a consistently risk-based approach. Measures are aligned not with theoretical models but with real threat scenarios, and they are reviewed regularly, because a control that is never tested cannot be shown to work. External partnerships also come into focus: collaborations with IT service providers require contracts that firmly establish security standards, because responsibility for the service cannot be outsourced along with its operation.

Encryption of sensitive data, secure communication channels and physical security are also part of the catalogue. In short, NIS2 demands a living security management system that integrates the technical, organizational and strategic levels and evolves continuously.

When urgency is critical: reporting requirements under time pressure

During a significant security incident, time is of the essence, and the deadlines for notifying the competent authority or CSIRT (in Germany, the BSI) are tight. The clock starts as soon as you become aware of the incident:

  • 24 hours for an early warning (at minimum: whether the incident is suspected to be malicious and whether it may have cross-border impact)
  • 72 hours for the incident notification with an initial assessment of severity, impact and indicators of compromise
  • 1 month for the final report with root cause, mitigation and cross-border effects; the authority may also request intermediate status reports in between

One thing is clear: violations of the NIS2 obligations do not go unnoticed. The maximum fines are significant. For "essential entities," fines of up to 10 million euros or 2% of total worldwide annual turnover of the preceding financial year are possible, whichever is higher. "Important entities" can face fines of up to 7 million euros or 1.4% of total worldwide annual turnover, again whichever is higher.

However, the risk does not only affect the company as a whole. Members of the management body can be held personally liable for breaches of their oversight duties, and for essential entities the authorities can temporarily bar individuals from exercising management functions. Authorities can also impose binding instructions, order security audits, and temporarily suspend certifications or authorizations. Do not view the reporting requirements as mere formalities, but as crucial tools to minimize financial and legal risks and to protect your reputation.

Where are the pitfalls?

The most common stumbling blocks are typically:

  1. Unclear status: Am I affected? If so, as an essential or an important entity, and for which parts of the business?
  2. Legacy issues: Outdated servers (legacy IT) and systems that are no longer patched or supported do not meet today's security standards, and end-of-life software is hard to defend in an audit.
  3. Time management: The 24-hour early-warning window leaves no room for improvisation; detection, escalation and the reporting path must be defined and rehearsed in advance.
  4. Burden of proof: Measures must not only exist but also be verifiably documented, because the entity, not the authority, has to demonstrate compliance.

Your benefit in the cloud

NIS2 does not mandate a specific architecture, but modern cloud and SaaS models can greatly reduce your operational workload: updates, system hardening and availability are often part of the service. Two caveats remain. First, the shared responsibility principle applies, so identity and access management, data classification and configuration on your side of the line stay with you. Second, NIS2 accountability is not outsourced along with operations: the provider becomes part of your supply chain and must be covered by the contractual security requirements described above, and incidents at the provider still count against your own reporting deadlines.

Your roadmap to compliance

Approach the topic systematically:

  1. Clarify status: Determine whether you fall within scope and whether you are an essential or an important entity, then register with the BSI if required.
  2. Assign responsibility: Define clear roles, including the management body's approval and oversight duties.
  3. Identify gaps: Conduct a gap analysis against the NIS2 minimum measures.
  4. Assess risks: Identify your critical assets, the processes that depend on them, and the realistic threats to them.
  5. Rehearse incidents: Test your incident response and reporting plans against the 24-hour, 72-hour and one-month deadlines.
  6. Secure the supply chain: Assess your partners and service providers and anchor security requirements in contracts.
  7. Strengthen technology: Implement the necessary security measures, prioritized by the risk assessment.
  8. Stay committed: Document everything, measure effectiveness, and strive for continuous improvement.

In conclusion: view security as an opportunity

View NIS2 not as a bureaucratic burden, but as a strategic lever. Acting now not only minimizes regulatory risk but also makes your company more resilient against the attacks that the directive is meant to counter. In our complex industries, stability and resilience are the currency of tomorrow.

Author: Stefan Klammler
