
Pillar Guide

NIS-2 Compliance

The NIS-2 Directive affects tens of thousands of organisations across the EU and brings fines of up to EUR 10 million, personal liability for management and 24-hour reporting obligations. Here you will find everything you need to know.

What is the NIS-2 Directive?

The NIS-2 Directive (EU 2022/2555) is the second generation of EU legislation on network and information security. It was published on 16 January 2023 and had to be transposed by all EU Member States into national law by October 2024.

The Directive pursues three central objectives:

  • Raising the level of cybersecurity across the EU through binding minimum standards
  • Harmonising requirements between Member States for a level playing field
  • Improving cooperation on cross-border security incidents

Compared to its predecessor NIS-1 from 2016, NIS-2 dramatically expands the scope: from roughly 4,500 to approximately 29,500 affected organisations in Germany alone. It also tightens sanctions and introduces personal liability for management.

Who is affected by NIS-2?

NIS-2 distinguishes between essential entities and important entities. Classification depends on the sector and company size.

Sectors of high criticality

Essential entities (Annex I)

  • Energy (electricity, gas, oil, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD, cloud, data centres)
  • ICT service management (B2B)
  • Public administration
  • Space

Other critical sectors

Important entities (Annex II)

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food production and distribution
  • Manufacturing (medical devices, computers, vehicles, machinery)
  • Digital services (marketplaces, search engines, social networks)
  • Research

Size threshold

In principle, organisations with 50 or more employees or EUR 10 million annual turnover are affected. Exception: certain sectors such as DNS services, TLD registries and trust services fall under NIS-2 regardless of size.

The 10 NIS-2 requirements under Article 21

Article 21 of the NIS-2 Directive defines 10 minimum measures that affected organisations must implement. These cover technical and organisational measures.

1. Risk analysis and security policies

Systematic analysis of information security risks and derivation of security policies for information systems.

2. Handling of security incidents

Processes for detection, analysis, containment and response to security incidents (incident response).

3. Business continuity and crisis management

Backup management, disaster recovery and crisis management to maintain operations.

4. Supply chain security

Assessment and management of cybersecurity risks throughout the supply chain and with service providers.

5. Security in acquisition, development and maintenance

Security requirements in procurement, development and maintenance of network and information systems.

6. Assessment of effectiveness

Policies and procedures for assessing the effectiveness of risk management measures.

7. Cyber hygiene and training

Basic cyber hygiene practices and regular cybersecurity training for all staff.

8. Cryptography

Policies and procedures for the use of cryptography and, where appropriate, encryption.

9. Human resources security and access controls

Personnel security, access control policies and asset management.

10. Multi-factor authentication

Use of MFA, secured communication systems and secured emergency communication systems.

Fines and personal liability

NIS-2 introduces significant sanctions - both for organisations and for management personally.

Essential entities: EUR 10 million or 2% of global annual turnover (whichever is higher)

Important entities: EUR 7 million or 1.4% of global annual turnover (whichever is higher)

Personal liability of management

The NIS-2 Directive makes management personally responsible for implementing cybersecurity measures. For essential entities, supervisory authorities can:

  • Issue orders to implement specific measures
  • Temporarily ban executives from management positions
  • Hold management personally liable for damages

Incident reporting obligations

NIS-2 introduces a three-stage reporting system for significant security incidents. Reports are made to the competent national authority.

24h - Early warning

Within 24 hours of becoming aware of the incident. Contains: suspected type of incident, indication of whether there is suspicion of unlawful conduct, possible cross-border effects.

72h - Full notification

Within 72 hours. Contains: assessment of the incident including severity and impact, indicators of compromise (IoCs), measures taken and planned.

1M - Final report

Within one month after the full notification. Contains: detailed description of the incident, root cause analysis, remediation measures implemented, cross-border effects.

NIS-2 implementation step by step

Implementing the NIS-2 requirements requires a structured approach. AWARE7 recommends the following procedure:

1. Applicability analysis

Check whether your organisation falls under NIS-2. Sector, company size and turnover determine the classification as an essential or important entity.

2. Gap analysis

Comparison of the current state against the 10 NIS-2 requirements. Where are the gaps? Which measures are already in place?

3. Risk assessment

Systematic identification and assessment of your cybersecurity risks. The basis for prioritising measures.

4. ISMS implementation

Building an information security management system per ISO 27001. The ISMS forms the foundation for sustainable NIS-2 compliance.

5. Technical measures

Implementation of technical controls: penetration tests, vulnerability management, incident response planning, multi-factor authentication, backup & recovery.

6. Awareness & training

Training all staff in cyber hygiene. Regular phishing simulations to measure and improve awareness.

7. Continual improvement

Regular audits, vulnerability scans and effectiveness assessments. NIS-2 is not a one-time project - it is a continuous process.

NIS-2 and ISO 27001

A certified ISMS under ISO 27001 fulfils most technical and organisational requirements of the NIS-2 Directive. Linking the two standards is the most efficient route to sustainable NIS-2 compliance.

What ISO 27001 covers for NIS-2

  • Risk management - ISO 27001 requires systematic risk management (NIS-2 requirement 1)
  • Incident management - ISO 27001 Annex A.5.24-28 covers NIS-2 requirement 2
  • Business continuity - ISO 27001 Annex A.5.29-30 addresses NIS-2 requirement 3
  • Supply chain security - ISO 27001 Annex A.5.19-23 covers NIS-2 requirement 4
  • Awareness and training - ISO 27001 Clause 7.2-7.3 fulfils NIS-2 requirement 7
  • Cryptography - ISO 27001 Annex A.8.24 corresponds to NIS-2 requirement 8
  • Access controls - ISO 27001 Annex A.5.15-18, A.8.2-5 covers NIS-2 requirement 9

What you additionally need

ISO 27001 does not cover all NIS-2-specific requirements. You additionally need:

  • Setting up reporting processes to the competent authority (24h/72h/1M scheme)
  • Registration obligation with the competent authority as an essential or important entity
  • Specific requirements for multi-factor authentication and secured emergency communication

AWARE7 supports you on both fronts simultaneously: ISO 27001 certification as the foundation, supplemented by NIS-2-specific measures.

NIS-2 checklist for organisations

Use this checklist as orientation for your NIS-2 implementation. It does not replace individual consulting, but provides a structured overview.

  • Affected organisations in Germany alone: 29,500+
  • Max. fine (essential entities): EUR 10M
  • Initial report after security incident: 24h
  • Sectors covered by NIS-2: 18

Sector-specific

NIS-2: Who is particularly affected?

The requirements apply across sectors, but implementation priorities differ significantly by industry. AWARE7 knows the specific challenges of your sector.

Energy & utilities (essential entity)

Electricity, gas and district heating providers are in the spotlight. OT security, supply chain security and 24-hour reporting obligations are priority areas.

Financial services (essential entity)

Banks and financial market infrastructure must meet particularly high requirements for business continuity, incident response and supply chain security.

Healthcare (essential entity)

Hospitals and healthcare providers are preferred attack targets. Data protection, availability and reporting processes require special attention.

IT service providers (essential & important entities)

Managed service providers, cloud providers and data centre operators are key actors in the supply chain and subject to strict NIS-2 requirements.

Manufacturing (important entity)

Mechanical engineering, automotive manufacturers and medical device manufacturers. Particular challenge: convergence of IT and OT and complex supply chains.

Research & education (important entity)

Research institutions and universities protect sensitive research data and intellectual property. Awareness and access controls are the priority.

Your NIS-2 experts

Our certified consultants guide you from applicability analysis to full compliance.

Frequently asked questions about the NIS-2 Directive

The NIS-2 Directive (Network and Information Security Directive 2) is an EU directive to strengthen cybersecurity across Europe. It was published on 16 January 2023 and must be transposed into national law by all EU Member States. It replaces the original NIS Directive from 2016 and significantly expands the scope of application.

Across the EU, tens of thousands of organisations are affected - approximately six times more than under the predecessor regulation. Affected are organisations from 18 sectors (e.g. energy, health, transport, digital infrastructure, manufacturing) with 50 or more employees or EUR 10 million annual turnover. Critical infrastructure operators are subject to additional obligations.

Essential entities face fines of up to EUR 10 million or 2% of global annual turnover (whichever is higher). For important entities the ceiling is EUR 7 million or 1.4% of turnover. In addition there is personal liability for management, who in extreme cases can be temporarily banned from holding management positions.

Article 21 of the NIS-2 Directive defines 10 minimum measures: risk analysis and security policies, incident management, business continuity, supply chain security, security in acquisition and development, assessment of measure effectiveness, cyber hygiene and awareness training, cryptography, access management and asset management, and multi-factor authentication.

A certified ISMS under ISO 27001 fulfils most technical and organisational requirements of the NIS-2 Directive. ISO 27001 covers risk management, documentation, incident management, awareness and regular review. AWARE7 recommends achieving NIS-2 compliance through building an ISO 27001-compliant ISMS.

Yes, NIS-2 introduces a three-stage reporting system: initial notification within 24 hours to the competent authority, full report within 72 hours with assessment and countermeasures, and a final report within one month. Essential entities must also inform affected recipients.

Costs vary considerably depending on maturity level and company size. For a mid-sized company without an existing ISMS, expect EUR 30,000-100,000 for the initial implementation. AWARE7 will provide you with an individual quote.

AWARE7 supports you holistically: applicability analysis (are you subject to NIS-2?), gap analysis against the 10 NIS-2 requirements, ISMS implementation per ISO 27001 as the NIS-2 compliance foundation, penetration tests and vulnerability scans, incident response planning, awareness training and phishing simulations, and regular audits.

In principle the threshold of 50 employees or EUR 10 million annual turnover applies. However, exceptions exist for certain sectors: providers of public electronic communications networks, qualified trust service providers, TLD registries and DNS services are subject to NIS-2 regardless of their size. Additionally, small companies may indirectly receive requirements as important links in the supply chain of large affected organisations.

The NIS-2 implementation deadline was October 2024. Affected organisations should start implementation immediately. The competent authorities have announced that registration obligations and inspections will be enforced incrementally. Acting now minimises the risk of fines and creates lasting cyber resilience.

Essential entities (Annex I, e.g. energy, health, banking) are subject to the strongest regulation: proactive supervision, fines up to EUR 10 million and the possibility of temporarily banning management from their positions. Important entities (Annex II, e.g. food, chemicals, manufacturing) are primarily regulated reactively, i.e. the supervisory authority only investigates in the event of incidents. Fines are somewhat lower at max. EUR 7 million, but the technical and organisational obligations are largely identical.

Does NIS-2 affect your organisation?

Check your NIS-2 readiness now in a free initial consultation with our experts.

Free · 30 minutes · No obligation