NIS-2

Many companies that never saw themselves as critical infrastructure are suddenly regulated: that is the core effect of NIS-2. The directive greatly widens the circle of those obliged and demands specific technical and organizational measures, the absence of which can become personally expensive for executive management.

What is NIS-2?

NIS-2 is EU Directive 2022/2555 on measures for a high common level of cybersecurity, the successor to the first NIS Directive of 2016. The transposition deadline for the member states expired in October 2024; in Germany, transposition takes place via the NIS-2 Implementation Act, which governs the circle of affected companies and oversight by the BSI.

Affected are essential and important entities from 18 sectors, from energy, transport, and health through digital infrastructure and IT service providers to manufacturing, food, and postal services. As a rule of thumb: companies with 50 or more employees or 10 million euros in revenue in one of the sectors fall within the scope; for particularly critical areas, special rules apply regardless of size. In Germany, according to common estimates, this affects around 30,000 companies.

What does NIS-2 specifically require?

At the core are the risk management measures under Article 21, shaped by the state of the art:

  • Risk analysis and security policies: documented management of the risks to network and information systems.
  • Incident handling: processes for detection, response, and recovery, including backup management and crisis plans.
  • Basic technical measures: among others access control, multi-factor authentication, encryption, and network segmentation.
  • Supply chain security: the security of one's own service providers and suppliers is expressly part of this.
  • Reporting duties: significant incidents must be reported to the competent authority in stages, with an early warning within 24 hours, a more detailed report within 72 hours, and a final report.
  • Management responsibility: executive management must approve and oversee the measures, undergo training, and is liable for violations; fines reach, depending on the type of entity, up to 10 million euros or 2 percent of worldwide revenue.

Why it matters

  • The scope is so broad that classic mid-sized companies are affected too, often without knowing it.
  • Cybersecurity moves from an IT task to a demonstrable organizational duty with personal responsibility of management.
  • The required measures are specific: anyone who cannot show segmentation, MFA, or reporting processes has a documented gap.
  • The supply chain requirement cascades: even those not affected themselves receive the requirements passed on through customer contracts.

Typical scenarios

  • A machine builder with 200 employees falls under NIS-2 as manufacturing and, for the first time, has to build up structured risk management.
  • An IT service provider is contractually obliged by its customers to adopt NIS-2-compliant security measures, even though it lies below the thresholds itself.
  • An energy supplier extends its existing KRITIS processes with the new reporting and evidence duties.
  • A healthcare company segments its network to limit the effects of incidents and to meet the incident-handling requirement.

How to prepare

The practical entry follows three steps. First, clarify whether you are affected: check sector, size, and special rules and document the result, because even a well-founded non-applicability needs to be substantiated. Second, a gap analysis against the catalog of measures from Article 21: what already exists, what is missing, what is present only undocumented? Experience shows that the largest gaps lie in network segmentation, in the contingency and reporting process, and in the supply chain view. Third, implement in a prioritized way: first the measures with the greatest risk leverage and the registration and reporting capability, then the rest in an orderly program.

Important for planning: the authorities do not expect a perfect end state on day one, but a demonstrable, serious level of implementation and functioning reporting channels. Anyone who waits until the first official inquiry arrives loses exactly the time that an orderly implementation would have taken.

NIS-2 and ISO 27001: the difference

The two are connected but different: NIS-2 is legislation with a mandatory character for affected entities, ISO 27001 a voluntary certification standard for management systems. A certified ISMS structurally covers many NIS-2 requirements and is a strong means of evidence, but it does not replace the legal duties such as registration and reporting channels. Our entry on cybersecurity compliance provides an overview of how the frameworks interact.

How KAEMI helps

A large part of the technical NIS-2 measures is delivered by the network: Zero Trust microsegmentation limits the effects of incidents and meets the segmentation expectation with demonstrable policies, a SASE/SSE architecture implements access control and MFA-backed access, and KAEMI's managed service operation delivers the monitoring and documentation that auditors want to see. Whether and how individual requirements are met in a specific case, we clarify in a requirements-driven way together with your compliance officers.

Frequently asked questions about NIS-2

Who does NIS-2 affect?

Essential and important entities from 18 sectors, including energy, health, transport, digital infrastructure, IT services, and manufacturing. As a rule of thumb: from 50 employees or 10 million euros in revenue in the sector; particularly critical areas regardless of size. In Germany, an estimated 30,000 companies are affected.

Which measures does NIS-2 require?

Documented risk management with specific building blocks: incident handling, backup and crisis management, access control, multi-factor authentication, encryption, network segmentation, and supply chain security. On top of this come staggered reporting duties with an early warning within 24 hours and the obligation of executive management to approve and oversee the measures.

What are the penalties for violations of NIS-2?

Fines of up to 10 million euros or 2 percent of worldwide annual revenue for essential entities, and somewhat lower ranges for important entities. On top of this come official orders and the personal responsibility of executive management, which cannot be delegated to the IT department.

Is an ISO 27001 certification enough for NIS-2?

It helps considerably, but on its own it is not enough. A certified ISMS structurally covers many requirements and serves as evidence. Legal duties such as registration with the authority, the specific reporting channels, and sector-specific requirements continue to exist alongside it and must be met independently.

How is NIS-2 connected with the network architecture?

Several mandatory measures are network topics: segmentation limits incidents, access control and MFA secure access, monitoring provides the detection and evidence capability. Anyone who implements microsegmentation and identity-based access thereby handles a measurable part of the NIS-2 catalog of measures.

Open questions about this in your environment? KAEMI advises you in line with your requirements and can also take over operations.