NIS2: EU directive for cyber security

Update from 13 November 2025

NIS 2 Directive: EU directive for more cyber security

In an increasingly networked world, cybersecurity and the protection of our digital infrastructures are of crucial importance. The NIS2 Directive, the further development of the Network and Information Systems Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. On 13 November 2025, Germany transposed the EU's NIS 2 Directive into national law. For organisations, this means a fundamental tightening of cybersecurity obligations. But what exactly is changing? This article gives an overview of the new scope and key obligations of NIS2, together with practical examples of how ISO 27001 can help you with implementation.

Key information on the NIS2 Directive

  • NIS2 is the further development of the original NIS Directive (Network and Information Systems Directive), which was first adopted in 2016.
  • The aim of both directives is to strengthen cyber security and protect digital infrastructure and critical services from cyber threats.
  • On 16 January 2023 the so-called NIS2 Directive came into force. The EU member states had until 17 October 2024 to transpose the directive into national law. On 13 November 2025, Germany transposed the EU's NIS 2 Directive into national law.
  • The NIS2 Directive affects more organisations and requires stricter security measures. Companies that do not fulfil the requirements of NIS2 risk fines, and managing directors are directly liable.

Full title of the directive

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive)

Whitepaper NIS-2 Directive: EU Directive for more cyber security


In the white paper NIS-2 Directive you will find:

  • Information on the background and origin of the NIS-2 Directive
  • Information on the connection with other laws and guidelines
  • Requirements which the organisations concerned must implement
  • Information on penalties and sanctions

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

What is NIS2: This is what the new EU cyber security directive says

The full name of the NIS Directive is the Network and Information Systems Directive; in German it is rendered as the Network and Information Security Directive. The NIS Directive is a European Union directive that aims to strengthen cybersecurity in the EU. The directive was adopted in 2016 and was to be implemented by the EU member states by May 2018.

In December 2022, the successor, the NIS2 Directive, entered into force. This NIS2 Directive builds on the original NIS Directive of 2016. NIS2 was developed to further strengthen cybersecurity across the EU and to respond to current developments in the digital sphere by tightening requirements for organisations and promoting cooperation at EU level. This is an important step towards better managing the increasing cyber threats in the digital world.

The NIS Directive applies to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important social functions. These include companies in the energy, water, transport, finance, healthcare and telecommunications sectors.

Innovations: More cyber security through the NIS 2 directive

The reasons for the legislative change from NIS to NIS2 are the sharp rise in cyber attacks in recent years, increasing digitalisation (including the use of artificial intelligence) and the need for uniform regulation across all EU member states.

The NIS 2 Directive has the clear aim of strengthening cyber security and making the digital landscape in Europe more secure. When the directive comes into force, the requirements for companies and organisations will be increased, security certification will be promoted and cooperation at European level will be strengthened.

Overview of the new features of the NIS 2 Directive:

  • Sectors: The critical essential sectors have been expanded to eleven sectors and the important sectors to seven. Eighteen sectors are therefore covered by the new NIS2 directive. This means that a wider range of companies and organisations will have to raise their security standards.
  • Facilities: Organisations with 50 or more employees or an annual turnover of 10 million euros or more are affected. Some organisations will fall under the NIS2 Directive regardless of their size.
  • Supply chains: The NIS 2 Directive sets out new requirements for the cyber security of supply chains. These requirements are intended to help companies be better prepared for cyberattacks that occur via their supply chains.
  • Cooperation: Supervision and cooperation between authorities and organisations in the EU will be expanded.
  • Certification of products and services: The introduction of cyber security certifications should make it easier for consumers and companies to opt for more secure solutions.
  • Sanctions: The NIS 2 Directive provides for significantly higher penalties for violations of the Directive, ranging from fines to imprisonment.

Current status of implementation in Germany

The NIS2 Directive is already in force in the EU, with the deadline for national implementation having expired in October 2024. On 13 November 2025, Germany transposed the EU's NIS2 Directive into national law.

  • 13 November 2025

    On 13 November 2025, Germany transposed the EU's NIS 2 Directive into national law.

  • 06 June 2025

    New government draft bill is available.

  • 30 January 2025

    Due to the early elections in Germany, the parliamentary procedure for the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) could not be finalised. The BMI continues to describe the implementation of the NIS-2 Directive as urgent.

  • 17 October 2024

    The EU member states must transpose the directive into national law by 17 October 2024.

  • 24 July 2024

    The German government draft has been adopted.

  • 07 May 2024

    The German draft bill has been published.

  • 22 December 2023

    Fourth draft bill December 2023

  • September 2023

    Third draft bill September 2023

  • July 2023

    Second German draft bill July 2023

  • April 2023

    First German draft bill from April 2023

  • 16 January 2023

    The European Directive entered into force on 16 January 2023.

Origin of the NIS 2 Directive

The EU Network and Information Security Directive (NIS) was adopted on 6 July 2016 and has been in force since 9 August 2016. The European NIS Directive was implemented in Germany by the Act to Increase the Security of Information Technology Systems (IT Security Act).

The IT Security Act came into force on 25 June 2017 and previously applied in particular to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important social functions. The NIS 2 Directive now applies to all companies and organisations operating in the sectors listed in Annex I of the Directive. These include energy, water, transport, finance, healthcare and telecommunications. The NIS Directive originally only applied to operators of critical infrastructure (KRITIS).

  • 2023

    NIS-2 (EU)

    The NIS 2 Directive was adopted by the European Parliament and the Council of the European Union on 25 November 2022. It came into force on 27 June 2023 and must be transposed into national law in all EU member states by 27 June 2024.

  • 2021

    IT Security Act 2.0 (Germany)

    IT Security Act 2.0 was adopted on 24 May 2021 and is closely linked to the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council). The IT Security Act 2.0 serves to transpose the NIS Directive into national German law and sets out specific requirements for operators of critical infrastructure and providers of digital services in order to strengthen cybersecurity in Germany in accordance with European standards.

  • 2016

    Amendment to the BSI Act (Germany)

    The BSI Act grants the Federal Office for Information Security (BSI) specific authorisations and responsibilities to monitor the implementation of the IT Security Act and to ensure that companies and organisations take appropriate security measures. The European Union's NIS Directive requires member states to designate national authorities or bodies responsible for implementing and monitoring the directive. In Germany, the BSI is the body responsible for implementing the NIS Directive. The BSI Act regulates the powers of the Federal Office in connection with the implementation of the NIS Directive, including the monitoring of critical infrastructures and the performance of security audits.

  • 2016

    NIS Directive (EU)

    The Network and Information Systems Directive is a European Union directive that aims to strengthen cybersecurity in the EU. The directive was adopted in 2016 and should be implemented by the EU member states by May 2018.

  • 2015

    IT Security Act (Germany)

    It laid the foundations for the regulation of cyber security in Germany by defining the requirements for the security of critical infrastructures.

Requirements of the NIS2 Directive

The NIS2 Directive is intended to help operators of critical infrastructures to better protect their information systems and prevent or at least mitigate cyberattacks.

The most important requirements of the NIS-2 Directive are:

Companies and organisations affected by the NIS 2 Directive must introduce and operate an Information Security Management System (ISMS). The ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.

Companies and organisations must practise active risk management, including regular risk assessments. The risk assessments should identify the potential threats and risks to the information security of the company's systems and services.

Companies and organisations must report cyber incidents to the competent authorities. Reports must be made within 24 hours if the incident could have a significant impact on the functioning of the organisation's systems and services.

The competent authorities of the EU member states must exchange information on cyber incidents. The exchange of information is intended to improve the response to cyber incidents.

In addition to the requirements of the NIS 2 Directive, the IT Security Act 2.0 will also contain additional requirements that are currently being defined by Germany. These include the obligation to appoint an information security officer and to carry out cyber security exercises.

Which companies must implement NIS2?

The NIS2 Directive (Network and Information Security Directive, Version 2) replaces the previous NIS1 and significantly expands the circle of obligated organisations. The focus is no longer solely on traditional KRITIS operators but also on many medium-sized companies from a total of 18 sectors. In addition to the sector, the size of the company is also a decisive factor. Even medium-sized companies (with >50 employees or >€10 million in turnover/balance sheet total) are considered relevant if they operate in one of the sectors mentioned, such as industry, transport, the digital economy or healthcare.

NIS2 distinguishes between two categories of institutions:

  • "Particularly important entities" (essential entities): Large organisations in highly critical sectors such as energy, health, finance, digital infrastructure or public administration. They are essential for maintaining key societal functions and must meet all NIS2 requirements. Accordingly, they are subject to the strictest requirements and the highest level of supervision by authorities.
  • "Important entities": Medium-sized organisations and institutions in other important sectors, e.g. postal and courier services, chemical trade, food production, research or manufacturers of goods. Disruption to these sectors would still have a significant impact, even if they are not considered highly critical. They must also implement numerous security measures, albeit with slightly less intensity in some cases. Nevertheless, these companies are now also subject to reporting and supervisory obligations by the BSI. Size no longer protects against regulation: many previously unregulated companies are now within scope.

For all affected organisations, the German Kritis Regulation (BSI-KritisV) will no longer be the sole benchmark. The old threshold logic (e.g. 500,000 people served) will take a back seat. Instead, the EU requirement will be directly binding: Member States will not be able to define any further exceptions. Organisations should therefore independently check whether they fall under NIS2. Any uncertainties can be clarified through consultation or by contacting the authority (BSI).

Essential entities (particularly important organisations)

  • Criticality: Essential for the maintenance of important social functions
  • Requirements: All requirements of the NIS 2 Directive must be implemented.
  • Sectors of the essential entities:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Healthcare
    • Drinking water
    • Waste water
    • Digital infrastructure
    • Management of ICT services
    • Public administration
    • Space

Important organisations

  • Criticality: Disruption could nevertheless have a significant impact on important social functions
  • Requirements: Some requirements of the NIS 2 Directive must be implemented, but not all.
  • Sectors of the important organisations:
    • Postal and courier services
    • Waste management
    • Production, manufacture and trade in chemical substances
    • Production, processing and distribution of food
    • Manufacturing/production of goods
    • Provider of digital services
    • Research

Implementation of the NIS 2 Directive

Who is responsible for implementing the NIS 2 Directive

The implementation of the NIS 2 Directive is a joint task of the EU member states and the EU Commission. The EU Commission is responsible for developing the Directive and monitoring its implementation in the Member States.

The member states are responsible for transposing the directive into national law and for monitoring compliance with its requirements by the organisations concerned.

In Germany, the Federal Office for Information Security (BSI) is responsible for the implementation of the NIS-2 Directive. The BSI is a higher federal authority responsible for the security of information technology in Germany.

The BSI has the following tasks as part of the implementation of the NIS 2 Directive:

  • Development of guidelines and recommendations for the implementation of the directive
  • Advice and support for the organisations concerned in implementing the directive
  • Monitoring the implementation of the directive by the organisations concerned

The organisations concerned must implement the defined minimum requirements for cyber security. The management of the organisations concerned is responsible for implementation and monitoring, and can be held liable for inadequate implementation.

Advice on the implementation of the NIS2 Directive

The new EU directive on cyber security is becoming law in Germany. Increase the cyber security of your organisation: we support you in the comprehensive implementation of security measures and legal obligations.

Minimum requirements for cyber security

The EU NIS2 Directive sets minimum requirements for cyber security for essential and important organisations.

The measures must include at least the following:

  • Concepts relating to risk analysis and security for information systems
  • Management of security incidents
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Security of the supply chain, including security-related aspects of relationships between individual organisations and their direct suppliers or service providers
  • Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
  • Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
  • Basic cyber hygiene procedures and cyber security training
  • Concepts and procedures for the use of cryptography and, where applicable, encryption
  • Personnel security, concepts for access control and management of systems
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation.

Risk management in accordance with NIS-2

The NIS 2 Directive places stricter requirements on the information security of companies and organisations in the EU. This also includes risk management measures. The organisations concerned are obliged to meet the risk management requirements of the NIS 2 Directive.

Risk management is a systematic process for identifying, assessing and dealing with risks. In the area of cyber security, risk management aims to reduce the probability and extent of a cyber attack.

The NIS 2 Directive provides for at least the following risk management measures:

  • Introduction of an information security management system (ISMS): An ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
  • Regular performance of risk assessments: Risk assessments should identify the potential threats and risks to the information security of the company's systems and services.
  • The implementation of technical and organisational risk mitigation measures: The identified risks must be minimised through suitable technical and organisational measures.

Robin Data ComplianceOS®: Risk management compliance field

Digitally implement the requirements of NIS2 for your organisation's risk management. With ComplianceOS, you can systematically identify, assess and treat risks and thus reduce the probability and extent of a cyberattack on your organisation.

Reporting obligations in accordance with NIS2

The NIS2 Directive provides for extensive reporting obligations for the organisations concerned. The reports are intended to give the competent authorities an overview of the organisations' information security measures and to help them respond to cyber incidents. The reporting obligations apply to all affected organisations, regardless of whether they are classified as essential or important.

The following reports are required according to NIS2:

  • Annual Report: The annual report should provide an overview of the organisation's information security measures. These include the introduction of an ISMS, the performance of risk assessments and the implementation of risk minimisation measures.
  • Reporting of cyber incidents: The affected organisation must report cyber incidents to the competent authorities. The report must be made within 24 hours if the incident may have a significant impact on the functioning of the organisation's systems and services.
  • Exchange of information on cyber incidents: The affected organisation must share information about cyber incidents with other organisations. The exchange of information is intended to improve the response to cyber incidents.

Implementation of an ISMS in preparation for NIS2

There is some overlap between ISO 27001 and NIS2, particularly with regard to the basic principles and security aspects. We therefore recommend implementing the ISO 27001 requirements, or at least an information security management system, in preparation for the German implementation of NIS2.

Risk assessment:
Both standards require a comprehensive risk assessment. ISO 27001 requires organisations to identify and assess information security risks in order to implement appropriate security measures. NIS2 also requires risk assessments to ensure the security of critical services.

Security measures:
Both ISO 27001 and NIS2 emphasise the implementation of security measures. ISO 27001 defines general security controls and procedures that organisations can apply to ensure their information security. NIS2 sets out specific requirements for critical service providers to ensure that appropriate safeguards are in place.

Protection of confidentiality, integrity and availability:
Both standards aim to ensure the confidentiality, integrity and availability of information. ISO 27001 aims to ensure these objectives for all types of information in an organisation, while NIS2 aims to ensure the availability of critical services in important sectors.

Emergency planning:
Both ISO 27001 and NIS2 emphasise contingency planning. ISO 27001 requires the development of contingency plans to restore information security following security incidents. NIS2 requires critical service providers to develop contingency plans to minimise the impact of cyber-attacks and restore service availability.

Monitoring and improvement:
Both standards emphasise the importance of continuous monitoring and improvement of security measures. ISO 27001 requires regular review and adaptation of the information security management system. NIS2 requires service providers of significant importance to constantly review and update their security measures and processes.

Implement ISMS with Robin Data ComplianceOS®

Implement the requirements of NIS2 for an information security management system and achieve NIS2 compliance in good time. Robin Data GmbH's external information security officers will help you to develop and monitor an ISMS in close coordination with your management and other responsible parties.

Role of management: Liability makes cybersecurity a top priority

One of the most important changes: management is now directly accountable. According to NIS2 (and the amended BSI Act, BSIG n.F.), board members and managing directors must ensure that cybersecurity measures are implemented and monitored. If they ignore these obligations or fail to take essential precautions, they can be held personally liable. This is a paradigm shift: IT security is no longer just a matter for the IT department, but a central component of good corporate governance.

Specifically, this means: management must provide resources, set up appropriate structures (e.g. a CISO or an external information security officer, ISB) and obtain regular reports on the status of information security. The law also requires managers to attend cybersecurity training courses to keep up to date. This makes it clear that cybersecurity is a matter for top management.

This also presents an opportunity for organisations: when senior management prioritises the issue, the overall security culture often improves. Ultimately, the threat of liability serves to encourage a serious approach to cyber security in the face of ever-new threats such as ransomware, state-sponsored hackers and digital sabotage.

Penalties and sanctions for violation of NIS2

The NIS2 Directive provides for strict sanctions for violations of the Directive's requirements. The sanctions are intended to motivate companies and organisations to comply with the requirements of the directive and improve cyber security. The competent authorities of the EU member states are responsible for imposing sanctions. The sanctions apply to all affected organisations, regardless of whether they are classified as essential or important.

The following sanctions are possible under NIS2:

  • Fines: Fines of up to 10 million euros or 2 % of global turnover, whichever is higher, can be imposed.
  • Imposing administrative fines: Administrative fines of up to 10 million euros can be imposed.
  • Arrangement of measures to improve information security: The competent authorities can order companies and organisations to take measures to improve information security.
  • Closure of facilities: In particularly serious cases, facilities may be closed.

Here are some examples of violations of the NIS2 Directive which can lead to sanctions:

  • Failure to introduce an information security management system (ISMS)
  • The failure to carry out risk assessments
  • Failure to report cyber incidents to the competent authorities
  • Non-compliance with the requirements for reporting deadlines
  • The provision of insufficient information when reporting cyber incidents

Practical examples: Implementation of NIS2 obligations with ISO 27001

How can this be implemented in practice? Here are some practical examples of how ISO 27001 can serve as a framework to help meet NIS2 requirements:

  • Practical example 1 – Risk management: A regional energy supplier (approx. 200 employees) now falls under NIS2. It is initially setting up ISO 27001-compliant risk management. In workshops, the company identifies its critical assets (e.g. SCADA systems, customer database) and assesses cyber risks such as power failures caused by hacker attacks. Example measure: the risk analysis shows that the communications infrastructure has insufficient redundancy. As a countermeasure, a second Internet backbone connection with automatic failover is installed. This structured approach complies with NIS2 requirements for risk analysis and preventive measures. In addition, the utility documents everything in the ISMS, which serves as evidence in a BSI audit.
  • Practical example 2 – Incident response & reporting process: A hospital (500 beds) develops an emergency plan for IT security incidents in accordance with ISO 27001. When a ransomware incident occurs, the incident response plan kicks in: the IT team isolates affected systems, activates data recovery plans and immediately informs the hospital management. Within 24 hours, the management reports the incident to the BSI and the data protection supervisory authority (due to patient records). Thanks to prepared reporting templates and previously practised procedures, this is achieved within the deadline. In the following 72 hours, the hospital prepares a detailed report with technical analyses and measures. This procedure complies exactly with the NIS2 requirements for incident management and shows how an ISO 27001-based process ensures compliance.
  • Practical example 3 – Supply chain security: An engineering company (120 employees) sources specialised parts from various suppliers. Under NIS2, it must ensure that key suppliers have adequate security measures in place. The company therefore integrates a supplier security check into its ISO 27001 ISMS: all critical suppliers are checked annually by means of a questionnaire or on-site audit. Criteria include, for example, whether an ISMS is in place, whether regular penetration tests are carried out, and whether there is an emergency strategy. Suppliers with poor ratings must make improvements within six months, otherwise they risk being replaced. In addition, the company supplements its purchasing contracts with cybersecurity clauses that grant rights to security checks, among other things. In this way, the NIS2 requirement for greater supply chain security is implemented in practice. ISO 27001 provides the control points (Annex A chapter on supplier security) to approach this in a structured manner.
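
The identify, assess and treat cycle from the risk management section, and the way practical example 1 turns a finding (a communications link without redundancy) into a countermeasure, can be made concrete with a small risk register. The following Python script is an added example and is not code from the article or from Robin Data. The 5x5 scale, the three sample risks, the control names and the assumption that the failover link removes three impact levels are all constructed for illustration.

```python
"""Added example: a minimal risk register that walks the identify -> assess -> treat
cycle. Scoring scale, controls and the three sample risks are constructed for
illustration; they are not from the article or from Robin Data."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List

# 5x5 qualitative scale (constructed; any ordinal scale agreed in the ISMS works)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A technical or organisational measure and how many scale levels it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    """Inherent risk score = likelihood level x impact level (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def residual(risk: Risk) -> int:
    """Residual score after applying the risk's controls, never below 1x1."""
    lvl = LIKELIHOOD[risk.likelihood]
    imp = IMPACT[risk.impact]
    for c in risk.controls:
        lvl = max(1, lvl - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lvl * imp


def treatment(residual_score: int, appetite: int) -> str:
    """Treatment decision: accept within appetite, otherwise mitigate (priority at >= 15)."""
    if residual_score <= appetite:
        return "accept"
    if residual_score >= 15:
        return "mitigate (priority)"
    return "mitigate"


def assess(register: List[Risk], appetite: int = 6) -> List[Dict]:
    """Assess every risk and return register rows sorted by residual score, highest first."""
    rows = []
    for r in register:
        res = residual(r)
        rows.append({
            "asset": r.asset,
            "scenario": r.scenario,
            "inherent": score(r.likelihood, r.impact),
            "residual": res,
            "treatment": treatment(res, appetite),
            "controls": [c.name for c in r.controls],
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample register, loosely following the regional energy supplier in
# practical example 1 (asset names only; likelihoods, impacts and controls are invented).
SAMPLE_REGISTER = [
    Risk("SCADA systems", "ransomware in the control network", "possible", "severe",
         [Control("network segmentation", likelihood_reduction=1),
          Control("offline backups", impact_reduction=1)]),
    Risk("customer database", "credential theft leads to data breach", "likely", "major",
         [Control("multi-factor authentication", likelihood_reduction=2)]),
    Risk("communications infrastructure", "single backbone link fails", "likely", "major"),
]


def after_failover(register: List[Risk]) -> List[Dict]:
    """Re-assess after the countermeasure from practical example 1: a second backbone
    with automatic failover (assumed here to remove three impact levels)."""
    updated = copy.deepcopy(register)  # leave the original register untouched
    for r in updated:
        if r.asset == "communications infrastructure":
            r.controls.append(Control("second backbone with automatic failover",
                                      impact_reduction=3))
    return assess(updated)


if __name__ == "__main__":
    for label, rows in (("before", assess(SAMPLE_REGISTER)),
                        ("after", after_failover(SAMPLE_REGISTER))):
        print(f"--- {label} ---")
        for row in rows:
            print(f"{row['residual']:>2} {row['treatment']:<20} {row['asset']}: {row['scenario']}")
```

Run as a script it prints the register before and after the failover link is added: the communications risk drops from the top of the list (score 16, mitigate with priority) to an accepted residual of 4, while the two risks that still sit above the constructed appetite of 6 stay flagged for treatment. The "before" and "after" rows are exactly the kind of dated evidence the article says should be kept in the ISMS for a BSI audit.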

These examples illustrate that ISO 27001 offers a proven toolkit for meeting NIS2 requirements in everyday organisational life. Those who are already ISO-certified have already put many pieces of the puzzle in place and can now concentrate on new aspects such as official reporting channels or extended documentation requirements.

Conclusion: NIS2 realisation picks up speed again

After months of delays, the German implementation of the NIS2 Directive has now been finalised, without any transition periods. For organisations, the key recommendation remains: Act now, don't wait:

  • introduce or tighten up an information security management system (ISMS),
  • base it on ISO/IEC 27001 or BSI IT-Grundschutz, and
  • define clear reporting processes and responsibilities.

This enables them to meet regulatory requirements while significantly strengthening their digital resilience.

Achieve NIS2 compliance for your organisation with Robin Data

The new EU directive on cyber security becomes law in Germany. Our consultants implement solutions specifically for the needs of your organisation. From risk and asset management to business continuity concepts and employee training. Together, we implement the requirements of the NIS2 directive step-by-step. Achieve NIS2 compliance for your organisation - book a no-obligation introductory meeting.

Caroline Schwabe
