NIS 2 Directive: EU directive for more cyber security
In an increasingly networked world, cyber security and the protection of our digital infrastructures are of crucial importance. The NIS2 Directive, the further development of the Network and Information Security Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. But what exactly is behind this directive, and how does it affect companies and organisations?
In this blog post, we take a detailed look at NIS2 and the goals and requirements of the directive. We explain the differences between NIS2 and its predecessor NIS, as well as its relationship to other relevant laws and standards such as ISO 27001. In addition, we analyse the potential impact on German companies and discuss the need for implementation.
Key information on the NIS2 Directive
- NIS2 is the further development of the original NIS Directive (Network and Information Security Directive), which was adopted in 2016.
- The aim of both directives is to strengthen cyber security and to protect digital infrastructure and critical services against cyber threats.
- The NIS2 Directive entered into force on 16 January 2023. The EU member states had until 17 October 2024 to transpose the directive into national law. The German transposition is currently expected to enter into force at the end of 2025.
- Due to the early federal elections in Germany, the parliamentary procedure for the government draft of July 2024 could not be completed. The draft bill of 6 June 2025 introduces changes and specifies obligations for organisations and authorities.
- The NIS2 Directive covers more organisations and requires stricter security measures. Companies that do not fulfil the requirements risk fines, which are significantly higher than under the predecessor directive.
Full title of the directive
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive)
New draft bill from June 2025 - most important changes
Key changes at a glance:
- Clarification of the scope of application: Secondary, "negligible" business areas can be disregarded when categorising an organisation as an essential or important entity. What counts as negligible, however, remains unclear, as does compatibility with EU law.
- Limited participation of business and academia: The mandatory consultation of operators, associations and researchers will no longer apply to the KRITIS Regulation (Section 56 (4)) and the definition of significant security incidents (Section 56 (5)).
- Clarification of the definition of "significant security incident": An incident is significant if it seriously disrupts operations or causes major (material or immaterial) losses. Further details are to be provided in a statutory order.
- Legally regulated cooperation between BSI and BNetzA: The responsibilities of both authorities, and their cooperation in the energy and grid sector, will be enshrined in law.
Further adjustments in the draft:
New title: "Act implementing the NIS 2 Directive and regulating the main features of information security management in the federal administration"
Sectoral changes:
- In future, the finance sector excludes insurance
- New KRITIS sectors: social security institutions and basic income support
- New type of entity: digital energy services
Further changes:
- KRITIS Regulation now directly regulated by law
- Slight adjustments to definitions and to the Energy Industry Act (EnWG)
- Extension of the rules to the entire federal administration
- Adjustments to expense forecasts from 2026
Assessment & outlook:
- The changes remain manageable, but could significantly widen the scope of application to over 30,000 companies.
- In future, all business activities will count, not just those relevant to NIS2, unless they are classified as "negligible".
- Entry into force in autumn 2025 seems realistic.
Whitepaper NIS-2 Directive: EU Directive for more cyber security
In the white paper NIS-2 Directive you will find:
- Information on the background and origin of the NIS-2 Directive
- Information on the connection with other laws and guidelines
- Requirements that the organisations concerned must implement
- Information on penalties and sanctions
What is NIS2: This is what the new EU cyber security directive says
The NIS Directive takes its name from "Network and Information Security"; its full title refers to measures for a high common level of security of network and information systems across the Union. It is a European Union directive that aims to strengthen cyber security in the EU. The directive was adopted in 2016 and had to be transposed by the EU member states by May 2018.
Its successor, the NIS2 Directive, was adopted in December 2022 and entered into force on 16 January 2023. NIS2 builds on the original NIS Directive of 2016. It was developed to further strengthen cyber security across the EU and to respond to current developments in the digital sphere by tightening the requirements for organisations and promoting cooperation at EU level. This is an important step towards better managing the increasing cyber threats in the digital world.
The original NIS Directive applied to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important societal functions. These include companies in the energy, water, transport, finance, healthcare and telecommunications sectors.
Innovations: More cyber security through the NIS 2 directive
The reasons for the move from NIS to NIS2 are the sharp rise in cyber attacks in recent years, increasing digitalisation, including the use of artificial intelligence, and the need for harmonised rules across all EU member states.
The NIS2 Directive has the clear aim of strengthening cyber security and making the digital landscape in Europe more secure. With the directive, the requirements for companies and organisations are raised, security certification is promoted and cooperation at European level is strengthened.
Overview of the new features of the NIS 2 Directive:
- Sectors: The sectors of high criticality have been expanded to eleven and the other critical sectors to seven, so eighteen sectors are now covered by NIS2. A far wider range of companies and organisations therefore has to raise its security standards.
- Entities: Organisations with 50 or more employees, or an annual turnover or balance sheet total of 10 million euros or more, are affected. Some organisations fall under NIS2 regardless of their size.
- Supply chains: NIS2 sets out new requirements for the cyber security of supply chains, including the security of relationships with direct suppliers and service providers. These requirements are intended to prepare companies better for attacks that arrive via their supply chains.
- Cooperation: Supervision, and cooperation between authorities and organisations across the EU, are expanded.
- Certification of products and services: The use of European cyber security certification schemes is intended to make it easier for consumers and companies to choose more secure solutions.
- Sanctions: NIS2 provides for significantly higher penalties for violations, from administrative fines to a temporary ban on persons with management responsibility from exercising management functions.
Current status of implementation in Germany
The NIS2 Directive is already in force at EU level, but Germany is still working on its transposition. The government draft of the transposition act was adopted by the Federal Cabinet in July 2024. The process was delayed by the early federal elections, but implementation remains a priority for the Federal Ministry of the Interior (BMI). The deadline for national transposition expired in October 2024.
Origin of the NIS 2 Directive
The EU Network and Information Security Directive (NIS) was adopted on 6 July 2016 and has been in force since August 2016. In Germany, the NIS Directive was implemented through the Act to Increase the Security of Information Technology Systems (IT Security Act).
The IT Security Act came into force on 25 June 2017 and applied in particular to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important societal functions. The NIS2 Directive now applies to all companies and organisations above the size threshold that operate in the sectors listed in Annex I and Annex II of the Directive, including energy, water, transport, finance, healthcare and telecommunications. The original NIS Directive applied only to operators of critical infrastructure (KRITIS).
Requirements of the NIS2 Directive
The NIS2 Directive is intended to help essential and important entities, not only operators of critical infrastructures, to better protect their information systems and to prevent, or at least mitigate, cyber attacks.
The most important requirements of the NIS-2 directive are
Obligation to introduce an information security management system (ISMS)
Companies and organisations affected by the NIS2 Directive must introduce and operate an information security management system (ISMS). The ISMS is a holistic approach to ensuring information security; it comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
Regular performance of risk assessments
Companies and organisations must operate active risk management, including regular risk assessments. The risk assessments identify the potential threats and risks to the information security of the company's systems and services.
Reporting cyber incidents to the competent authorities
Companies and organisations must report significant incidents to the competent authority. The directive sets a staged timeline: an early warning within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month; the authority may request intermediate status reports in between. "Within 24 hours" therefore refers to the early warning, not to a complete incident report.
Exchange of information on cyber incidents between EU member states
The competent authorities of the EU member states must exchange information on cyber incidents. The exchange of information is intended to improve the response to cyber incidents.
Additional requirements for Germany
In addition to the requirements of the NIS2 Directive, the German transposition act (which replaces the framework of the IT Security Act 2.0 for the organisations concerned) is expected to contain additional national requirements that are still being defined. These include the obligation to appoint an information security officer and to carry out cyber security exercises.
Which companies must implement NIS2?
According to NIS2, organisations from a wide range of critical sectors must implement the directive. The directive classifies organisations by their size and by the criticality of their systems and services for the maintenance of important societal functions. Some special cases are obliged to implement the directive regardless of the size of the organisation.
Affected organisations
This applies to public and private organisations in the following 18 sectors that have at least 50 employees, or at least EUR 10 million in annual turnover or annual balance sheet total (the "medium-sized enterprise" threshold).
Special cases that are affected regardless of size
- Providers of public electronic communications networks or publicly available electronic communications services
- Trust service provider
- TLD name registries and DNS service providers (except operators of root name servers)
- Sole providers that are essential for society and the economy
- Facilities whose failure would have a major impact on public order, safety or health
- Facilities whose failure could lead to a systemic risk with cross-border consequences
- Facilities that are critical due to special national or regional importance
- Central government public administration organisation defined by the EU Member State or critical public administration organisation at regional level
- Critical infrastructures according to Directive (EU) 2022/2557
- Entities providing domain name registration services
Major and important organisations
The NIS2 Directive distinguishes between essential and important entities. The main difference lies in the criticality of their systems and services for the maintenance of important societal functions, and in the intensity of supervision and the level of fines that apply to each class.
Essential entities are indispensable for the maintenance of these functions, while important entities are not indispensable, but their disruption could still have a significant impact.
Significantly more organisations will be obliged to implement the requirements under NIS2. Under the original NIS Directive, member states identified operators of essential services themselves; under NIS2, an organisation is in scope as soon as it operates in one of the listed sectors and meets the size threshold (the "size-cap rule"), so the member states no longer have the freedom to decide which organisations are addressed. Size and sector, rather than national identification, are now the decisive criteria.
The previous classification criteria of the "Ordinance on the Determination of Critical Infrastructures under the BSI Act (BSI-KritisV)" and the catalogue of facilities covered by the IT Security Act 2.0 are to be replaced once the transposition act comes into force.
Essential entities
- Criticality: Essential for the maintenance of important societal functions
- Requirements: All requirements of the NIS2 Directive must be implemented. Essential entities are subject to proactive (ex ante) supervision, including regular audits, and to the higher fine level.
- Sectors of the essential entities (Annex I, sectors of high criticality; as a rule, large entities in these sectors are essential, medium-sized ones important):
- Energy
- Transport
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Waste water
- Digital infrastructure
- Management of ICT services
- Public administration
- Space
Important entities
- Criticality: Disruption could nevertheless have a significant impact on important societal functions
- Requirements: The same minimum security measures and reporting obligations apply as for essential entities, but supervision is reactive (ex post, triggered by evidence of non-compliance) and the maximum fines are lower.
- Sectors of the important entities (Annex II, other critical sectors):
- Postal and courier services
- Waste management
- Production, manufacture and trade in chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Provider of digital services
- Research
Implementation of the NIS 2 Directive
Responsible for the implementation of the NIS 2 Directive
The implementation of the NIS2 Directive is a joint task of the EU member states and the EU Commission. The EU Commission is responsible for developing the directive and monitoring its transposition in the member states.
The member states are responsible for transposing the directive into national law and for monitoring compliance with the requirements by the organisations concerned.
In Germany, the Federal Office for Information Security (BSI) is responsible for implementing the NIS2 Directive. The BSI is a higher federal authority responsible for the security of information technology in Germany.
The BSI has the following tasks as part of the implementation of the NIS 2 Directive:
- Development of guidelines and recommendations for the implementation of the directive
- Advice and support for the organisations concerned in implementing the directive
- Monitoring the implementation of the directive by the organisations concerned
The organisations concerned must implement the defined minimum requirements for cyber security. The management of the organisations concerned is responsible for implementation and oversight: it must approve the risk management measures, oversee their implementation and attend cyber security training itself. Management can be held liable for inadequate implementation.
Advice on the implementation of the NIS2 Directive
The new EU directive on cyber security is becoming law in Germany. Increase the cyber security of your organisation: we support you in the comprehensive implementation of security measures and legal obligations.
Minimum requirements for cyber security
The EU NIS2 Directive sets minimum requirements for cyber security for essential and important entities (Article 21).
The measures must include at least the following:
- Concepts relating to risk analysis and security for information systems
- Management of security incidents
- Business continuity, such as backup management and disaster recovery, and crisis management
- Security of the supply chain, including security-related aspects of relationships between individual organisations and their direct suppliers or service providers
- Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
- Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
- Basic cyber hygiene procedures and cyber security training
- Concepts and procedures for the use of cryptography and, where applicable, encryption
- Personnel security, concepts for access control and management of systems
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation.
Risk management in accordance with NIS-2
The NIS 2 Directive places stricter requirements on the information security of companies and organisations in the EU. This also includes Risk management measures. The organisations concerned are obliged to meet the risk management requirements of the NIS 2 Directive.
Risk management is a systematic process for identifying, assessing and dealing with risks. In the area of cyber security, risk management aims to reduce the probability and extent of a cyber attack.
The NIS 2 Directive provides for at least the following risk management measures:
- Introduction of an information security management system (ISMS): An ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
- Regular performance of risk assessments: Risk assessments should identify the potential threats and risks to the information security of the company's systems and services.
- The implementation of technical and organisational risk mitigation measures: The identified risks must be minimised through suitable technical and organisational measures.
Robin Data ComplianceOS® Compliance field Risk management
Digitally implement the requirements of NIS2 for your organisation's risk management. With ComplianceOS, you can systematically identify, assess and treat risks and thus reduce the probability and extent of a cyberattack on your organisation.
Reporting obligations in accordance with NIS2
The NIS2 Directive provides for extensive reporting obligations for the organisations concerned. The reports are intended to give the competent authorities an early picture of significant incidents and to help them respond to cyber incidents. The reporting obligations apply to all affected organisations, regardless of whether they are classified as essential or important.
The following reports are required under NIS2 for a significant incident:
- Early warning: within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification: within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise.
- Intermediate reports: relevant status updates on request of the competent authority or CSIRT.
- Final report: within one month of the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact.
- Exchange of information: the directive also encourages affected organisations to share cyber threat information with one another on a voluntary basis; this exchange is intended to improve the collective response to cyber incidents.
Implementation of an ISMS in preparation for NIS2
There is some overlap between ISO 27001 and NIS2, particularly with regard to the basic principles and security aspects. We therefore recommend implementing the ISO 27001 requirements, or at least an information security management system, in preparation for the German NIS2 transposition act.
Risk assessment:
Both standards require a comprehensive risk assessment. ISO 27001 requires organisations to identify and assess information security risks in order to implement appropriate security measures. NIS2 also requires risk assessments to ensure the security of critical services.
Security measures:
Both ISO 27001 and NIS2 emphasise the implementation of security measures. ISO 27001 defines general security controls and procedures that organisations can apply to ensure their information security. NIS2 sets out specific requirements for critical service providers to ensure that appropriate safeguards are in place.
Protection of confidentiality, integrity and availability:
Both standards aim to ensure the confidentiality, integrity and availability of information. ISO 27001 aims to ensure these objectives for all types of information in an organisation, while NIS2 aims to ensure the availability of critical services in important sectors.
Emergency planning:
Both ISO 27001 and NIS2 emphasise contingency planning. ISO 27001 requires the development of contingency plans to restore information security following security incidents. NIS2 requires critical service providers to develop contingency plans to minimise the impact of cyber-attacks and restore service availability.
Monitoring and improvement:
Both standards emphasise the importance of continuous monitoring and improvement of security measures. ISO 27001 requires regular review and adaptation of the information security management system. NIS2 requires essential and important entities to constantly review and update their security measures and processes and to assess their effectiveness.
Implement ISMS with Robin Data ComplianceOS®
Implement the requirements of NIS2 for an information security management system and achieve NIS2 compliance in good time. Robin Data GmbH's external information security officers will help you to develop and monitor an ISMS in close coordination with your management and other responsible parties.
Penalties and sanctions for violation of NIS2
The NIS2 Directive provides for strict sanctions for violations of its requirements. The sanctions are intended to motivate companies and organisations to comply with the directive and to improve cyber security. The competent authorities of the EU member states are responsible for imposing sanctions. Sanctions apply to both essential and important entities, but the maximum fines differ between the two classes.
The following sanctions are possible under NIS2:
- Administrative fines for essential entities: up to 10 million euros or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Administrative fines for important entities: up to 7 million euros or 1.4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Orders to improve information security: The competent authorities can order companies and organisations to remedy deficiencies, to implement specific measures, or to inform the persons affected by a significant cyber threat.
- Suspension and management bans: In particularly serious cases involving essential entities, the authorities can temporarily suspend a certification or authorisation for the relevant services and temporarily ban persons with management responsibility from exercising management functions.
Here are some examples of violations of the NIS2 Directive that can lead to sanctions:
- Failure to introduce an information security management system (ISMS)
- The failure to carry out risk assessments
- Failure to report cyber incidents to the competent authorities
- Non-compliance with the requirements for reporting deadlines
- The provision of insufficient information when reporting cyber incidents
Video on the NIS 2 Directive
Watch the video NIS-2 Directive for more cyber security:
In the recording of the one-hour Robin Data Hack from 12 December 2023, we explain the objectives and requirements of the NIS2 Directive, the differences between NIS2 and the previous NIS Directive, and other relevant laws and standards. We also discuss the potential impact on German organisations and show practical solutions for implementation. The Robin Data Hacks take place online and participation is free of charge.
Conclusion: NIS2 realisation picks up speed again
After months of delay, the German implementation of the NIS2 Directive is now gaining momentum again: the new draft bill from June 2025 specifies key obligations and shows that the BMI is continuing to pursue implementation with high priority - despite the delay caused by the German parliamentary elections and the EU implementation deadline that has already passed (October 2024).
It is therefore realistic that the national NIS2 Implementation Act will come into force in the 4th quarter of 2025. The key recommendation for organisations remains: Act now - don't wait.
Even if the final version of the law is still pending and certain definitions (e.g. "significant security incident") continue to leave room for interpretation, affected organisations should already:
- introduce or tighten up an information security management system (ISMS),
- base it on ISO/IEC 27001 or BSI IT-Grundschutz, and
- define clear reporting processes and responsibilities.
This enables them to fulfil regulatory requirements in good time and to significantly strengthen their digital resilience at the same time.
Achieve NIS2 compliance for your organisation with Robin Data
The new EU directive on cyber security is becoming law in Germany. Our consultants implement solutions tailored to the needs of your organisation, from risk and asset management to business continuity concepts and employee training. Together, we implement the requirements of the NIS2 Directive step by step. Achieve NIS2 compliance for your organisation: book a no-obligation introductory meeting.