The NIS2 Directive is fundamentally reshaping Europe's cybersecurity landscape. What previously only affected critical infrastructure operators now applies to an estimated 30,000 to 40,000 companies in Germany alone. Violations carry fines of up to 10 million EUR and personal liability for management.
This guide explains what NIS2 means for your company, what measures need to be implemented, and how to plan the implementation efficiently. No legal theory -- practical steps you can apply immediately.
What Is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) is the revised EU regulation on cybersecurity. It replaces the original NIS Directive from 2016 and addresses its biggest weaknesses: a scope that was too narrow, inconsistent implementation across member states, and insufficient sanctions.
Key changes at a glance:
- Massively expanded scope: Instead of just 7 sectors, NIS2 now covers 18 sectors, including food, chemicals, postal services, and waste management.
- Clear size criteria: Companies with 50+ employees OR 10M EUR annual revenue in affected sectors fall under the directive.
- Strict reporting obligations: Significant security incidents must be reported (early warning) within 24 hours (previously 72 hours).
- Personal liability: Managing directors and board members are personally liable for compliance with cybersecurity obligations.
- Significant fines: Up to 10M EUR or 2% of global annual revenue.
Who Is Affected by NIS2?
NIS2 distinguishes between essential entities and important entities. The difference lies in the supervisory regime and fine levels.
Essential Entities (proactive supervision)
- Energy (electricity, gas, oil, district heating, hydrogen)
- Transport (air, rail, road, water)
- Banking and financial market infrastructure
- Healthcare (hospitals, laboratories, pharma)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD, cloud, data centres)
- Public administration
- Space
Important Entities (reactive supervision)
- Postal and courier services
- Waste management
- Chemicals (manufacture, production, distribution)
- Food (production, processing, distribution)
- Manufacturing (medical devices, electronics, machinery, automotive)
- Digital services (marketplaces, search engines, social networks)
- Research institutions
The 6 Core Obligations Under NIS2
1. Risk Management
Companies must establish systematic risk management for their network and information systems. This includes identification, assessment, and treatment of risks, as well as regular reviews. Technical and organisational measures must correspond to the current state of the art.
2. Incident Response and Reporting
For significant security incidents, a three-stage reporting procedure applies: early warning within 24 hours, detailed notification within 72 hours, and final report within one month.
3. Business Continuity
Affected companies need plans for maintaining business operations during cyber attacks, including backup management, disaster recovery, crisis management, and regular testing.
4. Supply Chain Security
Companies must assess and manage cybersecurity risks throughout their supply chain: security requirements in contracts, regular audits, and assessment of critical suppliers.
5. Training and Awareness
Management must participate in cybersecurity training -- this cannot be delegated. All employees must be regularly trained and training must be documented.
6. Technical Measures
NIS2 requires appropriate technical measures: encryption, multi-factor authentication (MFA), regular vulnerability scans and penetration tests, network segmentation, and least-privilege access controls.
Reporting Obligation: The 24-Hour Clock Is Ticking
| Stage | Deadline | Content |
|---|---|---|
| Early warning | 24 hours | Type of incident, suspected cause, cross-border impact |
| Detailed notification | 72 hours | Initial assessment, severity, indicators of compromise, measures taken |
| Final report | 1 month | Detailed description, root cause analysis, measures taken and planned |
Fines and Management Liability
- Essential entities: Up to 10M EUR or 2% of global annual revenue (whichever is higher)
- Important entities: Up to 7M EUR or 1.4% of global annual revenue
The critical point is management liability. For the first time in an EU cybersecurity directive, managing directors and board members are personally liable for implementing cybersecurity measures. Delegation to the CISO or the IT department does not release management from this responsibility.
Implementing NIS2 in 7 Steps
Step 1: Impact Assessment (Week 1-2)
Determine whether your company falls under NIS2. Analyse your sector, company size, and the criticality of your services.
Step 2: Gap Analysis (Week 2-4)
Compare your current IT security posture with NIS2 requirements. Identify gaps in risk management, incident response, business continuity, supply chain security, and training.
Step 3: Prioritisation and Roadmap (Week 4-6)
Prioritise identified gaps by risk and effort. Create a realistic roadmap with milestones, responsibilities, and budget. Tools like PathHub AI can help structure the implementation as a project.
Step 4: Technical Measures (Week 6-20)
Implement prioritised technical measures: MFA rollout, network segmentation, backup strategy, vulnerability management, logging and monitoring.
Step 5: Establish Processes (Week 8-24)
Build organisational processes: incident response plan, business continuity plan, risk management process, supplier assessment process, and training concept.
Step 6: Conduct Training (Week 12-28)
Train management (mandatory under NIS2!), the IT security team, and all employees with practical exercises.
Step 7: Test and Document (Week 20-36)
Test all processes and document everything. During an audit, you must demonstrate that your measures are appropriate and effective.
Ensuring Compliance with Digital Tools
PathHub AI offers an integrated compliance database that automatically incorporates regulatory requirements like NIS2 into project planning, ensuring no obligation is forgotten.