What is NIS 2 – and why does it affect (almost) everyone?

The new EU Directive NIS 2 is changing the rules of the game for IT security in Europe. By October 2024, member states had to transpose it into national law. It obliges companies and authorities to organize their cyber security systematically – with clear processes, reporting obligations, and responsibility at the management level.

For many organizations, this marks a turning point: what was previously ‘best practice’ is now mandatory. And far more institutions are affected than before – from energy suppliers, municipal utilities, and hospitals to IT service providers and local authorities.

What is behind NIS 2?

NIS 2 stands for “Network and Information Security Directive 2”. It replaces the first NIS Directive from 2016 and pursues a clear goal: a high, uniform level of cybersecurity across the entire EU.

What is new is the significantly expanded scope and the binding liability of management. NIS 2 is intended to ensure not only that technical defense measures are in place, but also that governance, risk management, and supply chain control are actually practiced.

The directive has been in force since January 16, 2023.

  • In Germany, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was passed in the summer of 2025.
  • In Austria, the amendment to the NIS Act (NISG) was delayed; a new version is being prepared for 2025.

Even if national laws are still in progress, the requirements are fixed. Organizations that act now secure valuable time and a compliance advantage.

What does NIS 2 specifically require?

The core of the directive consists of ten mandatory security and organizational measures that all affected institutions must implement:

  1. Risk analysis & security strategy
  2. Incident handling – detection, response, recovery
  3. Business continuity & backup management
  4. Supply chain security
  5. Secure development & maintenance (including vulnerability management)
  6. Effectiveness evaluation of security measures
  7. Cyber hygiene & training
  8. Access and identity management
  9. Cryptography & encryption policies
  10. Policies for system and network security

In addition, there is a strict reporting obligation in the event of security incidents, the so-called 24/72/30 rule:

  • Within 24 hours: “early warning” to the authority or CSIRT
  • Within 72 hours: incident report with an initial assessment
  • No later than 30 days: final report or progress report

Management responsibility

One of the most significant changes concerns management itself. According to Article 20 of NIS 2, management must:

  • approve and monitor security risk management,
  • introduce appropriate measures, and
  • regularly participate in training.

Violations can result in severe fines – and in personal liability at the management level:

  • Essential Entities: up to 10 million € or 2% of global annual turnover
  • Important Entities: up to 7 million € or 1.4% of turnover

This makes cybersecurity a matter for top management – comparable to occupational safety or data protection.

Am I affected? – The quick self-check

  1. Active in one of the 18 sectors according to NIS 2?
  2. More than 50 employees or more than 10 million € in turnover?
  3. Do I provide critical services for citizens or the economy?
  4. Am I a supplier to an affected company or authority?
  5. Do I have documented processes for risk and incident management?

If you answer yes to any of these questions, your organization is most likely within the scope of NIS 2.

What to do now

  1. Conduct a gap analysis: Which requirements are already met, which are missing?
  2. Adapt governance: roles, responsibilities, approval processes.
  3. Create an incident playbook: clear reporting paths and escalation levels.
  4. Review supplier contracts: embed cybersecurity requirements in them.
  5. Train management & employees: raise awareness, avoid liability.

Conclusion

NIS 2 is much more than a regulatory issue – it is an impulse for professional security and risk management. Organizations that start today gain not only legal certainty but also trust and resilience in an increasingly digital world.

NIS 2 is here to stay – those who start now have an advantage

Your first step

NIS-2 Readiness Check

Our experts analyze the maturity level of your organization – concrete, practical, and confidential.