• Link to Xing
  • Link to LinkedIn
  • English English English en
  • Deutsch Deutsch German de
AT: +43 1 714 00 20 | DE: +49 69 348763610 | Mo-Fr 8am-5pm
Spirit in Projects
  • Training / ACADEMY
  • Blog
  • Innovation
  • Certifications
  • Consulting
  • About us
  • German
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu

What is NIS 2 – and why does it affect (almost) everyone?

21. October 2025

The new EU Directive NIS 2 is changing the rules of the game for IT security in Europe. Since October 2024, member states must have implemented it into national law. It obliges companies and authorities to systematically organize their cyber security – with clear processes, reporting obligations, and responsibility at the management level.

For many organizations, this is akin to a turning point: what was previously ‘best practice’ is now mandatory. And many more institutions are affected than before – from energy suppliers to municipal utilities and hospitals to IT service providers and local authorities.

What is behind NIS 2?

NIS 2 stands for “Network and Information Security Directive 2”. It replaces the first NIS Directive from 2016 and pursues a clear goal: 

a high, uniform level of cybersecurity across the entire EU.

New is the significantly expanded scope and the binding liability for management. NIS 2 is intended to ensure that not only technical defense measures are in place, but also that governance, risk management, and supply chain control are practiced.

The directive has been in force since January 16, 2023.

  • In Germany, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was passed in the summer of 2025.
  • In Austria, the amendment to the NIS Act (NISG) was delayed; a new version is being prepared for 2025.

Even if national laws are still in progress, the requirements are fixed. Organizations that act now secure valuable time and a compliance advantage.

What does NIS 2 specifically require?

The core of the directive consists of ten mandatory security and organizational measures that all affected institutions must implement:

  1. Risk analysis & security strategy
  2. Incident handling – detection, response, recovery
  3. Business continuity & backup management
  4. Supply chain security
  5. Secure development & maintenance (including vulnerability management)
  6. Effectiveness evaluation of security measures
  7. Cyber hygiene & training
  8. Access and identity management
  9. Cryptography & encryption policies
  10. Policies for system and network security

In addition, there is a strict reporting obligation in the event of security incidents, the so-called 24/72/30 rule:

  • Within 24 hours: “Early Warning” to authority or CSIRT
  • Within 72 hours: Incident report with initial assessment
  • No later than 30 days: Final or progress report

Management responsibility

One of the most serious changes affects the management. According to Article 20 of NIS 2, management must:

  • approve and monitor security risk management,
  • introduce appropriate measures, and
  • regularly participate in training.

In case of violations, severe fines threaten – and personal liability of the management level:

  • Essential Entities: up to 10 million € or 2% of global annual turnover
  • Important Entities: up to 7 million € or 1.4% of turnover

This makes cybersecurity a matter for the boss – comparable to occupational safety or data protection.

Am I affected? – The quick self-check

  1. Active in one of the 18 sectors according to NIS 2?
  2. More than 50 employees or > 10 million € turnover?
  3. Do I provide critical services for citizens or the economy?
  4. Am I a supplier to an affected company or authority?
  5. Do I have documented processes for risk and incident management?

If you answer yes to any of these questions, your organization is most likely within the scope of NIS 2.

What to do now

  1. Conduct a gap analysis: Which requirements are already met, which are missing?
  2. Adapt governance: roles, responsibilities, approval processes.
  3. Create an incident playbook: clear reporting paths and escalation levels.
  4. Review supplier contracts: anchor cybersecurity requirements.
  5. Train management & employees: raise awareness, avoid liability.

Conclusion

NIS 2 is much more than a regulatory issue – it is an impulse for professional security and risk management. Organizations that start today gain not only legal certainty but also trust and resilience in an increasingly digital world.

NIS 2 is here to stay – those who start now have an advantage

Your first step

NIS-2 Readiness Check

Our experts analyze the maturity level of your organization – concrete, practical, and confidential.

Share this entry
  • Share on Facebook
  • Share on X
  • Share on WhatsApp
  • Share on Pinterest
  • Share on LinkedIn
  • Share on Tumblr
  • Share on Vk
  • Share on Reddit
  • Share by Mail
https://spiritinprojects.com/wp-content/uploads/2025/10/EU_Flag_2025.jpg 450 800 Tanja Meszarits https://spiritinprojects.com/wp-content/uploads/2020/04/sip_web_padding_10px_topbot.jpg Tanja Meszarits2025-10-21 13:18:302025-10-22 09:22:26What is NIS 2 – and why does it affect (almost) everyone?

About the author:

Co Authors :

Wolfgang Hiermann

Wolfgang Hiermann ist CEO von Spirit in Projects. Er befasst sich intensiv mit Projektmanagement und Agilität.

Recent
  • The True Costs of Poor Requirements22. June 2026 - 14:57
  • The 10 Most Common Mistakes in IT Tenders – and Why Many...18. June 2026 - 9:30
  • Agentic AI: Why AI Systems Can Now Act Autonomously –...21. May 2026 - 13:41
  • When AI safety mechanisms fail—and what helps to prevent...5. May 2026 - 15:44
Tags
Agile Agile methods Agile methods and Kanban AI Artificial Intelligence AWS Business Analysis City of Vienna Cloud Demand Management Design Thinking Digitalization Document Analysis Efficient Software Development Enterprise Architecture Eurotax Innovation Invitations to tender ITG KABEG Kanban modeling Organizational Development Organizational Strategy Portfolio Management Process Management Program Management Project Controlling Project Management Project Marketing Projektmanagement Quality Management Requirements Engineering Software Architecture Stakeholder Management System Architecture Test Management Training UML UML Modelling Usability User Experience VIA Videotraining ÖBB

Contact us!

Order information material via email.
  • Mail
  • Xing
  • Linkedin
© Copyright - Spirit in Projects - Enabling digital innovation
  • Terms of Service
  • Imprint
  • Privacy policy
  • Contact
Scroll to top Scroll to top Scroll to top

Our website only uses technical necessary cookies. We do not use third party services.

Close

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Privacy policy
Accept basic settingsAccept all cookiesClose notification