IT Security & NIS-2: What Companies Need to Do Now
The EU directive NIS-2 drastically tightens IT security requirements. Since October 2024, new obligations apply to thousands of German companies — with severe penalties for violations. This guide shows whether you are affected, what you need to implement, and where you can start today.
What NIS-2 means for your company
The NIS-2 Directive (Network and Information Security Directive 2) is the EU's response to the growing threat landscape in cyberspace. It replaces the original NIS Directive from 2016 and massively expands its scope: instead of a few hundred companies, an estimated 30,000 companies in Germany alone are now affected, according to the Federal Office for Information Security (BSI).
The directive distinguishes between "essential entities" and "important entities." Both categories must implement comprehensive cybersecurity measures and report security incidents — the difference lies primarily in the intensity of supervision.
The consequences for violations are significant: fines of up to 10 million euros or 2% of global annual revenue (pursuant to NIS-2 Directive Art. 34) — whichever is higher. Additionally, managing directors are personally liable for the implementation of measures.
Are you affected? The quick check
NIS-2 applies to companies operating in specific sectors AND exceeding certain thresholds. Check both criteria:
Affected sectors
- Energy (electricity, gas, oil, district heating)
- Transport & Traffic
- Healthcare
- Digital Infrastructure (Data Centers, DNS, Cloud)
- ICT Service Providers (Managed Services, SaaS)
- Finance & Insurance
- Wastewater & Waste Management
- Manufacturing (chemicals, food, mechanical engineering, automotive)
- Postal & Courier Services
- Research
Thresholds
You fall under NIS-2 if you operate in one of the listed sectors and meet at least one of these criteria:
- From 50 employees — you qualify as an "important entity"
- From 10 million euros annual revenue — you also qualify as an "important entity"
- From 250 employees or 50 million euros annual revenue — you qualify as an "essential entity"
Attention: Certain companies fall under NIS-2 regardless of size — such as DNS providers, TLD registries, qualified trust service providers, and operators of public telecommunications networks.
The 10 most common IT security vulnerabilities in mid-sized companies
We see these vulnerabilities regularly — and each one can become a problem during an audit or an attack.
Outdated software & missing patches
Unpatched systems are the number one entry point. Many attacks exploit vulnerabilities for which updates have long been available.
Weak passwords & no MFA
Without multi-factor authentication, a single compromised password is enough to take over entire systems.
No backup concept / untested backups
Backups exist on paper — but nobody has tested whether a restore actually works.
Lack of network segmentation
Flat networks allow attackers to move laterally unhindered after gaining entry.
No incident response processes
When an emergency occurs, there's no action plan. Who is responsible? Who gets notified? Which systems are isolated?
Untrained employees (phishing)
People remain the weakest link. Without regular awareness training, employees open the door for attackers every day.
Unencrypted data
Data at rest and in transit without encryption — in a breach, sensitive information is exposed in plain text.
Lack of access rights management
Everyone has access to everything. No least-privilege principle, no regular review of permissions.
No monitoring / no anomaly detection
Without monitoring, you only notice an attack after the damage is already done. According to the IBM Cost of a Data Breach Report, it takes organizations an average of 200+ days just to identify a breach.
Shadow IT — uncontrolled tools and cloud services
Employees use their own tools and cloud services without IT's knowledge. Data flows into uncontrolled channels, compliance becomes impossible.
NIS-2 requirements: What you need to implement
Risk management
You must establish systematic risk management for your IT systems — including regular risk assessments and documented measures.
- Conduct regular risk assessments
- Document technical and organizational measures
- Verify effectiveness of measures
Incident Reporting
Security incidents must be reported within strict deadlines. This requires functioning detection and reporting processes.
- Early warning within 24 hours
- Detailed report within 72 hours
- Final report within one month
Supply Chain Security
You are also liable for the security of your supply chain. Service providers and suppliers must be included in your security concept.
- Define security requirements for suppliers
- Contractual safeguards (SLAs, audit rights)
- Regular review of third-party providers
Business Continuity
You need robust plans for a crisis — so your company can quickly resume operations after an attack.
- Create emergency and recovery plans
- Backup strategy with regular restore tests
- Crisis management team and communication
Training obligation
Management must demonstrably participate in cybersecurity training. All employees must be regularly sensitized.
- Mandatory training for management
- Regular awareness training for all employees
- Documentation and evidence management
Personal liability
New in NIS-2: Managing directors are personally liable for the implementation of cybersecurity measures. Delegation does not release them from responsibility.
- Managing directors must approve and oversee measures
- Personal liability for breach of duty
- Proof of own training participation required
Immediate actions: Where you can start today
You don't have to solve everything at once. These four measures immediately improve security — and are a good starting point for NIS-2 compliance.
Implement MFA
Enable multi-factor authentication for all critical systems — email, VPN, admin panels, cloud services. The single most effective step against account takeovers.
Perform backup tests
Plan a restore test. Make sure your backups actually work, are complete, and can be restored within an acceptable timeframe.
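The restore test described above can be automated so that it runs on a schedule and leaves evidence for an audit. The following is an added example, not code from the original article: it builds a constructed sample data set, backs it up to a tar.gz archive, restores the archive into a separate directory, and checks the three things the paragraph asks for: that the restore works, that it is complete (every file present with a matching SHA-256 hash), and that it finishes within an assumed recovery time objective. The sample files, paths and the 300-second RTO are assumptions; point the functions at a real backup archive and staging directory to use it in practice.

```python
"""Added example (not from the original article): an automated restore test.

Backs up a constructed sample tree, restores it into a clean directory, and
verifies completeness (SHA-256 manifest), integrity, and restore time against
an assumed recovery time objective (RTO). Paths, sample data and the RTO are
assumptions for illustration.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for production files.
SAMPLE_FILES = {
    "customers/db.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "config/app.ini": b"[database]\nhost=db.internal\n",
    "docs/readme.txt": b"restore test fixture\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Restore into a clean staging directory, never over production data."""
    target.mkdir(parents=True, exist_ok=True)
    # Use the hardened extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **kwargs)


def verify_restore(expected: dict, restored: Path) -> dict:
    """Compare the restored tree against the backup-time manifest."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_restore_test(rto_seconds: float = 300.0, simulate_corruption: bool = False) -> dict:
    """End-to-end test: back up, restore, verify, and time the restore.

    simulate_corruption damages one restored file so the check's failure path
    can be exercised; a real run leaves it False.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, target = tmp / "source", tmp / "backup.tar.gz", tmp / "restore"
        for rel, data in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = create_backup(source, archive)

        start = time.monotonic()
        restore_backup(archive, target)
        duration = time.monotonic() - start

        if simulate_corruption:
            (target / "config" / "app.ini").write_bytes(b"truncated")

        diff = verify_restore(manifest, target)
        passed = not any(diff.values()) and duration <= rto_seconds
        return {"passed": passed, "restore_seconds": duration, "files": len(manifest), **diff}


if __name__ == "__main__":
    result = run_restore_test()
    print("restore test", "PASSED" if result["passed"] else "FAILED", result)
```

The manifest is recorded at backup time, not at test time, so a restore that silently drops or alters files is caught even when the archive itself opens without error; keeping the returned dictionary as a dated log entry gives the documented evidence that NIS-2's business continuity measures require.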
Set up patch management
Create an inventory of all systems and software. Define a process for regular updates — critical patches within 48 hours, all others within 30 days.
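To make the 48-hour / 30-day rule operational, the inventory has to be checked against it automatically. The following is an added example, not code from the original article: it applies that rule of thumb to a list of pending updates, computes each deadline from the vendor's publication date, and separates systems that are already out of SLA from those still on track, most urgent first. The inventory records, host names and the fixed "now" timestamp are constructed sample data, and the record layout is an assumption rather than any vendor's export format.

```python
"""Added example (not from the original article): a patch-SLA checker.

Applies the article's rule of thumb (critical patches within 48 hours, all
others within 30 days) to a constructed inventory of pending updates and
reports which systems are out of SLA. Record layout, hosts and timestamps
are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SLA per severity, following the 48-hour / 30-day rule from the text.
PATCH_SLA = {
    "critical": timedelta(hours=48),
    "default": timedelta(days=30),
}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    package: str
    severity: str        # "critical", "high", "medium" or "low"
    published: datetime  # when the vendor released the fix (UTC)


def sla_for(severity: str) -> timedelta:
    """Critical gets the 48-hour window; every other severity gets 30 days."""
    return PATCH_SLA.get(severity.lower(), PATCH_SLA["default"])


def deadline(patch: PendingPatch) -> datetime:
    return patch.published + sla_for(patch.severity)


def evaluate(inventory, now: datetime) -> dict:
    """Split pending patches into overdue and on-track, each sorted by urgency."""
    overdue, on_track = [], []
    for p in inventory:
        due = deadline(p)
        entry = {
            "host": p.host,
            "package": p.package,
            "severity": p.severity,
            "deadline": due,
            "hours_left": (due - now).total_seconds() / 3600,  # negative = overdue
        }
        (overdue if now > due else on_track).append(entry)
    overdue.sort(key=lambda e: e["hours_left"])
    on_track.sort(key=lambda e: e["hours_left"])
    return {"overdue": overdue, "on_track": on_track}


# Constructed inventory: what an asset register might hold for one site.
NOW = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    PendingPatch("mail01", "mailserver-hotfix", "critical", NOW - timedelta(hours=60)),
    PendingPatch("vpn-gw", "firmware", "critical", NOW - timedelta(hours=12)),
    PendingPatch("fileserver", "samba", "high", NOW - timedelta(days=35)),
    PendingPatch("ws-042", "office-suite", "medium", NOW - timedelta(days=3)),
]


def overdue_hosts(inventory=INVENTORY, now=NOW) -> list:
    """Hosts currently out of SLA, most overdue first."""
    return [e["host"] for e in evaluate(inventory, now)["overdue"]]


def print_report(inventory=INVENTORY, now=NOW) -> None:
    report = evaluate(inventory, now)
    for bucket in ("overdue", "on_track"):
        print(f"== {bucket} ==")
        for e in report[bucket]:
            print(f"{e['host']:<12} {e['package']:<20} {e['severity']:<9} "
                  f"due {e['deadline']:%Y-%m-%d %H:%M}  ({e['hours_left']:+.0f} h)")


if __name__ == "__main__":
    print_report()
```

Feeding the function from the real asset inventory (and running it daily) turns the patch policy into a measurable control: the overdue list is the exception report an auditor will ask for, and the hours-left column shows which critical fix is about to breach the 48-hour window.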
Start awareness training
Conduct an initial phishing simulation and train your employees to recognize social engineering attacks. Plan regular repetitions.
Our Honest Conclusion
NIS-2 is no paper tiger. The directive brings real obligations with real consequences — up to personal liability for management. Those who haven't started yet should do so soon.
The good news: Most requirements are not rocket science. Much of this should be standard practice anyway — patch management, backups, access controls, training. NIS-2 turns best practices into binding obligations.
Our advice: Start with the immediate measures, conduct an honest assessment of your IT security, and get external support if needed. Not because it's mandated — but because a security incident can cost your company significantly more than any preventive measure.
Frequently Asked Questions
Who is affected by NIS-2?
NIS-2 affects companies with 50+ employees or €10M+ annual revenue in 18 critical sectors — including energy, transport, healthcare, digital infrastructure, IT services, and manufacturing. According to the BSI, around 30,000 companies in Germany are affected, many for the first time.
When does NIS-2 take effect in Germany?
The EU directive was supposed to be transposed into national law by October 2024. Germany has adopted the NIS-2 Implementation Act (NIS2UmsuCG). Companies should implement the requirements now, as immediate compliance is expected when it takes effect.
What penalties apply for non-compliance?
The NIS-2 directive provides for fines of up to €10M or 2% of global annual revenue — whichever is higher. Additionally, managing directors are personally liable for implementing adequate security measures.
Is an ISO 27001 certificate sufficient for NIS-2 compliance?
ISO 27001 is an excellent foundation and covers many NIS-2 requirements, but it's not sufficient on its own. NIS-2 additionally requires active incident reporting obligations (within 24 hours), supply chain security, and management training. ISO 27001 plus supplementary measures together achieve NIS-2 compliance.
What is the difference between NIS-1 and NIS-2?
NIS-2 massively expands the scope: more sectors, lower thresholds, and stricter requirements. While NIS-1 only affected a few thousand companies, NIS-2 applies to an estimated 30,000 companies in Germany alone. Additionally, reporting obligations were tightened and personal liability for management was introduced.
NIS-2 compliance unclear?
We help you assess your IT security posture and show which measures are relevant for your company — pragmatically and without fearmongering.