The NIS 2 Directive: When cyber security becomes mandatory - what affected companies need to know now
The new NIS 2 directive affects more companies than often assumed and obliges them to take very specific cyber security measures. Those who do not address the issue despite the obligation risk high fines, personal liability and exclusion from tenders.
On this page you can find out whether you are affected by NIS 2, what you can expect if the worst comes to the worst and how you can comply with the law with minimal effort. We will show you in detail:
- Which companies are covered by NIS 2 and which are exempt for the time being
- Which NIS 2 measures you need to implement in the event of a legal obligation - and how you can do this as quickly and cost-effectively as possible
- Why many medium-sized companies are sweating without good reason: Solutions are often (unknowingly) already in place
Sounds promising? Then read on now to get your company in the best possible position for the NIS 2 Directive.


What is NIS 2 and why is the directive relevant for my company?
The following summary of the NIS 2 directive provides a compact overview of the requirements and criteria that companies will have to meet in future - from technical measures to clear responsibilities.
NIS stands for "Network and Information Systems"; the directive is an EU-wide initiative to strengthen the cyber security of critical facilities.
It replaces the previous NIS Directive with much stricter requirements. The goal: strengthen the digital resilience of critical and important institutions in Europe - not just on paper, but with clear obligations and real consequences for violations.
At first glance, NIS 2 sounds like a directive for large corporations or critical infrastructure. But it actually affects companies from over 15 sectors:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water supply
- Wastewater disposal
- Digital infrastructure
- Public administration
- Aerospace
- Postal and courier services
- Waste management
- Chemical industry (production & trade)
- Food production, processing & distribution
- Manufacturers of critical products (e.g. machines, electronics, medical technology)
Manufacturers with digital supply chains are also covered by the rule.
As a rule of thumb: If you are active in one of the NIS 2 sectors mentioned and are considered at least a medium-sized company (typically: ≥ 50 employees or turnover > €10 million and total assets > €10 million), you fall within the scope of application. Whether you are considered an "important" or "significant" entity depends on whether your sector is listed in Annex I or Annex II and how large your company is - plus possible special cases regardless of size.
What does the NIS 2 Directive require in detail?
The directive requires structured information security management - with a clear focus on risk management, organizational measures and real-time response.
The following steps are required for implementation:
- Security strategy & governance: Define clear responsibilities and appoint at least one internal or external security officer who is responsible for compliance with cyber security requirements.
- Risk analysis & action planning: Carry out structured risk analyses on a regular basis, including an assessment of external risks, your supply chain and system criticality - and derive specific protective measures from this exercise.
- Technical & organizational measures (TOMs): Implement effective protective measures, e.g. through access controls, patch management, firewalls, network segmentation and encryption of sensitive data.
- Reporting obligations: Establish processes that allow you to report security incidents to the relevant authority in a timely fashion - including an early warning within 24 hours, a detailed report within 72 hours and a final report within one month of the incident being identified.
- Emergency management: Develop and test contingency plans to maintain critical business processes - including scenarios for cyber attacks, data loss or system failures.
- Documentation & auditability: Ensure that all measures are comprehensibly documented, effectively implemented and verifiable on request, e.g. through internal audits or external audits.
Important to understand: It is not enough to simply introduce a few new tools and regard the issue as settled. NIS 2 explicitly requires that measures not only exist on paper, but that they function permanently in day-to-day operation and that your company is capable of acting at all times, even in an emergency.
4 advantages of consistently implementing the NIS 2 directive for your company

How to make your company NIS 2 compliant in 5 steps:
Step 1
Clarify sector & affectedness
Check whether your company falls under the NIS 2 directive - based on sector, company size and role in the digital supply chain.
Step 2
Protection requirements analysis & risk analysis
Determine which systems, processes and information are critical. Carry out a structured risk analysis, supplemented by a protection requirements analysis if necessary, to identify specific threats and effects.
Step 3
Gap analysis & action planning
Compare the current status of your security organization with the requirements of the NIS 2 directive - especially pertaining to topics such as governance, technical and organizational measures, reporting obligations and business continuity. Derive a prioritized action plan from this exercise.
Step 4
Implementation & documentation
Implement the planned measures in a structured fashion. Document responsibilities, deadlines, evidence, checks and progress in a comprehensible manner - so that you can be audited at any time.
Step 5
Internal audit or external audit
Review your implementation regularly - through an internal audit or an external evaluation. This allows you to identify weak points at an early stage and create verifiable evidence for authorities, customers and auditors.
How to implement the NIS 2 Directive successfully in practice
The NIS 2 Directive reads like a collection of legal clauses, but in reality it demands one thing above all: a systematic understanding of cyber security as a management task.
However, we observe the following in practice time and again: many organizations focus too heavily on the technical side. They are already planning tools and software solutions before it is clear where the specific security risks actually lie. The usual result is not a security concept, but a patchwork quilt.
That's why we always start by developing a risk-based roadmap with our customers based on a simple question:
What is at stake and who bears responsibility for it?
The most important recommendations at a glance: this is how you implement the requirements - and become NIS 2 compliant in short order.
Create clarity
Without a well-founded protection needs analysis, every measure is a shot in the dark. It is therefore advisable to carry out a structured gap analysis at the start - based on the NIS 2 requirements and any existing standards such as ISO 27001. The aim is to create a clear picture of where critical systems, data and processes are located and what risks are associated with them.
Make roles and responsibilities a top priority
The directive makes it clear: management bears responsibility and, if it comes to that, is personally liable. It is therefore crucial to clearly define responsibilities within the company at an early stage. This includes establishing a governance organization and defining operational responsibilities.
Use ISO 27001 and TISAX® certifications
Although there is currently no NIS 2 implementation law, it is likely that many requirements will be mapped via existing frameworks - in particular ISO 27001 and TISAX®. And even if such certification is not mandatory for compliance with the NIS 2 directive, it is considered sensible preparation for the upcoming requirements.
Create an iterative action plan
A comprehensive security concept does not necessarily have to be a "bureaucratic monster". A prioritized, step-by-step action plan that integrates technical and organizational measures has proven its worth - it saves resources, is auditable and can be implemented in day-to-day business.
Make evidence available
A common problem: security measures exist, but are not sufficiently documented or verified. Being auditable requires the effectiveness of technical and organizational measures to be verifiably documented through regular checks. This is achieved, for example, through internal audits, emergency drills, monitoring, logging or targeted effectiveness checks of individual measures - always documented in a comprehensible manner.
Meet NIS 2 requirements with other standards: expand your ISO 27001 and TISAX® certifications and reduce your costs.
The NIS 2 directive does not force you to rebuild your security organization from scratch. If approached correctly, many of the required governance, risk management and security measures can be derived directly from an existing ISO 27001 ISMS and your TISAX® processes. This allows you to avoid duplicate structures and fulfill regulatory obligations efficiently with an integrated management system.
Synergies with ISO 27001
An established ISMS in accordance with ISO 27001 forms the backbone of NIS 2: Topics such as risk management, asset inventory and incident management are already established. In many cases, it is sufficient to clarify responsibilities, add reporting channels and extend some controls to NIS 2-specific requirements.
Synergies with TISAX®
Companies from the automotive industry that hold TISAX® already have clear processes for information security. These structures - for example for partner assessments, protection requirements and auditing - can be used to efficiently integrate NIS 2 requirements for governance, supplier management and data exchange.
Efficient management of reporting obligations
According to NIS 2, defined processes for detecting, evaluating and reporting security incidents must be in place. You set up clear communication channels and reporting formats based on your existing incident management processes. This allows you to meet the legal deadlines without having to set up additional emergency processes.
Technical & organizational measures (TOMs)
Many NIS 2 measures overlap with controls from ISO 27001 and TISAX®, for example in the areas of access protection, network security, logging and backup. A common control set allows you to add NIS 2-specific requirements in a targeted manner while maintaining a consistent overview of all security measures.
Our advice:
Anyone who supplements their existing systems with a clear timetable now will significantly reduce the additional work involved. This is particularly efficient with a customized ISMS (information security management system) that covers all NIS 2 requirements. We at MEMEX will be happy to develop such a system together with you, create the necessary structures and guide you all the way to successful certification.
FAQs: other frequently asked questions about the NIS 2 Directive:
Whether a company is affected by the NIS 2 Directive depends primarily on its size, industry and critical role in the digital supply chain. If you are active in one of the 15 relevant sectors and have more than 50 employees or €10 million turnover, implementation is generally mandatory for your company.
NIS 2 has been in force at EU level since January 2023. The member states officially had until October 17, 2024 to transpose the directive into national law. In Germany, the NIS 2 Directive is expected to come into force in the fall of 2025.
The cost of the TISAX® audit is generally between 3,000 and 15,000 Euros - depending on the location, scope and audit level. In addition, there is the internal effort, which can be significantly reduced through careful preparation.
In Germany, fines of up to 10 million euros or 2% of global turnover appear to be possible.
This is difficult to judge from a distance. Depending on the initial situation and complexity, investments of between €10,000 and €100,000 are required, including measures, tools and consulting costs.
There is no official NIS 2 certification. However, the companies concerned are obliged to implement the requirements of the directive and provide evidence of compliance. In Germany, many rely on standards such as ISO/IEC 27001 or TISAX® and the associated certifications to map the NIS 2 requirements in a structured and auditable fashion. Although this does not result in direct NIS 2 certification, it does provide reliable proof of compliance for authorities and interested parties.
This depends on several factors, such as your level of preparation, the complexity of your IT infrastructure, the scope of your data processing and the size of your company. In most of our NIS 2 projects, it is realistic to expect all measures to be implemented within 3 - 9 months.
This can be clarified quickly. The best thing to do is to make an appointment for a free NIS 2 Quick Check and we will give you a non-binding initial assessment.
Your next step to NIS 2 compliance
Are you unsure about how to approach the topic of NIS 2 compliance in concrete terms?
Then book your free NIS 2 Quick Check now.
In just under 30 minutes, we will examine your current situation, identify typical vulnerabilities and show you the most direct route to implementation.