Law · EU

NIS2 Directive — EU Cybersecurity Directive

5 min read · Reviewed by: Cenedril Editorial
Controls: A.5.4, A.5.7, A.5.19, A.5.20, A.5.21, A.5.23, A.5.24, A.5.25, A.5.26, A.5.29, A.5.30, A.5.36, A.6.3, A.8.7, A.8.8, A.8.16 · EU

A 400-person machine-builder learns from an industry newsletter that it counts as an "important entity" under NIS2. Management realises that risk management, incident reporting, supplier assessment and personal accountability have to be in place within a few months; otherwise fines of up to EUR 7 million or 1.4 % of total worldwide annual turnover, whichever is higher, apply. Existing IT compliance is not enough; a systematic gap analysis is needed.

Directive (EU) 2022/2555 (NIS2) replaces the NIS-1 Directive (EU) 2016/1148 and significantly expands EU-wide cybersecurity supervision. It entered into force on 16 January 2023; Member States had until 17 October 2024 to transpose it into national law, and the national measures apply from 18 October 2024. For Germany this means a substantial widening of the addressees compared with the previous KRITIS regime, from mid-sized businesses to large groups, with clear requirements for governance, supply chains and response.

Who is affected?

NIS2 expands the NIS-1 scope considerably. The directive distinguishes two categories:

  • Essential entities (Annex I) — sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, space.
  • Important entities (Annex II) — other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research.

The general size threshold is the medium-sized enterprise as defined in Commission Recommendation 2003/361/EC: at least 50 employees, or an annual turnover and annual balance sheet total above EUR 10 million (Art. 2(1)). Sector alone does not fix the category: Annex I entities that exceed the medium-sized ceilings (250 or more employees, or turnover above EUR 50 million and balance sheet total above EUR 43 million) are essential entities, while medium-sized Annex I entities and Annex II entities in scope are important entities (Art. 3). Certain providers are in scope regardless of size, for example qualified trust service providers, TLD name registries, DNS service providers and providers of public electronic communications networks or publicly available electronic communications services (Art. 2(2)).

What does the law require?

NIS2 rests on three pillars: governance, risk management, incident reporting.

  • Management accountability (Art. 20) — management bodies must approve the risk management measures, oversee their implementation and can be held liable for infringements. Members of the management bodies are required to follow cybersecurity training and should offer similar training to their employees on a regular basis.
  • Risk management measures (Art. 21) — appropriate and proportionate technical, operational and organisational measures based on an all-hazards approach, covering at least these ten topic areas (Art. 21(2)(a) to (j)):
    • Policies on risk analysis and information system security
    • Incident handling
    • Business continuity (backup management, disaster recovery) and crisis management
    • Supply chain security, including the relationship with direct suppliers and service providers
    • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
    • Policies and procedures to assess the effectiveness of the risk management measures
    • Basic cyber hygiene practices and cybersecurity training
    • Policies and procedures on the use of cryptography and, where appropriate, encryption
    • Human resources security, access control policies and asset management
    • Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems
  • Reporting obligations (Art. 23) — staged reporting of significant incidents to the CSIRT or the competent authority:
    • Early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
    • Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
    • Intermediate status report on request of the CSIRT or the competent authority
    • Final report no later than one month after the incident notification; if the incident is still ongoing at that point, a progress report, followed by a final report within one month of the incident being handled
  • Registration (Art. 3(3)–(4), Art. 27) — Member States keep a list of essential and important entities; entities in scope actively submit their details (name, address, contact data, IP ranges, sector and the Member States in which they provide services) to the competent authority. Certain types of digital providers, such as DNS, cloud, data centre, CDN and managed (security) service providers and online platforms, are additionally recorded in a registry maintained by ENISA (Art. 27).
  • Supervision and enforcement (Art. 31 et seq.) — audits, inspections, information requests, binding instructions and fines; for essential entities, as a last resort, temporary suspension of a certification or authorisation for the service, or a temporary ban on the persons with management responsibility exercising those functions (Art. 32(5)).

In practice

Run a gap analysis against the ten topic areas. The ten topics from Art. 21 form the mandatory curriculum. Every entity should document its status per topic — what exists, what is missing, what maturity level is reached. This is the starting point for the roadmap.

Hold management accountable — and train them. Management liability is real. Managing directors and board members must approve the cybersecurity strategy, attend training and exercise their oversight in documented form. Art. 20(2) requires the training but sets no interval; a recurring, typically annual, session with attendance records and a record of the content covered is the usual evidence.

Set up supply chains as a dedicated programme. Supplier security is one of the ten mandatory topics. What matters is not only the direct supplier but also their upstream suppliers (software libraries, cloud components, managed services), so keep an inventory of open-source dependencies and cloud sub-processors alongside the contracted suppliers. ENISA's good-practice guidance on supply chain cybersecurity serves as a benchmark.

Mapping to ISO 27001

The NIS2 Art. 21 topic areas align substantially with the ISO 27001 Annex A catalogue. An ISO 27001 certificate is not in itself evidence of NIS2 compliance (the 24-hour and 72-hour reporting deadlines and the personal accountability of management have no counterpart in the standard), but it covers much of the ground and simplifies compliance considerably.

The directly relevant controls are listed under ISO 27001 Controls Covered below.

Typical audit findings

  • No self-assessment of NIS2 applicability — the entity belongs to Annex II but has never registered with the BSI.
  • Management training without evidence — managing directors have not engaged with cybersecurity in any measurable way; an oversight failure is on the table.
  • Supply chain assessment incomplete — direct suppliers are covered, sub-suppliers and open-source dependencies are missing.
  • 24-hour early warning not rehearsed — the SOC has no direct reporting channel to the BSI; every report has to go through legal.
  • Risk management does not cover all ten topic areas — multi-factor authentication or cyber hygiene training is missing; the mandatory curriculum is incomplete.
  • No effectiveness evaluation of the measures — measures are documented, but nobody checks whether they work (no penetration test, no maturity review).


ISO 27001 Controls Covered

  • A.5.4 Management responsibilities
  • A.5.7 Threat intelligence
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.6.3 Information security awareness, education and training
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.16 Monitoring activities

Frequently asked questions

Am I in scope of NIS2?

Scope depends on sector and size. NIS2 distinguishes essential entities (Annex I, e.g. energy, transport, banking, health, digital infrastructure, ICT service management) from important entities (Annex II, e.g. postal services, waste, food production, manufacturing, digital providers). Entities that are at least medium-sized (50 or more employees, or annual turnover and balance sheet total above EUR 10 million) are in scope if they operate in one of the listed sectors; for certain key services, such as DNS, TLD registries, qualified trust services and public electronic communications networks, the obligation applies regardless of size.

What are the main obligations under NIS2?

Risk management measures under Art. 21 (risk analysis, incident handling, business continuity, supply chain security, access control, multi-factor authentication, training, encryption, secure procurement, secure development), reporting obligations under Art. 23 (early warning within 24 hours, incident report within 72 hours, final report within one month) and management accountability under Art. 20.

How far along is the German transposition?

The deadline to transpose the directive into national law ended on 17 October 2024. Germany has not finally adopted the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG); after several drafts the law remains delayed. Entities in scope should still prepare on the basis of the current draft and use the NIS2 Directive itself as the benchmark.