
NIS-2 Directive

IT security requirements

The NIS 2 Directive is the European legal framework for operators of critical infrastructure (KRITIS) and sets minimum standards for cybersecurity within the EU. On this page, you will find everything you need to know about NIS 2.

What is the NIS-2 Directive?

The EU Directive NIS-2 ("The Network and Information Security Directive") aims to strengthen the resilience of critical infrastructures (KRITIS) against cyber threats and to raise the level of cyber security within the EU.

NIS-2 imposes new obligations and extensive security measures on many companies and organisations. It primarily affects critical infrastructures and digital services in the EU, which must meet a series of minimum requirements in order to secure their own systems and networks against cyber attacks.

Free NIS-2 white paper

Contents of the white paper:

  • Is my company affected by the NIS 2 Directive?
  • What obligations do I have as an affected company?
  • What sanctions could be imposed on my company?
  • Who monitors the implementation of the NIS 2 Directive?
  • How do I make my company NIS-2 compliant?
To the whitepaper

Who is affected by NIS-2?

NIS-2 applies to companies with 50 or more employees and a turnover of 10 million euros or more in 18 defined sectors. The two criteria of company size and company sector are therefore decisive in determining whether a company is affected by the directive. There are also some special cases.

Essential facilities

  • Companies with 250 or more employees or
  • Companies with a turnover of over EUR 50 million and a balance sheet of over EUR 43 million
  • Operators of critical infrastructures (KRITIS operators)
  • Special cases, e.g. qualified trust services, DNS or telecommunications providers

Important facilities

  • Companies with 50 or more employees or
  • Companies with a turnover of more than EUR 10 million and a balance sheet of more than EUR 10 million
  • Special facilities, e.g. trust services

Sectors concerned:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Waste water
  • Digital infrastructure
  • Management of ICT services (B2B)
  • Public administration
  • Space

Sectors concerned (continued):

  • Postal & courier services
  • Waste management
  • Chemicals (production, manufacturing and trade)
  • Food (production, processing and distribution)
  • Manufacturing/production of goods
  • Digital service providers
  • Research

NIS-2 as a podcast: the most important information in 15 minutes

#82 Discovered. Explained. Told
To the podcast

For more cyber security in the EU

Stricter guidelines with NIS2: Interview with Jacques Kruse Brandao

According to the NIS 2 Directive, affected companies must implement at least the following measures to increase their resilience against attacks and to prevent security incidents as far as possible or minimise their impact.

Requirements under NIS-2 for affected companies

Risk management

Monitoring of measures to minimise cyber risks

Responsibility of the management

Ensuring the implementation of legal requirements

Policies

Concepts relating to risk analysis and security for information systems

Incident management

Prevention, detection and management of security incidents

Purchasing

Security measures for the acquisition, development and maintenance of network and information systems

Business Continuity

Business continuity (such as backup management and disaster recovery) and crisis management

Effectiveness

Concepts and procedures for evaluating the effectiveness of risk management measures

Supply Chain

Reliability of the supply chain

Training courses

Cyber hygiene and training in the area of cyber security

Cryptography

Concepts and procedures for the use of cryptography and, where applicable, encryption

Personnel, access & asset management

Personnel security, access control concepts and asset management

Authentication & Communication

Use of solutions for multi-factor authentication or continuous authentication, secure voice, video and text communication and, if necessary, secure emergency communication systems

We will support you – no matter what

Get started at last!

We advise you

TÜV NORD IT Secure Communication | Berlin

Goal achieved?

We check that

TÜV Informationstechnik | Essen

With these services, we support you in meeting NIS-2 requirements


Is your company affected by NIS-2?

Overview in the jungle of IT regulation & legislation
Brussels strengthens resilience against cyber attacks. And it is doing so with a complex and demanding regulatory agenda. The requirements are growing and so are the penalties for non-compliance. Is your company affected? We will clarify.

- Initial consultation

From NIS-1 to NIS-2

How big a leap do you need to make?
As a KRITIS company already affected by NIS-1, you are well positioned in terms of IT security. From October 2024, however, the requirements of NIS-2 will apply, some of which are significantly stricter. What is already on the plus side, and what still needs to be done? We can tell you.

- Delta audits
- Pre-audits

Long-distance qualities in demand

Prepare in good time and persevere!
Implementing measures takes time and a lot of personal commitment. We will accompany you:

- §8a and §10 audits
- ISO 27001, also based on IT baseline protection
- Business continuity management (ISO 22301)
- EUCS/ISO 27001 for Cloud
- Incident management
- NESAS

Only half the battle

It all depends on the supply chain
IT systems, devices and components must be developed and manufactured in such a way that they meet the high IT security requirements.

- BSZ
- Audits according to IEC 62443-X
- SQ (EN303645 or harmonised standard)
- Common Criteria (EU CC)
- CSC (EN303645 + Cloud)
- GSMA NESAS

Tightening of sanctions

The NIS 2 Directive entails stricter penalties and sanctions. These are modelled on the EU General Data Protection Regulation (EU GDPR).

  • For essential entities, fines can be up to EUR 10 million or 2 per cent of global annual turnover (whichever amount is higher)
  • For important entities, the maximum fine is EUR 7 million or 1.4 per cent of global annual turnover (whichever amount is higher)

Management must monitor compliance with the IT security measures. If these obligations are breached, members of the management face the risk of internal liability towards the organisation.

Government inspections are also planned to check compliance.

Mandatory reporting of security incidents

Significant security incidents must be reported to the Federal Office for Information Security (BSI). The following deadlines apply:

  • Within 24 hours: initial notification of the security incident, stating whether the incident is suspected to be due to illegal or malicious behaviour or could have cross-border implications
  • Within 72 hours: confirmation or update of the initial report, including an assessment of the incident (severity, impact, indicators of compromise)
  • Within one month: final report with a detailed description and information on causes, measures taken and cross-border effects

The implementation of the new NIS 2 Directive offers KRITIS operators and the public sector the opportunity to position themselves robustly in terms of IT security. TÜV NORD GROUP accompanies them on this path. Across Europe!

Axel Lange

Head of Marketing & Sales at TÜVIT

NIS-2: Status of implementation

Berlin

The European NIS 2 Directive will be enshrined in national legislation in Germany through the NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). On 24 June 2024, the Federal Ministry of the Interior (BMI) published what is now the fourth draft bill for this law.

Vienna

During the parliamentary vote in the National Council on the Information System Security Act 2024 (NISG 2024) on 3 July 2024, the necessary two-thirds majority was not achieved. The law was therefore not passed for the time being.

Madrid

In Spain, the Ministry of Digital Transformation and Public Services is responsible for implementing the NIS 2 Directive. The implementing law has not yet been adopted and is still being finalised; there is currently little information in the media about the exact status.