
NIS-2 Directive

NIS-2

IT security requirements

The NIS 2 Directive is the European legal framework for operators of critical infrastructure (KRITIS) and sets minimum standards for cybersecurity within the EU. On this page, you will find everything you need to know about NIS 2.

What is the NIS-2 Directive?

The EU Directive NIS-2 ("The Network and Information Security Directive") aims to strengthen the resilience of critical infrastructures (KRITIS) against cyber threats and to raise the level of cyber security within the EU.

NIS-2 imposes new obligations and extensive security measures on many companies and organisations. It primarily affects critical infrastructures and digital services in the EU, which must meet a set of minimum requirements in order to secure their own systems and networks against cyber attacks.

Who is affected by NIS-2?

Particularly important facilities §28 (1)

  • Sectors: NIS-2 Annex 1
  • Size: Large company
  • Employees: ≥ 250
  • Turnover and balance sheet: > EUR 50 million + EUR 43 million

Important facilities §28 (2)

  • Sectors: NIS-2 Annex 1 & 2
  • Size: medium-sized companies
  • Employees: ≥ 50
  • Turnover and balance sheet: > EUR 10 million + EUR 10 million

Special cases

  • Sectors: NIS-2 Annex 1 & 2
  • Size: independent of size
  • Employees: certain exceptions
  • Turnover and balance sheet: certain exceptions

Operators of critical facilities §28 (8)

  • Sectors: NIS-2 KRITIS
  • Size: Critical facility (KRITIS) above threshold value
  • Employees: Critical facility (KRITIS) above threshold
  • Turnover and balance sheet: Critical facility (KRITIS) above threshold

Federal Administration

  • Sectors: NIS-2 Annex 1
  • Size: Confederation
  • Employees: Various federal agencies, public bodies
  • Turnover and balance sheet: Various federal agencies, corporate bodies

Particularly important facilities

The particularly important entities under NIS-2, also known as "Essential Entities", include large companies from the sectors listed in Annex 1, certain companies regardless of their size and operators of critical infrastructure (KRITIS). The decisive factors for their categorisation are the number of employees (FTE) as well as the annual turnover and the balance sheet total, as defined in Section 28 (1).

The following sectors are defined in Annex 1 of the NIS-2 Implementation Act:

  • Energy
  • Transport and traffic
  • Finance
  • Healthcare
  • Water
  • Digital infrastructure
  • Space

Important facilities

The important entities under NIS-2 include large and medium-sized companies from the sectors listed in Annexes 1 and 2 of NIS-2. The number of employees in full-time equivalents (FTE), annual turnover and total assets are decisive for their categorisation.

The following sectors are defined in Annexes 1 and 2 of the NIS-2 Implementation Act:

  • Energy
  • Transport and traffic
  • Finance
  • Healthcare
  • Water
  • Digital infrastructure
  • Digital services
  • Space
  • Food
  • Waste Management
  • Manufacturing industry
  • Chemicals
  • Research

Operators of critical infrastructure (KRITIS)

In NIS-2, the existing KRITIS operators are referred to as operators of critical facilities. The existing KRITIS logic, which is based on KRITIS sectors, critical services and KRITIS facilities with defined thresholds (at least 500,000 people supplied), remains unchanged. This is set out in Section 28 (2) and Section 2 No. 22. As KRITIS operators, they automatically also count as particularly important facilities.


Requirements under NIS-2 for affected companies

According to the NIS 2 Directive, affected companies must implement at least the following measures to increase their resilience to attacks and to prevent security incidents as far as possible or minimise their impact.

Risk management

Monitoring of measures to minimise cyber risks

Responsibility of the management

Ensuring the implementation of legal requirements

Policies

Concepts relating to risk analysis and security for information systems

Incident management

Prevention, detection and management of security incidents

Purchasing

Security measures for the acquisition, development and maintenance of network and information systems

Business Continuity

Business continuity (such as backup management and disaster recovery) and crisis management

Effectiveness

Concepts and procedures for evaluating the effectiveness of risk management measures

Supply Chain

Reliability of the supply chain

Training courses

Cyber hygiene and training in the area of cyber security

Cryptography

Concepts and procedures for the use of cryptography and, where applicable, encryption

Personnel, access & asset management

Personnel security, access control concepts and asset management

Authentication & Communication

Use of solutions for multi-factor authentication or continuous authentication, secure voice, video and text communication and, if necessary, secure emergency communication systems


With these services, we support you in meeting NIS-2 requirements


Is your company affected by NIS-2?

Overview in the jungle of IT regulation & legislation
Brussels is strengthening resilience against cyber attacks, and it is doing so with a complex and demanding regulatory agenda. The requirements are growing, and so are the penalties for non-compliance. Is your company affected? We will clarify this for you.

- Initial consultation

From zero to NIS-2

How big a leap do you need to make?
Whether you were already affected by NIS-1 or are newly affected, you need to ask yourself how well you are positioned. What is already in place, and what still needs to be done? We know.

- Cyber Risk Check (CRC)
- GAP analyses
- Internal audits

Long-distance qualities in demand

Prepare in good time and persevere!
We support you with the following activities:

- §39 BSIG audits
- Auditing and certification of your ISMS
- Auditing and certification of your BCM 200-4
- EUCS/ISO 27001 for Cloud
- Incident management
- NESAS

The supply chain is crucial

IT systems and components must be developed and manufactured securely in order to fulfil the highest IT security standards:

- Supplier audits
- Securing the supply chain (C-SCRM)
- Audits according to IEC 62443-X
- BSZ
- Auditing & certification to standards based on EN 303 645
- Common Criteria (EU CC)

Tightening of sanctions

The NIS 2 Implementation Act does not provide for any transitional periods for implementing the security measures. Sanctions and fines can be imposed from the date of entry into force, in particular for breaches of the registration or reporting obligations.

Provisions on fines (Section 65):

  • Extension of KRITIS fines: New offences and increase in existing fines.

Responsibility of the management (§ 38):

  • Management must implement and monitor risk management measures.
  • Violation of these duties can lead to internal liability or, in the absence of internal liability, to liability under the BSIG.

Offenses and fines

EUR 10 million / 2% of global sales

- for sales > EUR 500 million
- Particularly important facilities
- Deficiencies in cyber security precautions, documentation, reporting and customer information.

EUR 7 million / 1.4% of global sales

- for sales > EUR 500 million
- Important facilities
- Similar offences as for particularly important facilities.

EUR 5 million

- Operators of critical facilities
- Deficiencies in notifications for critical components

EUR 2 million

- Manufacturer of IT systems: Refusal to co-operate in security restoration
- Telecommunications service providers: failure to comply with ordered measures
- Digital service providers: refusal to take technical and organisational measures

EUR 1 million

- Operators of critical facilities
- Deficiencies in evidence of remedial action

EUR 500,000

- Particularly important and important facilities
- Deficiencies in registration details and BSI orders

EUR 100,000

- Particularly important facilities: Deficiencies in access and provision of information
- Operators of critical facilities: Negligent deficiencies in evidence
- Manufacturer of IT systems: Refusal to provide information on products and systems

General violations

  • Non-conforming use of certificates or marks.
  • Operating as an accredited conformity assessment body without authorisation.
  • Breaches of EU regulations on ENISA and certification.

Further specific violations

  • Operators of critical facilities: failure to provide necessary information.
  • TLD registries and domain name registry service providers: deficiencies in database information and granting of access.
  • Manufacturers of IT systems: Refusal to co-operate in security incidents.

Mandatory reporting of security incidents

The following reporting obligations are envisaged as part of NIS 2 implementation:

  • 24 hours after becoming aware: An early initial report must be made if there is a suspicion that the security incident is due to illegal or malicious acts or has cross-border effects.
  • 72 hours after becoming aware: A detailed initial report must confirm or update the information in the early initial report and contain an initial assessment of the incident, including its severity and impact.
  • Interim notification: Relevant status updates must be provided if requested by the BSI.
  • 1 month after the detailed initial notification: A final notification must contain a detailed description of the incident, the nature of the threat, remediation measures taken and in progress, and possible cross-border impacts. If the incident is still ongoing after one month, a progress report is required and the final report is submitted once the incident has been concluded.

Operators of critical facilities must also provide information on the type of facility affected, the critical service and the impact on the service.


The Federal Office for Information Security (BSI) has the authority to instruct particularly important organisations to inform their customers immediately in the event of significant security incidents if their services could be affected. Organisations from the finance and insurance, IT and telecommunications, and digital services sectors must inform their customers as quickly as possible of significant cyber threats and communicate possible countermeasures. The BSI endeavours to respond to companies within 24 hours of receiving a report in order to provide support and information. Where it is in the public interest, the BSI may also ask operators to raise public awareness.

The implementation of the new NIS 2 Directive offers KRITIS operators and the public sector the opportunity to position themselves robustly in terms of IT security. TÜV NORD GROUP accompanies them on this path. Across Europe!

Axel Lange

Head of Marketing & Sales at TÜVIT

NIS-2: Status of implementation

Berlin

The European NIS 2 Directive will be enshrined in national legislation in Germany with the NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) - on 24 June 2024, the Federal Ministry of the Interior (BMI) published what is now the fourth draft bill for this law.

Vienna

During the parliamentary vote in the National Council on the Information System Security Act 2024 (NISG 2024) on 3 July 2024, the necessary two-thirds majority was not achieved. The law was therefore not passed for the time being.

Madrid

In Spain, the Ministry of Digital Transformation and Public Services is responsible for implementing the NIS 2 Directive. The directive has not yet been implemented and is still being finalised. There is currently little information in the media about the exact status.