Skip to main content

Understand NIS2 and its requirements

NIS2 is the abbreviation for "Network and Information Security 2" and refers to the directive on measures for a high common level of cybersecurity in the Union (EU Directive 2022/2555), which came into force in 2023, already. The focus of NIS2 is on the areas of cybersecurity and information technology. The NIS2 Directive completely replaces the 2016 NIS Directive.


What is the aim of NIS2?

With NIS2, the European Union is setting minimum requirements to strengthen IT security and improve the resilience of critical economic sectors. The aim is to protect large parts of the European economy and achieve a uniform implementation of cybersecurity in the European Union.


What IT service providers and specialist retailers should know about NIS2

Implementing NIS2 for customers in good time is a challenge - and an opportunity. System houses and specialist retailers are leading the way with their own expertise in IT security when advising their customers and providing the necessary protection.

Under certain conditions, IT service providers can also fall within the scope of the directive themselves. What aspects are important for this?

We have compiled the most important information on NIS2 in a white paper. Further information is also provided in a presentation that took place as part of a webinar for IT service providers.


Download now!

When will NIS2 become national law in Germany?

The NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG for short) is intended to implement the EU directive in Germany. Various draft bills and a discussion paper are currently under discussion. A final version of the implementation law is not yet available. A new draft bill is expected in March 2024.

In Austria, the system of the existing NIS Act (Network and Information System Security Act) is to be adapted to the EU's NIS2 Directive.

By submitting, you agree explicitly that data will be transmitted to Vimeo

When will NIS2 apply?

NIS2 stipulates that the EU member states must adopt and publish the necessary regulations by October 17, 2024. Accordingly, the regulations are to apply from October 18, 2024.

Read more about the legislative procedure

Who does NIS2 apply to?

The scope of the NIS2 Directive goes far beyond the previously known critical infrastructures (KRITIS). Companies fall within the scope of NIS2 if they

  • meet the defined thresholds,
  • are active in the 18 economic sectors listed in NIS2 and/or
  • provide services related to network and information security.

In principle, NIS2 applies to medium-sized companies or companies that exceed the thresholds for medium-sized companies.


Medium-sized companies

  • at least 50 and less than 250 employees and
  • either an annual revenue of at least 10 million euros but no more than 50 million euros or
  • an annual balance sheet total of at least EUR 10 million but no more than EUR 43 million.

Irrespective of the size of the institutions, the NIS2 Directive also applies to institutions that are active in one of the 18 sectors listed in NIS2. These include, for example, the energy sector or administration of ICT services or manufacturing/production of goods or providers of digital services.


Essential and important entities

NIS2 also distinguishes between "essential entities" and "important entities".

Companies are considered "essential entities" if they are active in a sector with high criticality and exceed the threshold for a medium-sized company, i.e. have at least 250 employees and either an annual revenue of more than EUR 50 million or a balance sheet total of more than EUR 43 million.

Companies are considered "important entities" if they are active in one of the 18 sectors listed and do not fall under the definition of "essential entities".

Learn more about the scope of NIS2.

Important: Implementation for small businesses

Small and micro enterprises may also be covered by the Directive if they operate in one of the 18 sectors or in one of the services designated as special cases by NIS2.


What requirements does NIS2 specify?

NIS2 sets out numerous requirements for the individual IT security measures – from a risk management concept to technical measures and reporting deadlines for security incidents.

NIS2 requires a preventative approach to IT security and corresponding risk management. Network and information systems must be secured in accordance with these requirements. The following measures, among others, are provided for under NIS2: Risk analysis, management of security incidents, supply chain security, evaluation of risk management measures, cyber security training.

What does cyber hygiene according to NIS2 mean?

Against the backdrop of an increase in cyber attacks and a high threat level, prevention is becoming increasingly important in IT security. The NIS2 Directive enshrines better prevention of IT security incidents throughout Europe. The principle is: reliable cyber hygiene protects the hardware and software as well as the business and end user data of companies. This includes, for example, regular updates, password changes, backing-up of data, and the limitation of administrator-level access accounts.

NIS2 directive: Download whitepaper & presentation

Please provide the following contact information to download the NIS2 white paper and presentation.