NIS2: What companies need to know and implement now

Last update: 09.03.2026

Important findings

  • The NIS2 directive improves EU cybersecurity through expanded minimum standards.
  • Affected entities should begin implementation now to be prepared.
  • Compliance with NIS2 alone does not provide comprehensive protection against cyber threats.
  • Expanded scope now includes critical sectors and their suppliers.
  • Additional EU legislation strengthens cybersecurity measures in various areas.

The EU NIS2 Directive creates a uniform European framework for cybersecurity and requires significantly more companies to implement structured security measures, clear reporting processes, and stronger governance. The requirements of NIS2 have now also been implemented nationally in Germany. For affected organizations, the most important thing now is to assess how they are affected and adapt existing security structures to the new requirements. 

This document will provide you with:

  • What you need to know about the EU NIS2 Directive
  • Who is affected
  • How you can prepare now

What is NIS2?

NIS2 is the revised EU Network and Information Security Directive, which replaces the previous directive from 2016 (NIS1). The NIS2 Directive has been in force since January 16, 2023, and had to be transposed into national law in all EU member states by October 17, 2024. 


The aim of the EU NIS2 Directive is to establish a uniformly high level of cybersecurity in the European Union. The EU is thus laying down binding minimum requirements and reporting obligations for cyber incidents. It applies to an expanded number of organizations in a wider range of sectors.


In Germany, the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was passed on November 13, 2025, transposing the requirements into German law. The NIS2 regulation came into force on December 6, 2025, without a transition period. The central authority for NIS2 is the BSI (Federal Office for Information Security). It provides reporting channels, coordinates communication with affected institutions and other national and European bodies, and publishes guidance.


The meaning behind NIS2

With the rapid digitisation of daily life, protection against cyber threats has become essential for the smooth functioning of society. The European Parliament has therefore revised the NIS framework, producing NIS2 together with a series of new cybersecurity regulations. Cybersecurity encompasses all activities necessary to protect network and information systems, their users, and others affected by cyber threats.

The most far-reaching regulation in the European Union is the revised Directive on Security of Network and Information Systems (NIS2 Directive), which replaces the 2016 directive. Having been in force since January 16, 2023, the NIS2 Directive must be implemented in all EU member states by October 17, 2024. It applies to an expanded number of organisations across a wide range of sectors.

The directive aims to increase the level of cybersecurity within the EU, strengthening resilience against cyberattacks. Nancy Faeser, Member of the Bundestag and former Federal Minister of the Interior, has summarised the goals of the NIS2UmsuCG in Germany:

"The threat situation in the area of cybersecurity remains high... With our law, we are increasing protection against cyberattacks, regardless of whether they are state-directed or criminally motivated. In the future, more companies in more sectors will have to meet minimum cybersecurity standards and reporting obligations for cyber incidents."

Nancy Faeser, Member of the Bundestag and former Federal Minister of the Interior

NIS2 is more than compliance

Compliance with the minimum legal requirements of NIS2 and accompanying standards is an important starting point for many organisations. These requirements and standards provide a broad framework that often brings previously neglected areas outside of IT (so-called ‘blind spots’) into the focus of information security management for the first time. After all, cybersecurity is no longer just a technical IT issue, but an issue that requires the active participation of the entire organisation – from technology to production, and sales to management.

However, those who want to use resources effectively in the long term are well advised not merely to meet compliance laws and standards but to exceed them from the outset. Compliance does not automatically equate to protection against theft, manipulation, and the publication of business-critical information, or against negative headlines with a wide media reach. For this reason, the legislator has based the NIS2 requirements on a risk-based approach. Accordingly, affected organisations can decide on appropriate and proportionate technical, operational, and organisational measures, taking into account the likelihood of security incidents and their severity (including social and economic impacts).

This approach aims to promote the effective development of resilient systems rather than the efficient compliance with rigid requirements. Rather than slowing down business, effective information security controls enable organisations to move faster into a digital future.

What sectors are affected by NIS2?

The NIS2 Directive expands the scope of its 2016 predecessor to eleven ‘highly critical’ sectors, including energy, transport, banking, public administration, and healthcare. Organisations operating in these areas may fall under the NIS2 category of essential entities, depending on their size, role, and the nature of the services they provide. It also affects other ‘critical’ sectors such as postal and courier services, food production, processing, distribution, and digital services.

Even organisations that do not directly fall into these sectors but act as suppliers or partners can be indirectly affected by the NIS2 regulation. They, too, can represent potential gateways for cyberattacks.

NIS2 Annex I

Key requirements of the NIS2 Directive

Affected organisations must fulfil extensive NIS2 requirements. These include:

  • the responsibility of management bodies and regular cybersecurity training for all employees (Article 20),
  • risk management measures, including regular risk analyses, the handling of security incidents and the maintenance of operations (Article 21),
  • specific reporting obligations (Article 23),
  • documentation obligations (Recital 122).

Management bodies must approve the risk management measures taken, monitor their implementation and be personally liable in the event of breaches of their obligations. In the event of significant security incidents, companies must issue an early warning within 24 hours, submit an initial assessment within 72 hours and submit a detailed final report no later than one month after the assessment. 

The NIS2 Directive also emphasises the importance of security in the supply chain. Companies should scrutinise their supplier relationships and carry out risk assessments of them.

NIS2 framework for implementing the requirements

The NIS2 regulation itself does not define a separate cybersecurity framework. In practice, companies often implement NIS2 measures using established security frameworks or management systems.

Typical approaches include ISMS-based certification according to ISO 27001 or national standards such as BSI IT-Grundschutz. These help to translate the requirements of the NIS2 Directive into concrete security measures, processes, and controls.

A structured NIS2 cybersecurity framework typically includes the following elements:

  • Risk management for IT and OT systems
  • Technical and organizational security measures
  • Incident management and reporting processes for security incidents
  • Security requirements for suppliers and service providers
  • Continuous review and improvement of security measures

With the help of the structured NIS2 framework, organizations can systematically implement NIS2 requirements, document security measures, and ensure the necessary verifiability for regulatory authorities.


Further EU cybersecurity regulations

To promote cyber resilience and combat cybercrime, the EU legislator has enacted additional cybersecurity regulations alongside the NIS2 regulation. These include:

What can you do today for NIS2 compliance?

The NIS2 regulation presents significant challenges for affected organisations but also offers an opportunity to significantly improve their cybersecurity. A holistic approach that goes beyond IT and provides risk-based decision-making enables organisations to not only meet the requirements of the NIS2 Directive but also strengthen their overall resilience.

A1 Digital Welcomes NIS2

A1 Digital sees the NIS2 Directive as an important step towards increasing the overall level of cybersecurity in the EU. We help organisations understand their risks and actively drive their risk management measures with our NIS2 consulting. To this end, we develop solutions tailored to the individual needs of each organisation.

Furthermore, we offer our customers our expertise in operational technology security to support organisations in protecting their industrial systems and critical infrastructures. We consider the risk-based approach to information security and the corresponding assessment to be the most effective in protecting critical infrastructures.