What is the NIS2 Directive?

NIS2 (Network and Information Security Directive) is an EU directive that ensures a high common level of cybersecurity across the European Union by establishing stricter security requirements, supervisory measures, and sanctions for companies in critical sectors.

What does the NIS2 Directive state?

The directive obliges companies to take proactive risk management measures to ensure the security of their network and information systems. This includes not only technical precautions but also organizational processes such as securing the supply chain and structured incident management. The goal is to significantly increase the resilience of the European economy against cyberattacks such as ransomware or espionage.

Who must implement NIS2 and who is affected?

The NIS2 Directive massively expands the circle of affected organizations. In principle, companies are affected if they employ more than 50 people or achieve an annual turnover of over 10 million euros and operate in one of the regulated sectors. The classification is divided into two categories:

  • Essential entities: Energy, transport, banking, healthcare, drinking water, digital infrastructure.
  • Important entities: Postal and courier services, waste management, chemicals, food, manufacturing.

Difference between KRITIS and NIS2

Although both concepts aim for the security of critical infrastructures, there are clear differences in scope and application.

  • KRITIS: In Germany, this traditionally refers to facilities whose failure would affect a very large share of the population's supply (e.g., large power plants).
  • NIS2: Expands the focus away from pure threshold values toward sector affiliation and company size. Many companies that were previously not considered KRITIS operators now fall under NIS2 regulation.

What specifically needs to be implemented for NIS2?

Implementation requires a bundle of measures that must be based on the state of the art. Central requirements include:

  • Risk management: Concepts for risk analysis and security for information systems.
  • Incident management: Prevention, detection, and response to security incidents.
  • Supply chain security: Auditing security standards at suppliers and service providers.
  • Cryptography: Use of encryption and multi-factor authentication (MFA).
  • Management liability: Company management must monitor the measures and is personally liable in the event of violations.

Timeline: When will NIS2 become mandatory in Germany?

The EU-wide implementation deadline ended on October 17, 2024. In Germany, the legal obligation is established through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Following delays in the legislative process, the Cybersecurity Strengthening Act was passed by the German Bundestag on November 13, 2025, and the EU NIS2 Directive came into force on December 6, 2025.

firstcolo expert assessment:

“An often underestimated aspect of NIS2 is supply chain security. Even if your company does not fall directly under the directive, you may be contractually forced to comply with NIS2 standards as a service provider for ‘Essential Entities.’ Choosing a certified data center partner (e.g., ISO 27001) is a decisive building block for your own compliance strategy.”
