What is the NIS2 Directive?
NIS2 (Network and Information Security Directive) is an EU directive that aims to ensure a high common level of cybersecurity throughout the European Union by establishing stricter security requirements, supervisory measures, and sanctions for companies in critical sectors.
What does the NIS2 Directive state?
The directive requires companies to take proactive risk management measures to ensure the security of their network and information systems. This includes not only technical precautions but also organizational processes such as securing the supply chain and structured incident management. The goal is to significantly increase the resilience of the European economy against cyberattacks such as ransomware or espionage.
Who must implement NIS2 and who is affected?
The NIS2 Directive massively expands the circle of affected organizations. In principle, companies with more than 50 employees or an annual turnover of more than 10 million euros and operating in one of the regulated sectors are affected. The classification is divided into two categories:
- Essential entities: Energy, transport, banking, healthcare, drinking water, digital infrastructure.
- Important entities: Postal and courier services, waste management, chemicals, food, manufacturing.
Difference between KRITIS and NIS2
Although both concepts aim to secure critical infrastructures, there are significant differences in scope and application.
- KRITIS: In Germany, traditionally refers to facilities above a high supply threshold, i.e., those serving a very large share of the population (e.g., large power plants).
- NIS2: Broadens the focus away from pure thresholds to sector affiliation and company size. Many companies that were not previously considered KRITIS operators now fall under NIS2 regulation.
What exactly needs to be implemented for NIS2?
The implementation requires a bundle of measures that must be based on the state of the art. The central requirements include:
- Risk management: Concepts for risk analysis and security for information systems.
- Incident management: Prevention, detection, and response to security incidents.
- Supply chain security: Review of security standards at suppliers and service providers.
- Cryptography: Use of encryption and multi-factor authentication (MFA).
- Managing Director Liability: The management must monitor the measures and is personally liable for violations.
Timeline: When will NIS2 become mandatory in Germany?
The EU-wide implementation deadline ended on October 17, 2024. In Germany, the legal obligation is implemented through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). After delays in the legislative process, the Cybersecurity Strengthening Act was passed by the German Bundestag on November 13, 2025, and the EU-NIS-2 Directive came into force on December 6, 2025.
firstcolo Expert Assessment:
“An often underestimated aspect of NIS2 is supply chain security. Even if your company does not fall directly under the directive, as a service provider for ‘Essential Entities,’ you may be contractually obligated to comply with NIS2 standards. The choice of a certified data center partner (e.g., ISO 27001) is a crucial building block for your own compliance strategy.”