NIS2 in Practice

What is NIS2?

NIS2 is the second Network and Information Systems Directive, Directive (EU) 2022/2555. It is the EU's horizontal cybersecurity baseline for essential and important entities across the economy. It replaced the original NIS Directive of 2016 and significantly widened the scope.

NIS2 is a directive, not a regulation. Each Member State transposes it into national law. The transposition deadline was 17 October 2024. Germany transposed it through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, with the BSI (Federal Office for Information Security) as the lead competent authority.

Are you in scope?

NIS2 covers 18 sectors split into two categories. The substantive obligations are similar; the difference is supervisory intensity.

Essential entities (high-criticality sectors)

• Energy (electricity, gas, oil, hydrogen, district heating)
• Transport (air, rail, water, road)
• Banking and financial market infrastructure
• Health (hospitals, EU reference labs, critical medical device manufacturers)
• Drinking water, waste water
• Digital infrastructure (Internet Exchange Points, DNS, top-level domain registries, cloud providers, data centres, content delivery networks, trust service providers, public electronic communications)
• ICT service management (managed service providers, managed security service providers)
• Public administration, space

Important entities (other critical sectors)

• Postal and courier services
• Waste management, chemicals manufacture and distribution
• Food production, processing and distribution
• Manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, transport equipment)
• Digital providers (online marketplaces, search engines, social networks)
• Research

Size threshold

Medium-sized enterprise or larger: at least 50 employees, or annual turnover and balance sheet total above 10 million EUR. Some categories are in scope regardless of size, including trust service providers, top-level domain name registries, and sole providers of a critical service in a Member State.

The ten baseline measures (Article 21)

These are not optional and not pick-and-choose. Every in-scope entity implements all ten, proportionally to size and risk:

1. Policies on risk analysis and information system security
2. Incident handling: detection, response, recovery
3. Business continuity, backup management, crisis management
4. Supply chain security, including direct supplier relationships
5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
7. Basic cyber hygiene practices and cybersecurity training
8. Policies on cryptography and, where appropriate, encryption
9. Human resources security, access control, asset management
10. Multi-factor or continuous authentication, secured communications, secured emergency communication systems

These map cleanly onto ISO 27001, BSI IT-Grundschutz, and NIST CSF. Compliance with an established framework covers the substance. The work is in evidencing it formally and closing sector-specific gaps.

The reporting cascade

NIS2 has the strictest reporting clock in EU operational law. For a significant incident:

• 24 hours: early warning. Short and indicative. Must indicate whether the incident is suspected to be malicious and whether it could have cross-border impact
• 72 hours: incident notification. Initial assessment, severity, impact, indicators of compromise where available
• On request: intermediate reports during the incident lifecycle
• 1 month: final report. Root cause, impact, mitigations, cross-border implications

A "significant incident" is defined by criteria including operational disruption, financial loss, and harm to other persons or organisations. National competent authorities can set more specific thresholds.

Management liability (Article 20)

This is the part that changes the boardroom conversation. Under Article 20:

• The management body must approve the cybersecurity risk management measures
• The management body must supervise their implementation
• Members of the management body can be held personally liable for infringements
• Management body members must follow specific cybersecurity training

Fines

• Essential entities: up to €10 million or 2% of worldwide annual turnover, whichever is higher
• Important entities: up to €7 million or 1.4% of worldwide annual turnover, whichever is higher
• National regimes can go further, including temporary prohibitions on managerial functions

Timeline

• 16 January 2023: NIS2 entered into force
• 17 October 2024: deadline for Member States to transpose into national law
• 18 October 2024 onwards: national NIS2 laws began to apply as they came into force
• April 2025: registration deadlines in most Member States
• 2026 onwards: full enforcement regime; significant sanctions become a real risk

Who enforces it

• The European Commission and ENISA coordinate at EU level
• Each Member State designates a competent authority and a national CSIRT
• In Germany: BSI as the lead competent authority and CSIRT, BNetzA for telecoms, BaFin for financial subjects where they remain inside NIS2

How NIS2 interacts with the other frameworks

• DORA: lex specialis for financial entities. DORA takes precedence; NIS2 still reaches the surrounding ecosystem (data centres, cloud providers, telcos)
• EU AI Act: an AI in an NIS2 entity is part of that entity's network and information systems. Article 21 measures apply to AI as to anything else
• ISO 27001: NIS2 Article 21 measures map cleanly onto ISO 27001 controls. Certified entities are close to baseline
• GDPR: significant overlap on incident reporting. The two regimes often fire together. Integrated incident response is essential
• BaFin and German national rules: the NIS2-Umsetzungsgesetz integrates with the earlier BSIG framework and recalibrated KRITIS thresholds

NIS2 reach into your supply chain

Even if NIS2 does not apply to your company directly, it can reach you through your customers' Article 21 measure 4 (supply chain security). Expect in-scope customers to:

• Request evidence of your security controls (ISO 27001, SOC 2, BSI IT-Grundschutz, NIST CSF)
• Impose contractual security clauses
• Require notification of incidents on your side that could affect them
• Pull you into incident response exercises

What to do next

• Confirm whether your sector and size place you in scope, and check your Member State's national transposition for specific registration obligations
• If in scope: implement and evidence the ten Article 21 measures. Mapping to ISO 27001 is the practical starting point
• Set up a single incident classification process that fires both NIS2 and (if applicable) DORA and GDPR pathways. Avoid parallel processes that drift apart
• If your customers are in scope: prepare a supplier security pack that anticipates their supply chain questions
• Engage the management body. Personal liability under Article 20 makes this a board-level conversation
• Use the classifier tool to check NIS2 alongside the other six frameworks