To better protect companies in the EU from cyberattacks, the NIS 2 Directive, the successor to the NIS 1 Directive in force since 2016, entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024; Germany is expected to complete its implementation in 2025.

For a long time it was unclear exactly what this implementation would look like. Most experts assumed that the group of affected companies would be significantly expanded, that some of the measures would be tightened and that the fines for violations would rise substantially, but many details were initially left open.

What is NIS 2?

The EU's NIS 2 Directive aims to strengthen the cyber resilience of affected companies across the EU. To this end, the group of affected companies has been massively expanded compared with its predecessor, NIS 1, and the requirements placed on them have been significantly tightened.

Who is affected by NIS 2?

According to expert estimates, the requirements will affect around 30,000 medium-sized and large companies in Germany across 18 sectors of the economy (such as utilities, transport, finance, healthcare and ICT). In practice, NIS 2 will reach many more companies, because directly regulated companies will in turn require their suppliers and service providers to implement the measures and requirements.

The legislator distinguishes between particularly important entities (the "essential entities" of the directive: at least 250 employees, or more than EUR 50 million annual turnover and more than EUR 43 million balance sheet total) and important entities (at least 50 employees, or more than EUR 10 million annual turnover and more than EUR 10 million balance sheet total). These are the EU size thresholds for large and medium-sized enterprises; the turnover and balance sheet criteria apply together, the headcount criterion on its own.


What does NIS 2 require, among other things?

Once the law comes into force, affected organizations and companies must register with the competent supervisory authority on their own initiative and in good time, comply with a wide range of obligations and implement various technical and organizational requirements.

Will I be notified if I am affected?

No. Particularly important and important entities are obliged to register themselves on the online portal of the Federal Office for Information Security (BSI) within three months of the new law coming into force; the authority does not notify you. Missing this deadline is itself subject to a fine.


What do those affected have to do?

The government draft obliges you to implement systematic cyber risk management based on the relevant European and international standards. To this end, you must meet a set of minimum cyber security requirements and take appropriate and proportionate technical, operational and organizational measures following an all-hazards approach, i.e. covering not only cyberattacks but also physical events such as fire, flooding or power failure that can affect your networks and information systems.


What are the biggest challenges for newly regulated companies?

The new three-stage reporting system will be a major hurdle: companies must submit an early warning about a significant security incident to the BSI within 24 hours, follow up within 72 hours with an incident notification that confirms, explains and gives an initial assessment of the incident, and deliver a final report no later than one month after the notification. Meeting these deadlines requires clear and efficient detection, escalation and reporting processes, many of which will have to be newly defined.


What happens in the event of violations of the NIS 2 requirements?

Graduated fines are planned for infringements. The upper limits are between 100,000 euros and 10 million euros; alternatively, fines of up to 2 percent of annual global turnover can be imposed on large entities. Particularly important in the early stages: failure to register, or an incorrect registration, can be fined with up to 500,000 euros.


Take action now!

Set the course now for NIS 2 compliance: even if you are not directly affected, your business partners will pass the relevant requirements and obligations on to you. As part of our NIS 2 compliance check, our experts first help you determine where you stand in terms of implementation. In a second step, we will also support you in setting up systematic and sustainable information security management. This secures the trust of your customers and partners and lets you concentrate fully on the success of your company.

Affected? What now?

Talk to us! Our experts will be happy to answer any questions you may have about NIS 2 compliance and help you to reliably meet all requirements.


Our services for you:

We work with you to check whether you are affected by NIS 2.

We derive the specific requirements of NIS 2 for your organization.

We conduct interviews to find out where you stand with regard to the requirements.

We work with you to design the necessary measures and support you with our implementation expertise.

We advise you on holistic information security management.

We help you to set up resilient business operations and prepare for emergencies.

We will be happy to help you!

Would you like more information about our NIS 2 services? Do you have specific questions? Would you like a personal consultation?


Contact

Do you have any questions? Our experts will be happy to help you.

Daniel Kammerbauer
Team Lead GRC

Write to us