NIS2 Directive – What Companies Need to Know

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (NIS2)

Status: In force | Effective: 18/10/2024 | Scope: EU-wide | Type: EU Directive

Overview

The NIS2 Directive (Network and Information Security Directive 2) is the revised EU directive on cybersecurity. It replaces the original NIS Directive from 2016 and significantly broadens its scope.

Who Is Affected?

NIS2 distinguishes between essential entities and important entities across 18 sectors:

  • Energy (electricity, gas, oil, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure and IT services
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals and food
  • Manufacturing (medical devices, electronics, mechanical engineering, automotive)

Core Obligations

  1. Risk management: Technical and organisational cybersecurity measures
  2. Reporting obligations: Report security incidents within 24 hours
  3. Supply chain security: Cybersecurity requirements for suppliers
  4. Management liability: Personal liability of senior management
  5. Training: Regular cybersecurity training for management and employees

National Transposition

EU member states were required to transpose NIS2 into national law by 17 October 2024. Status in the DACH region:

  • Austria: NISG 2024 in preparation
  • Germany: NIS2UmsuCG in legislative process
  • Switzerland: Not directly affected (non-EU member), but comparable adaptations have been made in the ISG

NIS2: Does it affect you?

Find out if and how this regulation affects your company – we're happy to advise you.

Frequently Asked Questions

Who is affected by NIS2?

Companies with at least 50 employees or EUR 10 million turnover in 18 critical sectors, including energy, transport, healthcare, digital infrastructure, and manufacturing.

When does NIS2 need to be implemented?

National transposition was due by 17 October 2024. Legislative procedures in Austria and Germany are still ongoing.

What are the penalties for non-compliance?

For essential entities, up to EUR 10 million or 2% of global annual turnover; for important entities, up to EUR 7 million or 1.4% of global annual turnover.