NIS2 Directive Adopted: What’s Ahead for Companies
The European Parliament has adopted the NIS2 Directive. It dramatically expands the scope of affected companies and tightens compliance obligations. Member states must transpose it into national law by October 2024. Here’s an overview of the key changes.
TL;DR
- 10× more companies: NIS2 is expected to affect approximately 30,000 companies in Germany (up from roughly 3,000 under NIS1).
- 18 sectors: Expanded to include food, postal services, waste management, chemicals, research, and others.
- Personal liability: Executive management bears personal responsibility for implementation.
- Fines: Up to €10 million or 2% of global annual turnover.
- Transposition deadline: October 2024 into national law.
How NIS2 Differs from NIS1
The original NIS Directive (2016) primarily applied to operators of essential services (KRITIS) and large digital service providers. NIS2 drastically broadens its scope: all medium and large enterprises across 18 sectors now fall under its obligations. These newly included sectors encompass food production, postal and courier services, waste management, chemicals, research, and public administration.
The most significant innovation: executives bear personal liability for compliance with cybersecurity requirements. They can no longer delegate accountability solely to the IT department – cybersecurity is now legally enshrined as a top-management responsibility.
Obligations Ahead for Companies
NIS2 mandates comprehensive cybersecurity risk management: risk analysis and security concepts for information systems; incident handling and business continuity planning; supply-chain security – including third-party vendors; secure procurement and development practices; management training and awareness; cryptography and encryption; and mandatory incident reporting within 24 hours. Companies should begin gap analyses now.
Timeline
The Directive enters into force 20 days after its publication in the Official Journal of the European Union. EU member states must transpose NIS2 into national law by October 2024. In Germany, the BSI Act (BSI-Gesetz) will be correspondingly amended. Companies therefore have less than two years to meet the new requirements.
Key Facts at a Glance
Affected in Germany: ~30,000 companies (10× more than under NIS1)
Sectors: 18 (previously 7)
Fines: Up to €10 million or 2% of global turnover
Reporting deadlines: First notification within 24 hours; detailed report within 72 hours
Transposition deadline: October 2024
Source: EU Directive 2022/2555 (NIS2), December 2022
Fact: According to Munich Re, cyber insurance premiums rose by an average of 15% in 2024.
Fact: Mandiant reports the average attacker dwell time inside a network stands at 10 days.
Frequently Asked Questions
Is my company subject to NIS2?
Likely yes – if you operate in one of the 18 designated sectors and employ more than 50 people or generate over €10 million in annual turnover. Covered sectors include energy, transport, health, finance, IT, food, postal services, chemicals, and research.
What does personal executive liability mean?
Managing directors and board members are personally accountable for implementing cybersecurity measures. They must attend training and formally approve risk assessments. Violations may trigger personal fines and civil liability claims.
How do “essential” and “important” entities differ?
“Essential entities” face stricter oversight, including proactive audits. “Important entities” are subject only to reactive supervision – i.e., audits triggered by suspicion or following an incident. Fines are higher for essential entities.
When must NIS2 be implemented?
EU member states have until October 2024 to transpose NIS2 into national law. In Germany, the NIS2 Implementation Act (NIS2UmsuCG) is currently under development. Yet companies should start preparing now, given the breadth and complexity of the requirements.
What should companies do right now?
First: Determine whether your company falls within scope (sector + size criteria).
Second: Conduct a gap analysis – what’s missing relative to NIS2 requirements?
Third: Build or enhance risk management and incident response capabilities.
Fourth: Train leadership and institutionalize cybersecurity as a strategic, board-level priority.
Further Reading Across the Network
NIS2 and cloud compliance on cloudmagazin: cloudmagazin.com
Compliance as a competitive advantage on mybusinessfuture: mybusinessfuture.com
NIS2 as a boardroom topic on Digital Chiefs: digital-chiefs.de