NIS2 in Germany: Act Now Before It’s Too Late
As of October 17, 2024, it is clear: the EU’s NIS2 Directive mandates enhanced security measures for companies, particularly those in critical sectors. With stricter requirements and specific liability provisions for management, the directive is a clear call to action for businesses. But how can companies meet these demands, and which steps are now essential?
Key Takeaways
- NIS2 since October 17, 2024: The EU directive requires enhanced security measures for companies in critical sectors.
- CEO liability: Management faces personal liability for inadequate cybersecurity.
- Approximately 30,000 companies affected: A significantly larger number than under the previous NIS Directive.
- 24-hour reporting requirement: Security incidents must be reported within 24 hours.
- Fines up to €10 million: Or 2% of worldwide annual turnover in case of violations.
What is NIS2?
NIS2 is a concrete priority for companies in 2024 because it directly shapes cyber resilience, security operations and regulatory duties. This article uses synaforce as an example to show which requirements, figures and operational steps matter in practice.
Background on the NIS2 Directive
The NIS2 Directive (Network and Information Security Directive) is the EU’s response to growing cybersecurity threats. It imposes more comprehensive requirements on companies by assigning responsibility to senior management levels and establishing stricter reporting obligations. According to eco – Association of the Internet Industry e.V., companies must now respond strategically to cybersecurity risks. Klaus Landefeld, a member of the association’s board, urges the German government to promptly transpose the directive into German law to provide businesses with clear guidelines for action.
The Most Important Requirements at a Glance
- Management Accountability: Company leadership is directly held responsible and must actively participate in cybersecurity strategies and measures.
- IT Risk Management: Implementing a comprehensive IT risk management system is mandatory. This includes threat assessments and preventive security measures that are continuously monitored.
- Reporting Obligations and Penalties: Security incidents must be reported promptly. Companies that fail to comply with these requirements face substantial fines.
Solutions for Complying with NIS2 Requirements
Compliance with the NIS2 Directive is challenging and often requires additional resources and expertise. Here, synaforce supports companies in implementation:
- Strategic Consulting: To train cybersecurity leaders and prepare them for strategic decision-making.
- Risk Management and Threat Analysis: Early identification of vulnerabilities and threats helps to take preventive measures and close security gaps.
- Automated Security Solutions: For a rapid response to incidents, synaforce offers automated security processes that can intervene immediately to minimize damage.
- Compliance Management: Tools for documentation and reporting make it easier for companies to meet their notification obligations.
Who is affected and what specifically needs to be done?
NIS2 distinguishes between “essential” and “important” entities. Essential entities (such as energy providers, healthcare organizations, and digital infrastructure operators) are subject to stricter obligations and proactive oversight. Important entities (such as postal services, food producers, and chemical companies) are inspected on an ad-hoc basis.
Specifically, affected companies must implement a risk management system, assess supply chain security, develop incident response plans, conduct regular penetration tests, and train senior management in cybersecurity. The 24-hour initial reporting requirement for incidents necessitates robust detection and notification processes.
Frequently Asked Questions
What is NIS2?
NIS2 (Network and Information Security Directive 2) is an EU directive that establishes minimum cybersecurity standards for critical and important sectors. It replaces the 2016 NIS Directive and significantly expands its scope.
Is my company affected by NIS2?
NIS2 applies to companies with at least 50 employees or €10 million in annual revenue operating in 18 defined sectors, including energy, healthcare, transportation, digital infrastructure, finance, food, chemicals, and postal services. Smaller companies may also be affected if they are classified as critical.
What happens in case of violations of NIS2?
Fines can amount to up to €10 million or 2 percent of the company’s worldwide annual turnover, whichever figure is higher. Additionally, company executives can face personal liability if they fail to fulfill their supervisory duties.
How does NIS2 differ from the previous NIS Directive?
NIS2 broadens the circle of affected organizations from approximately 4,500 to around 30,000 in Germany, introduces personal liability for company executives, tightens reporting requirements to 24 hours, and explicitly mandates supply chain security.
What initial steps should companies take now?
First, determine whether NIS2 applies to your organization. Next, implement risk management processes, develop incident response plans, assess supply chain security, train senior management, and appoint an IT security officer. External consultants can assist with gap analyses and implementation efforts.
