{"id":8396,"date":"2022-12-15T10:00:00","date_gmt":"2022-12-15T10:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-3643\/"},"modified":"2026-05-10T19:06:07","modified_gmt":"2026-05-10T19:06:07","slug":"nis2-directive-adopted-whats-ahead-for-companies","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2022\/12\/15\/nis2-directive-adopted-whats-ahead-for-companies\/","title":{"rendered":"NIS2 Directive Adopted: What\u2019s Ahead for Companies"},"content":{"rendered":"<p><strong>The European Parliament has adopted the NIS2 Directive. It dramatically expands the scope of affected companies and tightens compliance obligations. Member states must transpose it into national law by October 2024. Here\u2019s an overview of the key changes.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li><strong>10\u00d7 more companies:<\/strong> NIS2 is expected to affect approximately 30,000 companies in Germany (up from roughly 3,000 under NIS1).<\/li>\n<li><strong>18 sectors:<\/strong> Expanded to include food, postal services, waste management, chemicals, research, and others.<\/li>\n<li><strong>Personal liability:<\/strong> Executive management bears personal responsibility for implementation.<\/li>\n<li><strong>Fines:<\/strong> Up to \u20ac10 million or 2% of global annual turnover.<\/li>\n<li><strong>Transposition deadline:<\/strong> October 2024 into national law.<\/li>\n<\/ul>\n<h2>How NIS2 Differs from NIS1<\/h2>\n<p>The original NIS Directive (2016) primarily applied to operators of essential services (KRITIS) and large digital service providers. NIS2 drastically broadens its scope: all medium and large enterprises across 18 sectors now fall under its obligations. These newly included sectors encompass food production, postal and courier services, waste management, chemicals, research, and public administration.<\/p>\n<p>The most significant innovation: executives bear <em>personal liability<\/em> for compliance with cybersecurity requirements. They can no longer delegate accountability solely to the IT department  &#8211;  cybersecurity is now legally enshrined as a top-management responsibility.<\/p>\n<h2>Obligations Ahead for Companies<\/h2>\n<p>NIS2 mandates comprehensive cybersecurity risk management: risk analysis and security concepts for information systems; incident handling and business continuity planning; supply-chain security  &#8211;  including third-party vendors; secure procurement and development practices; management training and awareness; cryptography and encryption; and mandatory incident reporting within 24 hours. Companies should begin gap analyses now.<\/p>\n<h2>Timeline<\/h2>\n<p>The Directive enters into force 20 days after its publication in the Official Journal of the European Union. EU member states must transpose NIS2 into national law by October 2024. In Germany, the BSI Act (BSI-Gesetz) will be correspondingly amended. Companies therefore have less than two years to meet the new requirements.<\/p>\n<h2>Key Facts at a Glance<\/h2>\n<p><strong>Affected in Germany:<\/strong> ~30,000 companies (10\u00d7 more than under NIS1)<\/p>\n<p><strong>Sectors:<\/strong> 18 (previously 7)<\/p>\n<p><strong>Fines:<\/strong> Up to \u20ac10 million or 2% of global turnover<\/p>\n<p><strong>Reporting deadlines:<\/strong> First notification within 24 hours; detailed report within 72 hours<\/p>\n<p><strong>Transposition deadline:<\/strong> October 2024<\/p>\n<p><strong>Source:<\/strong> EU Directive 2022\/2555 (NIS2), December 2022<\/p>\n<p><strong>Fact:<\/strong> According to Munich Re, cyber insurance premiums rose by an average of 15% in 2024.<\/p>\n<p><strong>Fact:<\/strong> Mandiant reports the average attacker dwell time inside a network stands at 10 days.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Is my company subject to NIS2?<\/h3>\n<p>Likely yes  &#8211;  if you operate in one of the 18 designated sectors <em>and<\/em> employ more than 50 people or generate over \u20ac10 million in annual turnover. Covered sectors include energy, transport, health, finance, IT, food, postal services, chemicals, and research.<\/p>\n<h3>What does personal executive liability mean?<\/h3>\n<p>Managing directors and board members are personally accountable for implementing cybersecurity measures. They must attend training and formally approve risk assessments. Violations may trigger personal fines and civil liability claims.<\/p>\n<h3>How do \u201cessential\u201d and \u201cimportant\u201d entities differ?<\/h3>\n<p>\u201cEssential entities\u201d face stricter oversight, including proactive audits. \u201cImportant entities\u201d are subject only to reactive supervision  &#8211;  i.e., audits triggered by suspicion or following an incident. Fines are higher for essential entities.<\/p>\n<h3>When must NIS2 be implemented?<\/h3>\n<p>EU member states have until October 2024 to transpose NIS2 into national law. In Germany, the NIS2 Implementation Act (NIS2UmsuCG) is currently under development. Yet companies should start preparing <em>now<\/em>, given the breadth and complexity of the requirements.<\/p>\n<h3>What should companies do right now?<\/h3>\n<p>First: Determine whether your company falls within scope (sector + size criteria).<br \/>Second: Conduct a gap analysis  &#8211;  what\u2019s missing relative to NIS2 requirements?<br \/>Third: Build or enhance risk management and incident response capabilities.<br \/>Fourth: Train leadership and institutionalize cybersecurity as a strategic, board-level priority.<\/p>\n<h2>Further Reading Across the Network<\/h2>\n<p>NIS2 and cloud compliance on cloudmagazin: <a href=\"https:\/\/www.cloudmagazin.com\" target=\"_blank\" rel=\"noopener\">cloudmagazin.com<\/a><\/p>\n<p>Compliance as a competitive advantage on mybusinessfuture: <a href=\"https:\/\/www.mybusinessfuture.com\" target=\"_blank\" rel=\"noopener\">mybusinessfuture.com<\/a><\/p>\n<p>NIS2 as a boardroom topic on Digital Chiefs: <a href=\"https:\/\/www.digital-chiefs.de\" target=\"_blank\" rel=\"noopener\">digital-chiefs.de<\/a><\/p>\n<h2>Related Articles<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/?p=3011\">Pegasus Spyware: What Companies Must Learn from the NSO Scandal<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2024\/11\/25\/post_id-3649\/\">AI-Powered SOCs: How Automated Security Operations Address the Skills Shortage<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/?p=5044\">ChatGPT and Cybersecurity: Why AI Is Reshaping Both Attack and Defense<\/a><\/li>\n<\/ul>\n<p style=\"text-align: right;\"><em>Header Image Source: Pexels \/ Pixabay<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"The European Parliament has adopted the NIS2 Directive. It dramatically expands the scope of affected companies and tightens compliance obligations. Member states must transpose it into national law by October 2024. Here\u2019s an overview of the key changes. TL;DR 10\u00d7 more companies: NIS2 is expected to affect approximately 30,000 companies in Germany (up from roughly [&hellip;]","protected":false},"author":55,"featured_media":3644,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"nis2 directive","_yoast_wpseo_title":"NIS2 Directive Adopted: What\u2019s Ahead for Companies","_yoast_wpseo_metadesc":"NIS2 Directive compliance: Expand your cybersecurity readiness and avoid penalties. Prepare your company today.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[251],"tags":[],"class_list":["post-8396","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"wpml_language":"en","wpml_translation_of":3643,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=8396"}],"version-history":[{"count":5,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8396\/revisions"}],"predecessor-version":[{"id":11901,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8396\/revisions\/11901"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/3644"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=8396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=8396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=8396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}