NIS 2

Full text

Up-to-date link (the EU updates it whenever a revised version is published):

EU Directive 2022/2555 (NIS 2)

Who is affected?

Article 2

NIS 2 determines which entities are in scope based on their size and sector:

  • medium-sized or larger public and private entities
  • from the sectors listed in Annex I or II
  • which provide their services / carry out their activities in the EU

Article 2 (2.)

Some sectors are affected regardless of their size:

  • providers of public electronic communications networks and services
  • trust service providers
  • top-level domain (TLD) name registries / DNS service providers

Article 2 (2.) establishes additional criteria that determine when a company is subject to regulation, regardless of its size.

  • Sectors that are critical for society (marked green in the original: added compared to NIS / KRITIS)
    • Chemicals
    • Digital infrastructure
    • Digital providers
    • Water supply
    • Energy
    • Finance
    • Food
    • Health
    • Manufacturing
    • Postal services
    • Public Administration
    • Research
    • Space
    • Transport
    • Waste Management
  • New size thresholds per sector compared to NIS

Penalties

  • Up to €10 million or 2% of annual revenue
  • personal liability of the CEO and senior management ("leitende Angestellte")

Status

  • Deadline for national laws: 📅 October 2024
  • Germany: NIS2UmsuCG
    • no transition period
    • no proactive controls before October 2027
    • latest draft: 29.11.2024
    • currently on hold due to elections in February 2025

Obligations

  • Risk Management & handling
    • incl. supply chain / procurement
  • Incident Management
  • Requirements for cryptography usage and encryption
  • Business Continuity Management (BCM)
    • including a secured emergency communication system
  • Assess effectiveness of measures
  • Human Resources Security
  • Training of employees
  • Access control
  • Asset management
  • Multi-factor authentication (MFA) and single sign-on (SSO)
  • Use of secure communication (voice, video, text)
  • Reporting obligation to national cyber security authority
  • Registration
  • Obligations differ between medium-sized companies and large enterprises
  • Operators of critical systems ("Betreiber kritischer Anlagen")
    • must operate an intrusion detection system (IDS)
    • must provide evidence through audits (KRITIS-Prüfungen)

General

openkritis.de: EU NIS 2 Cybersecurity

openkritis.de: EU NIS 2 and RCE

Situation in Germany

openkritis.de: NIS2 Umsetzungsgesetz