Understanding & implementing NIS-2 compliance – Guidelines for 2025

With the NIS 2 Directive, the EU has launched a fresh power boost for the protection of important and essential organizations and critical infrastructures. It builds on the old NIS-1 Directive, but goes a significant step further to address the growing threats – be it from state-sponsored cyberattacks or ransomware attacks from other attackers. NIS-2 is therefore not just an extension, but a significant upgrade to effectively counter current and future cyber risks.

In times of a tense and uncertain geopolitical situation, the importance of cyber security for companies and organizations of all kinds is increasing. Since the invasion of Ukraine by Russian troops in 2022, the countries of the European continent have found themselves in a heightened threat situation. Statistics confirm the threat from cyber attacks. Bitkom, the industry association for the German IT sector, reports that 8 out of 10 German companies have already been victims of data theft, espionage or sabotage. The statistical analysis covers a period of 12 months between 2023 and 2024. According to Bitkom, the main sources of the attacks are China and Russia (Bitkom, 2024). Companies must raise their protection mechanisms to a new level in order to be armed against attacks by organized crime and hybrid warfare by state actors. After the “turning point”, to use the words of former German Chancellor Olaf Scholz, a professionalization of cyber and information security is required – the EU directive urges that this be carried out across a wide range of organizations and companies in the EU. Compliance with the NIS 2 requirements is therefore more than a regulatory obligation – it is a central building block for Europe’s digital resilience.

Authors

Michael Schobel-Thoma, Manager

Benjamin Lüber, Senior Consultant

What is the NIS-2 directive and why is NIS-2 compliance important?

The Network and Information Security Directive 2 (NIS-2) was adopted by the European Union in January 2023 in order to establish a uniform, higher level of cyber security in Europe. It significantly tightens the requirements for the security of network and information systems – both in terms of the depth and breadth of the companies affected.

The EU member states are currently working on transposing the directive into national law – the deadline for this already passed in October 2024. The entry into force of the German NIS-2 Implementation Act (NIS-2UmsuCG) was originally planned for March 2025, but was postponed due to the early federal elections and the formation of a new government. The law is expected to be passed in mid-2025 – national laws are already in place in some other EU countries.
We advise you to check now whether your company or organization is affected and, if so, not to wait for a national law. Similarly, the German Federal Office for Information Security (BSI) makes the following recommendation: “Above all, companies should prepare for the NIS-2 regulation by improving their information security and implementing specific technical and organizational measures” (German Federal Office for Information Security).
The NIS-2 directive sets out binding minimum standards for risk management, incident response and organizational and technical measures. These include stricter reporting obligations, clearly defined security requirements and the obligation to regularly review the effectiveness of protective measures.
A key feature of NIS-2 is the expansion of the scope of application. As a result, significantly more companies and organizations are required to demonstrate an appropriate level of information security. According to estimates, NIS-2 affects around 30,000 companies in Germany alone, depending on their activity, responsibility, number of employees, turnover or membership of certain sectors.
The aim of the directive is to protect critical economic and social functions in the EU from the growing threats posed by cyber attacks. Adherence to the NIS-2 requirements – i.e. NIS-2 compliance – is therefore a decisive factor for the resilience of companies and the security of entire economies.

The most important NIS-2 data & current developments at a glance

Although the national implementation law for the NIS 2 Directive in Germany is still pending, the pressure to act on cybersecurity is already extremely high. Not least because the European Commission has initiated infringement proceedings against Germany due to the delays at the end of 2024. The new obligations to strengthen cybersecurity will come into force when the future BSI Act, which will be enacted on the basis of the EU directive, enters into force – including the transition periods specified therein.

Despite the political delays, hardly anyone doubts that the national law will be passed in the near future. A survey by Veeam – a globally active software company – shows that 68% of the companies surveyed have already planned the necessary budget for their NIS 2 compliance – a clear sign of how seriously the issue of cyber security is being taken.

  • August 2016: NIS-1 enters into force
  • December 2022: NIS-2 is published in the Official Journal
  • January 2023: NIS-2 enters into force
  • October 2024: The applicable deadline for member states to transpose NIS-2 into national law
  • March 2025: Originally planned month to pass the implementation law for NIS-2 in Germany (postponed due to the federal elections)
  • Beginning of 2026: Realistic forecast for the adoption of the implementation law for NIS-2 in Germany
  • October 2027: Revision of NIS-2

These companies are affected by NIS-2 compliance

According to BSI estimates, the NIS-2 directive affects around 30,000 companies in Germany alone. It applies to organizations that are classified as operators of critical infrastructures (KRITIS), essential or important facilities.

These include companies that are essential for the functioning of central social processes – for example in the areas of energy, water, health and transportation.

  • Providers of telecommunications services or networks with more than 50 employees or an annual turnover and a balance sheet total of more than EUR 10 million
  • Qualified trust service providers and operators of TLD registries or DNS services
  • Companies with more than 250 employees or an annual turnover > 50 million euros and an annual balance sheet total > 43 million euros, provided they belong to a sector listed in the NIS-2 Directive
  • Companies with more than 50 employees or an annual turnover > 10 million euros and an annual balance sheet total > 10 million euros, provided they belong to a sector listed in the NIS-2 Directive
  • Non-qualified trust service providers

Note: Trust service providers offer digital services, such as the creation, validation or storage of electronic signatures, seals or time stamps. They ensure the legal binding nature and integrity of digital processes and are therefore a particular focus of the NIS 2 Directive.

NIS-2 requirements at a glance

Even if the specific national implementation is still pending, key requirements can already be derived from the EU directive. These can be divided into two groups: technical protective measures and organizational requirements.

Technical requirements:

  • Secure access to IT systems
  • Establish control over security mechanisms
  • Encrypt and protect data
  • Maintain an overview of all IT resources
  • Address risks when using the cloud

Organizational requirements:

  • Introduce risk assessments and security policies
  • Define emergency and response plans
  • Ensure security along the supply chain
  • Strengthen employee awareness and skills
  • Regularly review and improve security measures

These requirements form the framework within which companies must systematically develop their information security.

Implementing NIS-2 compliance – our guide

Information security is not an isolated IT project, but affects the entire company. Implementing the NIS 2 requirements is therefore also an opportunity to improve structures in the long term – towards greater resilience, efficiency and future security. Of course, every project and the requirements of every company are individual – but our guidelines, which combine the conversion of the security architecture with organizational change, serve as a rough guide.

We start with a status quo analysis. A detailed assessment will help to uncover gaps and starting points. Strengths and weaknesses of the current security architecture are also evaluated in order to prioritize compliance measures and establish a starting point.

Step by step:

  • Readiness Assessment & Gap Analysis
  • Evaluation of existing control mechanisms and processes
  • Identification of vulnerabilities and areas for action – supplemented by penetration tests if required. These tests simulate various types of cyber attacks on your company in order to uncover gaps in your lines of defense. Based on the findings, targeted measures can be taken to close potential attack surfaces at an early stage, before they are exploited by attackers in real scenarios.
  • Prioritization & resource planning based on the determined level and maturity of the ISMS (information security management system)

The technical and organizational requirements of the NIS-2 directive have already been listed above. The specific services and implementation within a NIS-2 project cannot be specified in advance, as the catalog of measures is derived from the analysis of the current situation and the identification of your company’s existing strengths and weaknesses. We choose this project methodology for two reasons: firstly, a blanket increase in information security across the entire company, including fail-safety for the majority of applications, is not necessary; secondly, it would impose a tight corset on your company. In addition, we deliberately opt for customized and tailored measures, not least because they increase acceptance among your employees and because they are long-lasting, as they can be maintained by the company itself afterwards.

An often underestimated part of the compliance process is change management: this requires clear communication and training of employees in order to create a basis for sustainable anchoring. The message that data is of central importance to the company’s success has now reached the minds of most employees. It is also important to communicate that professionalizing information security, whether through two-factor authentication or targeted employee training, is essential, for example to ensure the confidentiality of company data and to quickly restore critical business applications in the event of an emergency.

  • Professional communication plan along the implementation project
  • Employee training
  • Involvement of all areas of the company to create acceptance
  • Monitoring, regular audits and KPI-based tracking
  • Integration in Enterprise Architecture & Governance

Sustainable anchoring is achieved when the newly developed and modified processes and new monitoring mechanisms are integrated into the corporate architecture.

Resilience as a goal – NIS-2 as an opportunity

Compliance with NIS 2 requirements is more than just a regulatory tick on a checklist. It offers companies the opportunity to analyze their existing security architectures holistically and develop them further in a targeted manner – not as an end in itself, but as a strategic lever for long-term competitiveness. Information security is not a self-sufficient system, but part of an overarching architectural concept that must be in balance with other requirements.

If the NIS 2 project is understood in this context, then NIS 2 compliance does more than just comply with the law:

  • It opens up potential for better enterprise architecture management,
  • and strengthens the company’s power for permanent change and innovation (also referred to as “transformation readiness”) through an improved view of the company’s building blocks (applications, data, etc.)

A strong focus on increasing information security is a decision about the architecture of your organization. This means that your NIS-2 project, whether intentionally or not, will have an impact on performance, reliability, economic costs and sustainability. The measures should therefore be balanced.

Companies that implement NIS-2 holistically are not only compliant with the law, but also benefit from these advantages:

Companies that attach great importance to cyber security gain the trust of their customers and business partners, giving them a competitive advantage.

Cyber attacks can cause considerable financial damage. An efficient ISMS helps to minimize risks and prevent security incidents in a targeted manner.

Companies with a proven cyber security strategy not only fulfill important regulatory requirements, but also appear trustworthy to investors and banks.

In a digital world, it can be assumed that digital sabotage and other cyber attacks will adapt in the coming years. If you lay the right foundations, your company will learn from the long-term measures and hone the skills to grow with and adapt to new threats.

Common challenges in NIS-2 compliance

The implementation of the NIS 2 Directive poses numerous challenges for many companies – both on a technical and organizational level:

01 Disorientation
  • Uncertainty as to whether your own company is affected
  • Lack of clarity about how to get started and the specific requirements

02 Low prioritization
  • Cyber compliance is often given lower priority internally
  • Other strategic topics such as skills shortages and digitalization are pushing NIS-2 down the list of priorities

03 Resource bottlenecks
  • Limited IT budgets make it difficult to invest in security
  • Lack of qualified personnel in IT security and compliance

04 Technical complexity
  • High demands on risk management, encryption, backup & incident response
  • Difficulties in adapting outdated IT structures (legacy systems)

05 Documentation and reporting obligations
  • NIS-2 requires comprehensive evidence of measures, processes and reporting chains

06 Supply chain security
  • Companies must also assess the security of their service providers and partners

07 Awareness and training
  • Employees must be made aware of IT security and receive regular training

08 Legal uncertainties
  • National implementation (e.g. in Germany through the NIS-2UmsuCG) is still in flux
  • Lack of clarity regarding control, enforcement and sanctions

We are your partner for NIS-2

Michael Schobel-Thoma, Manager and expert for cyber security topics

Benjamin Lüber, Senior Consultant and expert for Enterprise Architecture Management (EAM)
