The cybersecurity landscape in Europe is facing fundamental change. With the NIS2 Directive, the European Union is drastically tightening its cybersecurity requirements – and the impact will affect far more companies than many realize. What previously mainly affected operators of critical infrastructure is now becoming a management task for tens of thousands of companies in Germany.
The key message is clear: NIS2 is coming—and it affects far more companies than expected. Those who fail to act now risk not only substantial fines, but also personal liability at management level. At the same time, NIS2 offers an opportunity to systematically strengthen cyber resilience and make organizations fit for the future.
In this article, you will learn exactly which companies are affected by the NIS2 Directive, what specific obligations exist, what fines may be imposed, and what steps you should take now. We will show you how Axsos can support you in implementation—for an IT infrastructure that is secure, stable, and future-proof.
Why the NIS2 Directive is now a top priority
From NIS1 to NIS2: A quantum leap in cybersecurity
The first NIS Directive (Network and Information Security) came into force in 2016 and required operators of critical infrastructures to implement basic cybersecurity measures. In Germany, this affected around 2,000 to 3,000 companies—mainly large corporations in the energy, transport, health, and finance sectors.
The NIS2 Directive, which must be transposed into national law by October 2024, goes much further. It significantly expands the scope of application, tightens requirements, and introduces severe penalties. Estimates suggest that 30,000 to 40,000 companies in Germany are now affected by NIS2—a tenfold increase compared to NIS1.
Cybersecurity becomes a top priority
A key aspect of NIS2: Cybersecurity is no longer just the responsibility of the IT department, but is becoming the responsibility of senior management. Company management must actively monitor and approve the implementation of cybersecurity measures and check their effectiveness. In the event of violations, not only the company but also those responsible are personally liable.
This development reflects a reality that security experts have been emphasizing for years: cyber risks are business risks. Cyber attacks can paralyze operations, disrupt supply chains, destroy reputations, and cause financial damage that threatens the very existence of a company. NIS2 ensures that these risks are addressed at the highest level.
The time pressure is real
EU member states had to transpose the NIS2 Directive into national law by October 2024. In Germany, this is being done through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Even though the specific implementing provisions are still being finalized, one thing is certain: affected companies must act now.
Implementing NIS2 requirements is not a sprint, but a marathon. Developing appropriate organizational and technical measures, establishing incident response processes, training employees, and integrating security-by-design principles throughout the organization takes time—often 12 to 24 months. Those who start now will be prepared in time. Those who wait will find themselves under time pressure.
Who is affected by the NIS2 Directive?
The question "Am I affected by NIS2?" is currently preoccupying tens of thousands of companies in Germany. The answer depends on several factors: the industry, the size of the company, and its role in the economic structure.
Relevant sectors and industries
NIS2 distinguishes between sectors with high and particularly high criticality. The following areas fall under the directive:
Sectors with particularly high criticality:
- Energy: electricity, district heating and cooling, oil, natural gas, hydrogen
- Transportation: aviation, rail transport, shipping, road transport
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Healthcare: healthcare facilities, pharmaceutical industry
- Drinking water: supply and distribution
- Wastewater: disposal and treatment
- Digital infrastructure: internet exchange points, DNS service providers, TLD registries, cloud computing, data centers, content delivery networks, trust service providers, operators of public electronic communications networks/services
- ICT service management: managed service providers, managed security service providers
- Public administration: public administration institutions at federal and state level
- Space: operators of ground infrastructure
Other critical sectors:
- Postal and courier services
- Waste management
- Chemical industry: production, processing, and distribution
- Food production and trade
- Manufacturing/production of goods: medical devices, electronics, machinery, motor vehicles, and other areas
- Digital services: online marketplaces, search engines, social networks
- Research institutions
This list shows that NIS2 affects not only obviously critical infrastructures, but also large parts of the economy.
Size categories: When do the thresholds apply?
Not every company in a relevant sector automatically falls under NIS2. The directive defines size thresholds:
Medium-sized companies (usually affected):
- 50 to 249 employees
- Annual turnover between €10 million and €50 million or annual balance sheet total between €10 million and €43 million
Large companies (generally affected):
- 250 or more employees
- Annual turnover exceeding €50 million or annual balance sheet total exceeding €43 million
Small businesses (fewer than 50 employees) are generally exempt, unless they provide particularly critical services (e.g., DNS services, TLD registries) or are the sole provider in a Member State.
Important: These thresholds are not absolute. Authorities may also classify smaller companies as affected if they are particularly critical for security of supply or public safety.
Essential vs. important facilities
NIS2 distinguishes between two categories:
Essential facilities (highest criticality):
- Large companies (250 or more employees) in sectors of particular critical importance
- Stricter supervision
- Higher potential fines (up to 2% of global annual turnover or up to €10 million)
Important facilities (high criticality):
- Medium-sized companies (50-249 employees) in all critical sectors
- Large companies in less critical sectors
- Fundamentally the same obligations, but risk-based supervision
- Fines of up to 1.4% of global annual turnover or up to €7 million
The supply chain dimension: Indirect impact
An often overlooked aspect: even companies that are not directly subject to NIS2 may be indirectly affected. If you work as a service provider, supplier, or IT partner for companies that are subject to NIS2, they will expect you to meet higher security standards or require this contractually.
NIS2 explicitly requires affected companies to assess and manage risks in the supply chain. This means that your customers will demand security certificates, certifications, or audits. Those who cannot provide these risk losing business.
Impact assessment: Three key questions
To check whether your company is affected by NIS2, answer these questions:
- Industry: Does your company belong to one of the critical sectors listed?
- Size: Do you employ at least 50 people and generate annual sales of over €10 million?
- Criticality: Do you provide services that are particularly critical for public safety, security of supply, or economic activities?
If you answer "yes" to at least two of these questions, a detailed review is strongly recommended. Axsos supports you with a professional impact analysis.
Obligations and requirements under the NIS2 Directive
The NIS2 obligations for companies are extensive and have a profound impact on their organization and operations. They are divided into organizational measures, technical security precautions, and reporting obligations.
Organizational measures: Systematically embedding cybersecurity
NIS2 requires structured, comprehensive security management. This includes:
Risk management: Companies must systematically identify, assess, and address cyber risks. This includes creating a risk analysis that is updated regularly. Risks must be documented, prioritized, and addressed with appropriate measures.
Security policy and concepts: A documented information security policy is mandatory. It defines security objectives, responsibilities, and principles of cybersecurity within the company.
Governance structures: Management must assume overall responsibility for cybersecurity. This means regular reporting on the security situation, approving budgets and resources, and actively monitoring the implementation of measures.
Incident management and business continuity: Companies must establish processes to detect, assess, handle, and learn from security incidents. Business continuity plans ensure that critical business processes continue to run even in the event of a crisis.
Supply chain security: NIS2 requires the assessment and management of cybersecurity risks in the supply chain. This includes selecting secure suppliers, contractual security requirements, and monitoring service providers.
Training and awareness: Employees are often the weakest link in the security chain. NIS2 requires regular cybersecurity training for all employees, tailored to their role and responsibilities.
Technical measures: Security by design and defense in depth
On a technical level, NIS2 requires a multi-layered security approach:
Network and information system security: Firewalls, intrusion detection systems, network segmentation, encrypted communication—the fundamentals must be in place.
Access and authorization control: multi-factor authentication, the least-privilege principle, and regular review of authorizations. Only those who need access are granted it, and only to what is really necessary.
Cryptography and encryption: Sensitive data must be encrypted both during transmission and storage.
Patch and vulnerability management: Security gaps must be closed promptly. This requires systematic monitoring of vulnerabilities and structured patch management.
Backup and disaster recovery: Regular backups, tested and stored securely, are essential. In an emergency, systems and data must be able to be restored quickly.
Security operations and monitoring: Continuous monitoring of IT infrastructure for anomalies and attacks. Security Information and Event Management (SIEM) and Security Operations Centers (SOC) are becoming a necessity for many companies.
Reporting requirements: 24 hours, 72 hours, 30 days
A key component of NIS2 is the obligation to report security incidents. These obligations are strict and the deadlines are short:
Early warning within 24 hours: If a security incident is detected that could have a significant impact on service provision, an initial report must be made to the competent authority (in Germany, the BSI) within 24 hours of becoming aware of it. This initial report can be brief, but should contain initial assessments of the nature, severity, and possible impact.
Interim report within 72 hours: A more detailed report is required no later than 72 hours after the incident has been identified. It contains an initial assessment of the incident, initial findings on the cause, immediate measures taken, and an assessment of further developments.
Final report within approximately one month: Once incident handling has been completed, but no later than one month after the initial report, a comprehensive final report must be submitted. This report documents the entire incident, the root cause analysis, the measures taken, and lessons learned.
Critical: These deadlines are not recommendations, but legal obligations. Violations can be sanctioned. Companies must therefore establish processes that ensure incidents are detected, assessed, and reported in a timely manner. This requires clear responsibilities, defined escalation paths, and 24/7 availability.
The role of management: Responsibility at the top
A paradigm shift brought about by NIS2: Cybersecurity is a matter for top management. Management bears overall responsibility and can no longer hide behind the IT department.
Specifically, this means:
- Active monitoring: Management must actively monitor the implementation of cybersecurity measures.
- Approval of measures: Security policies, budgets, and strategic decisions regarding cybersecurity must be approved by senior management.
- Mandatory training: Management must also undergo training in cybersecurity issues.
- Personal liability: In the event of serious violations, members of management can be held personally liable—not just the company.
These regulations ensure that cybersecurity receives the attention and resources it deserves.
Fines and liability risks: What is at stake
NIS2 is not toothless. The directive provides for significant sanctions – both for companies and for responsible individuals.
Amount of fines for NIS2 violations
The NIS2 fines are based on the company's global annual turnover and vary depending on the category of the institution:
For essential facilities:
- Up to 10 million euros or
- Up to 2% of the global annual revenue of the previous fiscal year
- The higher amount applies in each case.
For important facilities:
- Up to 7 million euros or
- Up to 1.4% of the global annual revenue of the previous fiscal year
- The higher amount applies in each case.
These amounts are upper limits. The actual amount of a fine is determined on a case-by-case basis and takes into account factors such as the severity of the violation, its duration, the degree of fault, measures taken to limit damage, and willingness to cooperate.
Sample calculation: A medium-sized manufacturing company with 200 employees and annual sales of €30 million that is classified as an important facility risks a fine of up to €420,000 (1.4% of €30 million) for serious violations—or €7 million if the authority applies the fixed amount.
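As an added example that is not part of the article and not Axsos' or any authority's tooling, the following Python script encodes the size thresholds and the essential/important classification from the section above, the fine caps and their "higher amount applies" rule, and the 24 h / 72 h / one month reporting deadlines, using the article's sample company as input. The class and function names are invented; how the two financial thresholds combine, what category a small business caught by an exception falls into, and modelling "one month" as 30 days are assumptions marked in the comments.

```python
"""NIS2 scoping helper built from the thresholds described in this article.

Constructed example for illustration. Every ASSUMPTION comment marks a point
the article leaves open; confirm it against the national implementing act.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Sector(Enum):
    PARTICULARLY_CRITICAL = "particularly high criticality"  # energy, health, digital infrastructure, ...
    OTHER_CRITICAL = "other critical sector"                 # postal, chemicals, manufacturing, ...
    NOT_LISTED = "not a NIS2 sector"


@dataclass
class Company:
    sector: Sector
    employees: int
    turnover_m: float          # annual turnover in EUR millions
    balance_sheet_m: float     # annual balance sheet total in EUR millions
    critical_service: bool = False   # e.g. DNS service provider, TLD registry
    sole_provider: bool = False      # sole provider of the service in a Member State


def size_class(c: Company) -> str:
    """Map headcount and financials to 'small', 'medium' or 'large'.

    ASSUMPTION: headcount alone is enough to reach a class, and the turnover
    and balance-sheet thresholds are combined as in the EU SME definition
    (both must be exceeded); the article lists them without saying how they combine.
    """
    if c.employees >= 250 or (c.turnover_m > 50 and c.balance_sheet_m > 43):
        return "large"
    if c.employees >= 50 or (c.turnover_m > 10 and c.balance_sheet_m > 10):
        return "medium"
    return "small"


def classify(c: Company) -> str:
    """Return 'essential', 'important', 'review' or 'out_of_scope'."""
    if c.sector is Sector.NOT_LISTED:
        return "out_of_scope"
    size = size_class(c)
    if size == "small":
        # Small businesses are generally exempt unless they provide a particularly
        # critical service or are the sole provider. ASSUMPTION: the article does
        # not say which category then applies, so the case is flagged for review.
        return "review" if (c.critical_service or c.sole_provider) else "out_of_scope"
    if size == "large" and c.sector is Sector.PARTICULARLY_CRITICAL:
        return "essential"
    # Medium-sized in any critical sector, or large in a less critical sector.
    return "important"


FINE_RULES = {  # category -> (fixed cap in EUR, share of global annual turnover)
    "essential": (10_000_000, 0.02),
    "important": (7_000_000, 0.014),
}


def max_fine(category: str, global_turnover_eur: float) -> dict:
    """Upper fine limit: the higher of the fixed amount and the turnover share."""
    fixed, share = FINE_RULES[category]
    turnover_share = round(global_turnover_eur * share)
    return {"fixed": fixed, "turnover_share": turnover_share, "cap": max(fixed, turnover_share)}


def reporting_deadlines(detected_at_iso: str) -> dict:
    """Early warning 24 h and interim report 72 h after detection, final report
    one month after the initial report. ASSUMPTION: 'one month' is modelled as
    30 days after the early-warning deadline. Input and output are ISO 8601 strings."""
    detected = datetime.fromisoformat(detected_at_iso)
    early = detected + timedelta(hours=24)
    return {
        "early_warning": early.isoformat(),
        "interim_report": (detected + timedelta(hours=72)).isoformat(),
        "final_report": (early + timedelta(days=30)).isoformat(),
    }


if __name__ == "__main__":
    # The article's sample: 200 employees, EUR 30 million turnover, manufacturing.
    sample = Company(Sector.OTHER_CRITICAL, 200, 30, 20)
    category = classify(sample)
    print(category, max_fine(category, 30_000_000))
    for name, when in reporting_deadlines("2025-03-03T09:30").items():
        print(f"{name:15s} {when}")
```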
When are fines imposed?
Fines may be imposed for:
- Failure to comply with security requirements: If a company fails to implement the required technical and organizational measures
- Violation of reporting obligations: Late, incomplete, or omitted reports of security incidents
- Failure to comply with official orders: If a company disregards the requirements of the supervisory authority
- Lack of cooperation: In the event of a lack of or insufficient cooperation with authorities
- Incorrect or misleading information: When authorities are deliberately misinformed
Important: Negligent behavior can also be punished. Intent is not necessarily required.
Personal liability of management
In addition to fines for the company, NIS2 also provides for the possibility of holding members of the management personally liable. This can be done by:
- Personal fines against managing directors for intentional or grossly negligent violations
- Civil liability: claims for damages by customers, partners, or shareholders in the event of breaches of duty
- Criminal consequences: criminal investigations may be initiated in the case of particularly serious violations
This personal dimension significantly increases the pressure to act. Managing directors can no longer argue that they were unaware of security deficiencies—they have a duty to actively seek information and take action.
Further consequences beyond fines
Financial penalties are only part of the risks. Violations of NIS2 can have other serious consequences:
- Reputational damage: Fines and security incidents often become public knowledge. This damages the trust of customers, partners, and the general public.
- Business losses: Customers may terminate contracts, and new business may not materialize.
- Tighter supervision: Companies that attract attention are subject to more intensive regulatory control.
- Competitive disadvantages: While competitors strengthen their cyber resilience, laggards struggle with the consequences.
The message is clear: the costs of non-compliance far exceed the investment in compliance.
Specific areas of action: What companies should do now
Implementing NIS2 is a challenge—but it is manageable if approached in a structured manner. Here are the key steps:
Step 1: Perform an impact assessment
The first step is clarity: Are we affected or not? Conduct a systematic impact analysis:
- Check whether your company operates in one of the defined critical sectors.
- Determine your current number of employees and your annual turnover.
- Assess whether you provide services that are considered particularly critical.
- Consider whether you are a supplier or service provider for companies subject to NIS2.
When in doubt: seek external expertise. A wrong assessment can be costly.
Step 2: Assessing the current level of security
If you are affected, the next step is to analyze the current situation: Where do you stand today in terms of cybersecurity?
- Gap analysis: Compare your current measures with the NIS2 requirements. Where are the gaps?
- Risk assessment: Identify your critical assets and assess their threat level.
- Process check: Are there documented processes for incident response, patch management, and backup?
- Technical review: What is the status of firewalls, encryption, monitoring, and access controls?
- Organizational structures: Are responsibilities clearly defined? Is there a CISO or security officer?
This assessment shows where you stand and what needs to be done.
Step 3: Develop an NIS2 compliance roadmap
Based on the gap analysis, you create a prioritized roadmap:
- Identify quick wins: Which measures can be implemented quickly and close critical gaps?
- Prioritize by risk: Address the biggest risks first.
- Resource planning: budget, personnel, external support—what is needed?
- Schedule with milestones: Set realistic deadlines and define intermediate goals.
- Assign responsibilities: Who is responsible for which area?
The roadmap is your guide to compliance.
Step 4: Establish an information security management system (ISMS)
A structured ISMS is the backbone of NIS2 compliance. It includes:
- Security guidelines and concepts: Documented policies for all relevant areas
- Risk management system: Systematic recording, assessment, and handling of risks
- Process definitions: Clear procedures for incident response, change management, access control
- Documentation: Verifiable implementation of all measures
- Continuous improvement: Regular review and adjustment of the ISMS
Standards such as ISO 27001 provide proven frameworks for ISMS development and are compatible with NIS2 requirements.
Step 5: Establish incident response processes
Given the strict reporting deadlines, a functioning incident response process is essential:
- Incident response team: Define who does what in the event of an incident
- Escalation paths: How can you reach the relevant people 24/7?
- Communication channels: How are reports made to authorities, internally, externally?
- Playbooks: Predefined procedures for typical incident scenarios
- Regular exercises: Test your processes through simulated incidents
Only what has been practiced will work in an emergency.
Step 6: Train and raise awareness among employees
Technology alone is not enough. People are crucial:
- Security awareness programs: Regular training for all employees
- Role-specific training: In-depth training for IT staff and managers
- Phishing simulations: Practical tests to raise awareness
- Establishing a culture of security: Making cybersecurity a natural part of corporate culture
Step 7: Continuous monitoring and improvement
NIS2 compliance is not a one-time project, but rather an ongoing process:
- Security monitoring: Continuous monitoring of the IT infrastructure
- Regular audits: Internal and external reviews of the measures
- Vulnerability management: Systematic identification and remediation of gaps
- Lessons learned: Learning from incidents and tests
- Adapting to new threats: The threat landscape is evolving—your security must keep pace
How Axsos supports you in implementing NIS2
The requirements of NIS2 are complex. Many companies do not have the internal resources and specialist knowledge to tackle this challenge alone. As an experienced partner, Axsos guides you through the entire process—from initial assessment to long-term security.
Impact analysis and classification
The first step is clarity. Axsos conducts a structured impact analysis:
- Review of your business activities against the NIS2 sectors
- Assessment of your company size and structure
- Classification as an essential or important facility
- Analysis of indirect impact through supply chains
- Clear recommendation for action: affected or not affected
Gap analysis and compliance roadmap
Based on NIS2 requirements, Axsos analyzes your current security level:
- Systematic evaluation of technical and organizational measures
- Identification of gaps and areas requiring action
- Risk assessment and prioritization
- Development of a customized compliance roadmap
- Realistic time and resource planning
Implementation of technical and organizational measures
Axsos supports you in practical implementation:
- ISMS development: Establishment of a structured information security management system
- Technical security: Implementation of firewalls, SIEM systems, encryption, monitoring solutions
- Incident response processes: Establishing effective processes for incident handling and reporting
- Backup and recovery: Secure data backup and tested recovery processes
- Access controls: Multi-factor authentication and authorization management
Support with reporting processes
The strict reporting deadlines of NIS2 require clear processes. Axsos can assist you:
- Establishment of reporting processes with clear responsibilities
- Connection to government reporting systems
- Definition of thresholds for reportable incidents
- Templates and checklists for reporting
- 24/7 availability in case of an incident
Managed Security Services for continuous compliance
NIS2 compliance does not end with initial implementation. Axsos offers comprehensive managed security services:
- 24/7 security monitoring: Continuous monitoring of your IT infrastructure
- Incident response support: Rapid response to security incidents
- Vulnerability management: Regular scans and patch management
- Compliance monitoring: Monitoring compliance with NIS2 requirements
- Regular audits and assessments: Ensuring continuous compliance
Freedom through technology: Security as an enabler
At Axsos, we don't see security as an obstacle, but as the foundation for entrepreneurial freedom. A secure, stable IT infrastructure enables you to:
- Focus on your core business instead of fighting security incidents
- Strengthen the trust of your customers and partners
- Safely tap into new business areas and digital services
- Confidently meet compliance requirements
- Relieve your IT teams and free them up for strategic tasks
NIS2 is a regulatory requirement—but also an opportunity to make your organization more resilient in the long term.
Frequently asked questions about the NIS2 Directive
What is the NIS2 Directive in simple terms?
The NIS2 Directive is an EU law that requires companies and institutions in critical sectors to implement enhanced cybersecurity measures. It replaces the previous NIS1 Directive, significantly expands its scope, and tightens requirements. The aim is to increase the resilience of critical infrastructures against cyberattacks across the EU and to create a uniform level of security.
Who specifically is affected by NIS2?
This affects medium-sized and large companies (with 50 or more employees and annual turnover of €10 million or more) in defined critical sectors. These include energy, transport, health, finance, digital infrastructure, public administration, manufacturing, and many other industries. Service providers to these companies may also be indirectly affected. In Germany, an estimated 30,000 to 40,000 companies will fall under NIS2.
What obligations does NIS2 impose on companies?
Companies must implement technical and organizational measures for cybersecurity, including risk management, incident management, business continuity, encryption, access controls, backup strategies, and supply chain security. Management bears overall responsibility. In the event of security incidents, there are strict reporting requirements with deadlines of 24 and 72 hours, as well as a final report after approximately one month.
How high are the fines for violations of NIS2?
For essential facilities, fines of up to €10 million or 2% of global annual turnover (whichever is higher) may be imposed. For important facilities, fines of up to €7 million or 1.4% of global annual turnover may be imposed. In addition, members of the management board may be held personally liable.
What are the reporting deadlines for security incidents?
In the event of significant security incidents, the following applies: initial report within 24 hours of becoming aware of the incident, detailed interim report within 72 hours, and a comprehensive final report within approximately one month. These deadlines are binding, and violations may be subject to sanctions.
How can companies check whether they are affected?
Check three factors: (1) Does your company belong to one of the defined critical sectors? (2) Do you employ at least 50 people and generate annual sales of over €10 million? (3) Do you provide particularly critical services? If you answer yes to at least two of these questions, a detailed impact analysis is recommended. Axsos can help you with this.
What initial steps should companies take now?
Start by assessing whether you are affected. If so, carry out a gap analysis to evaluate your current level of security. Develop a compliance roadmap with prioritized measures. Establish an ISMS and incident response processes. Train your employees, especially management. The sooner you start, the better—implementation takes time.
Does NIS2 compliance replace other security standards such as ISO 27001?
NIS2 and ISO 27001 complement each other well. An ISMS certified according to ISO 27001 already fulfills many NIS2 requirements. However, NIS2 also requires specific reporting obligations and industry-specific measures. Companies with ISO 27001 have a head start, but must supplement NIS2-specific aspects.
Conclusion: NIS2 as an opportunity for sustainable cyber resilience
The NIS2 Directive marks a turning point in European cybersecurity policy. It affects not only a few large corporations, but tens of thousands of small and medium-sized enterprises in Germany. The message is clear: cybersecurity is no longer a nice-to-have, but a regulatory and business-critical necessity.
The requirements are extensive, the fines for violations are severe, and the personal responsibility of management is clearly defined. Those who fail to act now risk not only sanctions, but also competitive disadvantages and damage to their reputation.
But NIS2 is more than just a compliance exercise. The directive offers an opportunity to systematically make your organization more resilient. Structured security management, robust incident response processes, trained employees, and a secure IT infrastructure not only protect against regulatory risks, but also against real threats. They create stability, trust, and the freedom to focus on your core business.
The time to act is now. Implementing NIS2 requirements takes time, resources, and expertise. The sooner you start, the more structured and stress-free the process will be.
Start your NIS2 compliance journey now
Don't wait until the regulators come knocking on your door. Start preparing for NIS2 today. Axsos is your experienced partner – from the initial impact analysis and implementation of technical and organizational measures to long-term operation and continuous improvement of your cybersecurity.
Contact us for a no-obligation NIS2 check. Together, we will assess whether and to what extent your company is affected, identify areas where action is needed, and develop a customized roadmap to compliance. We will show you transparently what measures are necessary and what the path to compliance looks like.
Create security, stability, and future viability—with an IT infrastructure that meets regulatory requirements while giving your company the freedom to innovate and grow.
Axsos – Freedom through technology.
SEO metadata
SEO title: NIS2 Directive: Who is affected? Obligations, fines, and deadlines
Meta description: NIS2 affects over 30,000 companies in Germany. Find out who needs to take action, what obligations apply, and how high the fines are. Check now!
Focus keywords:
- NIS2 Directive
- NIS2 affected
- NIS2 fines
- NIS2 Reporting obligation
- NIS2 obligations for companies
- NIS2 implementation in Germany
- NIS2 essential facilities
- NIS2 important facilities
- NIS2 compliance
- NIS2 deadlines 24 72 hours
- Cybersecurity for small and medium-sized enterprises
- IT security compliance
URL suggestion: axsos.de/blog/nis2-guideline-who-is-affected-obligations-fines
Internal linking options:
- IT security and cybersecurity strategy
- Managed Security Services
- Modernize IT infrastructure
- Compliance and data protection
- Incident response and business continuity
- ISMS setup and ISO 27001