
Are you ready for the NIS2 Directive?

NIS-2-directive | TÜV Rheinland

Get ready in time, ensure NIS2 compliance and strengthen your cyber resilience.

The NIS2 Directive is the European Union's response to the growing number of cyber threats. The new “Network and Information Security Directive” introduces stricter cybersecurity regulations for more sectors and companies. The objective remains the same: to protect (critical) infrastructures and increase resilience to cyberattacks.

As an EU directive, this set of rules must be transposed into national law by the member states. In Germany, the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been drafted for this purpose. However, due to new elections in early 2025 and the principle of discontinuity (of bills), its entry into force will be postponed until the next legislative period, probably late 2025/early 2026. Nevertheless, national laws have already come into force in more than seven EU member states, including Belgium, Italy, Croatia and Hungary.

German companies would therefore be well advised to use the time they have gained to address the requirements of the NIS-2 Directive now. Failure to comply with the minimum measures could result in fines of up to €10 million or 2% of annual global turnover. In addition, NIS-2 postulates a higher standard of management liability, including liability with private assets.

Prepare and implement the NIS-2 requirements with our expertise: We can assess your current situation, draw up a roadmap and help you become a compliant information and cyber security organisation.

Am I affected by the NIS2 Directive?

The NIS2 Directive makes cybersecurity relevant for many more companies: Experts estimate that approximately 150,000 companies across the EU are affected. This is because NIS2 also applies to smaller companies with 50 or more employees or an annual revenue and balance sheet total of 10 million euros. In addition, the number of sectors affected has been increased from eleven to 18. Eleven sectors are considered highly critical (essential entities) and seven more are otherwise critical (important entities). To determine the extent of the impact (relevance analysis), all business units and associated companies must be considered and evaluated on the basis of the Group's allocation rules and statutes.

What is the difference between essential and important entities?


The classification is based on the size of the company and on the sector: Essential entities are organizations that operate in a critical sector and have more than 250 employees or an annual revenue of more than 50 million euros and a balance sheet total of 43 million euros.

Essential critical sectors:

  • Energy: Electricity, oil, natural gas, hydrogen, district heating and district cooling
  • Transport: Aviation, rail transport, shipping, road transport
  • Banking
  • Financial market infrastructure
  • Healthcare: Hospitals, research, pharmaceuticals, medical devices
  • Drinking water supply
  • Waste water treatment
  • Digital infrastructure: Data centers, DNS services, cloud computing
  • ICT service providers: Managed service and managed security service providers
  • Public administration: Public authorities and offices at the national and regional level
  • Outer space: Operators of ground infrastructure

All other organizations with more than 50 employees or an annual revenue of more than 10 million euros are considered important entities.

Important critical sectors:

  • Postal and courier services: Letter and parcel delivery
  • Waste management: Waste collection and recycling
  • Chemicals: Production and trade of chemical substances
  • Food: Production, processing, and distribution of food
  • Production: Manufacturers of medical devices, machinery, vehicles, and electrical appliances
  • Digital services: Search engines, marketplaces, social networks
  • Research: Research institutions

Important: EU member states can expand the requirements if a company meets certain criteria that indicate it plays a key role for society, the economy or for certain sectors or types of services.

What will be changing under NIS2?

The most significant change is the expanded scope of companies required to comply. Additionally, the cybersecurity requirements are now more stringent: affected companies must implement appropriate “state of the art” measures in areas such as risk management, business continuity management (BCM), supply chain security and incident response.

In addition, national regulatory authorities now have stronger enforcement powers, with stricter penalties for violations as well as more rigorous reporting obligations. Companies will now be required to report security incidents promptly: an initial early warning must be submitted no later than 24 hours after becoming aware of an incident, followed by an updated, detailed report within 72 hours.

What are the penalties and liability risks?

Not only are the requirements becoming more stringent, but the pressure to enforce them is also increasing – such as through tighter sanctions and personal liability at the management level. Non-compliance with the NIS2 Directive could result in:

  • Fines of up to 10 million euros or 2% of the total global annual revenue for essential entities
  • Fines of up to 7 million euros or 1.4% of the total global annual revenue for important entities
  • Management liability for violations of the Directive
  • Personal liability of management with their private assets
  • Ban/discharge from managerial functions
  • Temporary suspension of services

What NIS2 requirements do I have to meet?

In order to be NIS2 compliant, a security program must cover the following requirements at a minimum:

Risk management

Identification, assessment and management of network and information system risks.

Security measures

Implementation of appropriate technical and organizational protective measures.

Incident reporting

Establishment of mechanisms for detecting and reporting security incidents.

Information obligations

Processes for informing stakeholders (customers, suppliers, employees) in the event of a relevant cyber security incident.

Business continuity management

Continuation and rapid restoration of business operations following incidents.

Supply chain management

Risk assessment and risk management for third-party providers and supply chains.

Employee training

Regular cybersecurity training and awareness-raising activities.

Documentation/reporting

Maintenance of security records, and regular reporting to regulatory authorities.

Review/testing

Regular monitoring and testing of security measures to verify and improve their effectiveness.

Establishing NIS2 Readiness through ISMS implementation

An Information Security Management System (ISMS) in accordance with ISO/IEC 27001 provides a solid foundation for meeting the specific requirements of NIS-2. It can be implemented in part or in full and can even be independently certified.

The ISMS helps you to identify and assess risks, take appropriate security precautions, and monitor their effectiveness. It also promotes a proactive approach to information security through regular reviews, audits, and continuous improvement.

How TÜV Rheinland can support you with NIS2:

NIS2 Quick Check

Find out if and how the NIS-2 Directive affects your organisation, either with our IT Compliance Readiness Assessment NIS-2 or with the NIS-2 QuickCheck. As part of our IT Compliance Readiness Assessment, we also identify and prioritise company-specific risks and areas for action, and analyse the extent to which the existing system is able to meet further (future) requirements, such as the EU Data Act, Cyber Resilience Act, DORA (for the financial sector), etc. A comprehensive report with an action plan completes the project and forms the basis for setting up an IT compliance management system, with or without an ISO 27001 ISMS, depending on the client's requirements. If you are looking for a short and concise introduction to the subject, we recommend our NIS-2 QuickCheck. In this process, we check whether and in which areas NIS-2 is relevant to your organisation (relevance analysis).

Comprehensive consulting services

Use our consultancy services to comply with the NIS-2 Directive and national implementing legislation, whether in Germany or in other EU member states. These services range from detailed NIS-2, BCM, ISMS, data protection and compliance gap analysis to maturity assessments and security solution design. We also test and evaluate your security technologies to prevent, detect and respond to attacks.

Implementation and operation

With the final report of the NIS-2 IT Compliance Readiness Assessment, you will receive an action and remediation plan that you can either implement with your own resources or, again, with the expertise of TÜV Rheinland. We will work with you to implement the measures based on our many years of implementation experience and best practices. We also offer complementary tool-based implementation services: you can purchase your own solution or obtain it as a managed service with variable modules - from service implementation and basic support to full operation, including SOC (Security Operations Centre) services.

Your benefits at a glance:

  • Comply with legal requirements
  • Protect critical business processes
  • Stay on top of IT risks
  • Introduce targeted security measures
  • Invest in the right measures
  • Minimize personal liability risks
  • Maximize information security

Let us support you towards NIS2 compliance.

If you are unsure whether your business is affected, we are here to help provide clarity by conducting a Relevance Analysis.

We can support you with comprehensive consulting, customized service modules and reliable implementation to get you to your goal.

Contact

Contact us to request a non-binding offer


Get in contact with us!
