
NIS2 – What the directive means for you

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

In Germany, between 30,000 and 40,000 companies will soon be affected by the requirements of the NIS2 directive. About 80% of them are not aware of this, even though there are severe penalties for non-compliance. Learn in this blog article what NIS2 is and how you can prepare your company for the new directive.

08.09.2023 | Last edited: 07.09.2023

What is NIS2?

NIS2 stands for Network and Information Systems Directive 2 and is an EU directive to strengthen cyber security in Europe. In particular, it aims to improve the security of critical infrastructure by defining minimum cybersecurity standards for its operators. The directive is an evolution of the original NIS directive and aims to better protect organizations and critical infrastructure from cyber threats and to establish a high common level of security across the EU.

The NIS2 Directive was proposed by the European Commission in December 2020, entered into force at the EU level on January 16, 2023, and requires that the obligations of the Directive be implemented by October 17, 2024.

What are critical infrastructures?

Critical infrastructures (CRITIS) are organizations and facilities of major importance to the state and society, the failure or impairment of which would result in lasting supply shortages, significant disruptions to public safety or other dramatic consequences.

What are the objectives of NIS2?

NIS2, just like NIS, defines a set of measures to ensure a high common level of security of network and information systems in the European Union. The directive creates a uniform legal framework for the EU-wide development of national cyber security capacities, stronger cooperation between the member states of the European Union, and minimum security requirements and reporting obligations for critical infrastructures.

What is new in NIS2?

NIS1 required critical infrastructure operators to implement various measures to ensure cybersecurity. However, NIS1 was quite abstract and was not implemented uniformly across the member states. It also lacked specific requirements for the disclosure of cyber risks.

NIS2 was eventually developed in response to the increased threat level and the higher cybersecurity requirements that emerged during the COVID-19 pandemic.

NIS2 describes which companies or organizations are classified as critical services and in which sector they fall. It affects more companies, mandates improved risk management, and imposes more obligations and stricter penalties. In addition, NIS2 clearly defines the procedures, content and deadlines for reporting security incidents and their implementation in national law.

To whom does NIS2 apply?

The following sectors are defined as highly critical or critical according to NIS2:

Sectors with high criticality

  • Energy
  • Transportation
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT services management (B2B)
  • Public administration
  • Space

Other critical sectors

  • Postal and courier services
  • Waste management
  • Production, manufacture and trade of chemical substances
  • Production, processing and distribution of food
  • Manufacturing/production of goods
  • Digital service providers
  • Research

An attack on the energy infrastructure, for example, could lead to power outages and significant disruptions. In this sector, the AS4 protocol, which will soon be mandatory, is intended to ensure that messages can be exchanged securely between trading partners.

Requirements and deadlines for reporting security incidents

  1. Early warning within 24 hours of becoming aware of the incident: an indication of whether the incident is suspected to have been caused by unlawful or malicious action and whether it could have a cross-border impact.
  2. Incident notification within 72 hours of becoming aware: initial assessment of the security incident including its severity and impact and, where available, indicators of compromise.
  3. Final report no later than one month after the incident notification: detailed description, indication of the type of threat, root causes, remedial actions taken, and cross-border impact if applicable.

What does NIS2 mean for companies?

For affected companies, NIS2 imposes a number of obligations, including registration with the competent authority in their own Member State, disclosure of contact details, and reporting of significant security incidents, i.e., incidents that may lead to serious operational disruptions. The biggest change for companies, however, will be the additional security requirements imposed by NIS2.

NIS2 expands the original scope of NIS1 to new essential entities and now also includes public administration. In the future, companies will have to report significant security incidents within their IT infrastructures without delay and submit to supervisory measures by the national authorities.

This should make it easier to anticipate potential security risks and initiate more targeted countermeasures. Failure to comply consistently with the regulations could result in fines and penalties, which have become even stricter with NIS2.

State of the art is mandatory

The NIS2 directive obliges companies and institutions to implement appropriate technical and organizational security measures that are proportionate to the respective risks. This requires knowledge of the typical dangers of new technologies and of the methods attackers use, especially cybercriminals. NIS2 therefore requires companies to conduct regular cybersecurity risk assessments, and companies and institutions must implement preventive measures to protect against security incidents.

What measures does NIS2 require?

Some of the most important requirements that NIS2 brings with it are:

  • Policies

    Concepts for risk analysis and security for information systems

  • Incident Response

    Incident detection, analysis, containment and response.

  • Backup management and recovery, crisis management

    Business continuity: backup management and recovery, crisis management

  • Supply Chain

    Security in the supply chain

  • Purchasing

    Security in the acquisition, development and maintenance of IT systems

  • Effectiveness

    Evaluation of the effectiveness of the risk management measures

  • Cyber hygiene, training

    Cyber hygiene (e.g. updates) and training in cyber security

  • Cryptography

    Use of cryptography and, where appropriate, encryption

  • Personnel, accesses, assets

    Personnel security, access control and asset management

  • Authentication

    Multi-factor authentication or continuous authentication

  • Communication

    Secure voice, video, and text communications, including emergencies, if necessary.


For the area of email security, this means the use of cryptography and encryption in email communication to ensure the protection of critical data. However, the German law transposing NIS2 into national law is not yet much more concrete: it has only been available as a draft since spring 2023, so we still have to wait for more specifics. Nevertheless, this already shows that effective email encryption is a fundamental part of complying with the NIS2 directive.

What does NIS2 mean for email security?

In the context of NIS2, email service providers are required to take appropriate security measures to protect their services from cyberattacks and to ensure the confidentiality, integrity and availability of email communications. Protection against malware, phishing and spam is the goal here.

This may include implementing security standards, monitoring security incidents, and cooperating with the relevant authorities in reporting security incidents.

What happens if NIS2 is not complied with?

Here, NIS2 again distinguishes between sectors with high criticality and other critical sectors.

Sectors with high criticality

Here, NIS2 refers to large companies with at least 250 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in balance sheet total. In addition, there are some special cases that apply regardless of company size.

In the event of non-compliance, these companies face fines of up to 10 million euros or 2% of global annual turnover in the previous financial year, whichever is higher.

Other critical sectors

Here, NIS2 likewise refers to large companies with at least 250 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in balance sheet total. In addition, it covers medium-sized companies from both groups of sectors mentioned above with at least 50 employees, or with more than 10 million euros in annual turnover and more than 10 million euros in balance sheet total, as well as special cases that apply regardless of size, such as entities that the state classifies as "important" (for example, sole providers).

In the event of non-compliance, these companies face fines of up to 7 million euros or 1.4% of global annual turnover in the previous financial year, whichever is higher.

Enhance cybersecurity – with NoSpamProxy.

Take important steps towards NIS2 compliance by securing your IT infrastructure and protecting your email communication. Try NoSpamProxy now for free!


© 2025 Net at Work GmbH