What is NIS2?
NIS2 stands for Network and Information Systems Directive 2 and is an EU directive to strengthen cyber security in Europe. In particular, it aims to improve the security of critical infrastructure by defining minimum cybersecurity standards for critical infrastructure. The directive is an evolution of the original NIS directive and aims to better protect organizations and critical infrastructure from cyber threats and enable a high level of security across the EU.
Since December 6, 2025, the provisions of the NIS2 Directive have been transposed into German law via a NIS2 implementation act that specifically amends the BSI Act (BSIG) and KRITIS regulations.
What are critical infrastructures?
Critical infrastructures (KRITIS) are organizations and facilities of major importance to the state and society, whose failure or impairment would result in lasting supply shortages, significant disruptions to public safety, or other severe consequences.
What are the objectives of NIS2?
NIS2, just like NIS, defines a set of measures to ensure a high common level of security of network and information systems in the European Union. The directive created a uniform legal framework for the EU-wide development of national capacities for cyber security, stronger cooperation between the member states of the European Union, and minimum security requirements for and reporting obligations on critical infrastructures.
What is the difference between NIS1 and NIS2?
NIS1 required critical infrastructure operators to implement various measures to ensure cybersecurity. However, NIS1 was quite abstract and was not uniformly implemented. It also lacked specific requirements for cyber risk disclosure.
NIS2 was eventually developed in response to the increased threat level and the heightened cybersecurity requirements that emerged during the coronavirus pandemic.
NIS2 describes which companies or organizations are classified as critical services and in which sector they fall. It affects more companies, mandates improved risk management, and imposes more obligations and stricter penalties. In addition, NIS2 clearly defines the procedures, content and deadlines for reporting security incidents and their implementation in national law.
What changes have been made to NIS2 since 2026?
In January 2026, the European Commission presented a proposal to amend NIS2 in several areas in order to simplify its application and achieve better coordination with other EU regulations. The basic structure of NIS2 will remain unchanged, but will be “fine-tuned.” The adjustments mentioned here are currently only a proposal by the EU Commission. They will only take effect once they have been adopted and implemented by the Parliament, the Council, and the member states.
More precise scope of application
- Introduction of a lower limit of 1 megawatt for power generation facilities so that very small power generators—such as many small PV systems—are not covered by NIS2.
- New category of “strategic dual-use infrastructure” for infrastructure that is used for both civilian and military purposes and can be classified as particularly critical regardless of size.
- Sector-specific fine-tuning, for example in the chemical sector (focus on manufacturing/production instead of manufacturing and distribution), as well as more precise coverage of DNS providers according to the usual NIS2 size thresholds.
New size category “small mid-caps”
In addition to the categories “essential” and “important,” a new category of so-called “small mid-caps” is to be introduced. It covers companies with fewer than 750 employees and an annual turnover of less than €150 million that operate in NIS2 sectors. These companies are to be treated in the same way as “important” companies.
Greater harmonization and coordination
- National exceptions are to be restricted so that security measures and reporting processes are applied more uniformly across the EU.
- NIS2 will be more closely integrated with DORA, the CER Directive, and the Cyber Resilience Act to avoid double regulation.
Certifications and supply chain
- In future, certain NIS2 obligations will be verifiable through EU cybersecurity certifications and established standards.
- Guidelines and a stronger focus on certificates are intended to stem the “flood of questionnaires” in the supply chain.
To whom does NIS2 apply?
The following sectors are defined as highly critical or critical according to NIS2:
Sectors with high criticality
- Energy
- Transportation
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT services management (B2B)
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Production, manufacture and trade of chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Digital service providers
- Research
An attack on the energy infrastructure, for example, could lead to power outages and significant disruptions.
Requirements and deadlines for reporting security incidents
- Early warning within 24 hours of becoming aware of the incident: an indication of whether the incident is suspected to be caused by unlawful or malicious action and whether it could have a cross-border impact.
- Detailed report within 72 hours of becoming aware: an initial assessment of the security incident, including its severity and impact and, where available, indicators of compromise.
- Progress/final report no later than one month after the notification: a detailed description of the incident, the type of threat, root causes, remedial actions taken, and any cross-border impact.
What does NIS2 mean for companies?
For affected companies, NIS2 imposes a number of obligations, including registration with the competent authority in their own Member State, disclosure of contact details, and reporting of significant security incidents, i.e., incidents that may lead to serious operational disruptions. The biggest change for companies, however, will be the additional security requirements imposed by NIS2.
NIS2 expands the original scope of NIS1 to new essential facilities and now includes government institutions. In the future, companies will have to report all security-related incidents within their IT infrastructures without delay and agree to certain control mechanisms by national supervisory authorities.
This should make it easier to anticipate potential security risks and initiate more targeted countermeasures. Failure to comply consistently with the regulations could result in fines and penalties, which have become even stricter with NIS2.
State of the art is mandatory
The NIS2 directive obliges companies and institutions to implement adequate technical and organizational security measures that address their respective risks. This is impossible without knowing the typical dangers of new technologies and the attack methods in use, especially those of cybercriminals. NIS2 therefore requires companies to conduct regular cybersecurity risk assessments and to implement preventive measures that protect against security incidents.
What measures does NIS2 require?
Some of the most important requirements that NIS2 brings with it are:
Will additional measures be necessary due to the changes in 2026?
The proposed adjustments for 2026 do not change the fundamental obligations under NIS2, but rather clarify the scope, categories, and means of verification. For companies that are already dealing with NIS2, this primarily results in minor adjustments rather than completely new packages of measures. In practical terms, this means that
- risk management,
- technical and organizational protective measures,
- reporting processes,
- governance, and
- supply chain controls
remain the central benchmark, supplemented by a more detailed review of the company’s own classification (see “small mid-cap”) and strategic use of certifications as a means of verification.
For email security, this means using cryptography and encryption in email communication to protect critical data. However, the law implementing NIS2 is not yet much more concrete: it has been available as a draft since spring 2023, so more specifics are still to come. Even so, effective email encryption is clearly a fundamental part of complying with the NIS2 directive.
What does NIS2 mean for email security?
In the context of NIS2, email service providers are required to take appropriate security measures to protect their services from cyberattacks and to ensure the confidentiality, integrity and availability of email communications. Protection against malware, phishing and spam is the goal here.
This may include implementing security standards, monitoring security incidents, and cooperating with the relevant authorities in reporting security incidents.
What happens if NIS2 is not complied with?
Here, NIS2 again distinguishes between sectors with high criticality and other critical sectors.
Sectors with high criticality
Here, NIS2 covers large companies with more than 249 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in total assets. In addition, there are some special cases that apply regardless of size.
In the event of non-compliance, these companies face fines with a maximum of at least 10 million euros or 2% of global turnover in the previous year, whichever is higher.
Other critical sectors
Here, NIS2 covers large companies with more than 249 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in total assets. It also covers medium-sized companies from both groups of sectors above with at least 50 employees, or with 10 million euros in annual turnover and more than 10 million euros in total assets, as well as special cases that apply regardless of size, such as facilities classified as “important” by the state (for example, sole providers).
In the event of non-compliance, these companies face fines with a maximum of at least 7 million euros or 1.4% of global turnover in the previous year, whichever is higher.
Enhance cybersecurity – with NoSpamProxy.
Take important steps towards NIS2 compliance by securing your IT infrastructure and protecting your email communication. Try NoSpamProxy now for free!