NIS 2 Regulation: How Midsize Companies Can Efficiently Meet the Requirements

The EU’s NIS 2 Directive poses one of the most significant challenges in recent years for midsize companies in Europe. NIS 2 demands not only extensive technical and organizational measures but also a cultural shift in how companies approach cybersecurity. For organizations handling sensitive design data, customer information, or production data, compliance with NIS 2 requirements is not optional – it’s mandatory and non-compliance may result in heavy fines and personal liability for management. But how can companies implement these complex requirements in a pragmatic and cost-efficient way?


What Is the NIS 2 Regulation and Who Is Affected?

NIS 2 stands for “Network and Information Security Directive 2” and is an EU-wide regulation aimed at enhancing cybersecurity. It replaces the original NIS Directive, also known as NIS 1, and seeks to establish a high, uniform level of cybersecurity across the EU – especially in sectors that are socially and economically significant, including manufacturing, chemicals, food, mechanical engineering, research, and digital services.

Companies that fall under the scope of NIS 2:

  • Important Entities: Midsize companies with at least 50 employees or more than €10 million in annual revenue.

  • Essential Entities: Large enterprises with 250 or more employees or more than €50 million in annual revenue.

  • Even smaller businesses may be indirectly affected by NIS 2 due to requirements to ensure supply chain security.

The NIS 2 framework primarily applies to operators of Critical Infrastructures (KRITIS) and other businesses across various sectors. Companies in the financial, insurance, and healthcare sectors are not primarily affected, as the DORA regulation takes precedence over NIS 2 in these areas.

Is Your Company Affected by NIS 2?

[Image: NIS 2 self-test for affected companies]

When Does NIS 2 Take Effect?

Important dates at a glance:

  • Published in the EU Official Journal: December 27, 2022

  • Effective at EU level: January 16, 2023

  • Deadline for National Implementation by EU Member States: October 17, 2024

  • Implementation in Germany: March 2025 via the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)

Key NIS 2 Requirements for Midsize Companies

NIS 2 mandates a broad range of measures that go well beyond traditional IT security. These include:

  • Risk Management: Systematic analysis and documentation of IT and cybersecurity risks

  • Technical & Organizational Measures: Implementation of Identity Governance & Administration (IGA), Identity & Access Management (IAM), Multi-Factor Authentication (MFA), encryption, and emergency response strategies

  • Supply Chain Security: Evaluating and securing IT environments of suppliers and partners

  • Incident Reporting: Fast and structured reporting of cybersecurity incidents to authorities

  • Accountability: Clear assignment of cybersecurity responsibilities, including at the executive level

  • Auditing & Monitoring: Regular effectiveness reviews of measures, including external audits and certifications, e.g. ISO 27001 and NIS 2 certification

  • Documentation: Complete and audit-proof documentation of all security processes

In our NIS 2 webinar with KPMG, we discuss the requirements as well as implementation strategies, impact and risk analysis, governance, risk mitigation and reporting.

“NIS 2 is a comprehensive Directive for improving cybersecurity across the EU. While it requires upfront investment, the mandated measures provide real protection against cyber threats.”
– Fraunhofer IESE

NIS 2 Implementation Checklist: A Step-by-Step Guide

For midsize companies without an in-house compliance team, NIS 2 can feel overwhelming. The following steps have proven effective in practice:

1. Assess Applicability

Determine whether your company is subject to NIS 2 based on headcount, revenue, and sector.

2. Conduct a Risk Analysis

Identify and evaluate your IT and cybersecurity risks.

3. Evaluate Existing Measures

Identify gaps in your current security setup.

4. Prioritize Measures

Categorize initiatives by urgency, complexity, and resource needs.

5. Assign Responsibility

Appoint individuals responsible for cybersecurity and compliance.

6. Build Documentation

Record all measures and processes in an audit-ready manner.

7. Raise Awareness

Provide regular cybersecurity and compliance training.

8. Commit to Continuous Improvement

Review and adapt your controls as needed.

Tip: Use NIS 2-compliant software tools like the Garancy Suite to efficiently manage identity governance, access control, and documentation.

Business Pain Points: How to Minimize Effort and Costs

Many companies are concerned about the high investment and resource demands of NIS 2 compliance. The good news: With the right strategy and tools, both can be significantly reduced.

How to address common challenges:

  • Automation: Modern IGA and IAM platforms automate user and permission management, audit trails, and reporting.

  • Centralized Platform: A solution such as the Garancy Suite consolidates compliance processes, reduces interfaces, and minimizes errors.

  • Phased Implementation: Prioritize high-risk items to allocate resources efficiently.

  • External Consulting: Bring in NIS 2 specialists to close knowledge gaps and leverage best practices.

  • Funding Opportunities: Explore government funding programs, free self-assessment tools, or webinars.

Liability Risks and Penalties: What Happens If You Don’t Comply?

The NIS 2 legislation imposes severe sanctions: fines up to €10 million or 2% of global revenue for essential entities and up to €7 million or 1.4% of global revenue for important entities. Executives may be personally liable for non-compliance.

NIS 2 and “Made in Europe” – Compliance as a Future-Proofing Strategy

The NIS 2 regulation is more than just a legal requirement – it’s an opportunity to strengthen your company’s digital resilience, secure its capacity for innovation, and establish trust in the European market. In a global environment with increasing protectionism – as, for instance, in the U.S. – “Made in Europe” is becoming a strategic asset, especially in the broader context of regaining digital sovereignty.

Turn NIS 2 Compliance Into a Competitive Advantage

Yes, NIS 2 demands a lot from midsize companies – but it also helps elevate your IT security and compliance to the next level. With a solid strategy, modern tools like the Garancy Suite, and a step-by-step approach, you can implement NIS 2 efficiently – and protect your business from liability and cyber threats for the long term.

Let Us Help You with Your NIS 2 Strategy

Are you curious how your company can implement NIS 2 pragmatically and with minimal resources? Get in touch with our IAM experts and receive actionable insights for your NIS 2 strategy!

Frequently Asked Questions

Yes, if your business has more than 50 employees or over €10 million revenue and operates in a relevant sector.

Risk analysis, technical and organizational controls, documentation, incident reporting, supply chain security, and more.

You may face substantial fines and personal liability for the executive team.

Assess NIS 2 applicability, run a risk analysis, prioritize actions, assign responsibility, and build documentation.

Essential entities are large enterprises with at least 250 employees, or over €50 million in annual revenue. Important entities are midsize companies with at least 50 employees, or over €10 million in annual revenue. Requirements are similar, but penalties for non-compliance differ.


Author

Phillip Paul
Product Manager

Tags

Compliance, IAM, IT Security, NIS


Further Resources

Webinar

NIS-2: Requirements and Implementation in Identity & Access Management (DE)

The revised EU directives on the security of network and information systems (NIS-2) are designed to enhance cybersecurity across the EU. Aimed at increasing the IT protection of critical infrastructures, these directives must be implemented by mid-October 2024. Our recent webinar covered the key aspects of NIS-2, including implementation strategies, impact and risk analysis, governance, risk mitigation, and reporting. We placed particular emphasis on the required cyber hygiene in identity and access management.