nexalign

Glossary term

NIS2

Also: NIS2 Directive, Directive (EU) 2022/2555

EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 German companies in 18 sectors, introduces personal liability for the management body, and sets ten minimum cybersecurity measures under Article 21.

NIS2 is the second generation of European cybersecurity regulation. It entered into force on 16 January 2023; the EU transposition deadline was 17 October 2024. Germany transposes via the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), still in legislative process.

Scope: essential entities (energy, transport, banking, health, drinking water, digital infrastructure, ICT services, public administration, space) and important entities (postal, waste, chemicals, food, manufacturing, digital services, research).

Core duties: ten Article 21 minimum measures (risk analysis, incident handling, business continuity, supply-chain security, secure procurement and maintenance, effectiveness review, cyber hygiene, cryptography, personnel security, MFA). Reporting deadlines 24 h / 72 h / 1 month. Fines up to 10 M EUR or 2% of turnover. Personal liability of management body.
