NIS2 implementation for companies: immediate actions & roadmap to 2026
2026-05-05T15:31:48+02:00

Why NIS2 Affects Everyone

  • NIS2 applies to companies with at least 50 employees or more than €10 million in annual turnover and balance sheet total
  • Management bears personal responsibility
  • Initial measures include MFA, patching, tested backups, and clear responsibilities

The EU directive NIS2 marks a turning point in IT security, and its implementation looks
different for each company. Whereas previous regulations, such as NIS1 or the German KRITIS
Regulation, focused on a few clearly defined operators of critical infrastructures, the circle of
affected companies is now significantly wider.

Specifically, this means that medium-sized companies, suppliers, and service providers also fall
within the scope of the directive, even if they do not belong to the classic “critical
infrastructures” (according to the BSI). In Germany the usual thresholds are at least 50 employees,
or more than 10 million euros in both annual turnover and balance sheet total. Smaller companies
are generally excluded, but can still be affected if they provide particularly critical services,
for example in healthcare or digital infrastructure. Internationally active companies should note
that every EU member state transposes the directive into national law with comparable requirements.

For companies, the question is therefore no longer “whether” they are affected by NIS2, but how quickly they can prepare for implementing it.

What Does NIS2 Demand in Practice?

The directive includes a variety of requirements. To make the implementation more tangible, they can be divided into three core areas: governance, technical basic measures, and reporting obligations.

1. Governance – Clarify responsibility and create processes

A central element of NIS2 is the assignment of responsibility. Management and IT management must ensure that information security is organizationally anchored. The directive requires that:

  • Clear roles and responsibilities are defined.
  • Policies and guidelines must be documented in a binding manner and known to all employees.
  • Management systems that define rules and procedures for information security or emergencies (e.g. ISMS or BCM) come into focus.

Practical example

A medium-sized mechanical engineering company appoints an “information security officer” at management level, supported by a small internal team. Together with a consultant, this team creates simple guidelines for password management, access rights, and emergency processes.

2. Technical Basics – the indispensable Quick Wins

NIS2 also requires basic technical measures. Many of these have long been considered best practice, yet in reality they are often implemented only partially. That makes them ideal quick wins: they can be introduced relatively quickly and immediately raise the level of security. They include:

  • Multi-factor authentication (MFA): protects sensitive systems from unauthorized access, even if passwords are compromised.
  • Regular patch and update management prevents known vulnerabilities from remaining open for months or years.
  • Backups with recovery tests: not only secure the data, but also practise the restore, because a backup that has never been restored is an assumption, not a safeguard.
  • Monitoring and logging: attacks and anomalies must be detected early, before they cause damage. Under NIS2 a SIEM is not mandatory for every company, but it can be useful or effectively necessary for companies with critical IT structures, many log sources, or close regulatory exposure; see our expert article “NIS2 is coming – Do companies need a SIEM system?”.
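What “backups with recovery tests” means in practice is easiest to show in code. The following Python script is an added example, not code from the original article or from netX Consult: it backs up a directory tree, records a manifest of SHA-256 digests at backup time, restores the archive into a scratch directory, and compares what came back with the manifest. It then repeats the drill against a truncated archive and against a backup that has gone stale because the source changed, the two failure modes a restore test is meant to catch. All directory names, file names and file contents are constructed for the example; the only requirement is Python 3.9 or newer.

```python
"""Backup recovery drill (added example, not from the original article).

Back up a directory tree, then prove the backup is usable by restoring it into a
scratch directory and comparing per-file SHA-256 digests with the manifest that
was recorded when the backup was taken. All sample data is constructed inline.
"""
import hashlib
import random
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file below root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source and return the manifest taken at backup time.
    Store the manifest alongside the backup: it is what the restore test checks against."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return file_manifest(source)


def restore_test(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore archive into a fresh scratch directory and return a list of findings.
    An empty list means the drill passed; any entry means the backup is not usable
    as-is (unreadable archive, missing, altered or unexpected files)."""
    findings: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" filter (Python 3.12, backported to 3.8.17+) refuses members
                # that would escape dest; older interpreters fall back to no filter.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = file_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                findings.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                findings.append(f"content differs from manifest: {rel}")
        findings.extend(f"unexpected file in backup: {rel}"
                        for rel in restored if rel not in manifest)
    return findings


def run_drill() -> dict[str, list[str]]:
    """Run the drill on constructed sample data in three scenarios: a healthy backup,
    a truncated archive, and a backup that is stale because the source changed."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "crm-data"  # hypothetical source tree
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example GmbH\n")
        # Incompressible payload so that truncating the archive really loses data.
        (src / "invoices" / "export.bin").write_bytes(random.Random(7).randbytes(4096))

        archive = Path(work) / "crm-data.tar.gz"
        manifest = create_backup(src, archive)
        results["healthy"] = restore_test(archive, manifest)

        # Scenario 2: the archive was cut short (copy job died, disk full, ...).
        broken = Path(work) / "truncated.tar.gz"
        broken.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        results["truncated"] = restore_test(broken, manifest)

        # Scenario 3: the source changed after the backup. Checking against a fresh
        # manifest shows that the backup no longer reflects production data.
        (src / "customers.csv").write_text("id,name\n1,Example GmbH\n2,Muster AG\n")
        results["stale"] = restore_test(archive, file_manifest(src))
    return results


if __name__ == "__main__":
    for scenario, findings in run_drill().items():
        print(f"{scenario}: {'PASS' if not findings else 'FAIL'}")
        for line in findings:
            print("   -", line)
```

The point of the drill is the second and third scenario: the truncated archive is reported as unreadable rather than silently restoring a subset, and the stale backup is flagged file by file, which is the information needed to decide whether the backup interval is acceptable. In production the manifest would be written next to the archive and the restore target would be a separate host, but the check itself stays the same.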

Why Acting Now is Crucial

Many companies tend to postpone security and compliance work for as long as possible. With NIS2, that is risky, for several reasons:

Fines and Liability Risks

Violations affect not only the company but also its management personally: the German implementing act (NIS2UmsuCG) assigns managing directors and board members personal responsibility for NIS2 implementation, and they can be held liable for breaches of duty. Simply delegating the topic to the IT department is not sufficient. This principle applies throughout the EU, even though the specific sanctions are regulated nationally.

Market Pressure through Supply Chain

Customers and clients are increasingly demanding proof of compliance. Anyone who cannot demonstrate NIS2 implementation risks being excluded from the competition.

Time Factor

Full implementation takes months. Anyone who starts now can plan calmly instead of having to react under pressure later.


The Roadmap from Analysis to Lived Practice

Week 1–2: Create clarity
The first question is: am I even affected? With an inventory and gap analysis, companies check which systems, processes, and suppliers are relevant and where action is needed.

Week 3–6: Implement Quick Wins
Now the most visible gaps are closed. Typical immediate measures are MFA, tested backups, and a standardized patch procedure. At the same time, a short training workshop for managers is worthwhile in order to raise awareness of IT security.

Week 7–12: Supply Chain & Test Runs
NIS2 also reaches partner companies. Contracts should contain security requirements, evidence should be obtained, and audits should be carried out where necessary.

Week 13–15: Practice makes perfect
Scenarios are played through and those responsible rehearse the emergency, without any system actually failing.

Companies that have carried out such exercises report back:

“We were surprised how many small gaps appeared in the processes.”

NIS2 not as a Burden, but as an Opportunity

At first glance, NIS2 looks like just another regulation. The real added value, however, lies in strengthening one’s own resilience. Those who act early gain:

  • more trust with customers and partners
  • better market opportunities in tenders
  • lower failure risks due to IT disruptions
  • clear processes in the company

Your Advantage with netX Consult

We support you in implementing NIS2 not only formally, but also integrating it into everyday operations:

  • Analysis & Scoping: Clear overview of whether and how you are affected
  • Quick Wins: Immediate measures that quickly show results
  • Roadmap & Implementation: Structured introduction of all mandatory measures
  • Training & Awareness: From management to the IT team – understandable and practical
  • Product-independent: We advise without being tied to specific manufacturers

With over 20 years of experience in large enterprise IT structures, we know how complex requirements can be implemented in practice.

In 15 minutes, we’ll clarify whether a SIEM makes sense for you or not.

Your IT consulting service provider

FAQ: NIS2 for Decision-Makers – What You Need to Know Now

How can netX consult support you with the implementation? (2025-11-21T10:22:12+01:00)

netX consult works with companies from analysis to actual practice:

  • Scoping & impact analysis – Who is covered by NIS2?
  • Quick wins & security measures – steps that can be implemented quickly
  • Governance & roadmap – structured development of roles, policies and processes
  • Awareness & management training – understandable, practical, product-independent
What are the most important immediate measures for companies? (2025-11-07T11:43:53+01:00)

Many obligations can be implemented today, regardless of whether national transposition has been completed.
The biggest quick wins:

  • Activate multi-factor authentication (MFA) wherever possible
  • Establish patch management and regularly close vulnerabilities
  • Document backups and recovery tests
  • Check access and authorizations
  • Define and practise the incident response process (more on this in our blog article “NIS2 is coming – Do companies need a SIEM system?”)

These measures immediately improve the level of security and prepare the company for audits or supply chain checks.

What are the risks of not implementing NIS2? (2025-11-07T11:43:49+01:00)

The directive provides for significantly higher fines than before: for essential entities up to €10 million or 2% of global annual turnover, whichever is higher; for important entities up to €7 million or 1.4%.
In addition, management can be held personally liable if supervisory duties are breached or gross negligence is involved.

Furthermore, there is a risk of reputational damage and exclusion from supply chains if customers or clients demand NIS2 evidence.

What responsibility does the management have for NIS2 implementation? (2025-11-21T10:20:49+01:00)

NIS2 clearly shifts responsibility to management level:
Managing directors and board members must ensure that information security is organizationally anchored and adequately funded.
Delegation to the IT department alone is no longer sufficient – management remains liable if measures are not taken.

In concrete terms, this means:

  • Information security is becoming a top priority.
  • Documented policies and responsibilities are needed.
  • Management must follow verifiable security training, and the directive expects similar training to be offered to employees on a regular basis.

This responsibility is also made clear in the BSI’s training material for managing directors.