NIS2 Implementation – Immediate Measures and Long-Term Roadmap

2025-11-11

Why NIS2 Affects Everyone

The EU's NIS2 Directive marks a turning point in IT security, and its implementation looks different for every company. While earlier rules such as NIS1 or the German KRITIS Regulation targeted a small, clearly defined set of critical infrastructure operators, the circle of affected companies is now much wider.

Specifically, this means: medium-sized companies, suppliers and service providers now fall within the scope of the directive, even if they do not belong to the classic "critical infrastructures" (according to the BSI). In Germany, the usual thresholds are at least 50 employees, or an annual turnover and balance sheet total of more than 10 million euros each. Smaller companies are generally excluded, but can still be covered if they provide particularly critical services, for example in healthcare or digital infrastructure. Internationally active companies should note that comparable requirements apply in the other EU member states, since each transposes the same directive.

For companies, the question is therefore no longer whether they are affected by NIS2, but how quickly they can prepare for it.

What Does NIS2 Demand in Practice?

The directive contains a wide range of requirements. To make implementation more tangible, they can be grouped into three core areas: governance, basic technical measures, and reporting obligations.

1. Governance – Clarify responsibility and create processes

A central element of NIS2 is the assignment of responsibility. Management and IT leadership must ensure that information security is anchored in the organization. In practice, the directive requires that:

  • Clear roles and responsibilities are defined.
  • Policies and guidelines are documented in a binding manner and known to all employees.
  • Management systems that define rules and procedures for information security and for emergencies (e.g. an ISMS or BCM) come into focus.

Practical example

A medium-sized mechanical engineering company appoints an information security officer at management level, supported by a small internal team. Together with a consultant, this team writes simple guidelines for password management, access rights and emergency processes.

2. Technical Basics – the indispensable Quick Wins

NIS2 also requires basic technical measures. Many of these have long been considered best practice, yet in reality they are often only partially implemented. That makes them ideal quick wins: they can be introduced relatively quickly and raise the security level immediately. They include:

  • Multi-factor authentication (MFA): protects sensitive systems from unauthorized access even when passwords have been compromised.
  • Regular patch and update management: prevents known vulnerabilities from staying open for months or years.
  • Backups with recovery tests: not only secure the data, but also practice the restore, so that the backup is known to work before it is needed.
  • Monitoring and logging: attacks and anomalies must be detected early, before they cause damage. Further information on the role of SIEM systems in the context of NIS2 can be found in our specialist article: NIS2 is coming – Do companies need a SIEM system?

Why Acting Now is Crucial

Many companies tend to postpone security and compliance issues for as long as possible. With NIS2, this is risky – for several reasons:

Fines and Liability Risks

Violations affect not only the company itself but also its management: the German implementation act (NIS2UmsuCG) makes management personally responsible for implementation. Managing directors and board members in Germany can be held liable for breaches of duty; simply delegating to the IT department is not sufficient. This principle applies throughout the EU, even though the specific sanctions are regulated nationally.

Market Pressure through Supply Chain

Customers and clients increasingly demand proof of compliance. Anyone who cannot demonstrate NIS2 implementation risks being dropped from tenders and supply chains.

Time Factor

Full implementation takes months. Anyone who starts now can plan calmly instead of having to react hastily under pressure later.

The Roadmap from Analysis to Lived Practice

Week 1–2: Create clarity
The first question is: am I even affected? With an inventory and gap analysis, the company checks which systems, processes and suppliers are in scope and where action is needed.

Week 3–6: Implement Quick Wins
Now the most visible gaps are closed. Typical immediate measures are MFA, secure backups and a standardized patch procedure. At the same time, a short training workshop for managers is worthwhile to raise awareness of IT security.

Week 7–12: Supply Chain & Test Runs
NIS2 also reaches partner companies. Contracts should contain security requirements, evidence should be obtained and, where necessary, audits should be carried out.

Week 13–15: Practice makes perfect
Scenarios are played through and those responsible rehearse the emergency, without any systems actually failing.

Companies that have carried out such exercises report back:

“We were surprised how many small gaps appeared in the processes.”

NIS2 not as a Burden, but as an Opportunity

At first glance, NIS2 looks like just another regulation. The real added value, however, lies in strengthening the company's own resilience. Those who act early gain:

  • more trust with customers and partners
  • better market opportunities in tenders
  • lower failure risks due to IT disruptions
  • clear processes in the company

Your Advantage with netX Consult

We support you in not just formally implementing NIS2, but in integrating it into everyday practice:

  • Analysis & Scoping: Clear overview of whether and how you are affected
  • Quick Wins: Immediate measures that quickly show results
  • Roadmap & Implementation: Structured introduction of all mandatory measures
  • Training & Awareness: From management to the IT team – understandable and practical
  • Product-independent: We advise without being tied to specific manufacturers

With over 20 years of experience in large IT group structures, we know how complex requirements can be implemented in practice.

45-minute free initial consultation

Your IT consulting service provider


FAQ: NIS2 for Decision-Makers – What You Need to Know Now

How can netX consult support you with the implementation?

netX consult accompanies companies from analysis to actual practice:

  • Scoping & impact analysis – who is covered by NIS2?
  • Quick wins & security measures – steps that can be implemented quickly
  • Governance & roadmap – structured development of roles, policies and processes
  • Awareness & management training – understandable, practical, product-independent

What are the most important immediate measures for companies?

Many obligations can be implemented today, regardless of whether the national transposition has already taken effect.
The biggest quick wins:

  • Activate multi-factor authentication (MFA) wherever possible
  • Establish patch management and close vulnerabilities regularly
  • Document backups and recovery tests
  • Review access rights and authorizations
  • Define and practice the incident response process; more on this in our blog article "NIS2 is coming – Do companies need a SIEM system?"

These measures raise the security level immediately and prepare the company for audits and supply chain checks.

What are the risks of not implementing NIS2?

The directive provides for significantly higher fines than before: for essential entities up to €10 million or 2% of global annual turnover, whichever is higher (for important entities up to €7 million or 1.4%).
In addition, management can be held personally liable in cases of gross negligence or breach of supervisory duties.

There is also the risk of reputational damage and exclusion from supply chains if customers or clients demand NIS2 evidence.

What responsibility does the management have for NIS2 implementation?

NIS2 clearly shifts responsibility to management level:
managing directors and board members must ensure that information security is organizationally anchored and adequately funded.
Delegation to the IT department alone is no longer sufficient; management remains liable if measures are not taken.

In concrete terms, this means:

  • Information security is becoming a top priority.
  • Documented policies and responsibilities are needed.
  • Verifiable training for management and employees is mandatory.

This responsibility is also spelled out in the BSI's training material for managing directors.