NIS-2
The German BSIG distinguishes between "essential entities" and "important entities" and defines these categories in Section 28 and in Annexes 1 and 2 by sector and thresholds. Essential entities include, among others, operators of critical installations and additional companies in sectors such as energy, finance, healthcare, transportation, information technology and telecommunications, water, food, space, and municipal waste management, whose failure would result in significant supply shortages or threats to public safety.
Important entities are companies and organizations in similar or complementary sectors whose disruption would have relevant but less critical impacts than those of essential entities. The law also subjects federal administration entities to the regime applicable to essential entities (Section 29), with certain exceptions, including the Federal Foreign Office, the Federal Armed Forces, intelligence services, and specific constitutional bodies.
Not covered are certain legally dependent organizational units of regional authorities, as well as purely municipal entities and legal persons wholly owned by federal states or municipalities, provided they are subject to comparable NIS 2 rules under state law (Section 28 (9)). Managed service providers, managed security service providers, cloud and data center services, DNS service providers, CDNs, online marketplaces, search engines, social media platforms, and trust service providers are explicitly addressed as relevant entity types.
The core of NIS 2 consists of risk management and reporting obligations. Essential and important entities must take and document "appropriate, proportionate, and effective" technical and organizational measures to prevent and mitigate security incidents. These measures cover at least the following areas:
Risk analysis and information security policies
Incident management
Business continuity, backup management, disaster recovery, and crisis management
Supply chain security, including security-related requirements for direct suppliers and service providers
Security measures in the acquisition, development, and maintenance of network and information systems, including vulnerability management (security by design and by default)
Procedures for assessing the effectiveness of risk management measures (controls, tests, audits)
Basic cyber hygiene as well as employee training and awareness
Policies and procedures for the use of cryptography and encryption
Personnel security, access control policies, and ICT asset management
Use of multi-factor authentication, secured communications, and secured emergency communications
Additional requirements apply to operators of critical installations:
Elevated level of protection: More extensive protective measures are considered proportionate as long as the effort required is not disproportionate to the consequences of a failure.
Attack detection systems: Continuous, automated collection and analysis of operational parameters, ongoing threat detection, and the provision of suitable remediation measures in line with the state of the art.
Significant security incidents must be reported to the BSI without undue delay. The reporting requirements follow a three-stage structure:
Early warning: Initial notification without undue delay, at the latest within 24 hours of becoming aware of the incident
Updated notification: No later than 72 hours after becoming aware of the incident, including an initial assessment of severity, cause, and measures taken
Final report: No later than one month after the initial notification, including a complete description of the incident, its cause, impact, and any cross-border effects
Some requirements of the NIS 2 Directive are already familiar from previous regulations such as the IT Security Act. However, NIS 2 goes beyond these in several key areas:
| Regulation | Focus | Addressees | Core obligations |
|---|---|---|---|
| NIS-2 | Cross-sector cybersecurity of services and entities, including critical infrastructure | Essential and important entities, federal administration, certain digital services | Risk management, reporting obligations, oversight, BSI roles, sanctions |
| DORA | Resilience of the financial sector against ICT risks | Financial institutions, critical ICT service providers | ICT risk management, testing, third-party management, incident reporting |
| CRA | Cybersecurity of products with digital elements | Manufacturers, importers, distributors | Security-by-design obligations, vulnerability management, conformity, market surveillance |
| KRITIS Umbrella Act | Physical resilience of critical infrastructure | Operators of critical installations (KRITIS sectors) | Resilience measures, risk analyses, registration, incident reporting, government oversight |
NIS 2 explicitly obligates the BSI to cooperate and exchange information with BaFin "particularly with regard to the measures taken pursuant to Regulation (EU) 2022/2554" (DORA). This makes clear that DORA applies as a sector-specific regime for financial services providers, while NIS 2 addresses overarching cybersecurity requirements and the BSI's role as the central authority.
A clear distinction also exists with the Cyber Resilience Act (CRA): While the CRA regulates obligations for the security of ICT products, NIS 2 primarily addresses the secure operation of services and infrastructures. At the same time, under Section 18, the BSI can require manufacturers of ICT products whose products are affected by significant security incidents to cooperate in remediating or preventing such incidents at essential and important entities—underscoring the interface with product-related EU law.
A further distinction applies to the KRITIS Umbrella Act, which governs the physical resilience of critical infrastructure and thus complements NIS 2: While NIS 2 focuses on the cybersecurity of services and entities, the KRITIS Umbrella Act addresses protection against physical threats such as natural disasters, sabotage, or terrorist attacks. Operators of critical installations are therefore regularly subject to both regimes in parallel—meaning that risk management, reporting obligations, and resilience measures must be implemented in an integrated manner. Regulatory responsibility is divided: The BSI remains the central cybersecurity authority under NIS 2, while the BBK (Federal Office of Civil Protection and Disaster Assistance) oversees the physical resilience requirements of the KRITIS Umbrella Act. A close integration of reporting channels and supervisory practice is therefore foreseen.
NIS 2 is being implemented in Germany primarily through a comprehensive revision of the BSIG as an omnibus act that simultaneously amends numerous sector-specific laws (including the Atomic Energy Act, the Energy Industry Act, the Metering Point Operation Act, the Social Code, the Telecommunications Act, and the Trust Services Act). The BSI is established as the central national authority for information security, oversight, and enforcement, with expanded powers for investigation, issuing warnings, imposing orders, and cooperation.
For federal administration entities, separate information security requirements are defined that are based on BSI minimum standards (IT-Grundschutz) and mandate information security officers at agency and ministry level. The law also provides for extensive reporting obligations of the BSI to the Bundestag and the Federal Commissioner for Data Protection, particularly regarding the use of certain investigative powers and the effectiveness of the measures.
The detailed implementation is being carried out incrementally through legal ordinances that, in particular, define critical installations, sector-specific requirements, and any certification obligations for ICT products and services. In parallel, industry-specific security standards are being developed by operators and associations and are reviewed and published by the BSI.
The BSI is the central authority for information security at the national level and the key institution for implementing the NIS 2 Directive in Germany.
National point of contact and liaison authority: The BSI serves as the central authority for essential and important entities as well as the national liaison office within the meaning of the NIS 2 Directive.
Reporting authority for security incidents: As the central reporting authority for IT security at the federal level and as a general reporting authority, the BSI operates reporting channels, receives reports of security incidents and vulnerabilities, and informs entities and the public.
Supervisory and enforcement authority: The BSI monitors compliance by essential and important entities and can conduct audits, issue orders, apply administrative coercion, and impose fines.
Cybersecurity certification authority: As the national cybersecurity certification authority, the BSI can support certifications and, through ordinances, promote the use of certified ICT products and services.
The BSI thus consolidates the functions of reporting authority, supervisory authority, coordination body, and certification authority for cybersecurity in Germany under the current NIS 2 regime.
NIS 2 requires essential and important entities to implement appropriate measures to protect the availability, integrity, and confidentiality of their services. Myra addresses these requirements through:
DDoS Protection to maintain availability even under attack.
Web Application Firewall (WAF) to defend against application-layer attacks.
Bot Management to block malicious access and selectively manage requests.
For operators of critical installations, NIS 2 prescribes higher standards and more comprehensive risk management measures as well as the use of attack detection systems that continuously collect and analyze security-relevant parameters. Myra supports this through:
Extensively certified and audited processes and infrastructure for fulfilling comprehensive risk management measures.
Real-time monitoring that enables granular identification, classification, and logging of anomalies and security incidents at the traffic level.
Seamless SIEM integrations for incorporation into existing detection and response processes.
NIS-2 stands for "Network and Information Security" and refers to EU Directive (EU) 2022/2555, which establishes a uniform minimum standard for cybersecurity throughout the European Union. The NIS 2 Directive replaces the original NIS Directive from 2016 and significantly expands its scope: Far more sectors, companies, and organizations are covered by the framework than before.
Stefan Bordel
Senior Editor
Stefan Bordel has been working as Editor and Technical Writer at Myra Security since 2020. He is responsible for the strategic development and editorial management of all content formats – from website content and specialist publications to whitepapers, social media communication, and technical documentation. In this role, he combines solid expertise from IT journalism with in-depth technical understanding in the field of cybersecurity. As a long-time Linux enthusiast, he closely follows developments in the IT industry both professionally and personally.