NIS-2: What companies need to know now

SECURITY INSIGHTS | June 01, 2023

NIS-2 finally makes IT security a management priority. For companies in Germany, the new EU directive means stricter requirements, a wider scope and more severe consequences.

Directive (EU) 2022/2555 defines a new scope and stricter IT security requirements for operators of critical infrastructure. As a result, from October 2024 the group of affected companies will expand immensely. In Germany alone, NIS-2 is expected to increase the number of critical operators from around 4,500 at present to over 30,000.

At the same time, NIS-2 massively tightens the regulatory requirements for IT security and introduces stricter sanctions. Under the new EU directive, it is no longer enough for companies to ensure their own information security; they must also examine cybersecurity along their supply chains, at partners and service providers. Violations of the requirements could result in millions of euros in fines. In addition, there is corporate liability, i.e., management can be held personally liable for violations.