NIS-2: What companies need to know now


NIS-2 finally makes IT security a management priority. For companies in Germany, the new EU directive means stricter requirements, a wider scope and more critical consequences.

The EU Directive (EU 2022/2555) defines new scopes and stricter IT security requirements for operators of critical infrastructure. The consequence: From October 2024, the group of affected companies will expand immensely. In Germany alone, NIS-2 is expected to increase the number of critical operators from around 4,500 at present to over 30,000.

At the same time, NIS-2 massively tightens the regulatory requirements for IT security and introduces stricter sanction measures. Under the new EU directive, companies must no longer just ensure their own information security, but must also examine the issue of cybersecurity along their supply chains at partners and service providers. Violations of the requirements could result in millions of euros in fines. In addition, there is corporate liability, i.e., management can be held personally liable for violations.