Understanding and Implementing the EU NIS 2 Directive: What Businesses Need to Know Now

The NIS 2 Directive (EU) brings major new obligations with fixed deadlines for thousands of companies – from strict ICT security requirements to comprehensive incident reporting. Find out which sectors are affected, what the NIS 2 Implementation Law includes, how NIS 2 compares to DORA and ISO 27001, and how smart tools combined with expert guidance can help your business achieve compliance with ease.


What is NIS 2 and What Does It Aim to Achieve?

Adopted on December 14, 2022, the NIS 2 Directive (EU 2022/2555) is a major update and expansion of the original 2016 NIS Directive. As a comprehensive EU cybersecurity regulation, it lays the foundation for protecting network systems across Europe.

Key Goals of NIS 2

  • Safeguard essential and important entities in critical sectors such as energy, transport, healthcare, digital infrastructure, and public administration
  • Harmonize EU cybersecurity requirements to build a free, secure, and more stable digital ecosystem
  • Strengthen cooperation between member states through national CSIRTs and designated points of contact
  • Improve the effective management of cyber incidents at both national and international levels
  • Reduce risks linked to supply chain vulnerabilities and ICT service providers

When Does NIS 2 Need to Be Implemented by?

The NIS 2 Directive came into force on January 16, 2023, with member states required to transpose it into national law by October 18, 2024. In Germany, this is planned through the IT-Sicherheitsgesetz 3.0 (IT Security Act 3.0), while in Austria the legal framework will be established via the Netz- und Informationssystemsicherheitsgesetz (Network and Information System Security Act).

However, 19 member states – including Germany and Austria – missed the deadline. On May 7, 2025, the European Commission issued a formal notice (“reasoned opinion”), giving them two more months to comply. If they fail to do so, the case will be referred to the Court of Justice of the European Union.

Is My Company Affected by NIS 2?

Compared to the first NIS Directive, NIS 2 not only introduces much stricter requirements but also significantly expands its scope. In Germany, eight sectors were previously defined as critical under the KRITIS regulation. With NIS 2, this number rises to 18.

Early estimates suggest that in Germany alone, around 30,000 private and public institutions (including government agencies) will be affected by the new regulation. In Austria, the figure is expected to be around 4,000.

Whether Your Company Falls under NIS 2 Mainly Depends on Two Factors

1. Company Size

  • Large enterprises: at least 250 employees or an annual balance sheet total of €43 million or more
  • Medium-sized enterprises: 50–249 employees or an annual balance sheet total between €10 and €43 million

2. Sector

  • Sectors of high criticality: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space
  • Other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital service providers, and research

In general, only companies that meet both criteria are classified as essential or important entities and are therefore subject to the requirements of NIS 2. These businesses are required to register and submit specific company details to their national authority within three months.

That said, there are exceptions: smaller companies may also fall under NIS 2 if they’re the sole provider of a critical service or if their activities are vital to public order, security, or health.

What Are the Main Differences between Essential and Important Entities?

Essential Entities

  • Large companies operating in sectors of high criticality. Due to their significant role in maintaining societal and economic stability, essential entities are subject to stricter regulatory oversight, including regular and random ex ante controls. In the event of serious violations, penalties can be substantial, reaching up to €10 million or 2% of annual revenue.

Important Entities

  • Medium-sized companies in sectors of high criticality or in other critical sectors. While their impact is considered somewhat less extensive than that of essential entities, they still carry significant responsibility for public safety and security. Important entities are mainly subject to ex post controls if there is reasonable suspicion, and can be fined up to €7 million or 1.4% of annual revenue.

What Are the Core Components of NIS 2?

National Cybersecurity Strategy

It’s not only the affected entities themselves that are required to implement a comprehensive cybersecurity framework. Each member state must also do so individually. As part of a national security strategy, the following must be defined:

  • the country’s cybersecurity goals and priorities
  • the evaluation mechanisms used to identify relevant entities
  • clear escalation paths to follow in the event of security incidents
  • which new technologies deserve particular support
  • how to effectively raise cybersecurity awareness among citizens

In addition, dedicated emergency response teams must be set up to act as contact points and provide support in helping organizations detect risks, take preventive action, and respond appropriately to incidents. These emergency teams include both CSIRTs (Computer Security Incident Response Teams) and CERTs (Computer Emergency Response Teams).

Management Responsibility

Risk management can only succeed with leadership commitment, which NIS 2 frames as “governance.” Management is required to implement risk management processes and approve a clear risk treatment plan. The directive also highlights the importance of employee training to strengthen security awareness and foster a strong risk management culture.

To enforce this, national authorities are granted broad powers of oversight and enforcement, including audits, security checks, and the ability to impose fines.

ICT Incident Reporting

When a significant security incident occurs, affected entities must report it to the relevant national authorities. A “significant” incident is one that causes major operational disruption or financial losses, or results in substantial material or immaterial damage to legal or natural persons.

The reporting process follows a tiered approach:

  1. Initial notification: Early warning with a first assessment within 24 hours of becoming aware of the incident
  2. Update: A more detailed damage and risk assessment within 72 hours
  3. Final report: A full incident report, including measures taken and planned, within one month

ICT Risk Management

NIS 2 requires affected entities to conduct a “proportionate” risk analysis covering people, processes, technology, and the supply chain. The focus is on ensuring that the benefits outweigh the effort and on distinguishing what’s truly necessary from what isn’t. In addition to business continuity, safeguarding information to ensure its confidentiality, integrity, and availability is a central priority.

Third-Party Risk Management

NIS 2 also emphasizes supply chain risks, aiming to prevent issues with service providers or contractors from disrupting the operations of critical entities. Managed ICT service providers are considered especially high-risk.

Information Sharing

A key goal of NIS 2 is to enhance international cooperation via national CSIRTs/CERTs, ENISA, and Europol. Improved information flow between these organizations is intended to ensure a coordinated cross-border response and support the creation of a European vulnerability database for better collective preparedness.

How Does NIS 2 Differ from DORA or ISO 27001?

NIS 2 and DORA are currently among the most talked-about regulations in Europe. At first, it’s not always easy to tell them apart, especially since they overlap in several areas. Their security objectives and measures, in particular, show many similarities. So where do NIS 2 and DORA actually differ?

Network and Information Security Directive (NIS 2)

  • EU Directive (effective once transposed into national law)
  • Wide scope (covers 18 sectors in total)
  • Regulates information security for essential and important entities as well as their suppliers
  • Aims at cybersecurity (ICT risk management, incident management, crisis management, third-party ICT risk management, vulnerability analysis, and information sharing)
  • Demands strong national supervision by a cybersecurity authority and the establishment of CSIRTs/CERTs
  • Information sharing between ENISA, the CSIRT network, and Europol

Digital Operational Resilience Act (DORA)

  • EU Act (directly applicable and immediately enforceable)
  • Specifically targets the financial sector (e.g., banks, payment service providers, rating agencies, insurers)
  • Regulates the digital operational resilience of financial institutions and critical ICT service providers
  • Aims at cybersecurity and resilience (like NIS 2, plus scenario analyses and TLPT – Threat-Led Penetration Testing)
  • Relies on existing national supervisory mechanisms and introduces a new EU authority for critical ICT service providers
  • Cooperation between national authorities (including NIS authorities) and EU bodies (ESAs, ECB, and ENISA)

ISO 27001

Another term that frequently comes up in this context is ISO 27001, the internationally recognized standard for information security, cybersecurity, and data protection. Although ISO 27001 itself is not a mandatory regulation, it’s often mentioned alongside NIS 2 and DORA. This is because ISO 27001 certification gives organizations a strong foundation for meeting NIS 2 and DORA requirements much more efficiently.

What Penalties Apply for Violations of NIS 2?

Penalties under NIS 2 depend on the classification and annual turnover of the entity involved.

The fines are set as follows:

  1. Essential Entities:
    Fines of up to €10 million or 2% of annual turnover, whichever is higher
  2. Important Entities:
    Fines of up to €7 million or 1.4% of annual turnover, whichever is higher

In addition, both the organization and its management or board members can be held personally liable if they cannot show that adequate risk and information security measures were in place. Importantly, lack of knowledge or information doesn’t exempt anyone from fines or other sanctions, including dismissal, and can’t be used to reduce penalties.
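The scoping rules (size band plus sector), the tiered reporting deadlines and the fine caps described above, encoded as plain functions. This is an added illustration, not code from the article or from GBTEC; the sector labels, the treatment of small sole providers as important entities, and the reading of “one month” as the same calendar day of the following month are assumptions noted in the comments.

```python
from datetime import datetime, timedelta
import calendar

# Sector lists as the article gives them, as plain lowercase labels (assumption).
HIGH_CRITICALITY = {
    "energy", "transport", "banking", "financial market infrastructures",
    "healthcare", "drinking water", "wastewater", "digital infrastructure",
    "ict service management", "public administration", "space",
}
OTHER_CRITICAL = {
    "postal and courier services", "waste management", "chemicals", "food",
    "manufacturing", "digital service providers", "research",
}
# Fine caps from the article: absolute cap in EUR and share of annual turnover.
FINE_CAPS = {"essential": (10_000_000, 0.02), "important": (7_000_000, 0.014)}


def size_class(employees, balance_sheet_eur):
    """Size bands as the article states them: headcount OR balance sheet total."""
    if employees >= 250 or balance_sheet_eur >= 43_000_000:
        return "large"
    if employees >= 50 or balance_sheet_eur >= 10_000_000:
        return "medium"
    return "small"


def classify_entity(employees, balance_sheet_eur, sector, sole_provider=False):
    """Return 'essential', 'important' or None (not in scope)."""
    sector = sector.lower()
    if sector not in HIGH_CRITICALITY | OTHER_CRITICAL:
        return None  # unlisted sector: size alone never brings an entity in scope
    size = size_class(employees, balance_sheet_eur)
    if size == "small":
        # Article: a small sole provider of a critical service can still be covered;
        # the page does not say which class, so 'important' is an assumption here.
        return "important" if sole_provider else None
    if size == "large" and sector in HIGH_CRITICALITY:
        return "essential"
    # Medium entities in either group, and large entities in the other-critical
    # group (a case the page does not spell out), are treated as important.
    return "important"


def max_fine(entity_class, annual_turnover_eur):
    """Maximum fine: 'whichever is higher' of the cap and the turnover share."""
    cap, share = FINE_CAPS[entity_class]
    return max(cap, share * annual_turnover_eur)


def reporting_deadlines(aware_at_iso):
    """Tiered deadlines (ISO 8601 strings) counted from becoming aware."""
    t = datetime.fromisoformat(aware_at_iso)
    # "Within one month" is read as the same day of the next month (assumption),
    # clamped to the last day when that month is shorter.
    year, month = t.year + t.month // 12, t.month % 12 + 1
    final = t.replace(year=year, month=month,
                      day=min(t.day, calendar.monthrange(year, month)[1]))
    deadlines = {"early_warning": t + timedelta(hours=24),
                 "update": t + timedelta(hours=72), "final_report": final}
    return {k: v.isoformat(timespec="minutes") for k, v in deadlines.items()}
```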


Challenges Companies Face in Implementing NIS 2


Different Maturity Levels as Starting Points

Companies that were already subject to NIS regulations or that even hold ISO 27001 certification now have a clear advantage. In fact, those with active ISO certification report that around 80% of their NIS 2 preparation is already complete. However, many organizations that have not previously fallen under the directive are now finding themselves in a situation where they must start from scratch. This means they first need to acquire the right tools, define appropriate cybersecurity measures, and gradually build ICT risk awareness across the organization, from leadership to all employees.


Resource Constraints and Budget Pressures

A study from late 2024 found that companies affected by NIS 2 spend up to 80% of their IT budgets on cybersecurity and compliance. Total costs range from €100,000 to €1 million, depending on the company size. In 95% of cases, organizations had to divert funds from other areas, including risk and crisis management, HR, or emergency reserves, to cover the increased compliance demands. The administrative and technical effort, particularly around documentation, is significant. Medium-sized companies, in particular, will have to find a way of meeting the required standards without overstretching their budgets.


Complex Supply Chain Risk Management

Modern supply chains are dynamic and increasingly complex. Under NIS 2, companies must protect not just their own operations but also monitor emerging risks across the entire supply chain, including those coming from external providers. ISO 27001 provides a useful framework, but implementation is often time- and cost-intensive. Reliable risk assessment requires supplier cooperation, regular audits, and thorough documentation.


Inconsistent Information Security Standards

NIS 2 clearly pushes toward standardized cybersecurity measures, but it leaves much of the implementation open to interpretation. As a result, affected entities are often left to figure out on their own how to translate the requirements into practice, which leads to varying approaches across industries and organizations as well as considerable uncertainty about what "good enough" really means and how to achieve full compliance.

Special Focus: NIS 2 and Public Administration

Cybersecurity should be firmly integrated into both the strategic and operational processes of any organization. While for many companies this is already standard practice, the public administration sector faces far greater challenges. The large number of government agencies and processes makes it hard to maintain oversight, and important decisions are slowed down by layers of bureaucracy. On top of that, advisory bodies often pursue their own agendas, which can delay progress further.


Why NIS 2 Implementation Is Particularly Tough for Public Authorities

With NIS 2, public administration is now coming particularly into focus. Being part of the highly critical sectors, authorities carry huge responsibility. They not only need to secure their own systems but also act as role models for other organizations. At the same time, they are often the first point of contact for citizens, meaning any disruption can have serious consequences for society as a whole. This makes it all the more important for public agencies to establish clear structures and foster a strong security culture that extends from leadership down to daily operations.

  • Sensitive data: Government systems often store highly sensitive information (e.g., health records, tax data, civil status), requiring extra protection.
  • Complex structures: Multiple departments and stakeholders mean risk management must be integrated and coordinated across the organization.
  • High process and documentation demands: Reporting systems, business continuity, and incident management must work reliably and on time, despite slow administrative processes.
  • Staffing constraints: Limited budgets and a lack of specialized personnel make the use of supportive automation tools indispensable.

NIS 2 Implementation Checklist for Companies

Step 01

Check if NIS 2 Applies

Determine whether your organization falls under NIS 2 based on its size, annual revenue, and industry. You need to check yourself as the authorities in your country won’t do this for you.

Step 02

Conduct a Gap Analysis

NIS 2 likely increases the requirements for your ICT management and related risk management areas. Identify gaps in your current setup and take action on network security, supply chain security, incident management, and more.

Step 03

Establish a Security Framework

Put in place technical and organizational measures to ensure business continuity even in the event of a crisis. This includes creating emergency and system recovery plans, assigning risk management responsibilities within the organization, and defining the necessary budget.

Step 04

Define Processes

Define concrete measures and processes aligned with NIS 2 requirements for ICT risk management. Examples include risk analysis, assessment, and treatment, incident management with clear escalation paths to the authorities, supply chain monitoring, and employee training.

Step 05

Implement Software

Specialized risk management software can make NIS 2 compliance easier. First, define your requirements and compare available solutions. Test the chosen software in a pilot phase, then roll it out organization-wide once you have confirmed that it fully meets your needs.

Step 06

Set Up Monitoring

Implement mechanisms to continuously review the effectiveness of your processes and controls. Conduct regular internal audits to ensure your company is sufficiently protected against cyberattacks and that reporting to authorities works properly in the event of an incident.

Implement NIS 2 Easily and Efficiently with BIC GRC from GBTEC

BIC GRC from GBTEC provides a comprehensive platform to help you implement NIS 2 with ease. Its integrated modules for risk management, information security, data protection, business continuity, internal controls, and audits enable you to protect your organization from all types of cyber threats while ensuring transparent, demonstrable, and complete compliance with every NIS 2 requirement:

  • Comprehensive and integrated IT risk framework to consistently identify, thoroughly assess, and proactively manage risks
  • Prebuilt assessment catalog for easy NIS 2 implementation
  • In-depth IT security analysis, including detailed Business Impact Analysis (BIA) and systematic vulnerability identification
  • Streamlined incident management with structured workflows
  • Robust crisis and business continuity management, including clearly defined emergency plans, effective response measures, and structured recovery plans
  • Reliable supplier and partner management (vendor administration, contract management, monitoring, security assessments, reintegration plans)
  • Audit-ready archiving of documented information, plus strong reporting capabilities

NIS 2 Directive (EU) – Key Takeaways

The NIS 2 Directive marks a major step forward for cybersecurity in Europe. It expands the range of organizations affected and sets higher standards for information security, risk management, and incident reporting. Particularly noteworthy are the clear responsibilities for management and the substantial fines for non-compliance.

Organizations impacted by NIS 2 need to review the effectiveness of their current processes, identify gaps, and implement measures in ICT risk management, business continuity, supply chain oversight, and incident reporting. The challenge lies not only in the complexity of the directive but also in tight budgets and limited resources.

Those who act early, however, gain a significant security advantage and greater resilience in times of crisis. Frameworks like ISO 27001 and specialized software solutions such as BIC GRC from GBTEC can make implementation significantly easier.

About the Expert

Martin Tanzer

GRC Solutions Architect

Martin Tanzer brings years of invaluable experience, having designed and implemented data protection management systems with a strong focus on real-world impact. As an IT and organizational coach, he also focused on providing data protection training to help users effectively work with these systems. For over a year, Martin has been driving innovation as a GRC Solutions Architect at GBTEC, where he shapes the development, customization, and enhancement of the BIC GRC standard solutions – creating robust, standard-compliant software that’s easy to use and can be rapidly deployed.

