NIS2 and Supply Chain Protection

NIS2 & the importance of supply chain security

With the NIS2 Directive, the European Union is pursuing a clear objective: to establish a high level of security for network and information systems across Europe. The aim is to strengthen overall digital resilience — meaning the ability of companies and institutions to withstand cyber threats, manage attacks, and maintain business operations even in times of crisis.

Who falls under NIS2?

In principle, NIS2 applies to medium-sized and large enterprises. Relevant thresholds include at least 50 employees or an annual turnover or balance sheet total exceeding ten million euros. Higher thresholds apply to large enterprises.

Small companies are generally exempt; however, they may fall under the Directive if they operate in particularly critical sectors. These include, among others, energy, transport, finance, healthcare, digital infrastructure, and public administration. Companies in manufacturing or the food industry, as well as digital platform providers, may also be affected.

What does NIS2 mean in practice?

Companies falling within the scope of the Directive must comply with the requirements as implemented in national legislation. At the core is a structured and demonstrable risk management framework for network and information systems.

Technical, operational, and organizational measures are required to control risks and minimize the impact of cybersecurity incidents. These measures include clearly defined security concepts, risk assessment procedures, effective access controls, encryption technologies, emergency and crisis management processes, and regular cybersecurity awareness training.

A key element of the Directive is the obligation to establish a formal reporting process for cybersecurity incidents. Significant incidents must be reported within 24 hours. An initial assessment must be submitted within 72 hours, followed by a detailed report within one month. These strict deadlines require structured processes, clearly defined responsibilities, and a functioning incident management system.

Supply chain security in focus

Regardless of formal applicability, a crucial question arises:

Are your suppliers and partners NIS2-compliant?

Companies must also consider how risks are managed within their business relationships. The security standards of service providers and partners can have direct implications for a company's own organization. This is particularly critical in digitally interconnected supply chains.

Therefore, it is essential to contractually secure security requirements, conduct risk assessments of suppliers, and ensure that incidents along the value chain can be reported transparently and within the required timeframes.

An established Information Security Management System (ISMS) in accordance with ISO 27001 provides a solid foundation in this context. The standard creates a systematic framework for risk assessment, documentation, and continuous improvement. While ISO 27001 certification does not automatically ensure full compliance with the NIS2 Directive, it covers a substantial portion of the required organizational and technical measures and facilitates the structured implementation of additional regulatory requirements.

Summary: The NIS2 Directive establishes a binding framework for a high level of security for network and information systems. At the same time, it places greater emphasis on the security of business relationships. Cybersecurity does not end at the boundaries of one’s own organization. Risks along the supply chain must therefore be systematically assessed and contractually safeguarded.