EU Directive NIS2

European Network and Information Security Directive (NIS2)


Need for action for German companies

Focus shifts to cyber and information security

The NIS2 Directive (Network and Information Security Directive) aims to improve and harmonise cyber and information security across the EU for organisations that provide essential services in key sectors.

In Germany, implementation began with the entry into force of the NIS2 Implementation and Cybersecurity Strengthening Act on 6 December 2025.

Many companies in Germany and Europe are facing the task of establishing, and reliably demonstrating, governance, information security, ICT risk management, business continuity and supply chain management in the short to medium term. adesso quickly enables you to take action and accompanies you from the initial assessment through to operationalisation in day-to-day business.


Field of application

The scope of application of NIS2 covers organisations that provide their services or carry out their activities within the Union.

In addition to the expansion of the affected sectors, another significant change to the scope of application is that whether an organisation is affected will no longer be determined by whether thresholds for specific asset categories are reached or exceeded, but by the size of the organisation.

Accordingly, large and medium-sized companies are to be covered by the NIS2 Directive:

Medium-sized entities
  • 50 - 249 employees and
  • < EUR 50 million annual turnover or
  • < EUR 43 million annual balance sheet total

or

  • < 50 employees and
  • EUR 10 - 50 million annual turnover and
  • EUR 10 - 43 million annual balance sheet total

Large entities
  • ≥ 250 employees

or

  • ≥ EUR 50 million annual turnover and
  • ≥ EUR 43 million annual balance sheet total

Sectors

NIS2 adds further sectors that must implement the defined requirements. The directive distinguishes between essential entities and important entities. Essential entities face higher sanctions for breaches of the requirements and are subject to both proactive (ex-ante) and reactive (ex-post) supervision, while important entities face lower sanctions and exclusively reactive (ex-post) supervision.

Essential entities
  • Large companies in essential sectors
Important entities
  • Medium-sized companies in essential sectors
  • Large and medium-sized companies in important sectors

Cyber security measures

Entities must take technical, operational and organisational measures, taking into account the state of the art, to manage the risks to the security of the network and information systems used to provide their services. The NIS2 Directive thus emphasises a risk-based approach to achieving an appropriate level of security. A further focus is the reporting of security incidents that have a significant impact on the provision of services, and thus the establishment of a standardised reporting procedure for such incidents.

The cyber security measures must include at least the following:

  • Cyber security management: guidelines and risk management
  • Incident management
  • Business Continuity Management (BCM)
  • Inclusion of supply chains and procurement
  • Measuring the effectiveness of the measures
  • Awareness / training
  • Cryptography concepts
  • Personnel security
  • Asset management
  • Access control and rights management
  • Secure authentication procedures (multi-factor authentication)
  • Acquisition, development and maintenance of network and information systems (incl. vulnerability management)
  • Communication security
  • Secure emergency communication tools

Sanctions

Violations of the requirements will result in the following fines for essential and important entities:

  • Essential (particularly important) entities: up to EUR 10 million or 2% of annual worldwide turnover
  • Important entities: up to EUR 7 million or 1.4% of annual worldwide turnover

Once the NIS2 Directive comes into force on 16 January 2023, EU member states will have 21 months to transpose it into national law. This gives entities time to familiarise themselves with the requirements of the NIS2 Directive and to analyse and assess the potential impact.


Fulfilling all of the cyber security measures is complex and requires the interaction of various corporate functions. adesso supports you in the successful implementation of the NIS2 requirements.

It is therefore important for affected companies to take the following steps at an early stage:

  • Step 1: Analysis
    Evaluate requirements (based on the KRITIS requirements) and determine the degree of fulfilment

  • Step 2: Action planning
    Identify fields of action and create a roadmap

  • Step 3: Realisation
    Define work packages and start an implementation project to realise the measures


Why adesso is the right partner

Our consultants have many years of proven experience in information security, ICT risk management, business continuity and service provider management, particularly in regulated environments. We take a practical approach that combines governance, organisation, processes and technical measures and either integrates seamlessly into existing management systems or builds them from scratch. The result is solutions that do not just exist on paper but work in day-to-day business operations:

  • We translate regulatory requirements into clear roles and responsibilities, robust processes and appropriate controls.
  • In doing so, we combine conceptual work with implementation strength: from guidelines to practical application.


Do you have any questions?

Please contact us and let us discuss your specific challenges together.

We look forward to talking with you either in person or digitally.