NIS2 Compliance

NIS2 Compliance for Critical Infrastructure

Consulting and implementation of the EU Network and Information Security Directive. GAP analysis, risk management, incident response.

Background

What is the NIS2 Directive?

The NIS2 Directive (EU 2022/2555) is the revised EU directive on measures for a high common level of cybersecurity. It replaces the original NIS Directive from 2016 and significantly expands the scope.

In Germany, NIS2 is transposed into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The law affects an estimated 30,000 companies in Germany.

  • EU Directive: EU 2022/2555
  • German Law: NIS2UmsuCG
  • Affected in DE: approx. 30,000
  • Authority: BSI

Applicability

Is your company affected by NIS2?

NIS2 distinguishes between essential and important entities. Classification depends on the sector and company size.

Size Criteria

  • At least 50 employees
  • At least EUR 10 million annual turnover
  • At least EUR 10 million annual balance sheet total

Companies meeting at least two of three criteria fall under NIS2. Certain sectors are affected regardless of size.

Essential Entities

Companies with more than 250 employees or more than EUR 50 million turnover in critical sectors.

  • Energy: electricity, gas, oil, district heating, hydrogen
  • Transport: aviation, rail, road, shipping
  • Banking: credit institutions
  • Financial Markets: trading venues, central depositories
  • Health: hospitals, laboratories, pharma, medical devices
  • Drinking Water: water supply
  • Wastewater: wastewater disposal
  • Digital Infrastructure: DNS, TLD, cloud, data centers, CDN
  • ICT Services (B2B): managed services, IT security
  • Public Administration: federal and state authorities
  • Space: ground infrastructure

Important Entities

Companies with 50-250 employees or EUR 10-50 million turnover in additional sectors.

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital services (marketplaces, search engines, social media)
  • Research

Requirements

11 Security Measures under Art. 21 NIS2

NIS2 defines eleven specific risk management measures in Art. 21 that affected companies must implement.

  • (a) Risk analysis and security policies: systematic analysis of cyber risks and creation of security policies for information systems.
  • (b) Incident handling: incident response processes for detection, analysis, containment and recovery after security incidents.
  • (c) Business continuity and crisis management: backup management, disaster recovery and crisis management to ensure business continuity.
  • (d) Supply chain security: assessment and management of cybersecurity risks in the supply chain and with service providers.
  • (e) Security in acquisition, development and maintenance: security requirements in procurement, development and maintenance of IT systems, including vulnerability management.
  • (f) Effectiveness assessment: regular review and assessment of the effectiveness of risk management measures.
  • (g) Cyber hygiene and training: basic cyber hygiene practices and regular cybersecurity training for all employees.
  • (h) Cryptography and encryption: policies and procedures for the use of cryptography and encryption to protect sensitive data.
  • (i) Personnel security and access control: security procedures for personnel with access to sensitive systems and access control policies.
  • (j) Multi-factor authentication: use of MFA, secured communications and emergency communication systems.
  • (k) Asset management: management and protection of all IT assets and resources of the company.

Reporting Obligations

Reporting obligations for security incidents

NIS2 defines strict reporting deadlines for significant security incidents to the competent authority (BSI in Germany).

  • 24 hours (early warning): initial notification to the BSI within 24 hours of becoming aware of a significant security incident.
  • 72 hours (incident notification): detailed incident notification with severity, impact and countermeasures within 72 hours.
  • 1 month (final report): comprehensive final report with root cause analysis, measures taken and lessons learned.

Reports are submitted to the Federal Office for Information Security (BSI) through the designated reporting portal.
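A deadline clock for the three reporting stages above, added here as an illustration rather than code from the page or from KO‑MO‑TEL; it assumes ISO 8601 timestamps with an explicit UTC offset, and interprets "1 month" as the same calendar day of the following month, clamped to that month's last day.

```python
import calendar
from datetime import datetime, timedelta

# Reporting stages in the order the page lists them. The 24h/72h figures come
# from the page; the one-month rule below is an assumed interpretation.
STAGES = ("early_warning", "incident_notification", "final_report")


def _add_one_month(t: datetime) -> datetime:
    """Same day next month; 31 Jan becomes 28 (or 29) Feb instead of overflowing."""
    year = t.year + (1 if t.month == 12 else 0)
    month = 1 if t.month == 12 else t.month + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and refuse naive values: a clock that silently
    mixes UTC and local time is an easy way to miss the 24-hour window."""
    t = datetime.fromisoformat(ts)
    if t.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {ts}")
    return t


def nis2_deadlines(aware_at: str) -> dict:
    """Return the three BSI reporting deadlines (ISO 8601 strings) for an
    incident of which the entity became aware at `aware_at`."""
    aware = _parse(aware_at)
    return {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "incident_notification": (aware + timedelta(hours=72)).isoformat(),
        "final_report": _add_one_month(aware).isoformat(),
    }


def overdue_stages(aware_at: str, now: str, submitted: set) -> list:
    """Stages whose deadline has passed at `now` without a submission, in order."""
    current = _parse(now)
    deadlines = nis2_deadlines(aware_at)
    return [s for s in STAGES
            if s not in submitted and current > _parse(deadlines[s])]


if __name__ == "__main__":
    # Constructed sample: awareness on 31 January, so the final report is due 28 February.
    aware = "2025-01-31T10:00:00+00:00"
    print(nis2_deadlines(aware))
    print(overdue_stages(aware, "2025-02-02T12:00:00+00:00", set()))
```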

Sanctions

Fines and sanctions for violations

NIS2 provides for significant sanctions for violations of compliance requirements.

  • Essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher).
  • Important entities: up to EUR 7 million or 1.4% of global annual turnover (whichever is higher).

Personal liability of management

Management must approve and oversee the implementation of measures. In case of violations, management members can be held personally liable.

Our Services

How KO‑MO‑TEL supports NIS2 compliance

KO‑MO‑TEL guides you through all phases of NIS2 implementation, from the initial applicability assessment to continuous compliance.

1. Applicability Assessment (1-2 weeks): analysis of whether and to what extent your company falls under NIS2. Classification as essential or important entity.
2. GAP Analysis (2-4 weeks): systematic comparison of your current security level with NIS2 requirements. Identification of action items.
3. Measure Implementation (3-6 months): implementation of the 11 security measures under Art. 21 NIS2. Integration into existing ISMS structures (e.g. ISO 27001).
4. Incident Response Setup (2-3 months): establishing an incident management process with defined reporting deadlines (24h/72h/1 month). SIEM integration and training.
5. Continuous Compliance (ongoing): regular reviews, audits and adjustments. Training and awareness programs. Compliance reporting for management.
6. Ongoing Compliance & Audits (annual): annual internal audits of the ISMS. Annual penetration tests by certified experts. Quarterly vulnerability scans. Annual business continuity exercises. Support during BSI audits. Adaptation to regulatory changes.

FAQ

Frequently asked questions about NIS2

Answers to the most important questions about the NIS2 directive and its implementation.

Ready for the next step?

Let's find out together how we can advance your IT.
