Question 1

What is the NIS2 Directive?

Accepted Answer

NIS2 (Network and Information Security Directive) is an EU directive to enhance cybersecurity across 18 critical and important sectors. It replaces the original NIS Directive and tightens requirements for risk management, reporting obligations, and sanctions. In Germany, it is transposed into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).

Question 2

Which companies are affected by NIS2?

Accepted Answer

Four groups: (1) Operators of critical facilities (KRITIS), (2) particularly important entities (≥ 250 employees or > EUR 50m revenue / > EUR 43m total assets), (3) important entities (≥ 50 employees or > EUR 10m revenue/total assets), (4) certain federal institutions. Special rules apply to trust services, TLD/DNS, and telecommunications.

Question 3

What reporting deadlines apply under NIS2?

Accepted Answer

Three stages: (1) Early warning within 24 hours of becoming aware of the incident, (2) initial report (Incident Notification) within 72 hours, (3) final report within one month. For ongoing incidents, interim reports must be provided upon request by the competent authority (in Germany: BSI).

Question 4

What sanctions apply for NIS2 violations?

Accepted Answer

For particularly important entities: up to EUR 10m or 2% of global annual revenue (whichever is higher). For important entities: up to EUR 7m or 1.4%. Additionally, personal liability of management is possible if security measures were not adequately implemented or monitored.

Question 5

By when must NIS2 be implemented?

Accepted Answer

The EU deadline was October 17, 2024. Germany missed the deadline - the NIS2UmsuCG is expected to be enacted in 2025/2026. Nevertheless, companies should start implementation now, as supervisory authorities can begin auditing immediately upon entry into force and transition periods will be short.

Question 6

Do I need a Security Operations Center for NIS2?

Accepted Answer

Not strictly required, but practically essential. NIS2 demands continuous risk management, rapid incident detection, and 24-hour early warning - requirements that are nearly impossible to meet without a SOC. SMEs can choose a Managed SOC as an external solution rather than building their own team.

NIS2 Directive

NIS2-Meldefrist 24 Stunden – Wie ein SOC die Einhaltung sicherstellt

NIS2 und SOC: Braucht mein Unternehmen ein Security Operations Center?

NIS2 - Einführung für Ihr Unternehmen

Frequently Asked Questions

NIS2 Directive

NIS2-Meldefrist 24 Stunden – Wie ein SOC die Einhaltung sicherstellt

NIS2 und SOC: Braucht mein Unternehmen ein Security Operations Center?

NIS2 - Einführung für Ihr Unternehmen

Frequently Asked Questions