NIS-2: IT Security

The NIS-2 Directive: Europe’s New Standard for Cybersecurity

The NIS-2 Directive (Network and Information Security Directive) is the European framework for strengthening cybersecurity in critical and digital infrastructures. With an expanded scope, stricter reporting obligations, and higher penalties for non-compliance, it sets new benchmarks. Since January 2026, the BSI portal has been open for registration—but who is affected, what deadlines apply, and how can you best prepare?

ePrivacy helps organizations identify their obligations, implement requirements, and ensure long-term compliance—whether they are directly affected companies or their suppliers in the supply chain.

We advise:

  • Directly affected companies (essential/important entities under NIS-2, e.g., energy, healthcare, digital infrastructure, public administration).
  • Indirectly affected service providers (e.g., IT service providers, cloud providers, logistics companies) that must implement NIS-2-compliant measures in specific areas due to contractual obligations from their customers.

WHAT SETS US APART?

  • Clear Guidance & Legal Certainty: We provide definitive clarity on whether your company is directly or indirectly (e.g., as a supplier) subject to NIS-2—including sector analysis, size assessment, and supply chain evaluation.
  • Efficient Implementation with a Prioritized Roadmap: Instead of one-size-fits-all measures, we develop a customized implementation plan with short-, medium-, and long-term steps, tailored to your resources and dependencies.
  • Sustainable Compliance & Competitive Advantage: Through regular reviews and adjustments, we ensure your cybersecurity evolves with emerging threats—not just to meet the March 2026 deadline, but for long-term resilience.

OUR SERVICES

With our extensive experience in IT security, we prepare you optimally for implementing the NIS-2 Directive. We support you with comprehensive documentation and processes, handling both the technical and organizational project management—from registration in the BSI portal to employee training. We provide you with practical tools and ready-to-use templates, including:

  • Incident reporting processes
  • Compliance documentation

All solutions are immediately deployable, ensuring smooth and efficient NIS-2 compliance.

Determining NIS-2 Applicability

  • Clarification and consultation on whether your company is directly or indirectly affected by NIS-2
  • Sector and size assessment
  • Review of employee numbers and annual turnover or balance sheet totals against the EU size thresholds (NIS-2 generally starts at medium-sized entities, i.e., 50 or more employees or an annual turnover and balance sheet above €10 million), plus critical services that bring an entity into scope regardless of size
  • Indirect impact / supply chain security
  • Supply chain risk assessment in accordance with Article 21 NIS-2
Learn more about NIS-2 applicability

NIS-2 Registration Process

  • Support with registration in the BSI portal
  • Assistance with designating a cybersecurity contact point (NIS-2 owner) and managing the portal user accounts
  • Establishing reporting channels for security incidents
Learn more about the registration

GAP Analysis

  • Status Quo Assessment: Evaluation of existing cybersecurity measures
  • Gap Analysis: Comparison against NIS-2 minimum requirements
  • Compliance Mapping: Identification of NIS-2 compliant areas and those requiring adjustments
Learn more about the assessment

Prioritization and Action Planning

  • Incident reporting processes
  • Risk management
  • Supply chain security
  • Cost-benefit analysis and operational dependencies
  • Development of an implementation roadmap with timelines, responsibilities, and milestones
Learn more about the action plan

Implementation of Measures

  • Implementation support and sustainability assurance
  • Project management
  • Documentation and evidence management
  • Regular review and adjustment of measures
Learn more about the implementation

Training and Awareness

  • Employee awareness training on IT security risks and risk management practices
  • Consultation on relevant training topics
  • Optional delivery and provision of training and awareness programs
Learn more about training

What is the NIS-2 Directive?

The NIS-2 Directive (Network and Information Security Directive 2) is the revised EU cybersecurity directive that has been in force since January 2023. It replaces the original NIS Directive (2016) and tightens requirements for companies and public institutions to strengthen the resilience of critical infrastructures against cyberattacks.

Objectives of the NIS-2 Directive

  1. Expanded Scope
    • Applies to more sectors and companies than the previous directive (e.g., energy, healthcare, digital infrastructure, public administration, space, postal and courier services).
    • Distinction between "essential" entities (large entities in the high-criticality sectors, e.g., energy, healthcare) and "important" entities (e.g., medium-sized entities in those sectors and entities in other critical sectors such as food production and digital services).
  2. Higher Cybersecurity Standards
    • Mandatory risk management measures under Article 21 (e.g., risk analysis and security policies, incident handling, business continuity and backup management, supply chain security, vulnerability handling and disclosure, cyber hygiene and training, cryptography, access control and multi-factor authentication).
    • Reporting obligations for significant security incidents: early warning within 24 hours, incident notification within 72 hours, and a final report within one month.
  3. Stronger Regulatory Oversight
    • National authorities (in Germany, the Federal Office for Information Security, BSI) gain greater powers for monitoring and enforcement.
    • Fines for non-compliance: for essential entities up to €10 million or 2% of total worldwide annual turnover (whichever is higher); for important entities up to €7 million or 1.4%.
  4. Supply Chain Security
    • Companies must also assess the cybersecurity of their suppliers (e.g., IT service providers, cloud providers).
    • Contractual obligations to comply with NIS-2 requirements in the supply chain.
  5. EU-Wide Harmonization
    • Uniform minimum standards for all member states to better combat cross-border cyber risks.

The NIS-2 Directive is the European standard for cybersecurity and requires affected entities to protect their network and information systems against attacks. Affected entities must act by March 2026 or face substantial fines. The directive applies not only to large corporations but also to medium-sized enterprises and, through contractual flow-down of requirements, to their suppliers.

ePrivacy Cybersecurity Certification

After successfully supporting your implementation, we offer you the opportunity to obtain the ePrivacy Cybersecurity Seal. This seal is based on the NIS-2 Directive, the German NIS-2 Implementation Act, and the fundamental IT security principles outlined in the BSI IT-Grundschutz Compendium.

For more information on the ePrivacyseal NIS-2, click here.

Do you have questions or recommendations for us?

We are glad to receive your comments.