NIS2 — Am I in scope?

The NIS2 directive (Network and Information Security) massively expands the group of companies that must meet strict cybersecurity requirements. In Germany alone, it is estimated to affect 30,000 companies.


What is NIS2?

The NIS2 directive (EU 2022/2555) is the successor to the NIS directive of 2016. It entered into force on January 16, 2023 and must be transposed into national law by member states by October 2024 (in Germany: NIS2UmsuCG).

Who is in scope?

NIS2 distinguishes two categories:

  • Essential entities — energy, transport, banking, health, water, digital infrastructure, public administration, space
  • Important entities — postal/courier, waste, chemicals, food, manufacturing (medical devices, IT, electronics, machinery, vehicles), digital services, research

Thresholds

  • From 50 employees or EUR 10m revenue in an in-scope sector
  • Critical infrastructure operators are in scope regardless of size

NIS2 scope check

Choose your sector and company size — find out right away whether NIS2 applies to you.

Inspired by European Union — NIS2 Directive

Trivia

  • NIS2 is estimated to affect 30,000 companies in Germany — ten times more than the old NIS directive.
  • Executive management is personally liable for cybersecurity — delegation is not enough.
  • Incidents must be reported within 24 hours (initial) and within 72 hours (full report).
  • The supply chain is also in scope: even suppliers who are not directly in scope must meet security standards.
  • Fines for essential entities: up to EUR 10m or 2% of global annual revenue.