Article | 7 January 2026
NIS2 Explained: Who Is Affected and What Do You Need to Do?
Directive vs. National Law: What Is the Difference? #
NIS2 (Directive (EU) 2022/2555): The EU directive. It defines sectors, size thresholds, security measures, reporting obligations, and minimum fine levels for all member states.
National implementation acts: Each member state transposes the directive into its own law. In Germany this is the NIS2UmsuCG, which amends the BSIG; other member states have equivalent acts. The substance is largely identical, because the directive sets the floor. Details such as registration procedures, competent authorities, and proof deadlines differ by country.
For your compliance work, this means: the requirements below come from the directive and apply EU-wide. Always check the national act of the member state(s) in which your organisation operates for procedural specifics.
Who Is Affected? Sectors and Thresholds #
NIS2 distinguishes between essential and important entities.
Essential Entities (stricter supervision) #
Essential entities are large organisations in the sectors of high criticality listed in Annex I of the directive, including:
- Energy: electricity, gas, district heating, oil, hydrogen
- Transport: air, rail, water, road
- Banking and financial market infrastructure: credit institutions, trading venues, central counterparties
- Healthcare: hospitals, reference laboratories, manufacturers of critical medical devices
- Drinking water and waste water
- Digital infrastructure: cloud providers, data centres, DNS service providers, TLD registries, content delivery networks, internet exchange points, trust service providers
- Public administration: central government entities (member states decide on regional and local levels)
- Space
As a rule, an entity in these sectors is essential if it exceeds the large-enterprise threshold: 250 or more employees, or more than EUR 50 million annual turnover and more than EUR 43 million balance sheet total. Some entities are covered regardless of size, for example qualified trust service providers and TLD registries.
Important Entities (proportionate supervision) #
Important entities are medium-sized organisations in the Annex I sectors plus organisations in the Annex II sectors, including:
- Postal and courier services
- Waste management
- Chemicals (production and distribution)
- Food (production, processing, distribution)
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers: online marketplaces, search engines, social networks
- Research organisations
The general threshold for important entities: 50 or more employees, or more than EUR 10 million annual turnover and balance sheet total.
In plain terms: most mid-sized companies in the listed sectors fall under “important entities”. In Germany alone, an estimated 29,000 entities are affected.
Public Administration: National Differences #
The directive lets member states decide how far NIS2-type obligations extend into regional and local government. Germany, for example, brought federal administration under the amended BSIG but excluded municipalities (towns, districts) from the NIS2UmsuCG; they may still be covered by other rules such as critical infrastructure legislation. Other member states have made different choices. If you serve or operate public sector bodies, check the national implementation that applies.
What Does NIS2 Require? #
Article 21 of the directive lists ten minimum cybersecurity risk management measures. They apply to both essential and important entities, proportionate to risk:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity: backup management, disaster recovery, crisis management
- Supply chain security
- Security in network and information system acquisition, development, and maintenance, including vulnerability handling
- Policies and procedures to assess the effectiveness of the measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Multi-factor or continuous authentication, secured communications, and secured emergency communication systems
In practice, the highest-impact measures are:
- Offline or air-gapped backup copies (ransomware protection)
- Patch and vulnerability management
- Employee training (reducing phishing risk)
- A written incident response plan (who does what in an emergency?)
- A management system such as ISO 27001 as the structural backbone
Incident Reporting: Three Deadlines #
NIS2 introduces a staged reporting obligation for significant incidents, identical across the EU:
- 24 hours: early warning to the competent national authority or CSIRT
- 72 hours: incident notification with an initial assessment
- 1 month: final report
Management Obligations #
The management body must approve the cybersecurity risk management measures, oversee their implementation, and attend cybersecurity training. A breach of these duties can trigger personal liability towards the company under national corporate law. More on this in the article on personal liability under NIS2.
Fines: What Happens If You Do Not Comply? #
The directive sets EU-wide minimum maximums:
Essential entities: fines of up to EUR 10,000,000 or 2% of global annual turnover, whichever is higher.
Important entities: fines of up to EUR 7,000,000 or 1.4% of global annual turnover, whichever is higher.
Example: a mid-sized company with 100 employees and EUR 20 million turnover falls under “important entities”. The fine ceiling is EUR 7 million, because the fixed amount exceeds 1.4% of EUR 20 million (EUR 280,000). Actual fines will typically sit well below the maximum, but the deterrent is real, and supervisory measures (binding instructions, in serious cases temporary suspension of managers of essential entities) come on top.
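To make the scoping rules and the fine example above concrete, here is an added example (not from the article or any authority) that encodes the thresholds exactly as this article summarises them; the sector keys, the `Entity` type and the two size-independent subcategories are assumptions of the example, and the result is a first-pass scoping aid, not a legal determination.

```python
from dataclasses import dataclass
from typing import Optional

# Sector keys as summarised in this article (assumed labels, not the Annex wording).
ANNEX_I = {"energy", "transport", "banking", "financial_market_infrastructure",
           "health", "drinking_water", "waste_water", "digital_infrastructure",
           "public_administration", "space"}
ANNEX_II = {"postal", "waste_management", "chemicals", "food", "manufacturing",
            "digital_providers", "research"}
# Subcategories the article names as covered regardless of size (not exhaustive).
SIZE_INDEPENDENT = {"qualified_trust_service_provider", "tld_registry"}

@dataclass
class Entity:
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    subcategory: Optional[str] = None

def exceeds_large(e: Entity) -> bool:
    # Large enterprise: 250+ staff, or >EUR 50M turnover AND >EUR 43M balance sheet.
    return e.employees >= 250 or (e.turnover_eur > 50e6 and e.balance_sheet_eur > 43e6)

def exceeds_medium(e: Entity) -> bool:
    # Medium enterprise: 50+ staff, or >EUR 10M turnover AND >EUR 10M balance sheet.
    return e.employees >= 50 or (e.turnover_eur > 10e6 and e.balance_sheet_eur > 10e6)

def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out_of_scope' per the article's summary."""
    if e.subcategory in SIZE_INDEPENDENT:
        return "essential"
    if e.sector in ANNEX_I and exceeds_large(e):
        return "essential"
    if (e.sector in ANNEX_I or e.sector in ANNEX_II) and exceeds_medium(e):
        return "important"
    return "out_of_scope"

def fine_ceiling_eur(status: str, global_turnover_eur: float) -> float:
    """EU-wide minimum maximum: fixed amount or turnover share, whichever is higher."""
    if status == "essential":
        return max(10_000_000, 0.02 * global_turnover_eur)
    if status == "important":
        return max(7_000_000, 0.014 * global_turnover_eur)
    return 0.0

if __name__ == "__main__":
    # Constructed case from the article: 100 staff, EUR 20M turnover, Annex II sector.
    firm = Entity("manufacturing", 100, 20e6, 15e6)
    status = classify(firm)
    print(status, fine_ceiling_eur(status, firm.turnover_eur))  # important 7000000
```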
Timeline: Where We Stand in Mid-2026 #
- 17 October 2024: EU transposition deadline for member states
- 2024/2025: national implementation acts enter into force (Germany: 6 December 2025, with no general transition period)
- 2026: registration with national authorities is underway or complete. In Germany, registration with the BSI was due by 6 March 2026 (the portal opened on 6 January 2026); particularly important entities must prove implementation to the BSI by December 2028
- Ongoing: supervisory activity has started. Essential entities face proactive supervision, important entities are supervised after the fact
If your organisation is in scope and has not yet registered or implemented the Article 21 measures, you are late, not early. Treat the gap analysis as urgent.
First Steps: What You Should Do Now #
Step 1: Determine Your Status #
- Are you an “essential” or “important” entity under the national implementation act?
- Does your organisation meet the size thresholds, or are you covered regardless of size?
- Have you registered with the competent national authority?
Step 2: Conduct a Risk Assessment #
- Which data is critical?
- Which systems are mission-critical?
- Where are the vulnerabilities? (Security audit, penetration test)
Step 3: Plan Measures #
- Develop a backup concept with an offline or air-gapped copy
- Document a patch management process
- Write an incident response plan with the 24h/72h/1-month reporting deadlines built in
- Organise employee and management training
Step 4: Implement #
- Procure hardware and software
- Configure systems
- Document processes
- Conduct tests
Step 5: Audit and Evidence #
- Work towards ISO 27001 (optional, but it covers much of Article 21)
- Conduct internal or external audits
- Document compliance so you can prove it to the supervisory authority
Frequently Asked Questions #
Does NIS2 apply to us if we have fewer than 50 employees? Usually not, unless you are in a category covered regardless of size (for example qualified trust service providers, TLD registries, or sole providers of a critical service). Not being in scope does not mean you are safe from cyberattacks; the Article 21 measures are sound practice for any organisation.
We operate in several EU countries. Which law applies? As a rule, you fall under the jurisdiction of the member state where you are established; for some digital services, the main establishment principle applies. You may need to register in more than one country. Check each national act.
What if we are not compliant: will we be penalised immediately? Supervisory authorities typically start with audits and binding instructions to remediate. Persistent non-compliance leads to fines, and for essential entities, in serious cases, to suspension of certifications or management functions.
Is ISO 27001 sufficient? ISO 27001 is a strong foundation and covers many NIS2 requirements structurally. It is not a 1:1 equivalent: you must map the Article 21 measures and the national reporting and registration duties explicitly.
Further Resources #
- NIS2 Implementation Deadlines: Timeline and Fines (/en/blog/nis2-umsetzungsfristen/)
- NIS2 Personal Liability: What Executives Need to Know (/en/blog/nis2-persoenliche-haftung/)
- NIS2 and IT Resilience: What the Directive Requires (/en/blog/nis2-it-resilienz-anforderungen/)
- Under NIS2 (/en/blog/supply-chain-security-nis2/)
- Silent Brick System: Hardware for NIS2 Compliance (/en/produkte/silent-brick-system/)
- Request a Demo (/en/kontakt/demo/)
Supply Chain Security
Supply chain security refers to the systematic assessment, securing and contractual obligation of all IT service providers, cloud providers and storage vendors in an organization's IT supply chain — NIS2 and DORA make this mandatory and require evidence of data localization, audit rights and exit strategies.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.