The NIS2 Directive (Network and Information Security, second version) was published in the Official Journal of the EU on 27 December 2022. It replaces the original NIS Directive of 2016 and significantly expands the scope of application: in Germany alone, an estimated 30,000+ companies and public bodies fall under NIS2 — including many that had not previously considered themselves critical infrastructure.

Covered entities include essential entities (energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration) and important entities (postal services, waste management, chemicals, food, manufacturing, research). The general threshold is 50 employees and €10 million turnover — for certain sectors (e.g., healthcare, energy), NIS2 applies regardless of size.

NIS2 requires specifically: backup management and recovery, crisis management, supply chain security, incident handling, business continuity and vulnerability management. Critically, NIS2 requires not just measures but proof of them. A software-based backup solution whose protection can be switched off with administrator rights does not constitute sufficient evidence of a physically isolated backup, because the same compromised credentials that an attacker would use to destroy the data can also disable the protection.

NIS2 establishes personal liability for management bodies: CEOs and board members must not only approve cybersecurity measures but actively monitor them. They cannot plead ignorance if they failed to establish an adequate reporting structure that keeps them informed. Fines: up to €10 million or 2% of global annual turnover for essential entities.

Frequently asked questions

Which entities fall under NIS2?

Essential entities from the sectors of energy, transport, banking, healthcare, drinking water, digital infrastructure and public administration, as well as important entities from postal services, waste management, chemicals, food, manufacturing and research. Generally from 50 employees and €10 million turnover; in certain sectors (e.g., healthcare, energy) without size threshold.

What does NIS2 require for backups?

NIS2 requires backup management and recovery as an explicit minimum measure. This includes: documented backup strategies and procedures, regular recovery tests with documented results, and a physically isolated backup that cannot be destroyed even with compromised administrator credentials. A physical air gap is the strongest available means of meeting this requirement.