NIS 2 Summary: The directive explained in brief

The most important thing in brief:

In this post, we will give you a compact NIS 2 summary: The NIS2 policy (Network and Information Security Directive 2) is a significant step by the EU to strengthen cybersecurity. It builds on the original NIS Directive from 2016 — but goes much further. What is changing in practice? And what does that mean for IT practice in companies?

NIS 2 Policy Summary: What does it say?

Die NIS2 policy aims to increase the cyber resilience of critical infrastructures and key companies across the EU. It requires certain companies and organizations to take comprehensive measures to protect their networks and IT systems. Although EU Member States were required to comply with the Directive to be transposed into national law by October 2024, Implementation is still faltering in many countries. Companies should nevertheless familiarise themselves with the requirements at an early stage, as there is usually a transition period of up to three years following national implementation to provide full proof. Detailed information about the policy can be found in our blog article NIS2: Requirements, penalties and implementation.

Key contents of the NIS-2 Directive:

• Introduction of uniform safety requirements in the EU
• Expanded scope: More companies and sectors are affected
• Reporting requirements for security incidents within 24 hours
• Stricter oversight and enforcement mechanisms by national authorities
• Personal liability for management in the event of violations

As there are country-specific differences, please also read our blog articles on implementation in Germany or Austria.

What does NIS2 change?

Compared to the first NIS Directive, NIS2 not only tightens existing requirements, but also significantly expands the circle of affected companies. Not only operators of critical infrastructures are affected anymore, but also numerous medium-sized companies, e.g. in the areas of IT services, energy, transport, health or digital services.

Overview of important changes:

• Clear definition of “essential” and “important” institutions
• Higher security requirements for technical and organizational measures
• Commitment to risk analysis and implementation of appropriate protective measures
• Increased corporate governance responsibility (governance obligation)

Two categories are affected by the new Directive:

• Essential facilities such as energy suppliers, banks, healthcare or public administration
• Key facilities such as manufacturers of critical products, digital services, or postal and courier services

We have summarized the exact differentiation by sector and company size as well as information on the impact assessment for you in another blog article: NIS2: Who is affected?

Differences between NIS and NIS2

NIS 2 formulates significantly more specific and comprehensive requirements. The focus is on a Risk and resilience-oriented approach: Instead of trying to prevent every attack preventively, the policy aims at a continuous improvement of the security situation off. Not only technical but also organizational processes are considered — from incident response to emergency planning.

The goal: Protecting populations and maintaining critical services, even in the event of successful attacks.

‍

More protection — more effort?

For many companies, the implementation of NIS 2 means a noticeable additional personnel and financial expenses. According to the BSI, in Germany alone, the directive concerns around 30,000 companies — significantly more than the previous 4,600 companies under KRITIS regulation. What is also new is that medium-sized companies with 50 employees or less may fall under the regulation.

The following applies to these companies: The measures must always be appropriate and proportionate be implemented to the size of the company and the risk. In addition, following the entry into force of the German Implementation Act (NIS2umsuCG), a transitional period of up to three yearsto meet all requirements.

For many companies, the documented verification safety measures and processes — in particular for companies that have had little contact with regulatory requirements so far.

NIS2 checklist for companies

Practical guide to prepare for the NIS 2 Directive

The following checklist helps companies implement the requirements of the NIS 2 Directive in a structured manner. It provides orientation in key areas of action — from risk analysis to IT documentation — and takes into account both technical and organizational measures.

1. Define responsibilities and responsibilities

• Name a responsible executive-level person who is responsible for cybersecurity in the company.
• Define internal roles and responsibilities, such as for IT security officers or contacts in case of security incidents.
• Establish clear decision-making processes and documentation requirements in the event of a crisis.

2. Risk analysis and assessment of protection requirements

• Carry out a structured analysis of potential IT risks and assess their probability of occurrence and effects.
• Determine the protection needs of your systems, networks, data, and processes.
• Consider both external threats (such as cyber attacks) and internal vulnerabilities (such as misconfigurations).

3. Set up or update IT documentation

• Create a complete overview of your IT infrastructure, including network topologies, servers, clients, applications, and user permissions.
• Make sure that the IT documentation is always up to date, complete and audit-proof.
• Use an automated solution like Docusnap to minimize effort and improve the quality of IT documentation.

4. Implement technical and organizational security measures

• Implement basic IT security measures, such as firewalls, access controls, encryption, and monitoring.
• Establish clear guidelines and processes for the secure handling of IT systems and data.
• Review the effectiveness of these measures regularly and adjust them as risks change.

5. Prepare emergency management and incident response

• Develop an incident response plan that governs the detection, reporting, and response to security incidents.
• Set up internal reporting channels that allow an initial report within 24 hours — as required by the NIS 2 Directive.
• Create one Emergency and recovery plan to remain able to act in the event of a failure of essential IT systems.

6. Sensitize and train employees

• Conduct regular IT security training tailored to different roles and departments.
• Share knowledge about current threats, reporting requirements and the secure use of IT systems.
• Foster a security culture in the company in which IT risks are identified and openly communicated.

7. Involve supply chains and external service providers

• Check which external partners have access to critical systems or data.
• Make sure that your service providers also implement appropriate security measures and that these are contractually regulated.
• Conduct regular safety assessments of your supply chain.

8. Document implementation and prepare evidence

• Record all implemented measures and processes in writing — ideally in a structured and digital form.
• Prepare yourself for potential audits by regulatory authorities (such as the BSI in Germany) by providing verifiable evidence.
• Use tools such as Docusnap to automatically collect technical information and provide it in an evaluable form.

Conclusion - NIS 2 summary‍

Die NIS 2 Policy is not just a legal requirement — it is a wake-up call for more IT security. Companies that act now not only provide themselves with legal certainty, but also more stable IT operations and better resilience against cyber attacks. With Docusnap as an IT documentation tool, you can get started with NIS 2 compliance efficiently and sustainably. Read the blog article to find out how our tool can help you implement the Directive NIS2: Requirements, penalties, and implementation.