What is NIS-2?

NIS-2 is an EU-wide directive aimed at strengthening the cybersecurity and digital resilience of organizations. It is a further development of the previous NIS Directive and responds to the sharp increase in cyber threats, IT failures, and the growing digital dependence of companies and public institutions.

The aim of NIS-2 is to create a uniformly high level of security for network and information systems throughout Europe. To this end, the directive significantly expands both the group of organizations affected and the requirements for cybersecurity, governance, and control.

It is no longer just traditional critical infrastructures that are affected. NIS-2 also applies to many medium-sized and large companies in sectors such as IT services, digital services, industry, energy, health, transport, administration, and research. The decisive factor here is not whether a company classifies itself as "critical," but whether it falls under the defined size, industry, and role characteristics.

NIS-2 focuses on the following areas, among others:

• systematic cyber risk management,
• clear responsibilities at management level,
• Measures for the prevention, detection, and handling of security incidents,
• as well as mandatory reporting and documentation obligations to authorities.

Since when has NIS-2 been mandatory?

The NIS-2 Directive has been in force at EU level since January 2023. However, it will only become binding for companies once it has been implemented nationally in the individual EU member states.

The EU has set a clear deadline for this:
All member states had to transpose NIS-2 into national law by October 17, 2024, at the latest.
From this date onwards, NIS-2 will be mandatory for all affected organizations, depending on the respective national implementation law.

Important:
NIS-2 is not a future requirement. There is no "grace period." Companies must be able to demonstrate that they meet the requirements of the directive as soon as the national law comes into force.

Why NIS-2 is more than just an IT issue

NIS-2 makes cybersecurity a management task. Senior management bears explicit responsibility for compliance with the directive. Security measures can no longer be delegated exclusively to IT. Violations are subject to severe penalties, which may also affect management.

In addition, NIS-2 requires that cybersecurity be implemented in a verifiable and traceable manner. Organizations must be able to demonstrate that risks are assessed, measures are defined, and incidents are handled in a structured manner. Individual technical solutions are not sufficient for this purpose.

Another key point is the reporting requirements for security incidents. Certain incidents must be reported within clearly defined time limits. This requires prepared processes, clear responsibilities, and a common understanding—long before an emergency occurs.

Supply chains and external service providers are also coming under greater scrutiny. NIS-2 requires dependencies to be assessed and security risks to be taken into account along the entire value chain. Cybersecurity therefore does not end at the boundaries of one's own organization.

In short:
NIS-2 is not purely an IT project, but also affects organization, processes, governance, and leadership. Those who prepare early can prioritize in a structured manner, reduce risks, and avoid unnecessary time and cost pressures.

From policy to understanding: NIS-2 Foundation

In order to properly classify NIS-2 and make informed decisions, a solid basic understanding of the directive is crucial. This is exactly where the NIS-2 Foundation training comes in.

The NIS-2 Foundation teaches the basics of the directive, explains key terms, roles, and responsibilities, and clearly shows what NIS-2 means for organizations in concrete terms. It is aimed at executives, IT and security managers, and anyone who needs to understand NIS-2 strategically and practically.

The Foundation thus provides the ideal introduction to NIS-2 – as a basis for further qualification and structured implementation in your own organization.