EU 2022/2555

What is NIS2?

EU Directive 2022/2555 on cybersecurity - the most significant overhaul of EU-wide cybersecurity regulation since 2016.

Overview

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across all Member States. It replaces the original NIS Directive from 2016.

NIS2 dramatically expands the scope of EU cybersecurity regulation - from approximately 10,000 entities under NIS1 to an estimated 160,000 across Europe. In Germany alone, roughly 29,500 companies are affected.

The directive mandates harmonized risk management measures, incident reporting obligations, and supply chain security requirements. It introduces personal liability for management and significantly higher penalties for non-compliance.

Key Dates

Date             | Event
-----------------|-------------------------------------------------------------
14 December 2022 | NIS2 Directive published in the EU Official Journal
16 January 2023  | NIS2 enters into force at EU level
17 October 2024  | Deadline for Member States to transpose into national law
17 April 2025    | Deadline for Member States to establish entity registries
17 October 2027  | European Commission reviews the directive's functioning

NIS1 vs NIS2

Aspect                | NIS1 (2016)                                                       | NIS2 (2022)
----------------------|-------------------------------------------------------------------|----------------------------------------------------
Scope                 | ~10,000 entities in the EU                                        | ~160,000 entities in the EU
Sectors               | 7 sectors                                                         | 18 sectors (11 highly critical + 7 other critical)
Entity classification | Operators of essential services (OES) + digital service providers | Essential entities + Important entities (size-based)
Penalties             | Set by Member States, varied widely                               | Harmonized: up to EUR 10M or 2% of global turnover
Management liability  | Not addressed                                                     | Personal liability for management bodies
Incident reporting    | Without undue delay                                               | Strict 24h / 72h / 1 month cascade
Supply chain          | Not addressed                                                     | Mandatory supply chain security assessment
Supervision           | Left to Member States                                             | Proactive (essential) + reactive (important)

18 Affected Sectors

Annex I - Sectors of High Criticality
Large entities in these sectors are classified as essential (in the German transposition: besonders wichtige Einrichtungen, "particularly important entities"). Medium entities are classified as important.
  1. Energy (electricity, district heating/cooling, oil, gas, hydrogen)
  2. Transport (air, rail, water, road)
  3. Banking
  4. Financial market infrastructures
  5. Health (hospitals, pharma, medical devices, reference labs)
  6. Drinking water
  7. Wastewater
  8. Digital infrastructure (DNS, TLD, cloud, data centres, CDN, telecom)
  9. ICT service management - B2B (MSP, MSSP)
  10. Public administration
  11. Space

Annex II - Other Critical Sectors
Entities in these sectors are classified as important, regardless of whether they are medium or large.
  1. Postal and courier services
  2. Waste management
  3. Chemicals (manufacturing, production, distribution)
  4. Food (wholesale, industrial production, processing)
  5. Manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, other transport)
  6. Digital providers (online marketplaces, search engines, social networks)
  7. Research organizations

Size Thresholds

NIS2 uses the EU SME definition. Classification is determined by employee count OR financial metrics (both turnover AND balance sheet must be exceeded for the financial test).

Size   | Employees        | Financial Threshold                                  | NIS2 Scope
-------|------------------|------------------------------------------------------|-----------------------
Large  | ≥ 250            | > EUR 50M turnover AND > EUR 43M balance sheet       | In scope
Medium | ≥ 50 (and < 250) | > EUR 10M turnover AND > EUR 10M balance sheet       | In scope
Small  | < 50             | ≤ EUR 10M turnover AND ≤ EUR 10M balance sheet       | Generally out of scope

Certain entity types are in scope regardless of size - including DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services.

Key Obligations at a Glance
  • Implement 10 mandatory cybersecurity risk management measures
  • Report significant incidents within 24h / 72h / 1 month
  • Management must approve, oversee, and be trained on cybersecurity
  • Assess and manage cybersecurity risks in the supply chain
  • Register with the national competent authority
  • Maintain evidence of compliance (audits for KRITIS operators every 3 years)