NIS2: Be prepared with @-yet
The EU NIS2 Directive has been part of German national law since December 6, 2025, and presents new challenges for businesses and public institutions. These challenges are significant: heightened security requirements, stricter reporting obligations, and more comprehensive risk management measures. These are just a few of the aspects that more businesses and organizations than ever before must now implement.
Step-by-step NIS2 implementation with @-yet
Many companies are facing the daunting task of modernizing their IT infrastructures and strengthening their security measures. But NIS2 is much more than just a bureaucratic burden. Implementing the directive is an important step toward greater security in the digital realm.
@-yet supports you in implementing the NIS2 requirements. Our experts analyze your existing organizational measures and security structures, develop customized solutions, and guide you step by step toward full implementation.
What is NIS2?
The NIS2 Directive (Network and Information Security Directive) is an extended EU directive. It was published on December 27, 2022 and came into force on January 16, 2023. The aim of the directive is to increase cyber security for companies and organizations throughout the EU. It replaces the original NIS Directive and expands its scope and requirements.
The aim is to ensure a uniform level of security for network and information systems in the European Union and to establish a uniform register for security notifications. To this end, NIS2 – and the resulting German law – obliges companies and public institutions to implement stricter security measures, systematic risk management and better cooperation with authorities. The directive is intended to increase resilience against cyber attacks and ensure that the EU can effectively respond to digital threats by tracking trends and developments.
As an EU directive, NIS2 still has to be transposed into national law by the EU member states. In Germany, this is regulated by the “Law on the Implementation of EU NIS2 and Strengthening Cyber Security” (NIS2UmsuCG), which was initially scheduled to come into force on October 17, 2024. According to the current status, the law is not expected to be passed until the beginning of 2025.
The NIS2 directive is often seen as a superfluous bureaucratic instrument. However, the implementation of NIS2 will bring numerous advantages.
NIS2 requirement met: @-yet mandatory training for management
Are you part of the management team?
The NIS2 Directive places direct responsibility on you. Management bodies must regularly participate in training to ensure they can assess risks effectively. In a cross-industry NIS2 training course, we’ll equip you with the necessary knowledge. The content is concise, practical, and delivered through interaction with other decision-makers. Find out more now!
Lower costs by increasing availability
One of the biggest advantages of the NIS2 directive is the improvement of cyber security for companies. The implementation of stricter requirements for IT and information security increases resilience against cyber attacks. Through the regular risk assessments provided for by NIS2, companies also recognize and remedy existing vulnerabilities more quickly and effectively. Overall, this leads to a more robust security infrastructure.
Companies therefore benefit from a reduced susceptibility to security breaches. On the one hand, this guarantees the long-term stability and security of business operations. On the other hand, increased resilience to attacks also means lower costs that would be incurred for eliminating the consequences of a security incident or due to production downtimes. Many companies will have to make investments in security at the beginning. In the long term, however, these investments will pay off through higher availability.
What will NIS2 bring to companies?
The NIS2 directive affects a larger number of economic sectors than previous regulations. Previously, only certain sectors such as energy, transport and banking were affected. NIS2 will also include telecommunications providers, postal services and food production, for example, and will extend to facilities and companies from 18 industries. This means that the new rules will apply to around 30,000 to 40,000 companies in Germany that were not previously affected.
Another new feature of NIS2 is the significantly stricter requirements for IT and information security. The first NIS Directive prescribed basic security measures for companies and the reporting of serious security incidents. NIS2 requires regular risk assessments and significantly stricter measures. In addition, organizations and companies are obliged to report significant incidents within 24 hours and must subsequently provide the authorities with detailed information about the security-critical incident.
The directive also requires the training of employees on cyber security topics (“awareness”) and the implementation of emergency plans. Companies must ensure continuous monitoring and updating of their IT infrastructures.
A positive side effect will be the closer cooperation and exchange of information between national and European authorities. The bundled knowledge gained in this way will enable threats to be identified and combated at an early stage.
Frequently Asked Questions regarding the NIS2 Directive
Whether you are subject to the NIS2 requirements depends primarily on your industry and the size of your company. In general, NIS2 applies to companies that:
- operate in one of the 18 critical sectors (e.g., energy, healthcare, waste management, food, or digital services), and
- employ at least 50 people or have an annual turnover or balance sheet total exceeding 10 million euros.
Certain companies (e.g., providers of public communications networks) are affected regardless of their size.
Penalties for violations of the NIS2 requirements are severe and comparable to those under the GDPR. The potential fines depend on the classification of the entity and may amount to:
- €10 million or 2% of the previous year’s global turnover (for critical entities)
- €7 million or 1.4% of the previous year’s global turnover (for important entities)
The higher amount applies in each case.
In short: Yes, but …
Section 38 of the German NIS2 Implementation Act stipulates that the management of critical and highly critical infrastructure entities is liable to the company for (culpable) violations of the NIS2 Directive. However, the law does not create new liability rules but rather links the issue of liability to existing corporate law. This means that, under the NIS2 Implementation Act, managing directors are liable only if there is no specific legal provision for the respective corporate form. For a limited liability company (GmbH), this is covered by the GmbH Act (Section 43), and for a stock corporation (Aktiengesellschaft), by the Stock Corporation Act (Section 93).
However: NIS2 is fundamentally a matter for top management. This means that management is obligated to implement and monitor the implementation of measures in accordance with NIS2.
Managing directors must also regularly participate in training sessions in which they learn to identify and assess cyber risks and to evaluate the practical application of risk management measures.
The reporting requirements for critical and important facilities are set forth in Section 32. The relevant report must be submitted to the Federal Office for Information Security.
- The initial report must be submitted immediately, but no later than within 24 hours, after becoming aware of a “significant” security incident.
- A more detailed update must also be provided “immediately,” but no later than within 72 hours. This update must confirm or update the initial report, state the severity and any potential impacts, and identify possible indicators of compromise.
- After no later than one month, a comprehensive final report must be submitted, containing a detailed description of the security incident, its causes, its impacts, and the measures currently being taken or already implemented. If the security incident is still ongoing after one month, a progress report must be submitted instead of a final report.
Yes. The Federal Office for Information Security (BSI) has set up a dedicated portal for this purpose, where critical and highly critical facilities are required to register. This portal can be accessed at https://portal.bsi.bund.de/.
Please note: Affected companies must register with the BSI on their own initiative and provide their master data and contact information. The BSI will not send out any requests.
Note: The following information does not constitute legal advice, nor is there any guarantee of its completeness or accuracy.
The BSI Act refers to “important” and “particularly important” facilities. The classification is based primarily on how critical a sector is to the functioning of society and on the size of a company or facility.
The following classification generally applies:
Important facilities:
- Postal and courier services
- Waste management
- Production, manufacturing, and trade in chemical products
- Production, trade, and processing of food
- Manufacturing industry / production:
  - Manufacture of medical devices
  - Manufacture of data processing equipment, electronic, and optical products
  - Manufacture of electrical equipment
  - Mechanical engineering
  - Manufacture of motor vehicles and motor vehicle parts
  - Other vehicle manufacturing
- Digital services
- Research institutions (excluding universities)
Particularly important facilities:
- Electricity, district heating and cooling, petroleum, natural gas, and hydrogen
- Air transport, rail transport, shipping, and road transport
- Credit institutions (banks)
- Financial market infrastructures: operators of trading venues
- Healthcare
- Drinking water extraction, treatment, and distribution
- Wastewater disposal and treatment
- Digital infrastructure:
  - Internet exchange points and DNS services
  - Top-level domain name registries (TLD)
  - Cloud computing services and data center services
  - Content delivery networks (CDN)
  - Trust service providers
  - Providers of public electronic communications networks or services
- Managed services (ICT services): Managed Service Providers (MSP) and Managed Security Service Providers (MSSP)
- Space: operators of ground infrastructure
- Public administration: federal and state institutions
However, classification as a critical or particularly critical sector is not determined by industry alone, but by a combination of industry and company size.
- Large enterprises (≥ 250 employees OR ≥ €50 million in revenue & €43 million in total assets) in the “particularly critical” sectors are automatically considered particularly critical entities.
- Medium-sized companies (≥ 50 employees OR ≥ €10 million in revenue/total assets) in “particularly important” sectors, or all affected companies in “important” sectors, are important entities.
The experts at @-yet are happy to assist you if you have questions about this classification or would like to know which sector your company falls under.
Advice and assistance with the implementation of NIS2
The implementation of the NIS2 directive will bring a wealth of new and complex tasks for companies. This requires not only in-depth know-how, but above all personnel resources.
@-yet is at your side to provide you with comprehensive support in implementing the NIS2 directive. Our experienced security experts ensure that you can meet all requirements.
@-yet NIS2 consulting
NIS2 means increased security requirements and more comprehensive risk management for many companies. @-yet accompanies you, starting with a maturity level assessment. A subsequent business impact analysis serves as the basis for risk management. Step by step, the experts at @-yet develop your organization’s conformity with NIS2 on the basis of the implementation law. In addition to awareness training for the management level, @-yet supports technical and organizational measures.
With @-yet, you can protect what is most valuable.
Arrange your free, no-obligation consultation now.
Arrange your personal appointment now for a non-binding and free consultation. Our security and data protection experts will be happy to answer your questions.
Direct contact:
Phone: +49 2175 16 55 0
Email: info@at-yet.de
We look forward to hearing from you!