
NIS-2 Simply Explained: What Businesses Need to Know Now

The EU Directive introduces new security requirements for network and information systems.

Robin Schmeisser

Created on 11 May 2026

Rising cyberattacks, supply chain risks and geopolitical tensions are making cybersecurity a key issue for companies in the EU. In response, the European Union has introduced NIS-2, which sets out significantly stricter and more widely applicable requirements for cybersecurity, risk management and incident reporting.


What is NIS-2?

NIS-2 is the revised EU Directive on Network and Information Security. It replaces the original NIS Directive of 2016 and establishes a harmonised cybersecurity framework across the EU.
The aim is to raise the level of security in systemically important sectors by requiring "appropriate technical and organisational protective measures".

These include:

  • Structured risk management
  • Measures for detecting, handling and reporting security incidents
  • Stronger supply chain security
  • Training for employees
  • Clearly defined responsibilities
  • Documentation requirements
  • Regular reviews of the effectiveness of the measures
  • Active involvement of senior management in security-related decisions, with personal accountability for compliance

This means that cybersecurity is no longer purely an IT issue, but a management and corporate responsibility.


Who does NIS-2 apply to?

Until now, the focus has been on critical sectors that are essential to the functioning of the economy and society, such as energy, transport, banking*, healthcare, drinking water, waste water, digital infrastructure and public administration.
NIS-2 significantly expands the scope of affected public and private entities. Newly included are sectors that were previously unregulated or only partially regulated, yet which play a central role in digital and economic stability.


Overview of affected sectors

Sectors of high criticality:
  • Energy
  • Transport
  • Banking*
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Other critical sectors:
  • Postal and courier services
  • Waste management
  • Chemicals (manufacture, production, distribution)
  • Food (production, processing, distribution)
  • Manufacturing
  • Digital providers
  • Research

*) For banks and other financial institutions, the sector-specific requirements of DORA take precedence. Depending on their classification, however, NIS-2 may still be relevant to them.

In addition to the sector, whether and how NIS-2 applies depends on the size of the company. As a rule, NIS-2 covers companies with at least 50 employees, or with an annual turnover or balance sheet total exceeding €10 million. Depending on the sector and the national implementation, however, exceptions and special provisions apply, so whether a company falls under NIS-2 must always be assessed in its individual context. Companies that do not fall directly within the scope of the directive may still be affected indirectly as suppliers or service providers in the supply chain of regulated organisations, because those organisations must pass security requirements on to their suppliers.


Timeframe and deadlines

The NIS-2 Directive came into force in January 2023. EU member states were required to transpose it into national law by 17 October 2024, a deadline most of them missed, which has resulted in different implementation speeds and deadlines in each country.


Germany

In Germany, the NIS-2 Implementation Act came into force on 6 December 2025, and its requirements have applied since then.
Since January 2026, affected entities have been required to register via the BSI portal. Formal proof of the implemented measures is not required until three years have passed. An earlier review may, however, take place in special cases or during ad hoc audits.


Austria

In Austria, the NISG was published on 1 January 2026 and will take effect on 1 October 2026 after a transition period. Affected companies then have three months (until 1 January 2027) to register. Self-declarations of the implemented measures must be submitted by 1 October 2027.


Next steps: What companies should do now

  • Check whether your company falls within the scope of NIS-2, directly or as a supplier.
  • Define internal responsibilities for NIS-2 implementation.
  • Register with the national authority responsible for NIS.
  • Establish a process for meeting your cyber incident reporting obligations.
  • Ensure that management receives regular training.
  • Implement appropriate risk management measures and review their effectiveness regularly.


You can find country-specific information on impact assessment, registration, reporting requirements, and much more here: NIS-2 implementation Germany | NIS-2 implementation Austria