NIS2 in Practice: What Managed Service Providers Need to Know Now

The NIS2 Directive places new demands on companies throughout Europe and simultaneously raises expectations of their IT service providers. In addition to technical measures, the focus is shifting to transparency and verifiability. This article shows what this means in concrete terms and how the requirements can be implemented in practice.

What is the NIS2 Directive?

The NIS2 Directive (Directive (EU) 2022/2555) is the central European regulation for strengthening cybersecurity and significantly expands the previous requirements of the first NIS Directive. It no longer affects only operators of critical infrastructure, but a much larger group of companies.

Affected organizations are obligated to systematically manage risks to their network and information systems and implement suitable security measures. In addition to technical measures, the focus is also on organizational requirements - in particular the responsibility of company management.

The key requirements include structured risk management, clear reporting obligations in the event of security incidents and the verifiability of security measures. Companies must be able to demonstrate how they identify, assess and deal with risks at all times.

This also increases the importance of IT service providers and Managed Service Providers, who are often part of the regulatory supply chain and contribute significantly to the level of security and verifiability for their customers.

What has Changed Since 2024: Current Status of Implementation

Since the original transposition deadline expired in October 2024, the situation has become much more concrete. National laws have been passed or finalized, authorities have begun to actively identify affected companies, and the requirements are increasingly being demanded in audits, contracts and security assessments.

At the same time, specific technical requirements and guidelines have been published at EU level. An announced regulation has thus become an operational compliance issue. The NIS2 Directive came into effect on January 16, 2023 and had to be transposed into national law by the EU member states by October 17, 2024. In practice, however, the implementation status is inconsistent:

Germany

The NIS2 Implementation Act has been in force since December 2025. Since then, companies must comply with the requirements immediately; there is no transition period.

Mandatory Registration with the BSI

Affected companies are obliged to register with the Federal Office for Information Security (BSI). For companies that were already covered by the directive when it came into force, the original registration deadline ended on March 6, 2026. However, the obligation to register still applies: organizations that only discover that they are affected later or are newly covered by the directive must register immediately or within the statutory deadline. Failure to register or late registration constitutes a compliance violation and can be punished with fines.

Austria

This will be implemented via the new Network and Information System Security Act (NISG 2026), which is expected to come into force in Autumn 2026.

Which Companies are Subject to the NIS2 Directive

The NIS2 Directive expands the scope of affected organizations compared to the original NIS Directive. While the first version focused primarily on operators of critical infrastructure, NIS2 covers significantly more companies. The directive distinguishes between essential entities (in the German act: "particularly important entities") and important entities. Both groups are subject to mandatory cybersecurity risk management requirements as well as reporting obligations in the event of security incidents.

How is Classification Determined?

Whether a company falls under NIS2 and how it is classified depends on its sector and its company size. The sectors define which companies are generally covered. The size determines whether they are classified as essential or important entities.

High-Criticality Sectors

The particularly critical sectors listed in Annex I of the Directive include, among others:

  • Energy

  • Transport

  • Banking & Financial market infrastructures

  • Healthcare

  • Drinking water & Waste water

  • Digital infrastructure (e.g. internet nodes, DNS services, cloud and data center providers)

  • ICT service management (Business-to-Business)

    • Managed Service Providers

    • Managed Security Service Providers

  • Parts of the public administration

  • Space

Other Critical Sectors

Other critical sectors, as defined in Annex II of the Directive, include, among others:

  • Postal and courier services

  • Waste management

  • Manufacture, production and distribution of chemicals

  • Food production, processing and distribution

  • Manufacturing/production of goods

  • Digital service providers (e.g. online marketplaces, search engines, social networks)

  • Research

Size Criteria

Whether a company is classified as essential or important depends primarily on the thresholds for number of employees, annual turnover and balance sheet total, with the sector to which it belongs setting the framework.

Sample Classification of a Managed Service Provider (MSP)

Size of the MSP | Classification | Supervision & Sanctions
Large (≥ 250 employees, or > €50 million turnover and > €43 million balance sheet total) | Essential entity | Proactive: regular audits without specific cause. Fine: up to €10 million or 2% of global annual turnover, whichever is higher.
Medium-sized (50–249 employees, or > €10 million turnover and > €10 million balance sheet total) | Important entity | Reactive: audit only in the event of an incident or suspicion. Fine: up to €7 million or 1.4% of global annual turnover, whichever is higher.
Small (< 50 employees, and turnover and balance sheet total each < €10 million) | Not directly in scope, indirectly affected | Contractual: no direct supervision by the BSI, but supply-chain obligations imposed by regulated customers.

An MSP is considered an essential entity if it meets the criteria for a large enterprise. This is the case if it employs at least 250 employees or reports both an annual turnover of over 50 million euros and a balance sheet total of over 43 million euros.

In contrast, companies that meet the criteria for medium-sized enterprises but fall below the thresholds for large enterprises are classified as important entities. This applies if an MSP employs at least 50 employees or achieves both an annual turnover and a balance sheet total of over 10 million euros.

Micro and small enterprises that employ fewer than 50 employees and whose annual turnover and balance sheet total are each below 10 million euros are generally not subject to direct regulation. An exception applies if the BSI explicitly designates them as regulated entities because of their specific systemic importance or because they are the sole provider of a critical service. Note that this size threshold does not apply to every sector: the directive covers certain digital-infrastructure services (for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks) regardless of size. Managed service providers as such are not among these size-independent categories.

Difference Between Essential and Important Entities

The requirements for security measures are fundamentally the same for both groups, but differ in the intensity of oversight and the severity of potential penalties.

  • Essential entities are subject to proactive oversight. This means that the BSI can request documentation, audits, or on-site inspections at any time and without a specific reason in order to verify compliance.

  • Important entities, on the other hand, are subject only to reactive oversight: the authority typically takes action only when there are indications of a violation, such as following a reported security incident.

In addition to this difference in the frequency of inspections, the groups differ in the maximum amount of fines and in the more extensive enforcement powers available against essential entities, such as temporarily prohibiting persons with managerial responsibilities (at CEO or legal-representative level) from exercising managerial functions in cases of serious negligence.

Why NIS2 Still Matters for “Small” Managed Service Providers

Many IT service providers are not formally directly covered by the directive. In practice, however, they are often part of the regulatory supply chain.

The systems they operate are a central component of their customers' security architecture. They therefore have a direct influence on the security status of the infrastructure, the ability to respond to security incidents and the ability to demonstrate a traceable security status to authorities or auditors.

For companies that fall under NIS2, the security of their service providers is therefore also an important factor.

What Role Managed Service Providers Play for Customers

The NIS2 directive is also changing the role of managed service providers. Customers increasingly expect support in assessing their security risks and documenting technical security measures.

As a result, MSPs are increasingly confronted with questions such as:

  • Which systems in our infrastructure are publicly accessible?

  • Are there any known vulnerabilities or misconfigurations?

  • Which risks should be prioritized for remediation?

  • How can we document our security status in a comprehensible manner?

IT service providers are thus increasingly becoming security and transparency partners for their customers. In addition to the operation of systems, the ability to clearly present and continuously monitor security statuses is becoming increasingly important.

Central Requirements of NIS2

The directive requires a range of technical measures to ensure the secure operation of network and information systems. These include functioning vulnerability management, reliable patch and update capability, secure system configurations, suitable access controls and identity management. Measures such as multi-factor authentication, backup and recovery strategies as well as monitoring and logging concepts are also part of the requirements.

It is crucial that these measures are regularly reviewed and documented in a traceable manner. Without transparency about the current security status of your own systems, it will be difficult to implement these requirements in practice.

In addition to technical security measures, the NIS2 directive also expressly requires comprehensive organizational risk analyses. These include, for example, risks in business processes, dependencies on service providers, personnel risks or physical security aspects. Companies must therefore establish holistic risk management that goes beyond pure IT security. In addition, the German implementation law explicitly obliges management to participate in training and awareness-raising measures in the area of cyber security.

Reporting Obligations for Security Incidents

Structured reporting processes are a central component of NIS2. Affected companies must report significant security incidents in several stages:

  • Early warning within 24 hours of becoming aware of the incident

  • Incident notification, including an initial assessment of severity and impact, within 72 hours of becoming aware

  • Final report no later than one month after the incident notification

These requirements expect that companies can quickly identify security incidents, assess their impact and document all relevant information in a structured manner.

Violations of the requirements can result in significant penalties. Depending on the classification, these can include fines of up to 10 million euros or 2% of annual global turnover. In addition, the management can also be held personally liable.

Crisis Management and Business Continuity

A central component of the NIS2 requirements is functioning crisis management as well as suitable business continuity and recovery plans. Companies must be able to remain capable of acting even in the event of serious security incidents, maintain critical processes and quickly restore business operations.

This includes defined emergency processes, clear responsibilities, communication plans and regular tests and exercises. Without these measures, the required reporting and response times can hardly be met in practice.

NIS2 in Practice: The Biggest Challenge is Transparency

Many companies already have individual security measures in place. In practice, however, the implementation of the policy often fails not due to a lack of tools, but due to a lack of transparency.

Typical challenges include an incomplete overview of publicly accessible systems, unknown vulnerabilities or misconfigurations and a lack of prioritization of risks. At the same time, the documentation of security measures is often time-consuming and is done manually. At the latest during audits or security assessments, it then becomes apparent that technical evidence is missing or difficult to trace.

How lywand Supports the Implementation of NIS2

Lywand supports IT service providers and companies in continuously analyzing the technical security status of their IT systems, making risks visible and documenting them in a traceable manner. The platform thus creates a technical basis for many NIS2 requirements.

Risk Analysis and Continuous Vulnerability Assessment

A central component of NIS2 is the continuous assessment of risks. Companies must regularly check which vulnerabilities or misconfigurations could make their systems vulnerable.

Lywand analyzes publicly accessible systems such as domains, IP addresses and mail servers as well as the internal IT infrastructure. Known vulnerabilities (CVEs), outdated software versions, misconfigurations and insecure protocols and services are detected.

In addition, the lywand agent is used to directly analyze Windows clients and servers. Among other things, it checks patch levels, security configurations and basic protection mechanisms such as firewalls and anti-virus software.

Furthermore, automatic asset discovery ensures transparency across the entire network. All accessible devices - from servers and laptops to printers and mobile devices - are detected and inventoried. This also makes unknown or forgotten systems visible.

A network check extends the analysis to all other systems in the network - even those without agents installed, such as Linux or macOS devices.

The results are collated centrally, prioritized and continuously monitored. This provides a complete picture of the actual attack surface, and risks can be reduced in a targeted and sustainable manner.

Reviewing Security Configurations and Preventive Measures

In addition to identifying vulnerabilities, the secure configuration of systems also plays an important role.

Lywand detects misconfigurations in TLS, missing HTTP security headers, and weak or missing email authentication records (SPF, DKIM, DMARC). It can also identify exposed administrative interfaces and unnecessarily open services. This allows typical attack vectors to be detected early and mitigated.

Recommended measures can be planned in a structured manner, and their implementation status can be tracked. During the next review, the system automatically verifies whether the measures have been effectively implemented and whether the identified vulnerabilities have actually been resolved.
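To make the email-authentication check concrete, the following is an added example (not lywand code) that evaluates a domain's SPF and DMARC records for the weak settings a scanner would flag: a missing record, an SPF policy ending in +all or ?all, too many DNS-querying mechanisms, a DMARC policy of p=none, a partial pct=, and a missing rua= reporting address. The TXT records are constructed sample data so the code runs offline; the domain names and the `lookup_txt` helper are assumptions, and in real use `lookup_txt` would be replaced by an actual DNS query.

```python
"""Evaluate SPF and DMARC records for weak or missing settings (added example, not lywand code)."""
import re

# Constructed sample TXT records keyed by DNS name. These are not real lookups;
# replace lookup_txt() with a real DNS TXT query (e.g. via dnspython) in practice.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test +all"],       # +all authorises any sender
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "secure.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.secure.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@secure.test"],
    "noauth.test": [],                                                 # domain publishes nothing
}

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4 limits these to 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)")


def lookup_txt(name, records=SAMPLE_TXT):
    """Assumed helper: return the TXT strings published at `name` (offline stand-in for DNS)."""
    return records.get(name, [])


def check_spf(domain, records=SAMPLE_TXT):
    """Return a list of findings for the domain's SPF record (empty list means no issue found)."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published; receivers cannot reject spoofed mail from this domain"]
    if len(spf) > 1:
        findings.append("SPF: multiple records published; RFC 7208 requires exactly one (permerror)")
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: policy ends in +all, which authorises any sender")
    elif last == "?all":
        findings.append("SPF: policy ends in ?all (neutral), which gives effectively no protection")
    elif last == "~all":
        findings.append("SPF: softfail (~all); acceptable only if DMARC enforces reject/quarantine")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism; unmatched senders default to neutral")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split a DMARC record into a tag dictionary, e.g. {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, records=SAMPLE_TXT):
    """Return a list of findings for the domain's DMARC record (empty list means no issue found)."""
    findings = []
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record; SPF/DKIM results are never enforced by receivers"]
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show no legitimate failures")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag; the record is ineffective")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not being collected")
    return findings


def assess_domain(domain, records=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(domain, records) + check_dmarc(domain, records)


if __name__ == "__main__":
    for d in ("example.test", "secure.test", "noauth.test"):
        print(d, assess_domain(d) or ["no findings"])
```

The same shape of check applies to the other configuration items the paragraph mentions: fetch the observable (DNS record, TLS parameters, HTTP response headers), normalise it, compare it against a policy, and record a finding with the reason, so that the next review can re-run the check and verify the measure was actually implemented.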

Identifying Risks in the Digital Supply Chain

The NIS2 Directive explicitly requires that risks within the digital supply chain be taken into account. Companies must understand which external services or providers are part of their infrastructure.

With lywand, IT service providers can analyze customer infrastructures from an external perspective, identify dependencies on hosting, DNS, or email services, and objectively assess security statuses.

Documentation and Verifiability

In addition to technical security, documentation is a key component of the directive.

Lywand supports this process with transparent security reports and historical trends in security assessments. This provides a technical foundation that can be used during audits, internal reviews, or client meetings.

What Software Can Do – and What It Can't

Software alone does not meet regulatory requirements. Platforms like lywand can perform technical risk analyses, provide transparency regarding security statuses, and deliver traceable reports. However, they cannot replace management decisions, organizational processes, or legal assessments. Implementing NIS2 always requires a combination of technology, organization, and clear responsibilities.

Connection to Existing Standards and Certifications

Many of the requirements of the NIS2 Directive overlap with established standards such as ISO 27001 or industry-specific frameworks such as TISAX. Companies that are already certified to such standards generally have a solid foundation – particularly in the areas of risk management, documentation, and organizational processes.

Nevertheless, existing certification does not automatically replace NIS2 compliance. Additional requirements – particularly regarding reporting obligations, communication with regulatory authorities, and the involvement of senior management – must be specifically addressed.

Sources, Further Information, and Implementation Guides

Various official resources are available to assist with the practical implementation of NIS2. The European Union Agency for Cybersecurity (ENISA) provides comprehensive guidance, including technical implementation aids, examples of security measures, and recommendations for risk management and incident response. These resources help translate the directive's requirements into concrete actions and implement them in a structured manner.

An overview of the most important official sources:

Conclusion

The NIS2 Directive raises cybersecurity requirements across Europe and mandates a security process that is traceable over the long term.

For IT service providers, this primarily means greater responsibility, higher transparency requirements, and an increasing emphasis on technical security analyses. Companies and IT service providers that wish to implement their NIS2 requirements effectively need one thing above all else: transparency regarding their actual attack surface.

Platforms like lywand provide the technical foundation to visualize risks, document measures in a traceable manner, and continuously monitor security statuses.

The biggest challenge is usually not the implementation of individual measures, but the establishment of a consistent, traceable, and actively practiced security process—spanning technology, organization, and management.

Daniel Reschreiter

April 20, 2026

Category

Guide
