
NIS2 Directive
NIS2 Consulting
The NIS2 Directive significantly expands cybersecurity obligations across Europe. We support you with scope analysis, technical implementation, incident reporting, and management liability.
Who NIS2 Affects – and What Is at Stake
The NIS2 Directive (Network and Information Security Directive 2) is the most significant expansion of EU cybersecurity legislation in years. It divides affected organisations into two categories: essential entities and important entities. Essential entities face stricter supervision and higher fines; important entities are subject to ex-post supervision but must meet the same technical requirements.
Affected organisations span 18 sectors – including energy, water, healthcare, digital infrastructure, financial services, transport, public administration, and waste management. Sector alone is not the only criterion: the size thresholds matter too. Mid-sized organisations with 50 or more employees or €10 million or more in annual turnover can fall directly under NIS2. Smaller organisations that provide critical services or form part of supply chains of essential entities may also be included.
What many underestimate: NIS2 creates direct personal liability for management. Executives can be held personally liable for violations – not just the organisation. Fines for essential entities can reach up to €10 million or 2% of global annual turnover. This makes NIS2 a board-level issue, not an IT matter.
The Ten Minimum Requirements under NIS2 Article 21
Article 21 of the NIS2 Directive defines concrete technical and organisational measures that affected entities must implement. These include: risk-based security management; incident response and business continuity plans; supply chain security; network and system security measures; physical access controls; cryptography and encryption; multi-factor authentication; and training for employees and management.
Supply chain security deserves particular attention: organisations must assess the cybersecurity maturity of their direct service providers and suppliers and ensure this contractually. This covers cloud providers, managed service providers, software vendors, and IT service companies. Organisations without structured processes here will not pass audits – and bear liability for failures.
Incident response is another focus area: for significant security incidents, strict reporting deadlines apply. Within 24 hours of detecting an incident, an early warning must reach the competent authority (BSI in Germany). A detailed report is due within 72 hours. A final report must be submitted within one month. These deadlines presuppose that organisations can detect incidents at all – which in turn requires security monitoring and logging.
Scope Analysis: Are You Actually Affected?
The first and most important question is: does NIS2 actually apply to your organisation? This question is less straightforward than it sounds. Sector classification, size thresholds, and exemptions can lead organisations to be affected without knowing it – or conversely to believe they are affected when they are not.
We conduct a structured scope analysis that evaluates your sector, organisation size, critical services, and role in the supply chains of essential entities. The outcome is a legally sound assessment of whether and to what extent NIS2 applies to you. If you are affected, we produce a prioritised implementation plan on that basis.
For many mid-market organisations, NIS2 represents first contact with regulatory cybersecurity obligations. We take that starting point seriously: our approach is pragmatic, economically proportionate, and designed to produce genuine security – not just compliance documentation.
Implementation in Practice: What NIS2 Means for Your IT
The technical requirements of NIS2 are not abstract concepts – they translate into concrete IT measures. Patch management processes must be documented and effective. Access controls must implement the principle of least privilege. Networks must be segmented. Backups must be tested regularly. Security logging must be complete, centralised, and analysable.
Many of these requirements correspond to what a well-run IT organisation does anyway. The NIS2 difference: it is no longer sufficient to have these measures in place – they must be demonstrably documented, tested, and reported. The transition from practised reality to documented compliance is often the most demanding part of the project.
We help you close the gap between existing IT practice and NIS2-compliant documentation. This includes developing or reviewing IT security policies, establishing reporting processes, assessing service providers, and training management – because NIS2 explicitly requires that executive leadership participates in security training.
What We Deliver
- Scope analysis and legal classification
- NIS2 gap analysis and implementation roadmap
- Technical and organisational measures
- Incident response and reporting processes
- Supply chain and vendor assessment
- Management training and board briefings
Key Outcomes
- Legally compliant NIS2 implementation
- Management protected from personal liability
- Fines up to €10M avoided
- Stronger resilience against real cyberattacks
Related Service
ISMS Consulting – ISO 27001
ISO 27001 covers the NIS2 Article 21 requirements to a substantial degree. Pursue both together for maximum efficiency.
Frequently Asked Questions
Does NIS2 apply to my organisation?
NIS2 applies to organisations in 18 sectors that meet the size thresholds (50+ employees or €10M+ turnover). Essential sectors include energy, transport, banking, healthcare, digital infrastructure, public administration, and waste management. Important sectors add postal services, waste management, manufacturing of critical products, food, chemicals, and digital providers. Smaller organisations that provide critical services or belong to supply chains of essential entities may also be included. A scope analysis is the correct starting point.
What are the NIS2 reporting obligations for security incidents?
For significant incidents, NIS2 requires: an early warning to the national authority (BSI in Germany) within 24 hours of detection; a detailed incident notification within 72 hours; and a final report within one month. A "significant incident" is one that causes or is capable of causing severe operational disruption or financial loss. The 24-hour deadline in particular requires that organisations have effective security monitoring and alerting in place before an incident occurs.
How does NIS2 relate to ISO 27001?
ISO 27001 and NIS2 address overlapping objectives and share substantial common ground. ISO 27001 controls map closely to the NIS2 Article 21 requirements – risk management, access controls, incident handling, supplier security, and business continuity are all covered by both. Organisations pursuing ISO 27001 certification simultaneously with NIS2 implementation save significant effort by using one governance framework for both. NIS2 does not require ISO 27001 certification, but the certification is widely accepted by regulators as evidence of adequate security measures.
What is management liability under NIS2?
NIS2 introduces direct personal liability for management of essential and important entities. Management bodies (boards, executive committees) must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for violations. For essential entities, supervisory authorities can temporarily prohibit individuals from exercising managerial responsibilities. This makes NIS2 compliance a governance matter that cannot be fully delegated to the IT department.
What does NIS2 supply chain security require?
Organisations must assess the cybersecurity practices of their direct service providers and suppliers and address identified risks. This includes evaluating the security practices of cloud providers, MSPs, software vendors, and IT service companies. Contracts with critical service providers should include cybersecurity requirements, audit rights, and incident notification obligations. The NIS2 supply chain requirements create a cascade effect: essential entities assess their suppliers, who then need to improve their security posture to retain contracts.
Get in touch
NIS2 Compliance for Your Organisation
Pragmatic, legally sound NIS2 implementation – from scope analysis to documented compliance.