
NIS-2 Directive: Implementing requirements in a legally compliant manner

Protect your company against cyber threats and comply with the legal requirements of the NIS-2 Directive in Germany on a permanent basis.

Definition: What is the NIS 2 Directive?

The NIS-2 Directive is an EU-wide regulation aimed at raising cybersecurity standards for critical sectors and companies. It requires organizations to implement strict risk management and rapid reporting obligations in order to protect European infrastructure against cyberattacks.

An overview of the most important NIS 2 requirements for companies

  • Who is affected? Companies with 50 or more employees or €10 million in turnover in 18 sectors.
  • What needs to be done? Implement cybersecurity risk management, secure supply chains, and use certified IT products.
  • Reporting deadlines: Security incidents must be reported within 24 hours.
  • Penalties: Violations can result in fines in the millions and damage to reputation.
  • Status in Germany: The directive is regulated nationally by the NIS-2 Implementation Act (NIS-2UmsuCG).

By when must the NIS 2 Directive be implemented in Germany?

Companies in Germany are currently in a phase of regulatory transition. Although the official EU deadline ended on October 17, 2024, the national adoption of the NIS 2 Implementation Act (NIS-2UmsuCG) remains open due to political delays following the end of the traffic light coalition.

Status of NIS 2 implementation (as of 2026):

  • EU legal situation: The directive has been in force since January 16, 2023.
  • Delay in Germany: The draft bill of July 24, 2024 has not yet been finally passed by the Bundestag.
  • Consequence: The EU Commission has initiated infringement proceedings against Germany.
  • Recommended action: Despite pending national adoption, the current draft law already provides a binding framework for cybersecurity risk management.

NIS-2 compliance with MaibornWolff: Your advantages

Holistic risk management

We strategically identify your risks and minimize them in a sustainable manner. This ensures your long-term security, compliance with all NIS 2 requirements, and effective protection of your critical business processes against threats.

Practical compliance solution

Our experts support you in implementing the requirements directly in practice. We ensure that you not only comply with the directive on paper, but also achieve genuine cyber resilience.

Stable business continuity

We ensure your business continuity during the NIS 2 transition. Through targeted measures, we minimize downtime risks and permanently strengthen the resilience of your network and information systems.

Active awareness training

We raise awareness among your employees through targeted training. This enables you to build a strong security culture that reduces the risk of human error and firmly anchors the requirements of the NIS 2 Directive.

Choose true cybersecurity

With MaibornWolff, you can rely on a partner who does not view compliance as a chore, but as an opportunity for genuine cybersecurity.

Crucial to the success of the project: the team did not try to bring security into the development teams from outside in a 'police role'. Instead, it empowered our teams themselves to systematically assess security.
Philipp Lindemann, Project Manager, MAN

Who must comply with the NIS 2 requirements?

Three key criteria determine whether your company falls under the NIS 2 Directive: your location, your size, and your sector. It does not matter whether your headquarters are located in the EU—the decisive factor is whether you provide your services in an EU member state.


The EU divides affected organizations into two categories: "essential" and "important" institutions. The technical requirements for IT security are the same for both, but there are massive differences in terms of regulatory control and fines.

1. Essential entities: Strict controls for key sectors

You are considered essential if you operate in a highly critical sector and have more than 250 employees or €50 million in annual revenue.

  • The sectors: Energy (electricity, gas, hydrogen), transportation (air, rail, shipping, road), banking & financial markets, healthcare, drinking water & wastewater, digital infrastructure, public administration, ICT management (B2B), and space.
  • The consequence: You are subject to proactive supervision (regular audits).
  • The risk: Violations of the NIS 2 requirements are punishable by fines of up to €10 million or 2% of global annual turnover.

2. Important entities: Reactive supervision in cases of suspicion

Companies from other critical sectors with 50 or more employees or €10 million in revenue are considered important.

  • The sectors: Postal and courier services, waste management, chemicals (manufacturing/trade), food (production/distribution), manufacturing (manufacturing of goods), digital service providers, and research.
  • The consequence: Reactive supervision usually only takes place in the event of specific incidents or suspicions.
  • The risk: Fines of up to €7 million or 1.4% of annual turnover may be imposed.

Good to know

Authorities can upgrade you regardless of size if your activity is strategically important. Remember: as a manager, you are personally liable for NIS 2 violations with up to 2% of global annual revenue.

You must meet these NIS 2 requirements

To comply with the NIS 2 Directive, you need to make several adjustments at the same time. Here is your operational checklist for implementation:

  • Responsibility of managers: Management must actively monitor security measures and participate in training courses. Important: You are personally liable for any violations.
  • Risk management & IT standards: Emergency plans, encryption, and backups are mandatory. In addition, you must comprehensively record risks and use certified IT products where necessary.
  • Secure supply chains: The security requirements also apply to your service providers and suppliers. Coordinated assessments help to identify weaknesses in the chain at an early stage.
  • Strict reporting deadlines: When incidents occur, the clock is ticking: early warning within 24 hours, incident notification within 72 hours, and a final report after no more than one month.
  • Human factor: Regular training on cyber hygiene is essential to minimize the risk of human error within the team.
  • Registration: You must officially register your business with the relevant national authority.

Our references & projects

  • BMW: Virtualization of software testing for control units in the AWS cloud (Cloud, Embedded Systems & Robotics, Quality Engineering)
    • Digital twin for control unit development & testing in cars
    • Virtualization of control units & AWS cloud integration
    • Setup of virtual cars & control units without expensive hardware setups, worldwide & distributed testing
  • STARTRAIFF: Business Intelligence for the sales force (Cloud, Data/Data Platforms, Apps)
    • Aggregation of internal customer data & external data in a single web application
    • Data bundling & analysis with Amazon Bedrock
    • Intuitive user interface for sales, 88% reduced preparation time before customer visits
  • MAN - ATLAS L4: Control Center for the autonomous truck (Cloud, Data/Data Platforms, Apps)
    • Control center for the technical monitoring of driverless trucks
    • UX design, product strategy, data structure, vehicle data visualization
    • Monitoring, remote support, mission management, reports for commercial autonomous transport solutions
  • NOW (National Organization for Change in Mobility): development of a data warehouse system (Cloud, Data/Data Platforms, IT Consulting & Strategy)
    • Data foundation for nationwide charging infrastructure in Germany
    • Cloud data warehouse for integration & analysis of many diverse data sources (AWS)
    • Solid architecture, single point of truth ensures data-based evaluation of charging station demand
  • NETZSCH: Development of an IoT platform (Cloud, Data/Data Platforms, IoT)
    • Unified IoT platform for 3 business units, harmonization of existing IoT solutions
    • IoT device connectivity, visualization software for data analysis, cloud infrastructure, operations
    • Quick testing in the cloud infrastructure, fast integration of use cases such as predictive maintenance, process optimizations, etc.
  • OroraTech: Security & Compliance Support (Cloud, Cybersecurity, IT Consulting & Strategy)
    • Risk threat analyses for satellite startup
    • Security process definition, IT security risk register, action plan
    • Future-proof IT security for successful growth
  • TK Elevator: Health Check Connectivity for the IoT gateway of elevators (Cybersecurity, IoT, Embedded Systems & Robotics)
    • IoT gateway (MAX Box) for data connection between elevator & IoT platform
    • Examination of code quality, architecture, operations & organization
    • Optimization of IoT gateway connectivity & digitalization of elevators
  • inCTRL Solutions: Modernization of the IoT platform for water treatment plants (Cloud, IoT, IT Modernization)
    • IoT & software modernization, integration of new functions
    • Data warehouse setup, integration of microservices, automated quality assurance, Continuous Integration & Continuous Deployment (CI/CD)
    • Improved resilience, maintainability & further development capability of the platform
  • Health.exe: AI-supported platform creates training plans for patients (Cloud, Data/Data Platforms, Apps)
    • AI-supported service for orthopedic & sports medicine practices
    • Cloud-based web application for doctors for the automated, evidence-based creation of individually tailored patient training plans
    • New revenue source without fixed costs, higher patient retention, AI-supported & guideline-based
  • MAN: Efficient threat analysis for control units (Cybersecurity, IoT, Embedded Systems & Robotics)
    • Protection of digitalized trucks against virtual attacks
    • Risk analysis based on 4x6 methodology, ThreatSea, ISO 21434
    • Quick identification of relevant threats for immediately effective security measures
  • Siemens: AI demand prediction platform for industrial production planning (Cloud, Data/Data Platforms, Industry 4.0)
    • Machine learning for time series forecasting
    • AutoML for automated adaptation of models to different data
    • Unified, scalable solution, optimized inventory costs, efficiency gains
  • Miele: Domestic appliances networked worldwide (Cloud, IoT, Embedded Systems & Robotics)
    • Further development of the IoT platform for connected home appliances
    • Container-based architecture, open standards, modular design
    • Quick availability & scalability of digital services, high added value for users
  • STIHL: Control iMOW robotic mower via app (Cloud, Apps, IoT)
    • Control and configuration of the robotic mower via smartphone
    • Development of app, web, cloud platform and direct Bluetooth communication
    • Digital benefits for users, app controllability, remote software updates
  • ifm services: Remote maintenance of systems and machines (Cloud, IoT, Embedded Systems & Robotics)
    • Fully integrated remote access in the IoT platform
    • Full stack cloud application, Rust-based clients, UX design
    • Analysis of sensor data from production as a basis for sustainable decisions for customers
  • DER Touristik Online: Development and migration of a multi-client capable travel booking platform (Cloud, Web & Portal Platforms, IT Scaling)
    • Consolidation of websites onto a scalable travel booking platform
    • Multi-tenant platform in microservice architecture, cloud infrastructure & migration (AWS), digital design, testing
    • Modern user experience, forward-looking travel experience platform
  • MAN: Secure Software Development Life Cycle (Cybersecurity, IT Consulting & Strategy, Quality Engineering)
    • Protection of digitalized vehicles against virtual attacks & digital threats
    • SSDLC in vehicle backend systems (UNECE R155), cybersecurity management system
    • Guidelines, methodologies & tools for independent risk identification, assessment & treatment by employees
  • Bayernwerk: Knowledge management via Teams (Cloud, IT Consulting & Strategy, IT Modernization)
    • Teams app for service technicians
    • User-centered, intuitive UX/UI design
    • Identification & utilization of implicit knowledge within the company
  • Es geht LOS: Development of a cloud-based application for citizen participation (Cloud, Apps, Web & Portal Platforms)
    • App for digitalizing lottery-based participation processes for municipalities
    • Digital Garage, AWS Amplify & Google Maps integration, MVP in just 5 weeks
    • Selection, contact & user management via the app: data-secure, efficient, user-friendly
  • Monitoring alarms in industrial plants (Cybersecurity, IoT, Embedded Systems & Robotics)
    • Live monitoring platform for visualizing connected warning devices
    • Automation & cloud services (MS Azure), API management
    • Alarms visible worldwide within seconds, multi-tenant system
  • Global workforce planning system (Cloud, Data/Data Platforms, Public/Administration)
    • Centralized web-based IT system to replace individual isolated solutions
    • Event sourcing for planning & analytics, domain-driven design, cloud migration
    • Easy updates, expansion, maintenance, optimized security
  • DER Touristik: Become a digital travel companion in 7 months (Cloud, Apps, Web & Portal Platforms)
    • App for digital customer support before, during & after the trip
    • Cross-platform app with Flutter, UX/UI design, requirements engineering
    • Architecture flexibly integrates and extends to many languages, countries & brands
  • DEKRA: Modern enterprise architecture thanks to co-creation (Cloud, IT Consulting & Strategy, IT Modernization)
    • Operational & technical harmonization of the legacy IT landscape
    • Enterprise architecture as co-creation by the lead architects of all IT business units
    • EA community worldwide for all operational units
  • BMW Group: Remote software upgrade for vehicles (Cloud, Cybersecurity, IoT)
    • Software upgrades without the need to visit a service center
    • Backend system for over-the-air communication with the vehicle, 24/7 support
    • IT security, more comfort, on-demand provision of new features
  • digikoo: A data platform for the Azure Cloud (Cloud, Data/Data Platforms, IT Consulting & Strategy)
    • Data-based information for planning & implementing the climate transition for the public sector & energy providers
    • Scalable foundation data platform on MS Azure for migrating & automating differently formatted geo-data into a structured data schema
    • Quality-checked data, provision in the form of the target data model, robust, scalable database & infrastructure
  • Creditreform: Secure proof of identity on the web (Cybersecurity, Web & Portal Platforms, Banking/Insurance/FSI)
    • Fast, customer-friendly & fraud-proof digital identity verification
    • Pilot for the forgery-proof storage & management of identity & company information in a Decentralized Identity (DID)
    • Verified data reusable across different providers
  • Weidmüller: Progression of the Industrial Service Platform (Cloud, IoT, Web & Portal Platforms)
    • Creation of a centralized, intuitive, expandable portal as the foundation for industrial applications (remote access, data visualization, ML)
    • Exploration, setup & further development of the base platform for industrial services
    • Innovative portal for end-to-end solutions, MVP in just 7 months
  • Travel information systems: 25 percent savings in cloud costs and stable operation thanks to FinOps (Cloud, IT Consulting & Strategy, Web & Portal Platforms)
    • Alignment of the distributed travel information system with many data sources & target groups on the AWS cloud
    • FinOps: cost transparency, cloud strategy, system & architecture design, usage-based operating times, early anomaly detection
    • Cost transparency at team level, lean operating processes, robust observability
  • Supply chain management: Reducing cloud operating costs by 50 percent with FinOps (Cloud, Data/Data Platforms, IT Consulting & Strategy)
    • Reduction of costs caused by over-dimensioning & manual processes, establishment of transparency
    • Targeted process modernization, automation & rightsizing
    • Annual cloud operating cost reduction: 400,000 EUR, scalability, reliability

NIS-2 violations: What companies risk if they fail to comply

A violation of the NIS 2 Directive is not a trivial offense. Anyone who ignores the requirements not only risks IT security, but must also expect serious consequences:

  • Fines: Essential entities risk penalties of up to €10 million or 2% of global annual revenue. For important entities, fines can reach up to €7 million or 1.4% of revenue.
  • Management liability: Senior management must not only approve measures but also actively oversee their implementation. In the event of failures, executives face personal liability.
  • Market exclusion (reputation & supply chain): Failure to comply can lead to exclusion from supply chains. This is compounded by massive reputational damage and business losses.

NIS-2 without stress: Your upgrade for true cyber resilience

Our experts provide comprehensive support in implementing complex requirements, from strategic risk assessment to sustainable minimization. We bring security directly into your practice instead of just managing it on paper. With MaibornWolff, you remain secure in the long term and confidently comply with all legal requirements.

Start your NIS 2 implementation now

Contact us for a no-obligation consultation and secure your company against cyber threats in the long term.

Frequently asked questions about NIS-2

  • What is the difference between NIS and NIS-2?

    The NIS-2 Directive replaces the NIS Directive (2016/1148) that has been in force since 2016 and raises the cybersecurity level in the EU to a new standard. While NIS laid the foundation for the protection of critical infrastructures (KRITIS), a uniform security level across all member states could not be achieved at that time.

    NIS-2 tightens three key aspects:

    • Requirements: The NIS-2 Directive creates the conditions for a Europe-wide, uniform security level.
    • Scope: NIS-2 significantly expands the scope, meaning that well over 100,000 companies are now affected.
    • Responsibility: Senior management is held to a higher standard of accountability in consistently implementing cybersecurity measures.
  • What happens if my company is not based in the EU?

    Companies based outside the EU must also comply with NIS-2 if they wish to provide services within the EU or collaborate with companies based in the EU. They must appoint a representative who is established in an EU member state and responsible for compliance with the regulations.