Successfully Implementing NIS2: A Pragmatic Guide

The NIS2 Directive (Network and Information Security Directive 2) has been in force since January 2023 and must be transposed into national law by EU member states by October 2024. For many companies, this means that action is required.

Who Is Affected?

NIS2 significantly expands the scope of application. Companies in 18 sectors are affected, divided into "essential" and "important" entities.

Essential Entities:

  • Energy (electricity, gas, oil, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD, data centers, cloud, CDN)
  • Public administration
  • Space

Important Entities:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing (medical devices, IT, electronics, mechanical engineering, automotive)
  • Digital services (marketplaces, search engines, social media)
  • Research

Thresholds:

  • More than 50 employees, OR
  • Annual turnover or balance sheet total exceeding 10 million euros

The Ten Core Areas of NIS2

The directive defines ten areas where measures must be taken:

1. Risk Analysis and Security Policies

A systematic risk analysis is the foundation of all further measures. It must be regularly updated and consider all relevant threats.

2. Incident Handling

Companies must be able to detect, analyze, and handle security incidents. This includes clear processes and trained personnel.

3. Business Continuity and Crisis Management

Maintaining operations during security incidents is mandatory. This includes backup management, emergency planning, and crisis management.

4. Supply Chain Security

Dependence on suppliers and service providers must be included in risk considerations.

5. Security in Acquisition, Development, and Maintenance

The entire lifecycle of IT systems must consider security aspects.

6. Effectiveness Assessment

Measures must not only be implemented but also tested for effectiveness.

7. Cyber Hygiene and Training

Employees are often the weakest link in the security chain. Basic cyber hygiene and regular training are therefore mandatory.

8. Cryptography and Encryption

The use of cryptography to protect data is an essential element.

9. Personnel Security and Access Control

Access to systems and data must be controlled and limited to what is necessary.

10. Multi-Factor Authentication and Secure Communication

NIS2 explicitly requires multi-factor authentication and secure communication systems.

Understanding Reporting Obligations

A key aspect of NIS2 is the tightened reporting obligations:

Early Warning: Within 24 hours of becoming aware of a significant security incident, an initial notification must be made.

Incident Notification: Within 72 hours, a more detailed notification with initial assessment must follow.

Final Report: No later than one month after the incident, a comprehensive report is due.

Management Liability

NIS2 explicitly holds management accountable. Management must:

  • Approve and monitor risk management measures
  • Participate in cybersecurity training
  • Ensure implementation of measures

Violations carry significant fines:

  • Essential entities: up to 10 million euros or 2% of global annual turnover
  • Important entities: up to 7 million euros or 1.4% of global annual turnover

The Path to Compliance: A Roadmap

Phase 1: Assessment (1-2 months)

  1. Check applicability: Does your company fall under NIS2?
  2. Gap analysis: Where do you stand today compared to the requirements?
  3. Identify stakeholders: Who needs to be involved?
  4. Plan resources: What budget and personnel are required?

Phase 2: Design (2-3 months)

  1. Set up governance: Roles, responsibilities, reporting lines
  2. Conduct risk analysis: Systematic and documented
  3. Create action plan: Prioritized by risk and effort
  4. Build documentation: Policies, processes, evidence

Phase 3: Implementation (6-12 months)

  1. Implement quick wins: MFA, backup tests, awareness
  2. Technical measures: Monitoring, encryption, hardening
  3. Establish processes: Incident response, change management
  4. Secure supply chain: Contracts, audits, monitoring
  5. Conduct training: All levels, regularly

Phase 4: Continuous Operation

  1. Test effectiveness: Tests, audits, metrics
  2. Monitor risks: New threats, changes
  3. Maintain documentation: Keep current
  4. Improve: Implement lessons learned

Leveraging Synergies

NIS2 implementation doesn't have to start from scratch. Those who already operate an ISMS according to ISO 27001 have already fulfilled a large part of the requirements.

Overlaps with ISO 27001:

  • Risk analysis and treatment
  • Documentation and control
  • Incident management
  • Business continuity
  • Supplier security

Conclusion

NIS2 is more than a regulatory obligation—it's an opportunity to systematically improve cybersecurity. Those who not only formally meet the requirements but build real security protect their company from real threats.

Time is pressing. Those who start now still have sufficient time for a clean implementation.

Looking to address these topics in your organization? Siegel Resilience supports you from analysis to implementation – independent, pragmatic and standards-based.