NIS2 Who is affected

NIS2 Directive: Transposition in Germany:
Who is affected?

The NIS2 government draft from October 2, 2024 is still being coordinated.

The NIS2 directive is scheduled to come into force in March 2025. 

You can view the current implementation status (BMI) here.

The NIS2 sectors are defined in Appendices 1 and 2 of the NIS2 government draft (DE) and further subdivided into “important” and “essential entities”.

Both important and essential entities are required by NIS2 to take appropriate, proportionate and effective technical and organizational measures to prevent disruptions to the availability, integrity and confidentiality of information technology systems, components and processes and to minimize the impact of security incidents.

In addition to the NIS2 security sectors, the sectors of the critical infrastructure will also remain in place. Operators of critical infrastructure with identified critical installations will remain regulated accordingly and will receive further requirements from the NIS2 directive.

1. Important entities

Important entities are businesses or organizations that provide essential services, the disruption of which would have a serious, but not necessarily catastrophic, impact on public welfare or the economy. The classification as “essential” carries with it specific security and notification requirements that are designed to ensure that these entities take appropriate protective measures against cyber threats.

 

Important entities include:

  1. Trust service providers.

  2. Providers of publicly available telecommunications services or public telecommunications network operators that

    a) have fewer than 50 employees and

    b) have an annual turnover and an annual balance sheet total of 10 million euros or less.

  3. Entities that can be assigned to the types of institutions defined in Annexes 1 and 2 of the NIS2 government draft (DE) and that have

    a) at least 50 employees or 

    b) an annual turnover and an annual balance sheet total of more than 10 million euros.

2. Essential entities

Essential entities are those whose impairment could lead to serious, nationwide or cross-industry crises. These entities are subject to the strictest provisions of the NIS2 Directive, including rigorous security audits and ongoing monitoring.

 

Essential entities include:

  1. Operators of critical facilities.

  2. Qualified trust service providers, top-level domain name registries or DNS service providers.

  3. Providers of publicly available telecommunications services or operators of public telecommunications networks that

    a) employ at least 50 employees or

    b) have an annual turnover and an annual balance sheet total of more than 10 million euros each.

  4. Organizations that can be assigned to an organization type listed in Appendix 1 of the NIS2 government draft (DE) and that have at least 250 employees, or an annual turnover of more than 50 million euros and an annual balance sheet total of more than 43 million euros.

3. Operators of critical facilities

A facility is critical if it can be assigned to the energy, transport and traffic, finance and insurance, health, water, nutrition, information technology and telecommunications, space or municipal waste disposal sectors and exceeds specified thresholds.

The sectors for critical infrastructure operators are defined separately from the facilities, in both the NIS2 Directive and the KRITIS umbrella law. Critical facilities are those whose failure or impairment could have a significant impact on the security of supply or public safety. Some of the critical services and facilities still have to be defined in an ordinance. The KRITIS framework law is still in the works. Thresholds for critical facilities are defined in the “Ordinance on the Determination of Critical Infrastructure under the BSI Act” (BSI-KritisV).

 

Operators of critical facilities are classified as essential entities, regardless of the size of their business.

❗️ Companies are responsible for identifying critical infrastructure and determining whether they are affected as NIS2 entities.

 

NIS2-Assistant:

A complete and highly detailed guide to NIS2 in Germany: find out who is affected and what NIS2 requires, and learn more about your individual obligations and possible fines for non-compliance.

(currently only available in German)

Our Services


Requirements elicitation:
Gap analysis

Defining the solution architecture

  • We create a gap analysis against security best practices and specific standards

  • Carry out a risk analysis to assess the specific cyber security risks.

  • The result is processed as a heat map of the entire control standard.

  • We create an action plan with prioritization and milestones.

  • Consulting and implementation planning to eliminate audit issues

  • IS policies: creation of company-specific information security guidelines

Project Management

  • Business Plan (Scope, Costs, Benefit, Risk, Roadmap)

  • Project Organisation

  • Project Management

  • Program Management

Certificates:

Prince2 (classic & agile)

Scrum Product Owner

Scrum Master

ITIL4

CISSP

Business Analysis

Requirements Engineering

Arrange a consultation appointment:

Dr. Johannes Faassen

Mobile: +49  170 4168039

 
