What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) is the fundamental EU cybersecurity regulation for operators of critical and important infrastructure. It replaces the original NIS Directive and greatly expands the scope: instead of a few hundred undertakings, tens of thousands across 18 sectors are now affected.
Who does NIS2 affect?
NIS2 applies to undertakings in 18 sectors, divided into two groups:
- High criticality (11 sectors): Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Waste water, Digital infrastructure, ICT services (B2B), Public administration, Space
- Other critical sectors (7 sectors): Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital services, Research
Classification as an "essential" or "important" entity depends on the sector and company size.
What does NIS2 specifically require?
Article 21 obliges affected undertakings to adopt comprehensive cybersecurity measures. For open source dependencies, the following are particularly relevant:
- Risk analysis and security policies for information systems (Art. 21(2)(a))
- Supply chain security as a mandatory measure (Art. 21(2)(d))
- Assessment of vulnerabilities and development processes of direct suppliers (Art. 21(3))
- Vulnerability management and disclosure (Art. 21(2)(e))
- Regular assessment of the effectiveness of risk management (Art. 21(2)(f))
- Asset management including access control (Art. 21(2)(i))
- Reporting obligations: 24-hour early warning, 72-hour notification with assessment, 1-month final report (Art. 23(4))
- Personal responsibility of management bodies for implementation and oversight (Art. 20(1))
- Training obligation for members of management bodies (Art. 20(2))
What are the consequences of non-compliance?
- Essential entities: EUR 10 million or 2% of worldwide annual turnover (Art. 34(4))
- Important entities: EUR 7 million or 1.4% of worldwide annual turnover (Art. 34(5))
- Personal liability: Management bodies can be held personally liable (Art. 20(1), Art. 32(6))
- Temporary ban: Directors can be temporarily prohibited from exercising management functions (Art. 32(5)(b))
- Public disclosure of infringements by the supervisory authority (Art. 32(4)(h))
- Suspension of authorisations and certifications (Art. 32(5)(a))
Implementation in Germany
NIS2 is a Directive and must be transposed nationally. In Germany, this is done through the NIS2UmsuCG (NIS-2 Implementation and Cybersecurity Strengthening Act). The competent authority is the BSI. German specificities:
- Three-tier categorisation instead of the EU two-tier system: particularly important entities, important entities, and operators of critical installations
- Thresholds: Particularly important entities from 250 employees or EUR 50 million turnover; important entities from 50 employees or EUR 10 million turnover
- Personal liability for damages of management towards the undertaking (§ 38(2))
- Registration obligation with the BSI within 3 months (§ 33(1))
- Turnover-based fines only from EUR 500 million total turnover onwards (§ 65(6-7))
Other EU countries have different transpositions — each country implements the Directive independently.
What does this mean for you?
If your undertaking operates in one of the 18 sectors, Article 21 affects you in two ways:
IT asset inventory: Art. 21(2)(i) requires asset management — a complete inventory of all IT assets. Every server, every appliance, every network device must be recorded, classified, and assigned to a responsible person. Without this inventory, you can neither conduct a risk analysis (point a) nor assess your supply chain security (point d).
Supply chain: Art. 21(2)(d) makes you responsible for your entire software supply chain — including all open source components. "We use open source, so it is not our problem" is not a permissible position. Article 21 requires you to assess the security of your suppliers, and that includes the projects in your SBOM.
Both belong together: A Linux server in your data centre belongs in the IT asset inventory (point i). The software running on it — the operating system, the packages, the dependencies — belongs to the supply chain (point d). Anyone who only considers one or the other has a gap in their risk management.
Further reading
- NIS2 requirements in detail and how OTTRIA covers them
- Open source supply chain security
- Practical audit preparation
Download factsheet: NIS2 factsheet (in preparation)
Want to clarify your NIS2 obligations in the open source domain? Request a free initial SBOM analysis.