European NIS2 Directive

Implications for businesses and institutions

Your expert for questions

André Glenzer
Partner, Cyber Security & Privacy at PwC Germany
Tel: +49 160 94470376
Email

What you need to know about NIS2

The Network and Information Security Directive, or NIS2, was published in the Official Journal of the European Union on December 27, 2022, and came into force on January 16, 2023. NIS2 governs the issue of cybersecurity and information security at businesses and institutions. EU member states have time until October 2024 to transpose the directive into national law. In July, September and December 2023, Germany’s Federal Ministry of the Interior and Community drafted a bill known as the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS-2UmsuCG).

The NIS2 Directive expands cybersecurity standards and penalties with the aim of harmonizing and improving the level of security in member states. It also outlines stricter requirements for various sectors. Businesses and organizations need to consider the issues of cyber risk management, control, and monitoring, as well as how to deal with incidents and business continuity. In addition, the directive increases the number of organizations covered, with stricter liability provisions in place for the management of those organizations affected.

“In Germany, the legislation pertaining to critical infrastructure, or KRITIS, has so far mainly affected larger institutions. But now NIS2 is making cybersecurity and resilience a major issue for an even wider range of businesses in Europe and Germany.”

André Glenzer,Partner at PwC Germany

Our NIS2 services

We work with you to assess whether you are affected by the NIS2 Directive and gauge your NIS2 readiness.

Once the groundwork has been laid, we identify shortcomings when it comes to meeting requirements under the directive.

In partnership with you, we identify the measures needed to comply with the directive.

You need a strong cybersecurity framework in the event of a cyber incident.

We develop procedures to ensure that incidents are properly reported to the authorities.

We develop constant checks to safeguard the measures you have developed.

< Back

< Back
[+] Read More

Does NIS2 affect you?

The NIS2 Directive is an EU-wide act of network and information security legislation that came into force on January 16, 2023. Member states have until October 17, 2024, to transpose it into national law. Germany’s Federal Ministry of the Interior and Community has already published a draft bill implementing the NIS2 Directive (NIS-2UmsuCG). The new directive will increase the number of affected businesses dramatically. Due to higher potential penalties and management liability provisions, the businesses affected also face higher standards and greater pressure to take the proper steps.

Use our fast impact analysis tool to find out whether the NIS2 Directive affects your business.

Impact analysis tool

NIS2 standards

The NIS2 Directive differentiates between “essential” and “important” entities. The main difference is that important entities face lower fines and are subject to reactive supervision by the authorities, whereas essential entities will be subject to proactive supervision. The German drafts differ in the terminology by naming the entities “very important” and “important”.

Instead of a minimum threshold, as in the past, the EU will use “uniform criteria” to determine what kind of entities are affected. The regulations are expected to apply to medium and large enterprises:

  • Medium: 50-249 employees or turnover of 10-50 million euros, total assets of less than 43 million euros
  • Large: at least 250 employees or at least 50 million euros in turnover

As a result, the number of affected businesses in Germany is expected to increase substantially.

Extended and enhanced liability

Essential entities may face fines of up to 10 million euros or 2 percent of their annual turnover, whichever is higher. Important may face fines of up to 7 million euros or 1.4 percent of their annual turnover, whichever is higher.

The businesses and organizations affected must take appropriate measures in areas such as cyber risk management, supply chain security, business continuity management, encryption, access restrictions, reporting to authorities, and mitigation.

Please note: Under the draft put forward by the Federal Ministry of the Interior and Community, company executives may be held personally liable for compliance with risk management measures. In this case, liability is capped at the equivalent of 2 percent of the company’s global annual turnover.

  • Various categories of fines up to a maximum of 20 million euros 
  • Negligent and willful misconduct
  • Critical entities may face fines of up to 7 million euros or a maximum of at least 1.4 percent of their global turnover in the most recent fiscal year 
  • Highly critical entities may face fines of up to 10 million euros or a maximum of at least 2 percent of their global turnover in the most recent fiscal year 
  • No differentiation between highly critical entities and critical facilities
  • Example: a cyberattack that impedes operations due to an insufficiently monitored risk management process at a highly critical entity
  • Consequences: 
  • Expenses such as 
    • Ransom payments
    • Costs for external service providers
    • Fines for GDPR or BSIG violations
  • General managers and CEOs are liable for damage incurred due to breaches of monitoring obligations (except for the central government sector)
  • An entity cannot waive the general manager’s liability or agree to a settlement on the matter
  • However, managerial staff can settle with an entity’s creditors in the event of bankruptcy or insolvency – or if the obligation to pay compensation is regulated in an insolvency plan

NIS2: The directive affects more than just critical infrastructure

It’s clear: The scope of application goes well beyond the already familiar types of critical infrastructure. In the energy sector, for instance, the scope of the NIS has so far always been limited to companies that generate, provide, or regulate energy in the electricity and gas sector. We expect NIS2 to extend the requirements to include the supply chain as well, such as the manufacturers of wind turbines and the operators of charging stations for electric vehicles.

Essential entities

Energy

Provision, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, hydrogen; operators of charging stations for electric vehicles

Find out more

Health

Healthcare providers, research laboratories, pharmaceuticals, manufacturing of medical devices

Find out more

Public administration

How will NIS2 affect public administration? What aspects of the federal government are subject to NIS2? We take a closer look at the requirements NIS2 places on information security management, as well as the duties and risk of penalties.

Find out more

Air, rail, road, and water transport

Including shipping companies and port facilities

Water

Drinking water suppliers and wastewater disposal providers

Space

Operators of ground-based infrastructure

Banking/finance

Loans, trading, market and infrastructure; Update: draft version of the NIS-2UmsuCG also covers the insurance sector

Digital infrastructure and IT services

DNS service providers and TLD registries

Find out more

Important entities

Providers of postal and courier services

Food

Production, processing, and distribution

Research organizations

Production and distribution

Find out more

Waste management

Waste collection, transport, treatment, and disposal

Cyber incidents in waste disposal and recycling can have a significant impact on public life. That is why the sector has been considered critical infrastructure since January 2024 and requires a particular degree of protection. NIS2 will apply to such businesses from October 2024 onward, even if they do not exceed the KRITIS thresholds.

Find out more

Manufacturers

Medical/diagnostic devices, computers, electronics, optical products, machinery, motor vehicles, trailers, semitrailers, other transport equipment

Find out more

Chemical products

Production, manufacturing, and trade

Digital providers

Online marketplaces, search engines, social networking platforms

EMEA NIS2 Competence Network

PwC has established a combined NIS2 capability, developed through our communities of Cybersecurity, risk management, incident response, governance, compliance and legal specialists.

These communities have been brought together to form a team of over 150 specialists across EMEA, focussed on supporting our clients with the NIS2 Directive. We are supporting our clients in understanding the relevance of the NIS2 Directive to their organisation; their own ability to meet the requirements or identify where gaps exist, along with supporting them in achieving compliance with the regulatory requirements both local and at EU-level in a proportionate and cost effective manner.

Contact our team

“NIS2 is set to be a real game changer and alter cyber regulation in Europe for good.”

André Glenzer, Partner at PwC Germany

Does NIS2 affect you?

Use our fast impact analysis tool to find out whether the NIS2 Directive affects your business.

How does NIS2 affect your organization?

Check out our white paper to learn more about the directive and who will be affected. You will also get exclusive access to our checklist to help you prepare for NIS2.

Follow us

Required fields are marked with an asterisk(*)

 
 

You can find our privacy policy here.

Contact us

André Glenzer

André Glenzer

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 160 94470376

Jörg Asma

Jörg Asma

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 221 2084-103

Florian Gibala

Florian Gibala

Senior Manager, Cyber Security & Privacy, PwC Germany

Mailin von Knobelsdorff

Mailin von Knobelsdorff

Manager, PwC Germany

Hide