NIS2 Directive: What does this mean for your company?


The NIS2 Directive introduces new cyber security requirements for critical sectors. Companies must take measures to remain compliant.

The NIS2 Directive (Network and Information Security Directive 2) is an important development of the European Union's original NIS Directive. With the aim of strengthening cyber security in critical sectors, it introduces new obligations for affected companies. These include enhanced security measures and the need to establish comprehensive security awareness among employees.

EXCURSUS: NIS2 implementation in Germany

Who is affected?
- Particularly important entities (approx. 8’250 companies): large companies (≥250 employees or >EUR 50 million in revenue) in critical sectors such as energy, transportation, and healthcare; as well as, regardless of size, operators of critical infrastructure (KRITIS), qualified trust services, and DNS services
- Important entities (approx. 21’600 companies): medium-sized companies (≥50 employees or >EUR 10 million turnover) in critical sectors, as well as companies in additional sectors such as postal services, chemicals, and food
- Federal institutions: federal authorities and public IT service providers of the federal administration

Current implementation status
The NIS2 Implementation Act (NIS2UmsuCG) was approved by the cabinet in July 2024 but could not be passed before the federal elections. Implementation is not expected to take place until sometime in 2025.

Fines
- Up to EUR 10 million or 2% of global turnover for particularly important entities
- Up to EUR 7 million or 1.4% of global turnover for important entities
- Graduated lower fines for specific violations

The difference between fines for particularly important and important entities:
The NIS2 Directive distinguishes between “essential” and “important” entities. Particularly important entities (corresponding to “essential” entities) are companies that operate in critical sectors and where security incidents could have far-reaching consequences. Important entities include medium-sized and large companies in less critical sectors. The fines for violations are higher for particularly important entities to reflect their greater significance and risk.

Entry into force:
The fines for both categories apply once the NIS2 Implementation Act enters into force, which is expected in the course of 2025.

EXCURSUS: Swiss regulations for critical infrastructure

The NIS2 Directive does not apply in Switzerland. Instead, Switzerland has its own regulations for the protection of critical infrastructure.

Who is affected?
- Operators of critical infrastructure such as energy supply, drinking water supply, transport companies
- Cantonal and municipal administrations
- The sectors are similar to those defined in the NIS2 Directive

Current status
Since April 1, 2025, a reporting obligation for cyberattacks on critical infrastructure has been in force in Switzerland. Operators must report cyberattacks to the Federal Office for Cyber Security (BACS) within 24 hours of their discovery.

Sanctions
For the first six months until October 1, 2025, failure to report will not be subject to sanctions. After this transition period, fines will come into effect.

TreeSolution supports companies in EU countries with NIS2 compliance and Swiss organizations with the implementation of national requirements for the protection of critical infrastructure with customized security awareness solutions.

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security Directive 2) is a comprehensive revision and extension of the European Union's original NIS Directive from 2016. It was adopted in December 2022 and was to be transposed into national law by EU member states by October 2024. However, many countries have been unable to meet this deadline. Although all EU member states are required to implement NIS2 nationally, the current status varies greatly. In Germany, for example, the NIS2 Implementation Act is not expected to come into force until sometime in 2025.

This directive has significantly expanded the scope of application and includes considerably more sectors and companies than the previous version. It imposes much higher cyber security requirements and defines stricter obligations for affected organizations, which must be implemented after the respective national implementation.

The directive affects companies in critical sectors that are of a certain size and importance. The exact criteria vary depending on the sector and national law.

A key element of the NIS2 Directive is improved cooperation between EU member states, which is already helping to strengthen pan-European resilience against cyberattacks. The intensified exchange of information and coordinated responses to cyber incidents are showing initial positive effects in practice.

Under the new regulations, a medium-sized energy supplier must:

  • Establish a cyber security risk management system
  • Provide regular training for employees
  • Report security incidents within 24 hours
  • Conduct regular security audits

Management is personally responsible for compliance and must provide adequate resources. Failure to comply can result in heavy fines.

The NIS2 Directive represents a significant step toward strengthening cyber security in Europe and requires companies to invest continuously in security measures and employee training.

Which sectors are affected?

The NIS2 Directive has significantly expanded the scope of application compared to the original directive. This reflects the increasing digitalization and interconnectedness of almost all sectors of the economy and responds to the recognition that cyberattacks are increasingly targeting sectors that were previously less noticed.

The directive distinguishes between “essential” and “important” entities, with stricter requirements applying to the former. Classification is based on the criticality of the sector, the size of the company, and the potential impact of incidents on society and the economy.

The sectors affected include:

  • Energy: electricity and gas suppliers, oil and gas plant operators, district heating networks
  • Transport: aviation, shipping, railways, road transport, logistics service providers
  • Healthcare: hospitals, medical device manufacturers, pharmaceutical companies, laboratory networks
  • Financial services: banks, insurance companies, payment service providers, securities firms
  • Water supply: drinking water suppliers, wastewater disposal, water treatment
  • Digital infrastructure: data centers, cloud providers, internet exchange points, DNS services
  • Public administration: central and regional government agencies, critical authorities
  • Space: operators of space infrastructure, satellite communications
  • Postal services: postal service providers, parcel delivery services
  • Waste management: waste disposal companies and recycling facilities
  • Chemical industry: manufacturers and processors of critical chemicals
  • Food production: large-scale producers and supply chains for staple foods
  • Telecommunications: providers of telecommunications networks and services (internet, telephony)

It is particularly noteworthy that the NIS2 Directive also includes medium-sized companies in these sectors, whereas the original NIS Directive was mainly aimed at large organizations. This underscores the recognition that security breaches in smaller entities can also have a significant impact on the entire value chain.

The most important requirements of the NIS2 Directive

The following key requirements apply to affected companies:

Risk management

The implementation of comprehensive risk management practices is now mandatory. Organizations must systematically identify, assess, and minimize cyber risks. A structured risk management process forms the basis for this and enables continuous adaptation to new threats.

Reporting obligations

The directive requires security incidents to be reported to authorities within 24 hours, with more detailed follow-up reports. Automated incident response processes are essential for this.

Monitoring and control

Continuous monitoring of IT security and regular audits are crucial to ensure the effectiveness of the measures implemented. NIS2 explicitly requires proof of the effectiveness of security measures.

Training and awareness

Regular training and awareness measures for employees are a central component of the NIS2 requirements. These measures must demonstrably increase security awareness within the organization. TreeSolution offers particular expertise in this area with its Security Awareness Academy, which provides customized, interactive training programs for all employee levels and makes the success of awareness measures measurable. For small and medium-sized enterprises, the Cyber Security Learning Journey is available, a fully automated training option that requires only minimal time from IT managers and employees.

Supply chain management

A new and important requirement of NIS2 is to ensure cyber security throughout the entire supply chain. Organizations must assess the security measures of their suppliers and enter into appropriate contractual agreements.

Implementing these requirements poses a significant challenge for many companies. Integrated solutions can help to meet the various requirements in a coordinated and efficient manner while providing the necessary documentation for regulatory authorities.

Measurable results: The key requirement of the NIS2 Directive

One of the most challenging but crucial requirements of the NIS2 Directive is the need not only to implement security measures but also to measure and document their effectiveness in a verifiable manner. Regulatory authorities are increasingly demanding quantifiable evidence that security measures actually improve security levels and have not merely been implemented for form's sake.

In the area of security awareness in particular, companies face the challenge of objectively proving the success of their training and awareness measures. Simply conducting training courses or providing information material is no longer sufficient to meet regulatory requirements. Instead, organizations must be able to demonstrate that these measures actually have a positive impact on employee security behavior.

The Security Awareness Radar (SAR) from TreeSolution offers a scientifically based solution. This measurement tool accurately assesses the actual security awareness and behavior within the organization and delivers quantifiable results that meet the strict NIS2 verification requirements. With SAR, companies can:

  • Objectively assess the current state of security awareness
  • Demonstrate concrete improvements through awareness measures
  • Identify weaknesses in the security culture
  • Prove the effectiveness of training programs
  • Meet regulatory requirements for proof of effectiveness

This evidence-based approach not only enables compliance with NIS2 requirements, but also offers a clear competitive advantage: Companies can target their resources to the most effective security measures and demonstrate continuous improvement through repeated measurements.

In audits and regulatory reviews, the ability to demonstrate the effectiveness of security measures is becoming a decisive factor. SAR provides exactly the kind of evidence-based data that regulatory authorities increasingly expect.

How TreeSolution can support you in achieving NIS2 compliance

As a pioneer in security awareness, TreeSolution has been offering a comprehensive suite of services tailored specifically to the requirements of the NIS2 Directive since 2005:

Security awareness measurement

Detailed analysis of your employees' current security awareness to identify vulnerabilities and areas for improvement. Our measurements have led to additional cyber security budgets being allocated in over 50% of cases.

Awareness strategy

Development of a customized strategy to raise awareness and train your employees, tailored to your corporate culture for faster and more efficient results.

E-learning and awareness campaigns

Interactive and gamified learning opportunities that strengthen security awareness in the long term and ensure better engagement.

Phishing training service

Regular phishing simulations to prepare your employees for real attacks and promote security-conscious behavior.

Reports and analyses

Detailed reports and analyses to measure progress and continuously improve your security strategy – for sustainable security awareness.

Sustainable security awareness as the key to NIS2 compliance

With the increasing threat of cybercrime and growing regulatory requirements such as the NIS2 Directive, sustainable security awareness is becoming increasingly important. Raising awareness and training employees is not just a mandatory exercise to comply with legal requirements, but a crucial success factor for protecting your company.

A strategic approach to raising awareness has been proven to lead to measurable improvements in security: more security-conscious employees, fewer successful attacks, and a more robust defense against social engineering methods such as phishing. Such results not only support compliance with NIS2 requirements, but also strengthen your company's resilience against digital threats in the long term.

The tried-and-tested TreeSolution approach combines precise analysis, tailored awareness strategies, and continuous performance measurement. Our security experts support you in meeting regulatory requirements while establishing a positive security culture in your company – a decisive competitive advantage in times of growing cyber threats.

Invest in your security awareness now and turn your employees into active security ambassadors. Schedule a free online consultation and learn how TreeSolution can help you efficiently implement the NIS2 directive – for a secure future for your company.
