Implement NIS2 easily with Hays

We accompany you from the analysis to the compliant implementation of the NIS2 directive

Arrange a consultation with us now

What is NIS2?

The NIS2 Directive (Network and Information Security Directive 2) is an EU-wide directive that aims to strengthen cyber security in the European Union. In contrast to the previous NIS Directive, which only affected companies from critical infrastructures (KRITIS), it affects significantly more companies and sectors. These include, for example, research, digital services and production. NIS2 must be transposed into national law in Germany and the EU member states by October 2024.
This means considerable pressure for many companies and in particular for their management and cyber security officers. This is because managers can be held personally liable if the directive is breached.

What are the penalties for violations?

Heavy fines can be imposed for violations of the NIS2 Directive. For significant companies, the fines can amount to up to ten million euros or two per cent of annual global turnover. For important companies, the fines can amount to up to seven million euros or 1.4 per cent of annual global turnover.
Furthermore, the introduction of NIS2 means a considerable effort for organisations. Many organisations lack the resources and knowledge to deal with such important topics as vulnerability scans, incident response management or awareness training.

In addition, many organisations are currently unable to assess the extent of cyber risks in their supply chain or the costs associated with implementing NIS2. Admittedly: Organisations from all sectors are facing quite a few challenges with the introduction of NIS2 in Germany.
In 2023, the total damage caused by cybercrime in Germany amounted to 205 billion euros.
Nevertheless, one thing is certain: dealing with cyber security is relevant for all of us and protects us significantly from the increasing number of cyber attacks worldwide. The implementation of the directive is therefore not only a comprehensive challenge, but also a necessary measure in the fight against cybercrime.

The implementation of the NIS2 directive is therefore not necessarily another construction site, but rather a sensible protective measure and opportunity. We and our more than 390 strategic partners can carry out a detailed security analysis for you, as well as correct reporting in the event of security breaches or the creation of a holistic cyber strategy with a simultaneous focus on cost minimisation.

NIS2 requirements
How to prepare for NIS2?

Companies and organisations affected by NIS2 need to address cyber risk management, control and monitoring, incident handling and business continuity.

Important steps for preparing for NIS2 are:
1. Risk assessment
Identify the risks associated with your digital operating and information systems. This should include a thorough analysis of all systems and processes that are essential to the operation of your organisation.
2. Implement security measures
Based on the risk assessment, appropriate security measures should be implemented. This could include the encryption of data, the implementation of firewalls and the regular updating of software and hardware.
3. Emergency planning
Create a detailed emergency plan with clear instructions on exactly what to do in the event of a cyberattack.
  • Employee training: Ensure that all employees, as well as management, are trained in the basics of cyber security and understand why it is so important to comply with the NIS2 policy.
  • Regular reviews: Conduct regular reviews and assessments of your security measures. The management is required to monitor the NIS2 measures.

Get ready for NIS2 with Hays

We support you from the initial assessments to the holistic strategy development and regular tests.
Protecting companies
Strengthen customer confidence
Stay profitable

NIS2 - who is affected?

The NIS2 Directive applies to public and private organisations in 18 sectors that either have at least 50 employees or an annual turnover and annual balance sheet of at least €10 million. They are divided into "high criticality sectors" and "other critical sectors".

As companies are not informed about this, it is up to you to check whether you are affected by the NIS2 directive. We can help you analyse the impact and determine whether and which measures are required of you.

Some sectors are affected regardless of their size. These include, for example, parts of the digital infrastructure or critical infrastructure (KRITIS), the failure of which would have an effect on public order and security. All sectors that are affected regardless of size can be found here.

In order to avoid double regulation, financial companies that fall under the new EU regulation DORA are not affected by NIS2. They must adhere to the requirements of the Digital Operational Resilience Act.

These are the companies affected by NIS2

  1. Energy: The NIS2 Directive applies in particular to operators of critical infrastructures (KRITIS) in the energy sector. This includes companies that generate, distribute or store electricity, gas or district heating.
     
  2. Transport: In the transport sector, the NIS2 Directive affects operators of airports, railway stations and transport networks, for example.
     
  3. Banking: In the banking sector, which primarily includes credit institutions, NIS2 only affects companies that are not affected by the EU-wide DORA Regulation.
     
  4. Public administration: The NIS2 Directive applies to various areas of public administration, including federal agencies, public corporations and public companies that provide IT services for the federal administration.
     
  5. Healthcare: The management of healthcare organisations must actively address cyber security, implement specific information security requirements and be able to demonstrate these measures.
     
  6. Drinking water: The companies responsible for the supply of drinking water and wastewater disposal must be protected against cyber attacks and are therefore affected by NIS2.
     
  7. Wastewater: The disposal of wastewater is an essential part of critical infrastructure and is therefore affected by NIS2.
     
  8. Digital infrastructure: The IT infrastructure is particularly vulnerable to digital attacks and must therefore be adequately protected.
     
  9. Space: In the space sector, KRITIS operators and organisations provide the general public with a critical service - the operation of ground infrastructure. This service must be protected with cyber security obligations in accordance with NIS2.
     
  10. ICT service management: Companies and institutions that offer digital services or operate critical infrastructures must fulfil the security requirements.
     
  11. Financial market infrastructures: In addition to the NIS2 Directive, there is also the DORA Regulation, which focuses on the digital operational resilience of financial organisations and critical ICT third-party service providers. This regulation aims to increase the resilience of the financial sector.

  1. Post & courier: This concerns companies that offer postal services, parcel services or courier services.
     
  2. Waste: From 1 January 2024, the disposal of municipal waste such as residual waste, organic waste, paper, glass or bulky waste will officially fall under the KRITIS umbrella and will be considered critical infrastructure.
     
  3. Chemicals: Companies that produce or sell chemicals are affected.
     
  4. Food: In this sector, operators and facilities that supply the general public with food are affected by the requirements of the NIS2 Directive.
     
  5. Manufacturing industry: Companies that manufacture products in the medical sector, electronics, mechanical engineering or motor vehicles must be protected by cybersecurity measures in accordance with NIS2.
     
  6. Digital services: Providers that make digital services such as online marketplaces, search engines and social networks available to the general public must be protected with cybersecurity measures in accordance with the NIS2 Directive.
     
  7. Research: Research is now more dependent on digital services than ever before. This sector must therefore be protected with cybersecurity measures in accordance with the NIS2 Directive.

Our experienced cyber security team makes your company NIS2-ready

With the Hays Cyber Security Team, we have created a central point of contact that provides you with highly competent 360-degree support for all cyber security issues and NIS2 requirements: from project and consulting services to suitable technology and software solutions and highly qualified specialists. We also work with strategic and certified partner companies that can offer you the best solution for your concerns relating to the new EU directive at all times.

Our expert team

Mike Beaupre
Head of Cyber Security (Global)
  • Over 28 years of experience in IT and security
  • Know-how in 12 different industries 
  • Leadership experience in the US military at C-level
  • Former DAX 30 CISO
Neil Khatod
Head of Cyber Security (The Americas)
  • More than 25 years of military experience 
  • Led the defense of the world's largest IT infrastructure
  • COO Cyber Operations, U.S. Army Cyber Command
  • Managed a $1.9 billion cyber budget and led 16,500 employees
Julius Ponsen
Cybersecurity Services & Solutions Lead + CISO, EMPOSO GmbH
  • Experienced cyber security expert
  • M.Sc. in Cybersecurity & Privacy
  • Experience in 50+ cyber security projects
  • Specialized in: Endpoint, network, email and human firewall security
Isabel Höhn
Channel Manager Cyber Security (DACH & EMEA)
  • Master in IT Management (M.Sc.) and CompTIA Security+ certified  
  • Over 6 years of experience in personnel services and recruiting
  • C-level consulting for HR and IT strategies in various industries
  • Specialist for cyber security in an international environment

Our portfolio of solutions: From NIS2 audit to cyber security strategy

Cyber Security Recruitment
We specialise in the search and placement of highly qualified cyber security experts. We connect companies affected by NIS2 with the talent they need to protect their data and digital assets.
Upskilling and reskilling of personnel
Cyber security is dynamic, because cybercrime is developing at a rapid pace. In order to stay one step ahead of the impending dangers, we help you to train your staff effectively and in a targeted manner.
C-Level Advisory
Our internal Hays experts are your contacts when it comes to designing your cyber security strategy. We advise both C-level executives and the specialists responsible for implementing NIS2 in your company.
Cyber Security Consulting Services
Together we will manage the NIS2 implementation. We advise you on all issues relating to the regulation, from strategy development and specific measures to cyber security assessments.
Managed Security Services
Our professional partners offer a comprehensive portfolio of software and hardware tailored to your needs to beat cybercrime, as well as smooth integration and maintenance of the new security solutions.
Technology Solutions
Our network of more than 390 strategic partners supports you with state-of-the-art technological cyber security solutions.

Our wealth of operational experience and certified partner network

390+ partner companies
in long-term collaborations and over 30 highly specialized strategic cyber partners based in Germany
2,000+ projects
successfully supported our customers and partners from over 50 industries in all areas of cyber security
5,200+ skilled professionals
from the cyber security environment - both freelance and in permanent employment and temporary employment

Your benefits from our NIS2 consultation

1. Being competitive and profitable in the long term

NIS2 harmonises and significantly improves the level of security in the companies affected by NIS2, as the directive also obliges them to ensure that their entire supply chain complies with the requirements. This ensures the long-term competitiveness and profitability of the companies concerned.

2. Become resilient

Get a head start against cybercrime. NIS2 includes measures that significantly reduce business and financial risks and protect you from attacks.

3. Increase compliance

Show that your company can operate securely in a complex world. Compliance with the NIS2 directive strengthens the trust of customers and partners. You also avoid sanctions: Penalties of up to ten million euros or up to two per cent of annual turnover can be imposed for violations and management and CISOs can be held personally liable.

NIS2 consulting and implementation
How the collaboration with Hays works

Appointment with Cyber Experts
Deep Dive with NIS2 Experts
Gap analysis and implementation
Establishing NIS2 compliance
Regular testing

The NIS2 gap analysis

At the start of our collaboration, we usually conduct a detailed gap analysis. Our experts conduct a review of your existing documentation to determine whether it meets the requirements of the NIS2 Directive. We then organise a one-day workshop with your team to jointly identify gaps. On this basis, our experts develop a detailed roadmap with customised measures to close the identified gaps.

Individual support

From customized security assessments to penetration tests, we offer services that put your digital infrastructure through its paces.

A team at your side

Our experts are not only specialists, but also your partners. Together, we will walk the path to NIS2 compliance.

Software and hardware solutions

Our solutions are designed to make companies more resilient in a cost-effective and sustainable way. 
From SOCaaS (Security Operations Center-as-a-Service) to advanced deception & detection platforms - we have the tools.

Personnel services from the #1

We offer not only technical solutions, but also highly qualified specialists to drive your security strategy and NIS2 processes forward.

Contact us now

Yesterday's solutions don't solve tomorrow's problems!

FAQ

The abbreviation "NIS2" stands for the "Network and Information Security Directive 2" (Directive on Network and Information Systems). This European legislation aims to strengthen cyber resilience in the European Union by defining security measures for affected companies to ensure the integrity, availability, confidentiality and robustness of their network and information systems.

Companies with at least 50 employees or an annual turnover of more than ten million euros are directly affected by NIS2 and should comply with the NIS2 directive in order to avoid fines and liability risks.

The NIS2 Directive stipulates that the management of a company is personally responsible for compliance with the Directive. This means that members of the management can be held personally liable if the company does not fulfil the requirements of the NIS2 Directive. Violations of the NIS2 requirements can lead to national fines, penalties and sanctions.

The NIS2 Regulation was adopted by the EU Parliament in 2022. It must be applied in the EU countries from 17 January 2025, which is why NIS2 implementation is a time-critical challenge for many companies.

NIS2 is an EU regulation that focuses on improving cyber security and information sharing following cyber attacks in 18 sectors. DORA, on the other hand, is specific to the financial sector and aims to ensure cyber resilience in this sector. Both regulations must be complied with by companies from October 2024.

NIS2 Directive: Summary

NIS (Network and Information Security Directive) is an important EU directive for the security of critical infrastructures (KRITIS) and has defined the minimum cyber security standards in companies since 2016. The NIS2 Directive is the revised version that must be transposed into national law in Germany by October 2024.

The EU-wide regulation aims to strengthen resilience against cyberattacks in the European Union. It does this by laying down security requirements for affected organisations to ensure the integrity, accessibility, confidentiality and resilience of their network and information systems. NIS2 not only drives the EU-wide development of national cybersecurity, but is also an important measure in the fight against cybercrime.

In addition to the KRITIS companies that were previously subject to the NIS Directive, a broader range of companies are now also affected by the new NIS2 regulation. The expanded number of affected sectors presents many company managements with a number of critical challenges.

As a first step, companies should inform themselves about the changes and check whether they are affected by NIS2. If this is the case, they face the far greater challenge of implementation. A detailed NIS2 audit then helps them to define and implement specific measures.