NIS-2 Directive · EU 2022/2555

NIS-2 Directive: €10M, 2 %, personal liability.

EU Directive 2022/2555 provides for administrative fines of up to €10 million or 2 % of worldwide annual turnover, whichever is higher, plus liability of the management body. Roughly 160,000 entities EU-wide are in scope. What operators must prove, and how to evidence it.

Max fine
€10M / 2%
Notification
24 h / 72 h
EU entities
~160k
In force
2023-01-16

Definition

NIS-2 is the EU's high-common-level cybersecurity directive.

Directive (EU) 2022/2555, adopted 14 December 2022, in force 16 January 2023. It replaces the original NIS Directive (2016/1148) and expands the scope from roughly 14,000 to roughly 160,000 entities EU-wide. Member States had until 17 October 2024 to transpose it; Germany's NIS2UmsuCG is in parliament. A directive binds the Member States, not operators directly, so the obligations become enforceable through the national law. That law, once in force, carries no grace period for entities already in scope, so operators should not wait for it before implementing the measures.

  • 01 · Scope · Article 3

    Essential entities: large entities (250+ employees, or turnover above €50M and balance sheet above €43M) in the Annex I sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space), plus certain entities regardless of size (for example DNS service providers, TLD registries and qualified trust service providers). Important entities: medium entities in Annex I and medium or large entities in Annex II (postal, waste, chemicals, food, manufacturing, digital providers, research).

  • 02 · Risk measures · Article 21

    Ten minimum risk-management measures (Article 21(2)(a) to (j)): risk-analysis and information-system security policies; incident handling; business continuity and crisis management; supply-chain security; security in acquisition, development and maintenance, including vulnerability handling and disclosure; assessment of the effectiveness of the measures; cyber hygiene and training; cryptography and, where appropriate, encryption; human-resources security, access control and asset management; MFA and secured communications.

  • 03 · Reporting · Article 23

    Early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month of the incident notification (Article 23(4)). Notifications go to the national CSIRT or competent authority (the BSI in Germany), not to ENISA, which only receives periodic summary reports from the CSIRTs. The clocks run from awareness, not from the first sensor detection. Non-negotiable timelines.

  • 04 · Liability · Articles 20, 32 and 34

    The management body must approve and oversee the measures and can be held liable for infringements (Article 20). Fines up to €10M / 2 % of worldwide annual turnover for essential entities, €7M / 1.4 % for important entities (Article 34). For essential entities, the authorities can additionally have the CEO or legal representative temporarily barred from managerial functions until compliance is restored (Article 32(5)).

Why this matters now

The transposition deadline has already passed.

  • 01 · Transposition overdue

    Most Member States missed the 17 October 2024 transposition deadline (Germany among them); the Commission opened infringement proceedings in November 2024. The overdue national law will not grant a grace period once it is in force, and the Article 21 measures take months to implement and document, so operators should be working to them now rather than waiting for the text.

    European Commission · INFR(2024) press release

  • 02 · Management liability

    Article 20 requires the management body to approve the cyber-risk-management measures and to oversee their implementation, and makes it liable for infringements under national law. The German NIS2UmsuCG draft (§ 38) keeps that liability and adds a training obligation for the management (Geschäftsleitung). The CEO is in scope, not just the CISO.

    EUR-Lex 2022/2555 · Art. 20 + NIS2UmsuCG-E § 38

  • 03 · State-of-the-art proof

    Article 21 requires measures appropriate to the risk, based on an all-hazards approach that covers the physical and environmental security of network and information systems (Article 21(2), Recital 79). The directive is technology-neutral: what an auditor needs for a KRITIS perimeter is a complete, timestamped and tamper-evident record of detections and their disposition. Timestamped, classified detections whose metadata is integrity-protected and encrypted in transit produce such a record; a guard logbook only does so if it is equally complete and equally hard to alter after the fact.

    BSI · Orientierungshilfe Stand der Technik · 2024

Where to next

The German implementation, sector requirements, the perimeter file.

NIS-2 is the EU umbrella; in Germany it is transposed by the NIS2UmsuCG, while the KRITIS-Dachgesetz transposes the sister CER Directive (EU 2022/2557) on the physical resilience of critical entities, and the two are built to cover the same entities. Read the sector-specific obligations, then the physical-perimeter answer to the all-hazards requirement of Article 21(2).

FAQ

Eight questions, the ones general counsel asks first.

  • What is the NIS-2 Directive?

    NIS-2 is EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union, in force since 16 January 2023. It replaces the original NIS Directive (2016/1148) and widens the scope considerably: medium and large entities in the 18 sectors of Annex I and Annex II (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal, waste, chemicals, food, manufacturing, digital providers, research) are now essential or important entities. Member States had until 17 October 2024 to transpose; Germany's NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) is the national implementation, in Bundestag deliberation as of May 2026.

  • Who must comply with NIS-2?

    NIS-2 applies to two tiers. Essential entities (Article 3(1)): large entities (250+ employees, or turnover above €50M and balance sheet above €43M) in the sectors of high criticality of Annex I (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space), plus certain entities regardless of size, such as DNS service providers, TLD registries and qualified trust service providers. Important entities (Article 3(2)): medium entities in Annex I and medium or large entities in the other critical sectors of Annex II (postal, waste, chemicals, food, manufacturing, digital providers, research). The European Commission estimates roughly 160,000 entities in scope EU-wide, against about 14,000 under the original NIS. In Germany alone, approximately 30,000 entities now fall under federal cyber law (BSI estimate, 2024).

  • What does NIS-2 require operators to do?

    Article 21(2) lists ten minimum risk-management measures that every essential and important entity must implement: (1) policies on risk analysis and information-system security; (2) incident handling; (3) business continuity (backup management, disaster recovery) and crisis management; (4) supply-chain security; (5) security in acquisition, development and maintenance, including vulnerability handling and disclosure; (6) policies and procedures to assess the effectiveness of the measures; (7) basic cyber hygiene and cybersecurity training; (8) policies on the use of cryptography and, where appropriate, encryption; (9) human-resources security, access-control policies and asset management; (10) multi-factor or continuous authentication and secured voice, video, text and emergency communications. Article 23(4) adds the reporting clocks, all running from the moment the entity becomes aware of a significant incident: an early warning within 24 hours (stating whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impact), an incident notification within 72 hours (updating the early warning with an initial assessment of severity and impact and any indicators of compromise), an intermediate report on request, and a final report within one month of the incident notification. Non-negotiable timelines.

  • What are the fines under NIS-2?

    Article 34 sets the fine ceilings. Essential entities face administrative fines of up to €10 million or 2 % of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4 % of worldwide annual turnover, whichever is higher. Under Article 32 the competent authorities can also issue binding instructions, order an entity to make aspects of an infringement public and, for essential entities, suspend certifications or authorisations and have the CEO or legal representative temporarily barred from exercising managerial functions. The German NIS2UmsuCG draft mirrors these ceilings. The fines must be effective, proportionate and dissuasive (Article 34(1)).

  • Does NIS-2 hold management personally liable?

    Yes. Article 20 introduces management-body accountability, a structural shift from the original NIS. Management bodies of essential and important entities must approve the cyber-risk-management measures, oversee their implementation, and can be held liable for infringements under national law (Article 20(1)). Members of the management body must follow cybersecurity training, and entities are encouraged to offer similar training to employees on a regular basis (Article 20(2)). The German implementation is more concrete: § 38 of the NIS2UmsuCG draft obliges the Geschäftsleitung to implement and monitor the measures and to attend training, with liability to the entity for breaches of that duty under the general rules of company law. ENISA publishes implementation guidance on the Article 21 measures; the BSI (Bundesamt für Sicherheit in der Informationstechnik) publishes the German operating standards.

  • How does NIS-2 relate to physical-security measures like patrol robots?

    NIS-2 is technology-neutral about implementation: Article 21 demands risk-management measures appropriate to the risk, based on an all-hazards approach that covers the physical environment of network and information systems (Article 21(2), Recital 79). For KRITIS sites with outdoor exposure (substations, water treatment, data centres, hospital perimeters), documented physical perimeter monitoring therefore belongs in the Article 21 risk-management file; the vendor of the patrol system is in turn a supplier under Article 21(2)(d), and its acquisition and maintenance fall under Article 21(2)(e). Autonomous patrol robots with timestamped AI classification can produce the tamper-evident detection record an auditor looks for. The physical-resilience side of the same sites is governed separately by the KRITIS-Dachgesetz, the German transposition of the CER Directive (EU 2022/2557), not by NIS-2 Article 21.

  • What is the timeline for NIS-2 enforcement in Germany?

    The EU directive entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it into national law. Germany missed that deadline; the NIS2UmsuCG is currently in parliamentary deliberation, with adoption expected in 2026 H2. The European Commission opened infringement proceedings against Germany in November 2024, and the BSI has urged affected entities to prepare for the NIS-2 requirements now. A directive does not impose obligations on private operators by itself, but the national law, once in force, applies to entities already in scope without a transition period, and it will not be a fresh start. Operators waiting for legal certainty are accumulating compliance debt.

  • How do I prove NIS-2 compliance to an auditor?

    Three documentary pillars: (1) the cyber-risk-management policy file, covering all ten Article 21(2) measures, approved by the management body and reviewed at least annually. (2) The incident register: every detection event with timestamp, classification, response, and, for significant incidents, the 24-hour / 72-hour / one-month notification trail to the BSI under Article 23. (3) The state-of-the-art file: proof that each control reflects current technical practice, documented against recognised standards such as ISO/IEC 27001 or BSI IT-Grundschutz. For the physical perimeter, autonomous patrol with AI classification and integrity-protected, TLS-encrypted detection metadata is one way to produce the tamper-evident record an auditor needs; TLS protects the data in transit, so the record itself must also be protected at rest, for example by signing or hash-chaining entries. Cite EUR-Lex 2022/2555, the ENISA implementation guidance, and the BSI Orientierungshilfe in the audit binder.
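The incident register and the Article 23 clocks from the FAQ above, as an added example in Python (not code from the original page or from any patrol-robot vendor): an append-only register in which every detection record commits to the SHA-256 digest of its predecessor, so an after-the-fact edit to any record is detectable on verification, plus a function that reports whether each Article 23 milestone has been sent, is still open, or is overdue relative to the moment of awareness. The event field names, the sample events, and the reading of "one month" as 30 days are assumptions made for the example.

```python
# Added example: hash-chained incident register with Article 23 deadline tracking.
# Not code from the original page or from any vendor; event fields and the
# sample events in demo() are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Article 23(4) clocks, all measured from the moment the entity becomes aware
# of the significant incident, not from the first sensor detection.
ARTICLE_23_CLOCKS = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),   # "one month": 30 days is an assumption here
}

GENESIS = "0" * 64  # previous-digest value of the first record


def _digest(seq: int, prev: str, event: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    payload = json.dumps({"seq": seq, "prev": prev, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class IncidentRegister:
    """Append-only register: each record commits to the digest of its predecessor."""
    records: list = field(default_factory=list)

    def append(self, event: dict) -> dict:
        seq = len(self.records)
        prev = self.records[-1]["digest"] if self.records else GENESIS
        record = {"seq": seq, "prev": prev, "event": event,
                  "digest": _digest(seq, prev, event)}
        self.records.append(record)
        return record

    def verify(self) -> tuple:
        """Walk the chain; return (True, count) or (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i
            if _digest(i, prev, rec["event"]) != rec["digest"]:
                return False, i
            prev = rec["digest"]
        return True, len(self.records)


def article23_status(aware_at: datetime, now: datetime, sent: dict) -> dict:
    """Per milestone: 'sent', 'sent late', 'open' (not yet due) or 'overdue'.

    `sent` maps a milestone name to the datetime the notification went to the
    CSIRT / competent authority (the BSI in Germany).
    """
    status = {}
    for name, window in ARTICLE_23_CLOCKS.items():
        deadline = aware_at + window
        if name in sent:
            status[name] = "sent" if sent[name] <= deadline else "sent late"
        else:
            status[name] = "open" if now <= deadline else "overdue"
    return status


def demo() -> tuple:
    """Build a small register, tamper with it, and evaluate the Article 23 clocks."""
    reg = IncidentRegister()
    # Constructed sample events in the page's own field vocabulary.
    reg.append({"ts": "2025-03-01T01:12:00Z", "unit": "QR-2", "site": "Sektor B",
                "class": "thermal_hit", "review": "benign"})
    reg.append({"ts": "2025-03-01T02:00:00Z", "unit": "QR-7", "site": "Gate 4",
                "class": "intrusion", "review": "confirmed",
                "note": "awareness of significant incident"})
    ok_before, _ = reg.verify()

    # An after-the-fact edit to a stored record: the chain must flag it.
    reg.records[0]["event"]["review"] = "benign (edited)"
    ok_after, bad_index = reg.verify()

    aware = datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc)
    now = aware + timedelta(hours=80)                       # 80 h after awareness
    sent = {"early_warning": aware + timedelta(hours=20)}   # 72 h notification not sent
    return ok_before, ok_after, bad_index, article23_status(aware, now, sent)


if __name__ == "__main__":
    print(demo())
```

The chain proves internal consistency, not authenticity: anyone holding the register could rewrite every record and recompute every digest. In practice the head digest is anchored externally at intervals (signed with a key the operator does not control, or written to WORM storage), which is what turns the register into audit evidence. TLS on the link from the robot to the backend protects the events in transit; it does nothing for the record at rest, which is what this chain covers.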
