What does the 
NIS2 Directive regulate?

The NIS2 Directive (Network and Information Security Directive 2) sets binding minimum standards for technical and organizational security measures. Its key points include:

  • comprehensive risk management
  • clear reporting obligations for security incidents
  • active risk oversight by company management

The focus is on protecting critical processes, which can be threatened both by attacks on OT components and by vulnerabilities in traditional IT systems.

Who is affected 
by NIS2?

NIS2 significantly expands existing cybersecurity requirements. In addition to traditional operators of critical infrastructure, the following sectors are now covered as well:

  • Chemical industry,
  • Food supply chains,
  • Automotive industry,
  • other manufacturing sectors.

Small and medium-sized enterprises with at least 50 employees or €10 million in revenue may also fall under the directive. In Germany alone, an estimated 25,000 companies are affected.

What exactly 
does NIS2 require?

It mandates comprehensive risk management, including:

  • Backup and recovery concepts
  • Supply chain security
  • Patch management
  • encrypted communications
  • Multi-factor authentication

Executive management is explicitly accountable. They must actively oversee cybersecurity risks and demonstrate control.

What happens in the event 
of noncompliance?

Strict reporting deadlines apply in case of a security incident.

  • Early warning: 24 hours
  • Detailed report: 72 hours
  • Final report: One month

Companies that fail to meet their obligations may face fines of up to €10 million or 2% of their global annual revenue, whichever is higher. In extreme cases, operating licenses may be revoked.

Implementation 
across Europe

The NIS2 Directive has been binding in all EU member states since October 2024. Each member country must transpose the directive into national law and enforce it. National legislation may impose stricter requirements as long as the overall level of protection is maintained.

Many EU countries are currently adjusting their supervisory structures to enable stricter oversight. Companies should expect that violations will be pursued more rigorously going forward.

Why is 
NIS2 important?

NIS2 is designed to strengthen the resilience of Europe’s digital infrastructure, effectively preventing outages, attacks, and manipulation. Consequently, IT networks and OT systems used in production and operations become more robust and less susceptible to disruption.

Modern cybersecurity solutions, such as octoplant, help companies efficiently implement NIS2 requirements and minimize downtime.

For more details, download our NIS2 compliance fact sheet.

Download Factsheet
AMDT Image AMDT Image