NIS2 Directive and KRITIS Framework Act: New strict security requirements for many companies

The digital transformation is progressing, and the growing dependence on digital technologies confronts numerous stakeholders with challenges regarding cybersecurity and resilience. The EU's new NIS2 Directive (Network and Information Security Directive), the successor to the original NIS Directive, aims to standardize and further strengthen security requirements throughout the European Union. It significantly expands the scope of application and tightens the security requirements for a variety of sectors. In addition, Germany's KRITIS umbrella law specifically targets operators of critical infrastructure. We at IT-Resell are here for you as a competent partner in implementing the new requirements.

The new NIS2 directive for more security in IT

With the NIS Directive, in force since 2016, the EU for the first time adopted measures to ensure a high common level of security for network and information systems in the European Union and created a uniform legal framework for building cybersecurity capacity. In the course of the digital transformation, which was further accelerated by the COVID-19 crisis, the EU identified new threats and associated challenges, as well as the following deficiencies in the NIS Directive:

  • insufficient cyber resilience of companies operating in the EU
  • uneven resilience between member states and sectors
  • insufficient common understanding of the main threats and challenges facing EU member states
  • lack of joint crisis management

In response, the EU Commission introduced an adapted and significantly expanded directive with revised, future-proof proposals into the EU legislative process: the NIS2 Directive.

The new EU NIS2 Directive builds on the existing NIS Directive by clearly expanding both the scope of application and the security requirements. The new regulation has been in effect at the EU level since the beginning of 2023 and will become fully effective after its national implementation, which the EU member states must complete by October 17, 2024.

Among the most important innovations compared to the previous NIS Directive are:

  • a significantly expanded scope of application
  • tightened security requirements
  • more extensive reporting obligations
  • a stricter enforcement

Around 30,000 institutions and companies affected


The expansion of the scope means that many smaller organizations and companies that previously did not fall under the NIS Directive must now meet the new requirements. According to estimates, about 30,000 companies in Germany are affected by the new regulations of the NIS2 Directive. This includes companies from sectors such as energy, health, transport, banking, digital infrastructure, public administration, and more.

Additionally, the new directive also covers companies that are part of the supply chain of these sectors or that provide services for them. It is important to note that companies are not automatically informed about whether they are affected by the NIS2 Directive. They must check for themselves whether they fall under the directive due to their size and industry affiliation, and take appropriate precautions.

Stricter reporting obligations and tougher sanctions

The new NIS2 Directive expands the reporting obligations. Affected companies must now report security-relevant incidents that could have a significant impact on the availability of services to the authorities. NIS2 also introduces more uniform and stricter penalties for violations of the security requirements and reporting obligations, to ensure that companies take the new requirements seriously and implement the corresponding cybersecurity measures quickly. Management and responsible executives can be held directly liable for violations, and in the worst case fines of up to 10 million euros or 2% of global annual turnover are possible. This shows how important it is to implement the new requirements of the NIS2 Directive in a timely and comprehensive manner, together with a reliable partner like IT-Resell.

Exceptions for municipalities and educational institutions

With the NIS2 Directive, the European Union primarily targets companies, but by defining the affected sectors it also covers educational institutions, cities and municipalities, as well as public authorities. In Germany, however, there are efforts to create exceptions for some of these actors. The IT Planning Council in Germany has decided to seek the exclusion of educational institutions from the application of the NIS2 Directive. For local administrations in cities and municipalities, there are likewise plans not to include them in the scope of the NIS2 Directive. However, the final decision is still pending and will be made as part of the national implementation, which is currently at the draft stage.


Other public institutions, such as libraries, cinemas, museums, and zoos, may well be affected by the new requirements of the NIS2 Directive. Their inclusion may depend on their size, their revenue, and their importance for critical infrastructure. Here too, there will be certainty only with the final national implementation. In general, it is advisable for institutions that may ultimately not be affected by the new regulations to address topics such as cybersecurity and resilience together with an experienced partner like IT-Resell – if only out of self-interest.

SMEs and the NIS2 Directive

With the new NIS2 Directive, the scope of application is significantly expanded compared to the previous rules. This means that many small and medium-sized enterprises (SMEs) must also meet the new security requirements. These include:

  • Security Policies: Development and implementation of security policies that meet the specific requirements of SMEs

  • Security solutions: Implementation of security solutions such as security software, firewalls, and intrusion detection systems

  • Security audits: Regular conduct of security audits to identify vulnerabilities and assess the current security situation

  • Employee Training: Regular training of employees to raise awareness of cyber threats and to promote safe handling of IT systems

Whether your company is affected depends on whether it meets certain criteria. Companies with 50 or more employees, a turnover of 10 million euros or more, and an annual balance sheet total of the same amount fall within the scope of application. The same applies to companies that are active in one of the defined critical sectors and exceed specified thresholds (more than 250 employees, annual turnover over 50 million euros and/or an annual balance sheet total of over 43 million euros), which are thus automatically classified as "critical" or "important" companies within the meaning of the directive.

Contact us, benefit from our expertise, and lay the foundation for meeting the NIS2 requirements. We at IT-Resell will discuss with you whether and to what extent your company is affected by the new security requirements, and develop together with you a solution that allows you and your company to comply with the new directive on time – so that cybersecurity is ensured and sanctions are not an issue.

Hand in hand with the KRITIS umbrella law


The NIS2 Directive is supplemented by the CER Directive and its national implementation, the KRITIS umbrella law. While the NIS2 requirements primarily focus on cybersecurity and preventive measures for a high common standard of cybersecurity, the KRITIS umbrella law focuses on the physical security and cyber resilience of critical infrastructures. The goal: to prevent disruptions and failures as far as possible, to limit their consequences, and to restore functionality quickly after an incident – regardless of whether severe weather, human error, or an act of sabotage is the cause.

Unlike the NIS2 Directive, which is estimated to affect up to 30,000 companies, the KRITIS umbrella law focuses specifically on critical infrastructure. It defines companies in various sectors that are essential for the overall supply in Germany and that provide for more than 500,000 people.

The KRITIS umbrella law introduces various measures to increase the resilience of critical infrastructures:

  • Resilience plans: Operators of critical infrastructure must create resilience plans that include risk analyses, emergency preparedness, crisis management, and measures for restoring critical services

  • Risk analyses: Regular risk analyses are required to identify and minimize potential vulnerabilities – at least every four years

  • Physical protection: Operators must implement measures for the physical protection of the infrastructure, such as fences and secure access controls

  • Business Continuity Management: An important component of resilience management is a Business Continuity Management System (BCMS), which must be implemented

  • Audits and Monitoring: Biennial audits by the Federal Office of Civil Protection and Disaster Assistance (BBK) to review the implementation of resilience measures

Conclusion: Urgent need for action for many companies

The NIS2 Directive and the KRITIS Framework Act impose completely new requirements on numerous actors and many companies, including many SMEs. In the event of violations of the new regulations, management and executives can be held responsible, and the company faces severe sanctions. IT-Resell stands at your side as an experienced and reliable partner to help you meet the new requirements on time and to ensure the security and resilience of your IT. Rely on our expertise and let our trained staff advise you individually, so that together we can find the best solutions for your specific needs.