Information processing for small and medium-sized enterprises

Understand and apply the NIS2 policy

The Network and Information Systems Directive 2 (NIS2) is an important directive intended to strengthen the security and integrity of networks and information systems in the European Union (EU). It affects a wide range of organizations and companies. Here's who is affected by NIS2 and what you need to know to understand and apply this policy.

The main intention of the NIS2 Directive is to increase the resilience of network and information systems in the European Union to cyber threats. It focuses on critical sectors such as energy, healthcare, transport and digital infrastructure. The aim is to help EU countries develop and implement effective measures to detect, prevent and respond to cyberattacks. The directive promotes cooperation between Member States and the private sector to strengthen digital security at EU level and better protect network and information systems. It repeals Directive (EU) 2016/1148 (NIS Directive) as of October 18, 2024.

Affected sectors

The European Union's NIS2 Directive identifies 18 critical sectors, which are divided into those with high criticality according to Annex 1 NIS2 and other critical sectors according to Annex 2 NIS2. In these sectors, the security and integrity of network and information systems are crucial. They include organizations that provide essential services and infrastructure that are essential to the functioning of our modern society. Some of these sectors were already included in the previous NIS directive, while the sectors marked in red are new additions:

  • Energy
    This essential sector covers the entire energy supply, from generation to distribution to supply. The supply chain begins with the extraction of raw materials such as coal, oil and gas, leads to energy production and ends with distribution via power grids.
  • Traffic
    This sector keeps the world moving and includes road, rail, air and sea transport. The supply chain extends from the manufacture of vehicles to the operation of transport routes and the provision of transport services.
  • Banking
    This sector includes financial institutions that carry out banking activities such as deposit and lending operations. The stability and integrity of the financial system depends largely on these institutions.
  • Financial market infrastructures
    This sector includes operators of trading venues. These companies play a central role in the financial market by operating trading venues and acting as central counterparties in financial transactions. They are highly critical for the stability and integrity of the financial system.
  • Healthcare
    The well-being and health of the population depends on this sector, which includes hospitals, clinics and medical providers. The supply chain includes medical devices, medicines and a wide range of healthcare services.
  • Drinking Water (New!)
    The provision of drinking water is crucial. It includes the production and treatment of drinking water as well as its reliable distribution to households and companies. The supply chain includes services such as maintenance and repair of water treatment systems as well as the production of technical equipment such as pumps and pipelines. However, it should be noted that companies for which water supply represents only an insignificant part of their general business activity and which mainly supply other raw materials and goods are exempt from this rule.
  • Wastewater (New!)
    This sector involves the collection, disposal and treatment of wastewater to meet environmental and health standards. The supply chain in this area may include services and products necessary to support wastewater management. These include, for example, companies that maintain and repair wastewater treatment plants, as well as manufacturers and suppliers of wastewater treatment chemicals. However, it should be noted that companies for which wastewater management represents only an insignificant part of their general business activity and which mainly carry out other activities are exempt from this rule.
  • Digital infrastructure
    This extensive sector includes Internet exchange operators, DNS service providers (excluding root name server operators), TLD name registries, cloud computing service providers, data center service providers, content delivery network operators, trust service providers, public electronic communications network providers and providers of publicly available electronic communications services. These companies are highly critical as they represent the foundations of the digital world. They are largely responsible for the security, connectivity and performance of the Internet and help ensure that digital services and communications function smoothly.
  • Business-to-Business (ICT) Services Management (New!)
    These companies play a crucial role in the business world by providing information technology services and security solutions to other companies. They support business customers in managing and securing their digital resources and contribute to the efficiency and security of business processes. Companies in this sector are highly critical as they ensure business continuity and protection of sensitive data.
  • public administration (New!)
    This sector includes public administration bodies of central governments and public administration bodies at regional level, as defined by a Member State in accordance with national law. These institutions form the backbone of state administration and regional authorities. They are highly critical because they carry out the basic functions of public administration that are essential for maintaining public order and providing public services. The security and stability of these facilities are of utmost importance to society.
  • Space (New!)
    This sector includes operators of ground infrastructure owned, managed and operated by Member States or private parties. These infrastructures support the delivery of space-based services and are highly critical to the space and satellite industries. They play a crucial role in communications, navigation, Earth observation and scientific research in space. It should be noted that providers of public electronic communications networks are exempt from this rule. The security and integrity of these space infrastructures are of paramount importance for numerous applications and services.
  • Postal and courier services (New!)
    This sector includes providers of postal services. This also includes providers of courier services. These companies play an essential role in the delivery of mail and parcels, which is of great importance not only for everyday business operations, but also for communication and the movement of goods. Ensuring reliable postal and courier delivery contributes to the smooth functioning of the economy and society.
  • Waste management
    This sector includes waste management companies. These companies play a crucial role in the collection, disposal and recycling of waste. They contribute to environmental protection and are highly critical as they ensure waste disposal and recycling. Companies where waste management is not their main economic activity are exempt from this rule. Proper waste management is crucial to protecting the environment and public health.
  • Production, manufacture and trade of chemical substances
    These are companies that produce chemical substances and trade in substances or mixtures, as well as companies that produce products from substances or mixtures. These companies play an important role in the production and trading of chemical products that are used in various industries and products. The safe and environmentally friendly handling of chemicals in this sector is of great importance for health and the environment.
  • Production, processing and distribution of food
    Companies active in wholesale trade and industrial production and processing of food. These companies play a key role in the food supply chain as they produce, process and wholesale food. The quality and safety of food is of paramount importance to the health of the population, and activities in this sector have a direct impact on the diet and health of consumers.
  • Manufacturing/Production of Goods (New!
    This sector includes several areas:
    • Manufacture of medical devices and in vitro diagnostics
      Facilities that produce medical devices and facilities that produce in vitro diagnostics. Companies in this area produce vital medical devices that are of great importance for healthcare and medical treatments. Excluded are natural persons or legally recognized entities that can act on their own behalf and meet certain legal requirements.
    • Manufacture of data processing equipment, electronic and optical products
      This area includes the production of computers, electronic devices and optical products.
    • Manufacture of electrical equipment
      Companies that produce electrical equipment, including electrical components and devices, are classified here.
    • mechanical engineering
      Included in this category are companies in the engineering sector that produce machinery and equipment for various industries.
    • Manufacture of motor vehicles and motor vehicle parts
      This area includes companies that produce motor vehicles and parts for motor vehicles.
    • Other vehicle construction
      Companies that produce vehicles that do not fall into the previous categories, such as rail vehicles, are classified here.
  • Digital Service Provider (New!)
    This sector includes various service providers, including online marketplace providers, online search engine providers and social networking service platform providers. These companies play an essential role in the digital economy by providing online marketplaces that facilitate the trade of products and services, search engines that enable information searches on the Internet, and social networking platforms where users communicate with each other, content share and build social networks. Their services are critically important to society and the economy and have a significant impact on the way we communicate, conduct business and search for information online.
  • Research (New!)
    This sector includes research institutions whose main objective is to carry out applied research or experimental development with a view to exploiting the results of this research for commercial purposes. Research institutions in this sector play an important role in promoting innovation and scientific development, particularly when it comes to exploiting new knowledge and technologies for commercial purposes.
    However, it should be noted that educational institutions do not fall into this category.

Affected companies

NIS2 sets the size of the company as a further criterion in order to identify the affected companies.

The distinction is made as follows:

  • Medium-sized companies with 50 or more employees and an annual turnover of EUR 10 to 50 million or an annual balance sheet of up to EUR 43 million
  • Large companies with 250 employees or more and an annual turnover of EUR 50 million or more or an annual balance sheet of EUR 43 million or more


Here too, the NIS2 categorizes two main groups, namely essential and important entities. Public administration, certain areas of digital infrastructure and providers of critical services where a disruption could have a significant impact are subject to regulation, regardless of their size. This approach makes it possible to apply differentiated security requirements to ensure that both the most critical and less critical service providers are appropriately regulated.

  • Large companies that fall into Annex 1 (High Criticality Sectors).
  • Qualified trust service providers and domain name registries and DNS service providers
  • Providers of public electronic communications networks or publicly available electronic communications services
  • Public administration institutions
  • Other establishments of a type listed in Annex I or II which are classified by a Member State as essential establishments.
  • Entities classified by Member States as operators of essential services before 16 January 2023 in accordance with Directive (EU) 2016/1148 (NIS Directive) or under national law
  • Large companies falling in Schedule 2 (other critical sectors).
  • Medium-sized enterprises falling in Annex 1 or 2 (High Criticality Sectors or Other Critical Sectors).
  • Entities classified as such by a Member State

To be covered by the NIS2 Directive, companies must both belong to the critical sectors listed in Annex 1 and Annex 2 of the Directive and meet certain size criteria.
With our checklist you can easily check whether your company is affected by the requirements of the NIS2 directive:

Note that the NIS2 Directive also affects companies in the supply chain that provide services or products related to critical sectors.

  • Company size
    Check whether your company meets the defined company size thresholds according to NIS2:
    • Medium-sized companies with 50 – 250 employees and a turnover between EUR 10 and 50 million or an annual balance sheet total of a maximum of EUR 43 million
    • Large companies with more than 250 employees and more than EUR 50 million in sales or an annual balance sheet of more than EUR 43 million
  • Sector affiliation
    Determine whether your company operates in one of the 18 critical sectors under NIS2 and check whether your sector is listed in Annex 1 or Annex 2 of the NIS2 Directive
  • Essential or important entity
    Clarify whether your company is classified as an Essential Entity or an Important Entity.

How can VdS support the implementation of the NIS2 directive?

Our motto is: Let's give NIS(2) a KISS

The goal is to develop VdS guidelines that support companies in the effective implementation of the NIS2 guideline. These guidelines are developed for companies of all sizes - small, medium and large - to implement the new requirements clearly and practically. The principle is “as little as possible, as much as necessary!” in focus.

The measures taken can be audited and certified by the independent authority, VdS Schadenverhütung GmbH. The required infrastructure for certification and the new VdS guidelines are expected to be available at the time the NIS2UmsuCG is announced in the Federal Law Gazette (probably October 2024). If required according to the NIS2UmsuCG, the guidelines are submitted to the Federal Office for Information Security (BSI) for certification or recognition.

To create a seamless connection, these new guidelines are developed based on the proven VdS guidelines VdS 10000 and are intended to serve as a supplementary module for companies affected by NIS2 in the future. This means that the VdS 10000 guidelines can and should be implemented today as a preparatory measure. They provide a solid framework to meet the requirements of the NIS2 directive and prepare companies for possible changes.

We are convinced that valuable and practical guidelines can only be created if many bright minds contribute to them. We therefore warmly invite everyone who is interested to actively participate in this process. Our goal is to make the design of the new VdS guidelines as open as possible. We want the community to help shape these policies.

Further information about the NIS2 guideline and the project progress can be found on our project page.