NIS-2 Compliance
NIS-2
Are you prepared?
Our experts help you understand the complex requirements of the NIS-2 Directive and implement them in a legally compliant manner within your organisation.
Background
Why Was the NIS-2 Directive Introduced?
Successor to the 2016 NIS-1 Directive
The NIS-2 Directive (EU) 2022/2555 replaces the outdated NIS Directive (EU 2016/1148) and updates EU cybersecurity law to address significantly increased cyber risks.
Response to New Threats
Sophisticated cyberattacks, geopolitical conflicts, ransomware campaigns and the growing digitalisation of critical processes made comprehensive modernisation necessary.
Harmonised EU Protection Level
NIS-2 reduces fragmentation within the EU, massively expands the circle of affected companies and significantly raises the overall level of protection.
Goals
What Are the Goals of the NIS-2 Directive?
The central goal is a binding and EU-wide harmonised level of cybersecurity for all companies that are essential to the economy, supply chains and society.
Increased Cyber Resilience
Companies and authorities are to be effectively protected against cyberattacks.
Improved Incident Response
Strict reporting obligations and clear response processes for security incidents.
Supply Chain Security
Suppliers are also considered a risk source — supply chain security becomes mandatory.
Uniform Minimum Standard
A harmonised level of protection across the EU that reduces national differences.
Strengthened Supervision
More binding and stricter oversight by national authorities and the BSI.
Effective Sanctions
Significantly tougher sanctions make cybersecurity a mandatory corporate obligation.
Why machCon?
Achieve NIS-2 Compliance with machCon
The right combination of expertise, efficiency and personal support — for a successful and stress-free NIS-2 implementation.
Our specialists know all requirements in detail and make complex regulations understandable and actionable.
We integrate NIS-2 into your existing processes without unnecessary effort or operational burden.
We guide you with clear steps, reliable communication and consistent direction throughout the process.
Scope
Who Does NIS-2 Apply To?
NIS-2 applies to organisations in 18 critical and important sectors — including many businesses not previously covered by NIS-1.
Energy
Electricity, gas, district heating, oil, hydrogen — the entire energy sector is covered.
Transport
Air, rail, road and maritime transport and related infrastructure.
Banking & Financial Markets
Credit institutions, trading venues, central counterparties, insurers and financial market infrastructure.
Healthcare
Hospitals, laboratories, manufacturers of medical devices and pharmaceutical companies.
Drinking Water & Wastewater
Drinking water suppliers and wastewater operators as critical infrastructure.
Digital Infrastructure
Cloud providers, data centres, CDN providers, DNS resolvers, TLD registries and ICT services.
Public Administration
Federal and state authorities are also subject to NIS-2 requirements.
Space
Operators of ground infrastructure for space services are classified as essential entities.
Manufacturing & Others
Manufacturers of medical devices, machinery, vehicles, chemicals as well as postal and courier services above certain size thresholds.
Thresholds
From What Company Size Does NIS-2 Apply?
Essential Entities (Annex I)
Large companies in critical sectors: more than 250 employees or more than €50 million annual turnover and more than €43 million annual balance sheet. Subject to the strictest supervision and highest fines.
Important Entities (Annex II)
Medium-sized companies: more than 50 employees or more than €10 million annual turnover or more than €10 million annual balance sheet. Also comprehensively regulated, but with adapted supervisory intensity.
Small Companies — Special Exceptions
Generally not affected — except for critical activities, impacts on public security or cross-border effects. Suppliers to affected companies may be indirectly impacted.
"Once the German NIS-2 law comes into force, obligations and potential sanctions apply immediately. While compliance evidence generally only needs to be submitted after three years, particularly critical companies can expect audits by independent inspectors sooner. Now is the right time for companies to act."
Zdravko Matić
IT Security Consultant, machCon
NIS-2 Obligations
What Must Affected Companies Do?
Companies must implement a range of binding organisational, technical and strategic measures.
Risk Analysis & Security Concept
Systematic assessment and treatment of cybersecurity risks — documented and traceable.
Security Incidents & Reporting
Significant security incidents must be reported to the competent authority (BSI) within 24 hours.
Risk Management
Establishing and operating a structured risk management system as an ongoing process.
Business Continuity & Crisis Management
Emergency planning and business continuity management to ensure operations even in a crisis.
Cryptography & Multi-Factor Authentication
Use of modern encryption and strong authentication methods as a minimum technical requirement.
Security Awareness & Training
Regular sensitisation and training of all employees — including phishing simulations.
Supply Chain Security
Security requirements also apply to suppliers and service providers — supply chain security becomes mandatory.
Access Control & Asset Management
Inventory of all critical IT assets and strict control of access rights and permissions.
Management Liability
New: Personal Liability of Company Management
The severity of sanctions is designed to ensure that companies no longer view cybersecurity as optional, but as an obligation and a continuous process.
Management Personally Liable
NIS-2 explicitly obliges company management to take responsibility for cybersecurity measures. Gross negligence in fulfilling these obligations can result in personal sanctions.
High Fines for Essential Entities
For essential entities: fines of up to €10 million or 2% of global annual turnover.
Fines for Important Entities
For important entities: fines of up to €7 million or 1.4% of global annual turnover.
Regulatory Orders & Audits
Regulatory orders to implement measures, mandatory retraining or IT audits, as well as intensified monitoring by national authorities.
Our Service Portfolio
machCon Helps You Achieve Compliance
With a structured, transparent and practical approach, we guide you step by step through the entire process. We analyse your current situation, identify concrete areas for action and develop tailored measures aligned with your goals, resources and priorities.
Building and/or developing an Information Security Management System (ISMS) according to ISO 27001 or BSI Grundschutz.
Inventory and classification of all critical IT and business assets.
Structured and practical identification, analysis and management of security risks.
Implementation of clear rules, responsibilities and technical safeguards (TOMs) for all employees.
Integration and monitoring of partners and suppliers, plus business continuity management for crisis situations.
Regular internal audits, documentation and training measures to raise employee awareness.
Our Approach
Three Steps to NIS-2 Compliance
Whether you want to achieve NIS-2 compliance with us or simply receive an initial fit-gap analysis — no problem!
Non-Binding Initial Consultation
In a free initial meeting, we clarify together your individual needs, goals and challenges. We lay the foundation for a trusting and successful collaboration and create full transparency about the entire process.
Analysis of Your Situation
We take a close look at your company: processes, IT systems, security measures and existing risks are carefully assessed. Weaknesses are clearly identified so you always know where action is needed.
We Stand by Your Side
Whether implementing measures, developing your ISMS further or providing long-term support — we accompany you every step of the way, ensuring your company stays compliant and resilient against cyber risks.
Client Testimonials
What Our Clients Say
"Working with machCon exceeded our expectations. Their expertise and tailored solutions significantly improved our security infrastructure and helped us understand and implement the NIS-2 measures required for our company. Their professional and proactive approach has been truly convincing!"
FSM AG
machCon Client
"Through machCon's NIS-2 and IT security consulting, we were finally able to get our bearings and significantly optimise our IT security measures. The professional advice and solutions tailored to our needs make us feel ready and secure. We recommend their services without reservation."
Renfert GmbH
machCon Client
"Thanks to machCon's NIS-2 and IT security consulting, we have significantly improved our security measures. Their expertise and customised solutions helped us meet NIS-2 requirements without difficulty. We particularly appreciate their straightforward and dedicated working style."
Fidel Dreher GmbH
machCon Client
FAQ
Frequently Asked Questions about NIS-2
When does NIS-2 apply in Germany?
NIS-2 has applied in Germany since 6 December 2025. With the entry into force of the NIS-2 Implementation Act (NIS2UmsuCG), the corresponding obligations for affected companies have become effective immediately.
What company size is affected?
Generally companies with more than 50 employees or more than €10 million annual turnover in one of the 18 covered sectors. Essential entities are affected from 250 employees or €50 million turnover. For certain entities (e.g. operators of critical installations), NIS-2 applies regardless of size.
What happens in case of violations?
For essential entities: fines of up to €10 million or 2% of global annual turnover. For important entities: fines of up to €7 million or 1.4% of annual turnover. Additionally: personal liability of management and regulatory orders.
What are the key technical requirements?
Key technical measures include: risk analysis and security concept, multi-factor authentication, encryption, access control, regular security updates, backup systems and structured patch management.
Does NIS-2 also affect my suppliers?
Yes — NIS-2 explicitly requires securing the entire supply chain. Affected companies must impose security requirements on their service providers and suppliers, and verify their compliance.
How can machCon help?
We first assess your NIS-2 applicability, then develop a prioritised implementation plan and guide you through all requirements — from risk analysis and ISMS implementation to training measures and incident reporting procedures.
Downloads
NIS-2 Compliance Made Easy
White papers, checklists and guides — to help you implement NIS-2 requirements efficiently and minimise risks proactively.
Everything you need to know at a glance. Compact, practical and free: download our NIS-2 cheat sheet and stay on top of requirements.
We continuously provide additional resources on NIS-2. Check back soon or contact us directly.
Check Your NIS-2 Readiness Now
In a free 30-minute initial consultation, we assess your applicability and show you the next steps.