NIS-2-Directive – Measures to Ensure a High Level of Cybersecurity in the European Union (NIS-2-EU Directive)

What is the NIS-2-Directive and the NIS-2-Implementation Act (NIS2UmsuCG)?

The NIS-2-Directive is an EU-wide regulation aimed at harmonizing and improving the cybersecurity of critical infrastructure and essential services in Europe.

What is the goal?

  • Protecting critical infrastructure (e.g., energy, transportation, healthcare, water) and digital services (e.g., cloud providers, online marketplaces) from cyber threats 

What are the key obligations for businesses?

  • Risk Management: Implementation of comprehensive IT security measures (e.g., multi-factor authentication, encryption, incident response).
  • Reporting Requirements: Immediate reporting of cyber incidents to the competent authority (in Germany: Federal Office for Information Security (BSI)).
  • Cybersecurity as a top priority: CEOs and executives are required to undergo training on cybersecurity issues and are responsible for implementing the measures.
  • Supply chain security: Under NIS-2, supply chain security means that companies providing essential and important services must actively manage cybersecurity risks among their direct suppliers and service providers (e.g., cloud, IT services). This includes contractual security requirements, risk assessments of providers, and the avoidance of single points of failure.

Who is affected?

The NIS-2-Directive applies to a total of 18 sectors, which are divided into »essential« (e.g., energy, health, digital) and »important« (e.g., chemical, food, research) entities, in order to significantly expand the scope of application compared to the previous NIS-1-Directive ((EU) 2016/1148) and thereby enhance the cybersecurity level of critical infrastructures. 

Essential Entities

  • Energy (electricity, district heating, oil, natural gas, hydrogen)
  • Transport (air, rail, maritime, road transport)
  • Banking (credit institutions)
  • Financial market infrastructure (trading venues)
  • Healthcare (healthcare providers, research, pharmaceuticals)
  • Drinking water supply
  • Wastewater disposal
  • Digital infrastructure (Internet nodes, DNS, cloud, data centers)
  • ICT service management (B2B services)
  • Public administration (central and regional governments)
  • Space (ground infrastructure) 

Important Entities

  • Postal and courier services
  • Waste management
  • Chemicals (production, manufacturing)
  • Food (production, processing, distribution)
  • Manufacturing / production of goods (e.g., computers, electronics, metals)
  • Digital service providers (online marketplaces, search engines, social networks)
  • Research (research institutions) 

Companies in these sectors must comply with the requirements if they meet certain size criteria (usually >50 employees or >€10 million in revenue/balance sheet total) or if they are classified as particularly critical.

What are the consequences of non-compliance?

  • Penalties: Heavy fines of up to two percent of global annual turnover.
  • Personal liability: Managing directors may be held liable with their personal assets.

Implementation in Germany

  • The NIS-2-Implementation Act (NIS2UmsuCG) entered into force in December 2025, transposing the EU Directive into national law. 
  • Key aspects of the NIS2UmsuCG are:
    • The expanded scope of application based on the EU NIS2 Directive: As a result, a much broader range of medium-sized and large companies in key sectors (e.g., energy, transportation, healthcare, digital services, research) are affected by heightened cybersecurity requirements than in the past.
    • Stricter security requirements: Companies must implement risk management measures (implementation of comprehensive IT security measures, e.g., multi-factor authentication, encryption, incident response).
    • Three-tier reporting requirement: A tiered system for reporting security incidents (early warning, incident report, final report) has been introduced.
    • Management responsibilities: The law establishes management’s liability for compliance with security requirements.
    • Expanded oversight & sanctions: The BSI is granted greater monitoring powers, and violations are subject to substantial fines, similar to those for GDPR violations.

Requirements under NIS-2

The following risk management measures are set forth in Article 21 of the NIS-2-Directive and in Section 30 of the Federal Office for Information Security Act (BSIG), as amended by the NIS-2-Implementation Act (NIS2UmsuCG), and are implemented by Fraunhofer AISEC:

  • Risk Analysis and Security Concepts
  • Supply Chain Security
  • Assessment of the Effectiveness of Risk Management Measures
  • Cryptographic Methods
  • Authentication and Communication

Risk Analysis and Security Concepts

Risk analysis and security concepts are essential for the NIS-2-Directive

Services offered by Fraunhofer AISEC for risk analysis and information technology security

Risk Analyses: Integrating Security Aspects into the Software Lifecycle

Fraunhofer AISEC supports companies with security risk analyses. Together, we assess risks, derive security requirements, and integrate these into design, development, testing, and incident response. Security aspects are firmly integrated into the software lifecycle. To this end, Fraunhofer AISEC selects and adapts proven methods, develops and configures tools, and ensures a transparent assessment of the IT risks associated with services and products. At the same time, the institute provides support for quality assurance and measure management and helps to establish a permanently effective security engineering process within the company.

Further information: https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Flyer/Flyer_MoRA_2023_EN.pdf

Contact:
Daniel Angermeier | Product Protection & Industrial Security | daniel.angermeier@aisec.fraunhofer.de

Leverage new technologies safely with an audit

Fraunhofer AISEC has developed an audit that provides organizations with tools to benefit from digital and networked systems - particularly cyber-physical systems - without compromising IT security. As a starting point, our experts work with the organization to define the goals it aims to achieve through the implementation or further development of digital solutions. An inventory analysis provides insights into the existing infrastructure and architecture that can be leveraged or built upon. Based on the assessment of security risks and comprehensive analyses, Fraunhofer AISEC develops a customized roadmap to enhance the level of IT security and identifies appropriate security measures to ensure organizations remain protected. We support companies in implementing this roadmap and empower them to independently assess the prerequisites for future developments. Finally, our team of experts conducts a comprehensive review of the digital systems and security processes.

Contact:
Bartol Filipovic | Product Protection & Industrial Security | bartol.filipovic@aisec.fraunhofer.de

Supply Chain Security

CONFIRMATE ensures a secure supply chain

Knowing Where You Stand – Compliance and Security Audits with Confirmate

»Confirmate« is a tool developed by Fraunhofer AISEC that automatically checks whether the software in a product complies with legal requirements for IT security. To do this, it compares security settings and existing documentation with the requirements and highlights areas that are in compliance as well as those that need improvement.

The tool analyzes the program code, interfaces (e.g., to the cloud), and the third-party libraries used. It compares these against technical specifications, EU regulations, and databases of known security vulnerabilities. It also takes into account business processes, such as those related to vulnerability management.

The results are compiled into a clear overview. This allows manufacturers to quickly see how secure their product currently is and where action is needed. Since »Confirmate« can be used on an ongoing basis, these findings remain up to date. Based on the analyses, our experts assist with the planning and implementation of the necessary security measures.

Further information:

https://www.aisec.fraunhofer.de/en/media/press-releases/2024/CRA-compliance-testing-with-Confirmate.html

Contact:
Christian Banse | Service & Application Security | christian.banse@aisec.fraunhofer.de

Establishing a Secure Foundation with GyroidOS – A Secure Operating System-Level Virtualization Solution

GyroidOS is a Linux-based virtualization system. It can run multiple isolated operating system environments in parallel on a shared Linux kernel. The solution is designed for high security and utilizes hardware features to achieve this. Compared with conventional container stacks, the software stack is smaller, and particularly sensitive components are more strictly separated from one another. Administrator access first enters a less privileged core container, which communicates with the actual virtualization layer only through a clearly defined interface. GyroidOS is designed to facilitate certification according to common industry standards.

Further information:
https://gyroidos.github.io/

Contact:
Sascha Wessel | Service & Application Security | sascha.wessel@aisec.fraunhofer.de

Assessment of the Effectiveness of Risk Management Measures

Evaluate the effectiveness of risk management measures in information technology

Services offered by Fraunhofer AISEC for concepts and methods to evaluate the effectiveness of risk management measures in the field of information technology security

Cryptographic Methods

Cryptographic methods are transforming IT security

Fraunhofer AISEC's offering of concepts and processes for the use of cryptographic methods

Post-quantum cryptography

Advances in the development of quantum computers threaten today’s IT security as a whole. This is because established cryptographic methods could be broken by quantum computers. Through its Post-Quantum Cryptography Competence Center, Fraunhofer AISEC is pooling its expertise in the future-oriented technology of post-quantum cryptography (PQC).  

In the context of the NIS-2 Directive, our services address systematic preparation for cryptographic risks, particularly with regard to post-quantum cryptography. We support organizations in making cryptographic dependencies transparent, assessing risks, and developing a structured, NIS-2-compliant migration strategy. The focus is on crypto-agility, hybrid transitional solutions, and the long-term resilience of business-critical IT systems.

Further information: https://www.aisec.fraunhofer.de/en/spotlights/Competence-Center-PQC.html

Contact:

Prof. Daniel Loebenberger | Secure Infrastructure | daniel.loebenberger@aisec.fraunhofer.de

Authentication and Communication

Smart security solutions for authentication and communication

Fraunhofer AISEC’s offering for the use of solutions for multi-factor authentication or continuous authentication, secure voice, video, and text communication, and, where applicable, secure emergency communication systems within the organization

Development of prototypes and smart security concepts

Fraunhofer AISEC has expertise in applied cybersecurity research, ranging from hardware to the cloud. It develops state-of-the-art intelligent security concepts, derives prototype solutions from them, and implements these solutions in collaboration with companies and organizations that require robust protection for their future products and systems against highly skilled attackers. Its services include, among others:

  • Development of security concepts based on existing systems and driven by new security requirements
  • Integration of highly secure components that support complex cryptography and highly secure key storage
  • Integration of comprehensive legacy authentication and cryptography for high security and backward compatibility
  • Compliance with state-of-the-art cryptography and authentication protocols
  • Development of prototype solutions
  • Integration of tested prototypes
  • Evaluation of existing security concepts

Contact:

Prof. Dr. Claudia Eckert | Managing Director | claudia.eckert@aisec.fraunhofer.de