Perfectly prepared for NIS2

With its strict requirements, the Network and Information Security Directive 2 (NIS2) aims to strengthen the cyber security of critical infrastructures and boost the overall level of cybersecurity in the EU. The deadline draws nearer, but many companies are still not fully prepared. Learn the most important facts about NIS2 and discover how a CMDB can help you with NIS2 compliance.

What is NIS2?

NIS2, short for Network and Information Security Directive 2, is a European legislation aimed at increasing the security of networks and information systems in critical infrastructures. The NIS2 Directive builds on previous NIS regulations from 2016.

It defines specific requirements for companies that provide vital services for society. With NIS2, the EU aims to prevent attacks on critical infrastructure and thus avoid major consequences. Companies within the scope covered by NIS2 are obliged to take appropriate safety measures.

When does the NIS2 Directive come into effect?

NIS2 has been in force at EU level since 2023. However, the EU member states have until October 17, 2024 to transpose its measures into national law. From this date, affected companies must be NIS2-compliant. In Germany, a draft bill for the NIS2 Implementation Act (NIS-2 Implementation and Cybersecurity Strengthening Act – NIS2UmsuCG) and a discussion paper have been available since July 2023.

What changes are coming with NIS2?

NIS2 results in significant changes in the area of cyber security for companies:

  • Extension of the scope: A large number of companies will be affected by the regulations of the NIS2 Directive.
  • Higher penalties: Violations of the safety regulations now result in more drastic penalties.
  • Liability of the management: The management may be liable with its private assets if safety regulations are violated.
  • Stricter security measures Organizations are required to strengthen their security measures, including cyber risk management, control and monitoring, incident handling and business continuity.
  • Stricter reporting obligations: Significant security incidents must be reported to the Federal Office for Information Security within 24 hours, followed by an initial assessment within 72 hours and a detailed final report within one month.

Which companies are affected by NIS2?

NIS2 defines two categories: ” Essential Entities” and “Important Entities”. The classification is based on the degree of criticality in the relevant sector and the size of the company. The category to which an organization is assigned determines the scope of regulatory control (proactive for essential entities and reactive for important entities) and potential penalties.

Note: It is the responsibility of companies to determine whether the NIS2 directive applies to them. Public institutions do not actively inform them that they follow the requirements of NIS2.

Company size

Organizations with at least 50 employees or an annual turnover of at least 10 million euros. However, there are exceptions and some companies are included in the scope of NIS2 regardless of their size.

Business sector

Another aspect is the sector in which a company operates. The NIS2 defines a total of 18 sectors. The new directive also applies indirectly to service providers and suppliers of affected organizations.

Essential Entities

Sectors of High Criticality

  • Energy
  • Traffic
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

Important Entities

Other Critical Sectors

  • Postal and courier services
  • Waste management
  • Chemistry
  • Food
  • Manufacturing
  • Digital providers
  • Research

What do affected companies need to consider?

With NIS2, strict security measures and reporting obligations apply to many organizations. Affected companies must meet stringent requirements in terms of risk management, incident management, business continuity and reporting.

A key requirement of NIS2 is the structured analysis and documentation of assets related to network and information systems. The aim of this requirement is to inventory and classify the assets that are important for the operation of these critical systems.

Identify assets

Operators of essential services must identify all assets related to their network and information systems. This can include hardware, software, data, infrastructures, applications, services and other resources.

Carry out a structured analysis

Assets should be identified in a structured and systematic manner. A comprehensive analysis enables relevant assets to be recorded and assessed in a targeted manner.

Classification of assets

The recorded assets should be classified in order to assess their value, significance, confidentiality, integrity and availability. This helps to prioritize safety measures and allocate resources effectively.


The results of the analysis and classification of the assets should be documented in order to obtain a clear and transparent overview of the assets and their security requirements. This documentation serves as a basis for the development of safety measures and strategies.


The operator shall create a suitable asset management concept for the identification, classification and inventory of IT processes, systems and components as well as software platforms/licenses and applications.

Updating and review

The analysis and documentation of assets should be regularly updated and reviewed to ensure that they meet current requirements and threats. New assets should be recorded and evaluated, obsolete or no longer relevant assets should be archived.

NIS2 with SmartITSM from REALTECH

SmartITSM (with the integrated SmartCMDB) supports you in implementing the NIS2 directive by enabling a precise inventory of your IT/OT infrastructure. REALTECH’s intelligent Configuration Management Database offers reliable and automated recording, documentation and monitoring of your critical IT/OT environment. The data obtained in this way can be seamlessly integrated into your business processes. SmartITSM thus makes a decisive contribution to traceability and security in the KRITIS and NIS2 environment.

Asset management in the energy sector
Full transparency for your IT and OT landscape

FAQs: NIS2 Directive

NIS2 differentiates between Essential Entities (sectors of high criticality) and Important Entities (other critical sectors). These include companies from the energy, healthcare, finance and transportation sectors, for example. Companies with more than 50 employees and an annual turnover of more than 10 million euros are also affected.

For companies, NIS2 means that they must comply with strict security precautions. This includes particularly strict requirements for risk management, incident management, business continuity and reporting. Among other things, companies need to thoroughly analyze their IT infrastructure and implement suitable security measures.

The NIS2 Implementation Act in Germany is expected to come into force from October 2024.

A common problem is creating transparency across all of a company’s assets. Doing this manually would be extremely time-consuming and economically inefficient. A technical NIS2 solution is therefore necessary. A CMDB offers a suitable approach for this.

A technical solution with a high degree of automation is essential to ensure that all assets are always up to date. Ideally, the solution should have features such as auto-discovery, baselining and alerting. SmartCMDB offers all the necessary options for this.