NIS 2 Directive:
New cybersecurity obligations for critical infrastructures

The NIS 2 Directive introduces extended security, reporting and documentation requirements for operators of critical infrastructures and digital services. It requires companies to systematically manage cyber security risks, report incidents within short deadlines and provide comprehensive accountability for technical and organisational protective measures. INSYS icom provides technologies that help to meet these requirements efficiently and in an audit-proof manner – with secure infrastructure, centralised device management and documentable security processes.

With the revised Network and Information Security Directive (NIS-2), the EU aims to achieve a higher and uniform level of security for networks and information systems. It obliges companies in critical and important sectors to implement comprehensive cybersecurity measures, report incidents and ensure organisational security.

Compared to the NIS 1 Directive, the scope of application has been significantly expanded – more industries, more companies, more obligations.

What is the NIS 2 Directive?

The NIS 2 Directive (EU) 2022/2555 sets out cybersecurity requirements for essential and important entities in the EU. It replaces the previous NIS Directive.

The NIS 2 Directive aims to significantly increase the EU’s resilience to cyber threats. To this end, it harmonises national differences in security standards and improves the exchange of information in the event of a crisis. It applies to essential and important entities in critical sectors such as energy, transport, water, health, public administration and digital infrastructure, as well as to manufacturers of security-related components and digital service providers.

The directive obliges these entities to implement technical and organisational security measures that reflect the state of the art. These include effective risk management, clear responsibilities at management level, a secure supply chain, and continuous review and improvement of protective measures. Reporting obligations for significant incidents (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month) and comprehensive documentation requirements are key components, as is greater personal liability on the part of company management.

Implementation period and past developments:

2016

The first NIS Directive was adopted in 2016, but proved inadequate due to significant differences in national implementation and a lack of enforceability. The continuing high threat level – especially for operators of critical infrastructures – made a fundamental revision necessary.

2022

The new NIS 2 Directive was adopted and represents a paradigm shift in cybersecurity legislation: not only is it more comprehensive in scope, but for the first time it also includes specific liability and sanction provisions for senior management. The aim is to establish a comprehensive and mandatory security architecture in system-critical facilities.

2023

The directive entered into force on 16 January 2023, but Germany has not yet transposed it into national law. The draft NIS-2 Implementation Act (NIS2UmsuCG) has been available since spring 2024 but has not yet been finally adopted. Industry associations such as Bitkom and eco sharply criticise this delay, as it leads to considerable legal uncertainty.

2024

The transposition deadline expired on 17 October 2024, so the directive's requirements have applied throughout the EU since 18 October 2024, and the European Commission can open infringement proceedings against member states that have not transposed it. Companies should therefore not rely on national deadlines, but should actively begin implementing the NIS 2 requirements. It is best to start now.

Who is affected by the NIS 2 Directive?

The directive covers entities whose services are essential to society or public order, such as energy and water utilities, operators of industrial telecontrol infrastructure, or machine and plant manufacturers whose systems are networked and control production processes.

The size of the company is usually the decisive factor: as a rule, NIS-2 covers all companies with at least 50 employees, or with an annual turnover and balance sheet total above €10 million, provided they operate in a sector the directive classifies as critical. Smaller companies may also fall under the directive if they are of particular importance for security of supply or for government functions.

According to estimates, around 30,000 German institutions and companies will be affected by the new regulations – significantly more than the approximately 8,000 companies under the previous legal situation.

Relevant industries: energy supply, water supply and wastewater management, transport, healthcare, public administration, telecommunications, plant and mechanical engineering

Safely comply with NIS-2 requirements with INSYS icom

Cyber-secure solutions and an NIS 2-compliant product portfolio for your individual requirements.
Protect your critical infrastructure – reliably and future-proof.

Request a quote now

What does NIS-2 actually mean?


Obligations under NIS-2:

  • Introduction of an information security management system (ISMS)
  • Technical security measures for IT and OT systems
  • Incident management and reporting requirements
  • Monitoring of third parties and supply chains
  • Staff training, security awareness and emergency drills

Documentation and verification requirements:

  • Transparent security architecture and processes
  • Risk assessment and action plans
  • Audit-proof documentation for official inspections

What needs to be done and by when?

Urgent need for action:

The time until mandatory implementation is short. Companies should already be reviewing their security processes, defining responsibilities and evaluating technologies that provide end-to-end verifiability and security.

Timeline NIS-2 Directive

Companies should not rely on the delayed national legislative process, but should already be aligning their security architecture with the requirements of the EU Directive.

January 2023

NIS-2 Directive comes into force

October 2024

Transposition deadline (17 October 2024); applicable throughout the EU from 18 October 2024

Since October 2024

National supervisory authorities designated under the Directive can conduct audits and impose sanctions

What are the penalties?

Failure to comply with the requirements of the NIS 2 Directive can have serious consequences:

  • Fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities)
  • Liability of management
  • Loss of reputation and trust

INSYS icom solutions expertise

Secure device architecture

Router architecture with BSI-compliant security features.

Security updates

Automated roll-out of security-relevant updates with audit-proof documentation to fulfil the obligation to provide evidence via icom Router Management.

Lifecycle Support

Long-term provision and maintenance of security-relevant software updates throughout the entire product lifecycle.

Security audits

Audit-proof logging of all configuration changes and access to the router.

Secure Development

Implementation of IEC 62443-4-1 compliant processes throughout the entire product lifecycle.

Secure remote access

Managed VPN service with strong authentication, encrypted connections and central key management.

These measures give companies targeted support in implementing the NIS 2 Directive: they implement the technical security requirements the regulation stipulates, fulfil key documentation and monitoring obligations, and make the security state of the connected infrastructure visible.

The added value: significant relief in audit preparations, minimized operational risks and a demonstrably higher level of security in the connected infrastructure.

Update management according to NIS 2:
Implementation with icom Router Management

icom Router Management (iRM) provides an NIS2-compliant update infrastructure that ensures IT security and traceability for critical infrastructures in accordance with EU Directive (EU) 2022/2555 (NIS2). With strong encryption, digital signatures and granular control, iRM enables secure and scalable device management throughout the entire lifecycle of industrial routers – suitable for operators of critical services and their supply chains.

NIS 2 requirement and its implementation via iRM + icom OS:

  • Ensuring the integrity and authenticity of updates: Update packages are signed and optionally encrypted. Only packages whose signature chains to a certificate from a trusted CA are accepted.
  • Risk-based approach and protection against unauthorised access: Manipulation protection through cryptographic validation and policies enforced in the router (e.g. acceptance of signed packages only). Updates from unknown sources are rejected.
  • Secure remote update without the need for human intervention: iRM supports fully automated, semi-automated and manual update processes. Unattended updates are possible while all security policies remain enforced.
  • Resilience and incident management: Updates can be scheduled, manually approved or executed unattended. Logging and recovery functions minimise downtime risks for security-critical changes.
  • Mandatory logging of security-related events: All updates and system accesses are logged in the iRM dashboard in an audit-proof manner and are fully traceable.
  • Protection against known vulnerabilities through patching: iRM enables centrally controlled distribution of firmware/software updates to all connected routers, with a documented history that can be produced in an audit.
  • State-of-the-art encryption and access protection: HTTPS-protected access, API access only with authorised tokens, and client-certificate authentication.
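The first two rows describe a device-side acceptance check: the package must come from a pinned signer, its signature must verify, and anything else is rejected. The following Go program is an added example of that check and is not INSYS icom's code; it does not describe the actual package format of iRM or icom OS. The manifest layout, the signer ID "vendor-release-key-1", the sample payload and the version numbers are all constructed for illustration, and the signature scheme is Ed25519 from Go's standard library. Beyond what the table states, the example also refuses a downgrade to an older version, which is the check that stops an attacker from re-installing a correctly signed but vulnerable release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update-package header (not a real vendor format).
// It binds the payload through its SHA-256 digest; the Ed25519 signature
// covers the version and that digest.
type Manifest struct {
	Version    uint32   // monotonically increasing release counter
	PayloadSHA [32]byte // SHA-256 of the firmware payload
	SignerID   string   // selects a pinned public key in the device trust store
	Signature  []byte   // Ed25519 signature over signedBytes()
}

// Sentinel errors so callers and audit logs can record why a package was rejected.
var (
	ErrUntrustedSigner = errors.New("reject: signer not in trust store")
	ErrBadSignature    = errors.New("reject: signature verification failed")
	ErrPayloadMismatch = errors.New("reject: payload digest does not match manifest")
	ErrRollback        = errors.New("reject: version not newer than installed")
)

// TrustStore maps signer IDs to public keys provisioned on the device.
type TrustStore map[string]ed25519.PublicKey

// signedBytes is the canonical byte string the signature covers:
// big-endian version || payload digest.
func (m *Manifest) signedBytes() []byte {
	buf := make([]byte, 4+len(m.PayloadSHA))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.PayloadSHA[:])
	return buf
}

// SignPackage is the build-server side: hash the payload and sign the manifest.
func SignPackage(priv ed25519.PrivateKey, signerID string, version uint32, payload []byte) Manifest {
	m := Manifest{Version: version, PayloadSHA: sha256.Sum256(payload), SignerID: signerID}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyPackage is the device side. Checks run in this order: the signer must
// be pinned, the signature must verify, the payload must match the signed
// digest, and the version must advance (no rollback to a vulnerable release).
func VerifyPackage(ts TrustStore, installed uint32, m Manifest, payload []byte) error {
	pub, ok := ts[m.SignerID]
	if !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo exercises the accept path and four reject paths with constructed data
// and returns the outcome per scenario (nil means accepted).
func Demo() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{"vendor-release-key-1": vendorPub} // hypothetical signer ID
	payload := []byte("constructed firmware image, not a real image")
	installed := uint32(41)

	results := map[string]error{}
	good := SignPackage(vendorPriv, "vendor-release-key-1", 42, payload)
	results["valid"] = VerifyPackage(ts, installed, good, payload)

	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff // one flipped byte in the image
	results["tampered"] = VerifyPackage(ts, installed, good, tampered)

	forged := SignPackage(roguePriv, "vendor-release-key-1", 42, payload) // right ID, wrong key
	results["forged"] = VerifyPackage(ts, installed, forged, payload)

	unknown := SignPackage(roguePriv, "unknown-signer", 42, payload)
	results["unknown"] = VerifyPackage(ts, installed, unknown, payload)

	old := SignPackage(vendorPriv, "vendor-release-key-1", 40, payload) // genuine but older
	results["rollback"] = VerifyPackage(ts, installed, old, payload)
	return results
}

func main() {
	for name, err := range Demo() {
		if err == nil {
			fmt.Printf("%-9s accepted\n", name)
		} else {
			fmt.Printf("%-9s %v\n", name, err)
		}
	}
}
```

The ordering is deliberate: a package from a signer that is not pinned is rejected before any cryptography runs, and the payload digest is compared only after the signature over that digest has verified, so a tampered image never reaches the installer. In a real deployment the trust store holds the vendor's release keys or CA certificate provisioned at manufacture, and every rejection is written to the audit log together with its reason.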

Benefits for NIS2-regulated companies:

  • IT security measures in accordance with Article 21 of the NIS 2 Directive (cybersecurity risk-management measures) and its transposition in the BSI Act: complete control over software versions and the remediation of security vulnerabilities.
  • Auditability: All changes and updates are transparently documented.
  • Minimisation of human error: Automated processes for continuous security compliance.
  • Scalability: Also suitable for large, distributed infrastructures (e.g. energy suppliers, transport, water, production).

Security & Compliance

Here you will find relevant evidence and documents on NIS-2 conformity, certified development processes and IT security measures from INSYS icom.

NIS 2 Directive – Frequently asked questions

Who falls under the NIS 2 Directive?

Companies from KRITIS (the German critical infrastructure sectors) and the other sectors defined in the directive, provided they reach a certain size or relevance.

What is the reporting deadline for security incidents?

An early warning must be submitted within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.

How does INSYS icom help with NIS 2 implementation?

With secure network technology, automated documentation and centralised management of critical communications infrastructure.

Does NIS 2 also apply to small and medium-sized enterprises (SMEs)?

Yes, if they are medium-sized or larger (at least 50 employees, or turnover and balance sheet total above €10 million) and operate in one of the listed sectors. Smaller companies are covered only in special cases, for example if they are the sole provider of a service essential to society or are of particular importance for security of supply.

What obligations apply to suppliers and IT service providers?

Companies in the supply chain must also implement security measures and provide

What does ‘state of the art’ mean specifically in the context of NIS 2?

This includes regular vulnerability analyses, encrypted communication, access protection, patch management and documented security processes.

INSYS icom also meets these cybersecurity requirements

Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) obliges manufacturers of digital products to ensure cyber security throughout the entire product life cycle.

Radio Equipment Directive (RED)

Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive (RED) makes cybersecurity requirements binding for internet-connected radio equipment such as routers and IoT devices.

Learn more about our secure products

Router & Gateways

Maximum IT security and regulatory compliance

Router Management

Centralised management for updates, configurations and documentation

VPN service

Encrypted, tamper-proof remote access

Any questions left? We will be happy to assist you!