NIS-2: Cyber Resilience Becomes Mandatory for 18 Sectors
Fabian Peter, 7 minutes reading time


NIS-2 requirements and practical implementation for 18 critical sectors
compliance-campaign-2026 nis-2 cyber-security incident-handling compliance management-haftung
Read the whole series (40 articles)

This series explains systematically how modern software is developed and operated in a compliant way, from EU regulations down to the technical implementation.

  1. Compliance Compass: EU Regulations for Software, SaaS, and Cloud Hosting
  2. GDPR: Privacy by Design as the Foundation of Modern Software
  3. NIS-2: Cyber Resilience Becomes Mandatory for 18 Sectors
  4. DORA: ICT Resilience for the Financial Sector Starting January 2025
  5. Cyber Resilience Act: Security by Design for Products with Digital Elements
  6. Data Act: Portability and Exit Capability Become Mandatory from September 2025
  7. Cloud Sovereignty Framework: Making Digital Sovereignty Measurable
  8. How EU Regulations Interconnect: An Integrated Compliance Approach
  9. 15 Factor App: The Evolution of Cloud-Native Best Practices
  10. 15 Factor App Deep Dive: Factors 1–6 (Basics & Lifecycle)
  11. 15 Factor App Deep Dive: Factors 7–12 (Networking, Scaling, Operations)
  12. 15 Factor App Deep Dive: Factors 13–15 (API First, Telemetry, Auth)
  13. The Modern Software Development Lifecycle: From Cloud-Native to Compliance
  14. Cloud Sovereignty + 15 Factor App: The Architectural Bridge Between Law and Technology
  15. Standardized Software Logistics: OCI, Helm, Kubernetes API
  16. Deterministically Checking Security Standards: Policy as Code, CVE Scanning, SBOM
  17. ayedo Software Delivery Platform: High-Level Overview
  18. ayedo Kubernetes Distribution: CNCF-compliant, EU-sovereign, compliance-ready
  19. Cilium: eBPF-based Networking for Zero Trust and Compliance
  20. Harbor: Container Registry with Integrated CVE Scanning and SBOM
  21. VictoriaMetrics & VictoriaLogs: Observability for NIS-2 and DORA
  22. Keycloak: Identity & Access Management for GDPR and NIS-2
  23. Kyverno: Policy as Code for Automated Compliance Checks
  24. Velero: Backup & Disaster Recovery for DORA and NIS-2
  25. Delivery Operations: The Path from Code to Production
  26. ohMyHelm: Helm Charts for 15-Factor Apps Without Kubernetes Complexity
  27. Let's Deploy with ayedo, Part 1: GitLab CI/CD, Harbor Registry, Vault Secrets
  28. Let's Deploy with ayedo, Part 2: ArgoCD GitOps, Monitoring, Observability
  29. GitLab CI/CD in Detail: Stages, Jobs, Pipelines for Modern Software
  30. Kaniko vs. Buildah: Rootless, Daemonless Container Builds in Kubernetes
  31. Harbor Deep Dive: Vulnerability Scanning, SBOM, Image Signing
  32. HashiCorp Vault + External Secrets Operator: Zero-Trust Secrets Management
  33. ArgoCD Deep Dive: GitOps Deployments for Multi-Environment Scenarios
  34. Guardrails in Action: Policy-Based Deployment Validation with Kyverno
  35. Observability in Detail: VictoriaMetrics, VictoriaLogs, Grafana
  36. Alerting & Incident Response: From Anomaly to Final Report
  37. Polycrate: Deployment Automation for Kubernetes and Cloud Migration
  38. Managed Backing Services: PostgreSQL, Redis, Kafka on ayedo SDP
  39. Multi-Tenant vs. Whitelabel: Deployment Strategies for SaaS Providers
  40. From Zero to Production: The Complete ayedo SDP Workflow in an Example

TL;DR

  • NIS-2 (Directive (EU) 2022/2555) extends EU cybersecurity regulation to 18 sectors and, within them, primarily to medium and large entities in sectors of high criticality and other critical sectors. The directive entered into force on January 16, 2023; member states had until October 17, 2024 to transpose it into national law.
  • Its core is the list of ten minimum cybersecurity risk-management measures in Art. 21(2), including incident handling, business continuity and disaster recovery, supply chain security, access control, and multi-factor authentication.
  • Management bears explicit responsibility: management bodies must approve and oversee the risk-management measures, undergo training themselves, and can be held liable for infringements (Art. 20).
  • Reporting obligations for significant incidents are tiered and tightly timed: early warning within 24 hours, incident notification within 72 hours, and a final report within one month of that notification. Meeting them requires clear processes, defined roles, and adequate technical telemetry.
  • ayedo supports you with an integrated, NIS-2-focused platform: intrusion detection with Falco, network visibility with Cilium, backups with Velero, supply chain security with Harbor, a structured compliance architecture, and a NIS-2 readiness assessment.

NIS-2 as the New Standard for Cyber Resilience in Europe

With the NIS-2 Directive (EU) 2022/2555, the EU establishes a unified, demanding standard for cybersecurity. The directive entered into force on January 16, 2023; member states had to transpose it into national law by October 17, 2024. The concrete obligations and sanction mechanisms apply through the national NIS-2 laws, so in member states that transposed late, they take effect with the entry into force of the national law rather than with the EU deadline.

NIS-2 is not purely an IT issue. It explicitly addresses management and supervisory bodies. The goal is to anchor cyber resilience as part of corporate due diligence – similar to data protection under the GDPR.

A detailed overview can also be found in our NIS-2 summary at /nis2/. Below, we focus on the questions: Who is affected, what are the minimum requirements, and how can these be implemented technically and organizationally?


Scope: Focus on 18 Sectors

NIS-2 significantly expands the scope compared to the original NIS Directive. It covers entities in a total of 18 sectors, divided into two categories: 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II).

Sectors of High Criticality (Annex I)

The eleven sectors of high criticality are:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health (healthcare providers, EU reference laboratories, research and manufacturing of pharmaceutical products, and manufacturers of medical devices deemed critical in a public health emergency)
  • Drinking water
  • Waste water
  • Digital infrastructure (internet exchange points, DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, and providers of public electronic communications networks or publicly available electronic communications services)
  • ICT service management (business-to-business): managed service providers and managed security service providers
  • Public administration
  • Space

Other Critical Sectors (Annex II)

The seven other critical sectors are:

  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (medical devices and in vitro diagnostic medical devices; computer, electronic, and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers, and semi-trailers; other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organisations

Size Criteria and National Specification

As a rule, entities in these sectors are in scope if they are medium-sized or larger under the EU SME definition: at least 50 employees, or an annual turnover and annual balance sheet total exceeding EUR 10 million. Some entities are in scope regardless of size, for example providers of public electronic communications networks or services, trust service providers, TLD name registries, DNS service providers, and entities that are the sole provider of a service essential for critical societal or economic activities (Art. 2(2)). Member states may additionally designate entities and, particularly for critical infrastructure, apply their own thresholds and sector-specific rules.

In practice, this means:

  • Check early whether your entity falls into one of the 18 sectors and meets the size criteria or one of the size-independent conditions.
  • Consider national specifics, such as the KRITIS rules in Germany or sector-specific laws.
  • Include outsourced areas (cloud, managed services, critical suppliers) in your analysis: outsourcing does not outsource the responsibility.

The Ten Minimum Requirements According to Art. 21(2) NIS-2

Article 21(2) of the directive lists ten minimum cybersecurity risk-management measures, lettered (a) to (j). They are not a checklist of isolated measures but the framework for an integrated security concept, to be implemented on an all-hazards basis and proportionate to the entity's risk exposure.

The ten areas are:

  1. Policies on risk analysis and information system security (a)
  2. Incident handling (b)
  3. Business continuity, such as backup management and disaster recovery, and crisis management (c)
  4. Supply chain security (d)
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure (e)
  6. Policies and procedures to assess the effectiveness of the measures (f)
  7. Basic cyber hygiene practices and cybersecurity training (g)
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption (h)
  9. Human resources security, access control policies, and asset management (i)
  10. Multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems (j)

Below, we delve into the areas that are particularly strongly linked to your technical infrastructure – such as a Kubernetes-based environment.

Incident Handling: From Alert to Forensic Investigation

NIS-2 expects security incidents to be detected, contained, remediated, and documented. This includes:

  • Detection of anomalies and attacks
  • Structured incident response procedure with clear roles
  • Forensic analysis and lessons learned
  • Traceable documentation, also to fulfill reporting obligations

Technically, ayedo supports this through:

  • Continuous behavior analysis with Falco (e.g., suspicious system calls in containers)
  • Network telemetry and policy enforcement with Cilium
  • Centralized logging and audit logs, which can also be used for forensic purposes

Organizationally, this requires an incident response playbook, defined escalation paths, and a clear integration with legal reporting processes.
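As an added example (not from the original article and not ayedo's own platform configuration), a Falco rules file in Falco's standard YAML syntax that flags two of the behaviours the incident-handling paragraph alludes to: an interactive shell spawned inside a container, and a write below /etc inside a container. The file defines the macros it needs itself, so it validates even where the default rule set is not loaded. The rule names, the list of namespaces where debugging is tolerated, and the `nis2-incident-handling` tag are assumptions for illustration.

```yaml
# Added example, not part of the original article. Falco rules file.
# Validate with:  falco -V nis2-container-rules.yaml
# Load it by placing it under /etc/falco/rules.d/ (listed in rules_files in falco.yaml).

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

# Namespaces where operators legitimately exec into pods (assumption for illustration).
- list: debug_allowed_namespaces
  items: [kube-system, platform-debug]

# Event originates from a container (Falco reports container.id = "host" otherwise).
- macro: container
  condition: (container.id != host)

# A new program image was executed (exit side of execve/execveat).
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# A regular file was opened with write flags.
- macro: open_write
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

- rule: Interactive shell in container
  desc: >
    A shell with an attached terminal was started inside a container. Expected in
    debugging sessions, suspicious in production workloads that never exec a shell.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries) and proc.tty != 0
    and not k8s.ns.name in (debug_allowed_namespaces)
  output: >
    Interactive shell in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline ns=%k8s.ns.name pod=%k8s.pod.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, nis2-incident-handling]

- rule: Write below etc in container
  desc: >
    A process inside a container wrote a file under /etc, for example to add an account
    to /etc/passwd or to change name resolution. Image content should be immutable at runtime.
  condition: >
    open_write and container and fd.name startswith /etc/
  output: >
    File below /etc written in container (user=%user.name file=%fd.name proc=%proc.name
    cmdline=%proc.cmdline ns=%k8s.ns.name pod=%k8s.pod.name image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem, nis2-incident-handling]
```

The output fields carry exactly the context the 24-hour early warning needs (namespace, pod, image, user, command line). Ship the alerts as JSON to the central log store (for example via falcosidekick) rather than only to the Falco log, so the 72-hour notification and the final report are reconstructed from a consistent timeline instead of from memory.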

Business Continuity and Disaster Recovery: Resilience Becomes Mandatory

NIS-2 requires robust concepts for:

  • Business continuity (maintaining critical processes during disruptions)
  • Disaster recovery (recovery after major outages)
  • Crisis management (decision-making and communication structures)

In containerized environments, it is crucial to be able to consistently restore not just individual workloads but the entire platform. ayedo relies on:

  • Cluster- and application-aware backups with Velero
  • Geographically separate storage locations for backups
  • Regular restore tests as part of an established DR process

At the management level, these technical capabilities should be anchored in a business continuity plan and regularly tested – including clear recovery time and recovery point objectives (RTO/RPO).
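As an added example (not from the original article and not ayedo's platform configuration), a Velero BackupStorageLocation pointing at an S3-compatible bucket in a second region, and a Schedule that backs up the production namespaces to it every night with a pre-backup hook so the database is checkpointed first. Bucket, endpoint, Secret, namespace, and label names are assumptions.

```yaml
# Added example, not part of the original article.
# Second, geographically separate target for backups (S3-compatible object storage).
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: offsite-eu-west
  namespace: velero
spec:
  provider: aws                       # the AWS plugin speaks S3; also works for MinIO or Ceph RGW
  default: false                      # primary location stays default; this one is selected explicitly
  objectStorage:
    bucket: velero-prod-offsite       # assumption: bucket with versioning/object lock enabled
    prefix: prod-cluster
  config:
    region: eu-west-1
    s3Url: https://s3.offsite.example.com   # assumption: endpoint in the second region
    s3ForcePathStyle: "true"
  credential:
    name: offsite-s3-credentials      # Secret in the velero namespace, key "cloud"
    key: cloud
---
# Daily backup of the production namespaces, retained for 30 days (RPO = 24 h).
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: prod-daily-offsite
  namespace: velero
spec:
  schedule: "0 2 * * *"               # 02:00, cron syntax
  template:
    storageLocation: offsite-eu-west
    includedNamespaces: [production, production-db]
    includeClusterResources: true     # CRDs, StorageClasses etc. needed to restore the namespaces
    defaultVolumesToFsBackup: true    # file-system backup of PVs (Velero >= 1.10); use CSI snapshots where available
    ttl: 720h0m0s
    hooks:
      resources:
        - name: postgres-checkpoint
          includedNamespaces: [production-db]
          labelSelector:
            matchLabels:
              app: postgres           # assumption: label of the database pods
          pre:
            - exec:
                container: postgres
                command: ["/bin/sh", "-c", "psql -U postgres -c CHECKPOINT"]
                onError: Fail         # a failed hook fails the backup instead of silently producing an inconsistent one
                timeout: 30s
```

A backup that has never been restored is an assumption, not a capability. Exercise the DR process regularly, for example with `velero restore create --from-schedule prod-daily-offsite --namespace-mappings production:restore-test` into a scratch namespace or a separate cluster, measure the elapsed time against the RTO and the age of the restored data against the RPO, and keep the result as evidence for the effectiveness review under Art. 21(2)(f).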

Supply Chain Security: Transparency Over Software Supply Chains

NIS-2 places particular emphasis on security aspects in the supply chain – including the digital supply chain. This concerns:

  • Software components and images
  • Suppliers of platform technologies
  • External service providers (e.g., managed services, cloud)

With Harbor as a container registry, ayedo offers central functions for supply chain security:

  • Vulnerability scanning of container images before they reach production
  • Image signing and policy enforcement (only signed images in production)
  • Support for SBOM concepts (Software Bill of Materials)
  • Traceable chain of custody for critical images

These technical measures should be complemented by contractual requirements for suppliers, standardized security questionnaires, and regular reviews.
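As an added example (not from the original article and not ayedo's own policy set), a Kyverno ClusterPolicy that turns "only signed images in production" into an enforced admission rule: Pods in the production namespace may only reference images from the internal Harbor project, and only if the image carries a cosign signature from the release pipeline's key. The registry host, project and namespace names are assumptions, and the public key is a placeholder to be replaced with the pipeline's real cosign public key.

```yaml
# Added example, not part of the original article. Kyverno ClusterPolicy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: production-only-signed-harbor-images
spec:
  validationFailureAction: Enforce    # "Audit" would only report; "Enforce" rejects the Pod
  failurePolicy: Fail                 # if Kyverno itself is unreachable, deny rather than fail open
  background: false                   # image verification needs the admission request, not a background scan
  webhookTimeoutSeconds: 30
  rules:
    - name: restrict-registry
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production]
      validate:
        message: "Production Pods may only use images from harbor.example.com/production/."
        pattern:
          spec:
            =(initContainers):
              - image: "harbor.example.com/production/*"
            =(ephemeralContainers):
              - image: "harbor.example.com/production/*"
            containers:
              - image: "harbor.example.com/production/*"
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production]
      verifyImages:
        - imageReferences:
            - "harbor.example.com/production/*"
          required: true              # reject Pods whose images carry no matching signature
          mutateDigest: true          # pin the verified image to its digest in the Pod spec
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER-replace-with-the-release-pipeline-cosign-public-key
                      -----END PUBLIC KEY-----
```

Roll the policy out with `validationFailureAction: Audit` first and read the resulting PolicyReports (`kubectl get policyreport -n production`) to find workloads that would be blocked, then switch to Enforce. The signature is produced in the pipeline after the scan gate, for example with `cosign sign --key cosign.key harbor.example.com/production/app@sha256:...`, and is stored in Harbor next to the image, which gives you the chain of custody the paragraph above asks for.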

Access Control and MFA: Identity as a Security Anchor

Access control (Art. 21(2)(i), together with human resources security and asset management) and multi-factor authentication (Art. 21(2)(j)) are central components of NIS-2; cryptography and encryption are covered separately in Art. 21(2)(h). Expected are:

  • Role-based access concepts
  • Principle of least privilege
  • Strong authentication, especially for administrative accounts
  • Secured communication channels (e.g., TLS, mTLS, encrypted management access)

In the ayedo platform, identity and access management functions play a central role:

  • Integration with central identity providers (e.g., SSO, OIDC/SAML)
  • Fine-grained RBAC models directly in Kubernetes
  • Enforceable MFA for all privileged accesses
  • Encryption of connections and – if needed – network encryption via Cilium

On the management side, it is important that these technical possibilities are anchored in a binding access control policy and regularly reviewed.
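As an added example (not from the original article and not ayedo's platform configuration), Kubernetes RBAC bound to groups that an OIDC identity provider such as Keycloak delivers in the token: a namespace-scoped, read-only role for the on-call group that deliberately excludes Secrets, and cluster-admin rights only for a small administrator group. The group names, the namespace, and the `oidc:` group prefix are assumptions.

```yaml
# Added example, not part of the original article.
# Assumes the API server is started with --oidc-groups-claim=groups --oidc-groups-prefix=oidc:
# so that a "platform-oncall" group from the IdP appears as "oidc:platform-oncall".

# Read-only access to the production namespace for the on-call team; no Secrets, no writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: oncall-readonly
  namespace: production
rules:
  - apiGroups: [""]
    resources: [pods, pods/log, services, configmaps, events]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments, statefulsets, daemonsets, replicasets]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oncall-readonly
  namespace: production
subjects:
  - kind: Group
    name: oidc:platform-oncall        # group claim from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: oncall-readonly
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide administration only for a small, MFA-protected group; bound to the built-in role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admins
subjects:
  - kind: Group
    name: oidc:platform-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

Kubernetes itself knows nothing about second factors: MFA is enforced in the identity provider (in Keycloak via a required OTP action or a conditional authentication flow for the admin group), and the cluster only trusts the resulting token. Review the effective rights regularly, for example with `kubectl auth can-i get secrets -n production --as=someone --as-group=oidc:platform-oncall`, which must answer "no" for the policy above, and keep the output as evidence for the access reviews the policy demands.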


Management Responsibility: Governance Instead of Alibi Documents

NIS-2 explicitly addresses management responsibility. Executives are obliged to:

  • Establish adequate cyber risk management
  • Monitor the implementation of requirements
  • Regularly receive reports on the status of risks and measures
  • Participate in training and acquire sufficient knowledge

Management bodies can be held liable for infringements of these duties (Art. 20); how that liability is framed, for example as liability for gross negligence, is a matter of national transposition. In practice, this means:

  1. Define Governance Structure

    • Appoint clear responsibilities for information security (CISO or equivalent).
    • Anchor cybersecurity in risk management and reporting to management/supervisory bodies.
  2. Risk-Based Approach

    • Conduct a structured risk analysis (including IT, OT, cloud, supply chain).
    • Prioritize measures based on impact and likelihood.
  3. Policies and Processes

    • Document security policies (access control, incident handling, backup/DR, vulnerability management).
    • Ensure these policies are translated into operational processes – including metrics and KPIs.
  4. Continuous Effectiveness Review

    • Establish regular reviews, audits, and tests (e.g., backup restore tests, security reviews, penetration tests).
    • Also use external perspectives, such as independent audits.

Technology can automate and secure many things. However, it cannot relieve management of the responsibility for prioritization, budgeting, and governance. NIS-2 deliberately sets a clear framework here.


Reporting Obligations: Early Warning, Incident Notification, Final Report

A central element of NIS-2 is the tiered reporting obligation for significant incidents (Art. 23). The clock starts when the entity becomes aware of the incident. The directive essentially provides for:

  1. Early Warning Within 24 Hours of Becoming Aware

    • Report to the competent national authority or CSIRT.
    • Indicates whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. Incident Notification Within 72 Hours of Becoming Aware

    • Updates the early warning with an initial assessment of severity and impact.
    • Includes indicators of compromise where available, together with initial remedial actions and planned further steps.
  3. Final Report Within One Month of the Incident Notification

    • Detailed description of the incident, including its severity and impact.
    • Root cause analysis: the type of threat or cause that likely triggered the incident.
    • Applied and ongoing mitigation measures, any cross-border impact, and lessons learned.

If the incident is still ongoing after that month, a progress report is due instead, followed by the final report within one month of the incident being handled; the authority or CSIRT may also request intermediate status updates at any time.

Meeting these deadlines realistically requires:

  • Early and reliable detection of incidents (monitoring, intrusion detection, log analysis).
  • Clear internal processes, who informs whom and who creates the external report.
  • Standardized templates for internal and external reports.
  • Technical traceability, to actually reconstruct causes and impacts.

The ayedo platform supports this by
