Implement NIS-2 now with Hays

We support you from analysis to compliant NIS 2 implementation

What is NIS2?

The NIS2 Directive (Network and Information Security Directive 2) is an EU-wide directive that aims to strengthen cyber security in the European Union. In contrast to the previous NIS Directive, which only affected companies from critical infrastructures (KRITIS), it affects significantly more companies and sectors. These include, for example, research institutions, digital services and production companies. NIS2 must be transposed into national law in Austria, Germany and the other EU member states by October 2024.
This means considerable pressure for many companies and in particular for their management and cyber security officers. This is because managers can be held personally liable if the directive is breached.

What are the penalties for violations?

Heavy fines can be imposed for violations of the NIS2 Directive. For significant companies, the fines can amount to up to ten million euros or two per cent of annual global turnover. For important companies, the fines can amount to up to seven million euros or 1.4 per cent of annual global turnover.

Furthermore, the introduction of NIS2 means a considerable effort for organisations. Many organisations lack the resources and knowledge to deal with such important topics as vulnerability scans, incident response management or awareness training.

In addition, many organisations are currently unable to assess the extent of cyber risks in their supply chain or the costs associated with implementing NIS2. Admittedly: Organisations from all sectors are facing quite a few challenges with the introduction of NIS2 in Austria.

Nevertheless, one thing is certain: dealing with cyber security is relevant for all of us and protects us significantly from the increasing number of cyber attacks worldwide. The implementation of the directive is therefore not only a comprehensive challenge, but also a necessary measure in the fight against cybercrime.

Every 6th cyberattack against companies in Austria is successful. [1]

In 2023, the total damage caused by cybercrime in Germany amounted to 205 billion euros.

Dealing with NIS2 is highly relevant for companies and protects them and their clients and stakeholders from the increasing number of cyberattacks worldwide.

Implementing the NIS2 Directive is therefore not just another burden, but a sensible protective measure and an opportunity. Together with our more than 390 strategic partners, we can carry out a detailed security analysis for you, handle correct reporting in the event of security breaches, or create a holistic cyber strategy, all with a focus on cost minimisation.

NIS2 requirements
How to prepare for NIS2?

Companies and organisations affected by NIS2 need to address cyber risk management, control and monitoring, incident handling and business continuity.

Important steps for preparing for NIS2 are:
1. Risk assessment
Identify the risks associated with your digital operating and information systems. This should include a comprehensive analysis of all systems and processes that are essential to the operation of your organisation.
2. Implement security measures
Based on the risk assessment, appropriate security measures should be implemented. This could include the encryption of data, the implementation of firewalls and the regular updating of software and hardware.
3. Emergency planning
Create a detailed emergency plan with clear instructions on exactly what to do in the event of a cyberattack.
4. Employee training
Ensure that all employees, as well as management, are trained in the basics of cyber security and understand why it is so important to comply with the NIS2 policy.
5. Regular reviews
Conduct regular reviews and assessments of your security measures. The management is required to monitor the NIS2 measures.

Get ready for NIS2 with Hays

We support you from the initial assessments to the holistic strategy development and regular tests.
Protecting companies
Strengthen client confidence
Stay profitable

NIS2 – who is affected?

The NIS2 Directive applies to public and private organisations in 18 sectors that either have at least 50 employees or an annual turnover and annual balance sheet of at least €10 million. They are divided into "high criticality sectors" and "other critical sectors".
As companies are not informed about this, it is up to you to check whether you are affected by the NIS2 Directive. We can help you analyse the impact and determine whether and which measures are required of you.

Some sectors are affected regardless of their size. These include, for example, parts of the digital infrastructure or critical infrastructure, the failure of which would have an effect on public order and security.

In order to avoid double regulation, financial companies that fall under the new EU regulation DORA are not affected by NIS2. They must adhere to the requirements of the Digital Operational Resilience Act.

These are the companies affected by NIS2

  1. Energy: NIS2UmsuCG applies in particular to operators of critical infrastructures (KRITIS) in the energy sector. This includes companies involved in the supply (distribution and storage) of electricity, gas, district heating, district cooling, fuel and heating oil.
     
  2. Transport & traffic: This includes, for example, airlines, airport operators, railway infrastructure operators, passenger and freight transport companies, and operators of a facility or system for influencing road traffic.
     
  3. Finance: In the finance sector, which primarily includes credit institutions and, in some cases, trading venues, the NIS 2 Implementation Act only affects companies that are not covered by the EU-wide DORA Regulation.
     
  4. Health: Healthcare providers, research and development institutions, and companies that manufacture pharmaceutical products and medical devices must actively address cybersecurity, implement specific information security requirements, and be able to demonstrate these measures.
     
  5. Water: Operators of drinking water supply facilities and wastewater disposal companies must be protected against cyber attacks and are therefore directly affected by NIS2UmsuCG.
     
  6. Digital infrastructure: IT infrastructure is particularly vulnerable to digital attacks and must therefore be adequately protected. Operators of internet exchange points, providers of cloud computing and data centre services, operators of public telecommunications networks, providers of publicly available telecommunications services, managed services and managed security services providers must comply with NIS2UmsuCG.
     
  7. Space: Operators of ground infrastructure owned, managed and operated by Member States or private parties that support the provision of space-based services must be protected in accordance with NIS-2. This excludes providers of public electronic communications networks.

  1. Transport & traffic: This applies to companies that offer postal and courier services.
     
  2. Waste management: This includes waste management companies that dispose of municipal waste such as residual waste, organic waste, paper, glass or bulky waste. Companies for which waste management is not their main economic activity are excluded.
     
  3. Production, manufacture and trade in chemical substances: This affects companies that produce, import or sell chemicals.
     
  4. Production, processing and distribution of food: This sector includes food companies that are active in wholesale trade and industrial production and processing.
     
  5. Manufacturing industry / production of goods: Companies that manufacture medical products and in vitro diagnostics, as well as companies in the fields of data processing equipment, electronic and optical products, mechanical engineering or motor vehicle manufacturing, must be protected by cyber security measures in accordance with NIS-2.
     
  6. Digital service providers: Companies and providers of online marketplaces, online search engines and social networking platforms must be protected by cybersecurity measures in accordance with the NIS-2 Implementation Act.
     
  7. Research: Research institutions are now more dependent on digital services than ever before. This sector must therefore be protected by cybersecurity measures in accordance with the NIS-2 Directive.

Our experienced cyber security team makes your company NIS2-ready

With the Hays Cyber Security Team, we have created a central point of contact that provides you with highly competent 360-degree support for all cyber security issues and NIS2 requirements: from project and consulting services to suitable technology and software solutions and highly qualified specialists. We also work with strategic and certified partner companies that can offer you the best solution for your concerns relating to the new EU Directive at all times.

Our team of experts

  • Mike Beaupre
    Head of Cyber Security (Global)
  • Julius Ponsen
    Cyber Solutions Lead & CISO, EMPOSO GmbH
  • Wladimir Baghdasarian
    Teamlead Cyber Security (Austria)

Mike Beaupre

Head of Cyber Security (Global)


  • Over 28 years of experience in IT and security
  • Know-how in 12 different industries
  • Leadership experience in the US military at C-level
  • Former DAX 30 CISO

Julius Ponsen

Cybersecurity Services & Solutions Lead + CISO, EMPOSO GmbH


  • Experienced cyber security expert
  • M.Sc. in Cybersecurity & Privacy
  • Experience in 50+ cyber security projects
  • Specialized in: Endpoint, network, email and human firewall security

Wladimir Baghdasarian

Teamlead Cyber Security (Austria)


  • Master in IT Management and regular participation in Cyber Security Summits
  • Over 4 years of experience in personnel services and recruiting
  • C-level consulting for IT strategies in various industries
  • Specialist expert for cyber security in Austria

Our portfolio of solutions: From NIS2 audit to cyber security strategy

Cyber Security Recruitment
We specialise in the search and placement of highly qualified cyber security experts. We connect companies affected by NIS2 with the talent they need to protect their data and digital assets.
Upskilling and reskilling of personnel
Cyber security is dynamic, because cybercrime is developing at a rapid pace. In order to stay one step ahead of the impending dangers, we help you to train your staff effectively and in a targeted manner.
C-Level Advisory
Our internal Hays experts are your contacts when it comes to designing your cyber security strategy. We advise both C-level executives and the specialists responsible for implementing NIS2 in your company.
Cyber Security Consulting Services
Together we will manage the NIS2 implementation. We advise you on all issues relating to the regulation. From strategy development and specific measures to cyber security assessments.
Managed Security Services
Our professional partners offer a comprehensive portfolio of software and hardware tailored to your needs to beat cybercrime, as well as smooth integration and maintenance of the new security solutions.
Technology Solutions
Our network of more than 390 strategic partners supports you with state-of-the-art technological cyber security solutions.

Our wealth of operational experience and certified partner network

390+ partner companies
in long-term collaborations and over 30 highly specialized strategic cyber partners based in German-speaking countries
2,000+ projects
successfully implemented with our customers from over 50 industries in Germany and Austria in the field of cyber security
5,200+ experts
from the cyber security environment – both freelance and in permanent employment

390+ partner companies
in long-term collaborations and over 30 highly specialized strategic cyber partners based in Germany
2,000+ projects
successfully supported our customers and partners from over 50 industries in all areas of cyber security
5,200+ skilled professionals
from the cyber security environment - both freelance and in permanent employment and temporary employment

Your benefits from our NIS2 consultation

1. Being competitive and profitable in the long term

NIS2 harmonises and significantly improves the level of security in the companies affected by NIS2, as the directive also obliges them to ensure that their entire supply chain complies with the requirements. This ensures the long-term competitiveness and profitability of the companies concerned.

2. Become resilient

Get a head start against cybercrime. NIS2 includes measures that significantly reduce business and financial risks and protect you from attacks.

3. Increase compliance

Show that your company can operate securely in a complex world. Compliance with the NIS2 Directive strengthens the trust of clients and partners. You also avoid sanctions: Penalties of up to ten million euros or up to two per cent of annual turnover can be imposed for violations and management and CISOs can be held personally liable.

NIS2 consulting and implementation
How the collaboration with Hays works

Appointment with Cyber Experts
Deep Dive with NIS2 Experts
Gap analysis and implementation
Establishing NIS2 compliance
Regular testing

The NIS2 gap analysis

At the start of our collaboration, we usually conduct a detailed gap analysis. Our experts conduct a review of your existing documentation to determine whether it meets the requirements of the NIS2 Directive. We then organise a one-day workshop with your team to jointly identify gaps. On this basis, our experts develop a detailed roadmap with customised measures to close the identified gaps.

Individual support

From customized security assessments to penetration tests, we offer services that put your digital infrastructure through its paces.

A team at your side

Our experts are not only specialists, but also your partners. Together, we will walk the path to NIS2 compliance.

Software and hardware solutions

Our solutions are designed to make companies more resilient in a cost-effective and sustainable way. 
From SOCaaS (Security Operations Center-as-a-Service) to advanced deception & detection platforms – we have the tools.

Personnel services from the #1

We offer not only technical solutions, but also highly qualified specialists to drive your security strategy and NIS2 processes forward.

Yesterday's solutions don't solve tomorrow's problems!

FAQ

The abbreviation "NIS-2" stands for the "Network and Information Security Directive 2" (Directive on Network and Information Systems). This European legislation aims to strengthen cyber resilience in the European Union by defining security measures for affected companies to ensure the integrity, availability, confidentiality and robustness of their network and information systems.


Companies with at least 50 employees or an annual turnover of more than ten million euros are directly affected by NIS2 and should comply with the NIS2 Directive in order to avoid fines and liability risks.


Violations of the NIS-2 Implementation Act can result in heavy fines, depending on the sector. For particularly important institutions, fines can be up to €10 million or two percent of global annual turnover. For important institutions, fines can be up to €7 million or 1.4 percent of global annual turnover.


No, the obligations apply from 6 December 2025, without a transition period.


NIS-2 is an EU directive that focuses on improving cybersecurity and information sharing after cyberattacks in 14 sectors and was implemented nationally on 5 December 2025 through the NIS-2 Implementation Act (NIS2UmsuCG). DORA, on the other hand, is a regulation specific to the financial sector and aims to ensure cyber resilience in this sector.


NIS2 Directive: Summary

NIS (Network and Information Security Directive) is an important EU directive for the security of critical infrastructures and has defined the minimum cyber security standards in companies since 2016. The NIS2 Directive is the revised version that must be transposed into national law in Austria by October 2024.

The EU-wide regulation aims to strengthen resilience against cyberattacks in the European Union. It does this by laying down security requirements for affected organisations to ensure the integrity, accessibility, confidentiality and resilience of their network and information systems. NIS2 not only drives the EU-wide development of national cybersecurity, but is also an important measure in the fight against cybercrime.

In addition to the critical infrastructure companies that were previously subject to the NIS Directive, a broader range of companies are now also affected by the new NIS2 regulation. The expanded number of affected sectors presents many company managements with a number of critical challenges.

As a first step, companies should inform themselves about the changes and check whether they are affected by NIS2. If this is the case, they face the far greater challenge of implementation. A detailed NIS2 audit then helps them to define and implement specific measures.

Source

  1. https://kpmg.com/at/de/home/insights/2024/04/cybersecurity-studie-2024.html