15.07.2025

How to meet NIS2 requirements with modern network and security solutions

The need to strengthen cybersecurity is undeniable. According to global data experts at Statista, cybercrime increasingly ranks among the most prevalent and damaging offenses of our time. In response to this growing threat, the European Union (EU) has updated the NIS2 Directive to better address today’s complex cybersecurity landscape and ensure broader protection for businesses and organizations.

1. What is the NIS2 Directive?

NIS2 is an amendment to ‘The Network and Information Security (NIS) Directive’, which aims to elevate the level of cybersecurity across the EU member states and make the European Union more resilient to cybercrime.

With the new NIS2 requirements for companies, more sectors will need to analyze their security measures and adapt to stricter security standards. They will need to improve incident response and enhance intelligence sharing across member states. This aims to create a unified and stronger level of cybersecurity. However, the NIS2 Directive does not necessarily require a complete overhaul of your existing cybersecurity measures. In many cases, it is about refining specific areas and enhancing existing procedures. Companies might also be underusing tools already available to them - particularly in the cloud. Before investing in new systems, it is important to consider how current solutions can be strengthened.

NIS2 is more robust than its predecessor and impacts a wider range of sectors, including manufacturers of critical products, public administration, and space. It introduces a two-tier system, classifying organizations as either ‘essential entities’ (Annex I) or ‘important entities’ (Annex II), with different obligations, supervision levels, and penalties based on this classification. Moreover, the NIS2 Directive imposes stricter security measures and significantly higher penalties to ensure compliance. It also shifts accountability from IT departments to senior leadership, with executives potentially facing public disclosures or bans on future roles if found non-compliant.

While the NIS2 Directive sets out a baseline for cybersecurity requirements, it is important to note that local legislators in each EU member state have the authority to strengthen the directive or expand its scope. For instance, they can impose additional responsibilities or extend the sectors to which the directive will apply. EU member states had until October 17, 2024, to integrate NIS2 into their national laws. This required each state to develop and publish its compliance plans. Now, individual countries are establishing specific timelines for organizations within their borders. As a result, there is no EU-wide compliance deadline. Timelines vary by country, with most deadlines anticipated in 2025, and some extending into early 2026.

2. Applicability of NIS2: Who Is Affected?

Approximately 160,000 organizations across the European Union are affected by the NIS2 Directive. Whether a company is subject to the NIS2 Directive is determined by the sector in which it operates and its size.

Sector Classification:

  • Essential entities: Organizations crucial for maintaining critical infrastructure and services. Disruption could have severe consequences for society and the economy.
  • Important entities: Organizations that provide important services that are less critical than ‘essential entities.’ Their disruption could have a considerable impact.

| Essential Entities | Important Entities |
| --- | --- |
| Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Wastewater, Digital infrastructure, ICT service management (B2B), Public administration, Space | Chemicals, Digital providers, Postal and courier services, Waste management, Food (production, processing, distribution), Manufacturing, Research |

Size Criteria:

  • Micro: >10 employees and >€2 million turnover or balance sheet
  • Medium: >50 employees and >€10 million turnover or balance sheet
  • Large: >250 employees and >€50 million turnover or >€43 million balance sheet

To be subject to NIS2, an entity must meet both sector-based and size-based criteria.

3. Objectives & Core Obligations

The new NIS2 requirements aim to strengthen the resilience of EU member states against cybersecurity threats. The objectives are designed to ensure that essential services provided by businesses and public authorities are better protected from malicious interference, data loss, and operational disruptions.

The directive defines obligations and supervision based on an organization’s categorization:

  • Essential entities: Must comply with the full scope of NIS2, undergo proactive supervision (ex ante), report incidents to the CSIRT within the specified time frame, and conduct independent audits.
  • Important entities: Must implement risk-based security measures independently and verify them through self-assessment. They are subject to reactive supervision (ex post), with action taken in case of incidents or non-compliance.

Businesses can ensure NIS2 compliance by implementing strict cybersecurity measures, including:

  • Risk Management & Security Policies
  • Incident Reporting (within 24 hours, full report within 72 hours)
  • Business Continuity & Crisis Management
  • Supply Chain Security
  • Management Accountability

With NIS2, cybersecurity becomes a board-level priority. Leadership must actively oversee compliance and risk management, ensuring their own and their suppliers’ services meet stringent standards.

More than simply adapting to new regulations, businesses should look to foster and promote a culture of security, where employees at every level within the company are actively engaged in safeguarding both operations and data.

4. Accountability & Penalties

The NIS2 Directive defines several penalties for an organization that does not comply with its requirements. Accountability encompasses everyone from IT professionals to senior executives. This means that senior managers must ensure effective risk management and supervision.

Non-compliance can severely impact businesses, including:

  • Financial disruption: Fines, obligation to make security investments
  • Business disruption: Focus diverted to compliance, regulatory monitoring, license suspensions
  • Reputation damage: Public disclosure requirements
  • Executive consequences: Fines, criminal liability, and role bans

The financial sanctions which can be imposed for non-compliance are:

  • Up to €10 million or 2% of the company’s annual income worldwide for essential entities
  • Up to €7 million or 1.4% of the company’s annual income worldwide for important entities

5. Steps to Achieve NIS2 Compliance

Understanding whether your organization is classified as an essential or important entity under the NIS2 Directive is crucial. To make the process more manageable and to comply with NIS2 requirements, focus on three key areas:

  1. Consultancy and process services: Address technical security needs, establish comprehensive policies and procedures, and implement operational changes for compliance.
  2. Technology and managed solutions/services: Deploy advanced security tools, provide continuous monitoring and updates, and support compliance with automated enforcement.
  3. Security monitoring and validation: Continuously monitor systems, validate security measures through testing and audits, and ensure timely incident reporting.

By concentrating on these three elements, you can simplify your approach to NIS2 compliance and strengthen your organization’s resilience.

6. How Deutsche Telekom Helps Companies Meet NIS2 Requirements

Now is the time for businesses to assess their cybersecurity strategies and act. There are a few simple first steps companies can take, such as appointing a cybersecurity manager, establishing clear policies and responsibilities, and conducting a cybersecurity audit within the company.

Regardless of the approach you take, it is important to keep in mind that the NIS2 Directive is not just about imposing more regulations on companies. Instead, it is about helping organizations secure their data and business - which should be a top priority for almost any company.

Deutsche Telekom's solutions align with all relevant NIS2 requirements, providing a solid foundation for compliance by default. Among these, SD-WAN (Software-Defined Wide Area Networking) and SASE (Secure Access Service Edge) stand out as powerful enablers for organizations aiming to meet the directive’s cybersecurity demands.

A solid foundation in secure, scalable, and centrally managed networking - such as that provided by these technologies - is critical to fulfilling NIS2’s requirements for risk management, secure access, and network visibility.

  • SD-WAN ensures resilient, encrypted connectivity and centralized control across distributed environments.
  • SASE delivers cloud-native security functions like Zero Trust Network Access (ZTNA), Secure Web Gateways, and Cloud Access Security Brokers, all of which are essential for protecting data and users in a hybrid work world.

But compliance does not stop at architecture - it requires operational excellence. That is where Deutsche Telekom’s cybersecurity expertise completes the picture. With Europe’s largest Cyber Defense and Security Operations Center (SOC) monitoring over a billion data points daily, Deutsche Telekom provides 24/7 threat detection, incident response, and vulnerability management.

Cybersecurity services include automated penetration testing, compliance audits, and security awareness training, all of which directly support NIS2’s mandates for technical and organizational measures.

Together, SD-WAN and SSE - the networking and security parts of SASE - converge into a comprehensive, cloud-native architecture that not only helps organizations meet NIS2 obligations but also empowers them to build a more secure and resilient digital future.

The following table outlines how key SASE components directly support specific NIS2 compliance requirements, particularly in areas like access control, threat prevention, and cloud security.

| SASE Feature | NIS2 Requirement Addressed | Relevant NIS2 Article |
| --- | --- | --- |
| Zero Trust Network Access (ZTNA) | Identity-based access control, segmentation | Article 21(2)(a) – Risk analysis and security policies |
| Cloud-delivered Firewall as a Service (FWaaS) | Perimeter defense, threat prevention | Article 21(2)(d) – Supply chain and asset management |
| Secure Web Gateway (SWG) | Content filtering, malware blocking | Article 21(2)(e) – Handling security incidents |
| Cloud Access Security Broker (CASB) | Cloud visibility, compliance enforcement | Article 21(2)(g) – Security in network and information systems |
| Threat Intelligence Integration | Proactive risk mitigation | Article 7 – Cyber threat intelligence sharing |
| Continuous Monitoring & Logging | Incident detection and response | Article 23 – Incident handling and reporting |

With regard to SD-WAN, the following table shows how network-related features contribute to NIS2 compliance by enhancing network resilience, visibility, and secure data flow across distributed environments.

| SD-WAN Feature | NIS2 Requirement Addressed | Relevant Article |
| --- | --- | --- |
| Centralized Management | Simplifies compliance, auditing | Article 21(2)(h) - Cryptography and secure configurations |
| Application-aware Routing | Ensures service continuity | Article 21(2)(f) - Business continuity and crisis management |
| Encryption & Segmentation | Data protection, isolation | Article 21(2)(h) - Cryptography and secure communication |
| Resilient Connectivity | Redundancy, uptime | Article 21(2)(f) - Business continuity |
| Real-time Analytics | Supports incident response | Article 23(1) - Early detection and reporting |

Security Services Mapped to NIS2 Articles

While SASE and SD-WAN give you the architecture and connectivity, Deutsche Telekom’s cybersecurity services bring the operational muscle to meet NIS2’s more demanding requirements. Here is how:

| Cybersecurity Services | What It Does | NIS2 Requirement Addressed | Relevant Article |
| --- | --- | --- | --- |
| Virtual Chief Information Security Officer (vCISO) | Provides executive-level cybersecurity leadership and strategy | Governance, risk management, and compliance oversight | Article 21(1) |
| Backup-as-a-Service (BaaS) | Enables rapid data restoration and protection against data loss | Business continuity and data availability | Article 21(2)(f) |
| Disaster Recovery-as-a-Service (DRaaS) | Ensures rapid recovery from cyber incidents or disasters | System resilience and recovery planning | Article 21(2)(f) |
| Threat Detection & Response | Detects and mitigates threats in real time | Incident response and containment | Article 23(1) |
| Vulnerability Management | Identifies and remediates system weaknesses | Technical risk mitigation | Article 21(2)(d) |
| Penetration Testing & Compliance Audits | Validates security posture and readiness | Compliance verification and enforcement | Article 29 |
| Security Awareness Training | Educates staff to reduce human error and insider threats | Human factor risk mitigation | Article 21(2)(c) |

Achieving NIS2 compliance requires more than fragmented tools - it demands an integrated, strategic approach. By combining SD-WAN, SASE, and robust operational security capabilities, organizations can build a comprehensive cybersecurity architecture that not only meets regulatory demands but also strengthens resilience and operational agility.

7. Why Choose Deutsche Telekom?

Deutsche Telekom is committed to helping businesses navigate these new challenges and meet the requirements from the NIS2 Directive. It is our mission to keep your operations secure in today’s ever-changing digital landscape - because your cybersecurity is our business!

There are plenty of good reasons for choosing Deutsche Telekom to make your business more secure:

  • Security DNA: Whether it is the protection of mobile devices, vulnerability scanning, identity and access management, intelligent intrusion detection and monitoring, our comprehensive threat library, or our global network of security operation centers - security is deeply ingrained in everything we do.
  • Experience: From connectivity to cloud services to 24/7 support - we have known for decades how to securely operate and protect business-critical ICT infrastructure end-to-end for various industries and the public sector.
  • Leading ecosystem: Our partner ecosystem comprises the leading technology vendors in the areas of security, software-defined network overlays, and cloud services.
  • Global reach - Local touch: With legal entities in twenty-eight countries, we serve customers on a global scale combined with local knowledge and expertise.
  • Sustainable on principle: For more than two decades, environmental and social responsibility have been essential aspects of our day-to-day business and integral to our corporate governance.

The NIS2 Directive is not just a regulatory requirement - it is a strategic opportunity. By aligning cybersecurity practices with NIS2, organizations can reduce risk, avoid penalties, and build trust and resilience across their operations.

Take the lead - seize the opportunity to assess NIS2 readiness

Contact our network and cybersecurity experts today via the contact form to schedule a free consultation and start your compliance journey with confidence.