NIS-2 Directive — Cybersecurity Compliance
The NIS-2 directive (EU 2022/2555) is the successor to the original NIS Directive, with a much wider scope that covers most mid-market and large enterprises in critical sectors across the EU. Transposed into national law by EU member states from October 2024, NIS-2 mandates cybersecurity risk management, incident reporting and governance accountability. For organisations running ERP systems in Germany, Austria and Switzerland (via the Swiss equivalents), NIS-2 is the most consequential cybersecurity regulation since GDPR.
Scope and entity classification
NIS-2 applies to two categories: Essential Entities (large companies in critical sectors — energy, transport, banking, health, drinking water, digital infrastructure, public administration) and Important Entities (medium and large companies in extended sectors — postal services, waste management, manufacturing of pharmaceuticals, medical devices, machinery, electronics and motor vehicles, chemical production, food production, digital service providers, research). Size thresholds: a medium-sized entity has more than 50 employees and more than 10 million EUR turnover; a large entity has more than 250 employees and more than 50 million EUR turnover. Below these thresholds, NIS-2 does not apply directly, but its requirements may still reach a company through the supply-chain security obligations of customers that are themselves in scope.
Core obligations
- Risk-management measures — policies, asset inventories, access controls, vulnerability management, supply-chain security, encryption, MFA, backup and recovery procedures
- Incident reporting to the national CSIRT — early warning within 24 hours, incident notification within 72 hours, final report within one month
- Business-continuity planning — documented BCP and DR procedures, tested regularly
- Supply-chain security — cybersecurity requirements flowed to suppliers, including ERP vendors and cloud providers
- Governance accountability — management board personally liable for compliance, with mandatory cybersecurity training
ERP-specific implications
NIS-2 is technology-neutral, but in practice it demands a set of ERP-side capabilities:
- Audit logging that satisfies the audit-trail requirements (who changed what, when, and from where)
- Identity and access management with MFA, role-based access and segregation of duties
- Encryption at rest and in transit for the ERP database and its integrations
- SIEM integration (see SIEM) for centralised monitoring, so that incidents are detected in time to meet the 24-hour early-warning deadline
- Backup and recovery tested at least annually, with documented RTO and RPO
- Vendor risk management for the ERP provider itself — data-processing agreements, sub-processor lists, and ISO 27001 / SOC 2 attestation evidence
Sanctions and timeline
Penalties under NIS-2 are aligned with GDPR severity. Essential Entities: up to 10 million EUR or 2% of worldwide annual revenue, whichever is higher. Important Entities: up to 7 million EUR or 1.4% of worldwide annual revenue. Beyond fines, board members are personally liable and may be disqualified from management positions in cases of severe negligence. Germany's national transposition (NIS2UmsuCG) was delayed but is expected to be in effect by mid-2025; Austria's NISG 2.0 came into force in 2024; Switzerland is not bound by NIS-2 directly, but the Swiss Information Security Act (ISG) imposes broadly similar requirements from 2024 onwards.
Frequently Asked Questions
Am I in scope for NIS-2?
Check three things. (1) Sector — manufacturing of machinery, pharmaceuticals, medical devices, food, electronics and motor vehicles is in scope; pure trade and services often are not. (2) Size — more than 50 employees and more than 10 million EUR turnover for Important Entities. (3) Supply-chain pull-through — if your customers are in scope, they may impose NIS-2-equivalent requirements on you contractually.
Does cloud ERP help or hurt NIS-2 compliance?
Cloud ERP from major vendors (SAP, Microsoft, Oracle) typically simplifies compliance — they hold ISO 27001 and SOC 2 attestations, run robust patch management and provide audit-ready logging. You still own the application-level controls (user access, segregation of duties, custom integrations) and the supply-chain risk management. Smaller cloud ERP vendors should be evaluated against their attestation portfolio.
What is the typical NIS-2 implementation effort?
For a 200-employee mid-market manufacturer, plan 12-24 months from gap assessment to operational compliance, with 200-500 person-days of internal effort plus 100-300 person-days of consulting. The main cost drivers are SIEM deployment, MFA rollout, supply-chain due diligence, and the documentation and management-training activities.
