Implement NIS-2
now with Hays

We support you from analysis to compliant NIS 2 implementation

Every 6.4 minutes
we fill a position in Germany
4.5/5
Customer satisfaction
Over 50 years
of experience as a recruitment agency

What is NIS-2?

The NIS-2 Implementation Act, which regulates the essential principles of information security management, came into force in Germany on 6 December 2025. Companies affected by NIS-2 are now legally obliged to meet stricter cyber security requirements. They must register with the BSI, report significant security incidents in a timely manner and establish a verifiable risk management system.
In contrast to the previous NIS Directive, which only affected companies in critical infrastructures (KRITIS), NIS-2 affects significantly more companies and sectors. These include, for example, research, digital services and production. This puts considerable pressure on numerous companies and, in particular, on their management and cyber security officers, because managers can be held personally liable for violations of the directive.

Our solution portfolio:
From NIS-2 audit to cyber security strategy

Cyber Security Recruitment
We specialise in the search and placement of highly qualified cyber security experts. We connect companies affected by NIS-2 with the talent they need to protect their data and digital assets.
Upskilling and reskilling of personnel
Cyber security is dynamic, because cybercrime is developing at a rapid pace. In order to stay one step ahead of the impending dangers, we help you to train your staff effectively and in a targeted manner.
C-Level Advisory
Our internal Hays experts are your contacts when it comes to designing your cyber security strategy. We advise both C-level executives and the specialists responsible for implementing NIS-2 in your company.
Cyber Security Consulting Services
Together we will manage the NIS-2 implementation. We advise you on all issues relating to the regulation. From strategy development and specific measures to cyber security assessments.
Managed Security Services
Our professional partners offer a comprehensive portfolio of software and hardware tailored to your needs to beat cybercrime, as well as smooth integration and maintenance of the new security solutions.
Technology Solutions
Our network of more than 390 strategic partners supports you with state-of-the-art technological cyber security solutions.

These are the sectors and companies affected by NIS-2

  1. Energy: NIS2UmsuCG applies in particular to operators of critical infrastructures (KRITIS) in the energy sector. This includes companies involved in the supply (distribution and storage) of electricity, gas, district heating, district cooling, fuel and heating oil.
     
  2. Transport & traffic: This includes, for example, airlines, airport operators, railway infrastructure operators, passenger and freight transport companies, and operators of a facility or system for influencing road traffic.
     
  3. Finance: In the finance sector, which primarily includes credit institutions and, in some cases, trading venues, the NIS 2 Implementation Act only affects companies that are not covered by the EU-wide DORA Regulation.
     
  4. Health: Healthcare providers, research and development institutions, and companies that manufacture pharmaceutical products and medical devices must actively address cybersecurity, implement specific information security requirements, and be able to demonstrate these measures.
     
  5. Water: Operators of drinking water supply facilities and wastewater disposal companies must be protected against cyber attacks and are therefore directly affected by NIS2UmsuCG.
     
  6. Digital infrastructure: IT infrastructure is particularly vulnerable to digital attacks and must therefore be adequately protected. Operators of internet exchange points, providers of cloud computing and data centre services, operators of public telecommunications networks, providers of publicly available telecommunications services, managed services and managed security services providers must comply with NIS2UmsuCG.
     
  7. Space: Operators of ground infrastructure owned, managed and operated by Member States or private parties that support the provision of space-based services must be protected in accordance with NIS-2. This excludes providers of public electronic communications networks.

  1. Transport & traffic: This applies to companies that offer postal and courier services.
     
  2. Waste management: This includes waste management companies that dispose of municipal waste such as residual waste, organic waste, paper, glass or bulky waste. Companies for which waste management is not their main economic activity are excluded.
     
  3. Production, manufacture and trade in chemical substances: This affects companies that produce, import or sell chemicals.
     
  4. Production, processing and distribution of food: This sector includes food companies that are active in wholesale trade and industrial production and processing.
     
  5. Manufacturing industry / production of goods: Companies that manufacture medical products and in vitro diagnostics, as well as companies in the fields of data processing equipment, electronic and optical products, mechanical engineering or motor vehicle manufacturing, must be protected by cyber security measures in accordance with NIS-2.
     
  6. Digital service providers: Companies and providers of online marketplaces, online search engines and social networking platforms must be protected by cybersecurity measures in accordance with the NIS-2 Implementation Act.
     
  7. Research: Research institutions are now more dependent on digital services than ever before. This sector must therefore be protected by cybersecurity measures in accordance with the NIS-2 Directive.

Your advantages with Hays

Individual support

From customized security assessments to penetration tests, we offer services that put your digital infrastructure through its paces.

A team at your side

Our experts are not only specialists, but also your partners. Together, we will walk the path to NIS-2 compliance.

Software and hardware solutions

Our solutions are designed to make companies more resilient in a cost-effective and sustainable way. 
From SOCaaS (Security Operations Center-as-a-Service) to advanced deception & detection platforms - we have the tools.

Personnel services from the #1

We offer not only technical solutions, but also highly qualified specialists to drive your security strategy and NIS-2 processes forward.

Get ready for NIS-2 with Hays

We support you from the initial assessment to the development and implementation of a comprehensive strategy and regular testing.
Protect companies
Strengthen customer confidence
Stay profitable

Ready for NIS-2 implementation
with our cyber security team

With the Hays cyber security team, we have created a central point of contact that provides you with highly competent support for all cyber security issues and NIS-2 requirements based on a 360-degree principle: from project and consulting services to suitable technology and software solutions to highly qualified specialists. We also work with strategic and certified partner companies who can offer you the best solution for your needs relating to the new EU directive at any time.

Our experts


Michael Hartmann

Head of Cyber Security (Germany)

  • Over 17 years of experience in human resources services, work contracts, and service agreements, particularly in the IT and engineering sectors
  • Degree in mechanical engineering (university of applied sciences) and CompTIA Security+ certified
  • In-depth expertise in cyber security training and continuing education

Oualid Lkhaouni

Cybersecurity Services & Solutions Lead / Technology Expert, EMPOSO GmbH

  • Cybersecurity professional with 10+ years of experience in offensive security and technical assessments
  • M.Sc. in IT Security (Ruhr University Bochum)
  • Delivered 100+ technical security assessments across web, infrastructure, cloud, and red teaming
  • Certifications: OSEP, OSCP, CRTO, CRTP, SAA-C02

Neil Khatod

Head of Cyber Security (The Americas)

  • More than 25 years of military experience
  • Led the defense of the world’s largest IT infrastructure
  • COO of Cyber Operations, U.S. Army Cyber Command
  • Managed a cyber budget of $1.9 billion and led 16,500 personnel

Frank Apel

Senior Department Manager

  • Over 15 years of experience in personnel services, contract work and recruiting
  • Extensive management experience with a focus on strategic management and business development
  • Expertise in 8 different industries

Yesterday's solutions don't solve tomorrow's problems!

FAQ

The abbreviation "NIS-2" stands for the "Network and Information Security Directive 2" (Directive on Network and Information Systems). This European legislation aims to strengthen cyber resilience in the European Union by defining security measures for affected companies to ensure the integrity, availability, confidentiality and robustness of their network and information systems.

Violations of the NIS-2 Implementation Act can result in heavy fines, depending on the sector. For particularly important institutions, fines can be up to €10 million or two percent of global annual turnover. For important institutions, fines can be up to €7 million or 1.4 percent of global annual turnover.

No, the obligations apply from 6 December 2025, without a transition period.

NIS-2 is an EU directive that focuses on improving cybersecurity and information sharing after cyberattacks in 14 sectors and was implemented nationally on 5 December 2025 through the NIS-2 Implementation Act (NIS2UmsuCG). DORA, on the other hand, is a regulation specific to the financial sector and aims to ensure cyber resilience in this sector.

NIS-2 Implementation Act: Summary

Since 2016, the NIS Directive (Network and Information Security Directive) has set minimum standards for cybersecurity, initially primarily for operators of critical infrastructures (KRITIS).

The NIS-2 Directive significantly expands the scope of application and came into force in Germany on 6 December 2025, with the Act Implementing the NIS-2 Directive (NIS-2UmsuCG) – without a transition period. 

The EU-wide regulation aims to strengthen resilience against cyberattacks in the European Union. It does this by setting security requirements for affected companies to ensure the integrity, availability, confidentiality, and robustness of their network and information systems. NIS-2 not only promotes the EU-wide development of national cybersecurity, but is also an important measure in the fight against cybercrime. 

In addition to KRITIS companies, which were already subject to the NIS Directive, a wider range of companies are now affected by the new NIS-2 regulation. The increased number of sectors affected presents many management teams with a number of critical challenges. 

As a first step, companies should inform themselves about the changes and check whether they are affected by NIS-2. If this is the case, they face the much greater challenge of implementation. A detailed NIS-2 audit will then help them to define and implement specific measures.