NIS2 Directive

Implementation of EU Directive 2022/2555 (NIS2) for network and information security with post-quantum cryptography.


Overview

The NIS2 Directive [1] is the revised EU directive on cybersecurity for critical infrastructure. It entered into force on January 16, 2023, and must be transposed into national law by October 17, 2024.

```mermaid
flowchart TB
    subgraph NIS2["NIS2 Directive (EU) 2022/2555"]
        A21["Article 21<br/>Risk Management"]
        A23["Article 23<br/>Reporting Obligations"]
        A32["Article 32<br/>Supervision"]
    end
    subgraph A21D["Art. 21(2) - Minimum Measures"]
        A21a["(a) Risk Analysis"]
        A21d["(d) Supply Chain"]
        A21e["(e) Procurement"]
        A21h["(h) Cryptography"]
        A21j["(j) MFA/Access"]
    end
    subgraph WVDS["WvdS Implementation"]
        RISK["Risk Documentation"]
        SUPPLY["OpenSSL 3.6<br/>(Open Source)"]
        CERT["NIST FIPS<br/>203/204"]
        CRYPTO["ML-DSA<br/>ML-KEM"]
        MFA["mTLS<br/>Client Certs"]
    end
    A21 --> A21D
    A21a --> RISK
    A21d --> SUPPLY
    A21e --> CERT
    A21h --> CRYPTO
    A21j --> MFA
    style CRYPTO fill:#4caf50,color:#fff
    style MFA fill:#4caf50,color:#fff
```


Affected Sectors

NIS2 expands the scope to more sectors:

Essential Entities

| Sector | Examples | WvdS Relevance |
|---|---|---|
| Energy | Power grids, wind farms, oil/gas | Energy Scenarios |
| Transport | Rail, aviation, shipping | Transport certificates |
| Banking | Credit institutions | Transaction security |
| Healthcare | Hospitals, laboratories | Healthcare Scenarios |
| Drinking Water | Water supply | SCADA communication |
| Digital Infrastructure | DNS, TLD, cloud | PKI, TLS |

Important Entities

| Sector | Examples | WvdS Relevance |
|---|---|---|
| Postal/Courier | Logistics | Authentication |
| Waste Management | Disposal | OT security |
| Chemicals | Production | Industry Scenarios |
| Food | Production, retail | Supply chain |
| Manufacturing | Machinery, vehicles | Automotive Scenarios |
| Digital Services | Marketplaces, search engines | API security |

Article 21(2) - Risk Management Measures

The directive requires specific minimum measures in Article 21(2) [2]:

(a) Risk Analysis and Information System Security

| Requirement | WvdS Evidence |
|---|---|
| Risk identification | Risk Documentation |
| Quantum threat analyzed | Harvest-Now-Decrypt-Later scenario |
| Protection requirements determined | Data classification by lifespan |
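The two evidence items "Harvest-Now-Decrypt-Later scenario" and "data classification by lifespan" belong together: traffic recorded today can be decrypted once a cryptographically relevant quantum computer exists, so the relevant question for each asset is whether its secrecy lifetime plus the time needed to migrate it reaches past that date. The following Python script is an added example of such a classification and is not part of the WvdS project; the asset register, the migration estimates and the assumed CRQC year are constructed inputs, and `ASSUMED_CRQC_YEAR`, `Asset`, `exposed_to_hndl` and `classify` are names chosen here.

```python
"""Data-lifespan classification against harvest-now-decrypt-later (HNDL).
Added example, not WvdS code. All inputs below are constructed."""
from dataclasses import dataclass

# Assumption: the risk owner's planning horizon for a cryptographically
# relevant quantum computer (CRQC). Constructed value for illustration.
ASSUMED_CRQC_YEAR = 2035


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality_years: int  # X: how long the data must stay secret
    migration_years: int        # Y: time needed to move it to PQ crypto
    pq_protected: bool          # already behind hybrid / PQ encryption?


def exposed_to_hndl(asset: Asset, current_year: int,
                    crqc_year: int = ASSUMED_CRQC_YEAR) -> bool:
    """HNDL exposure check: data is at risk when secrecy lifetime plus
    migration time reaches the assumed CRQC date (X + Y >= Z) and the
    asset is not yet PQ-protected. Classical-only encryption does not
    count, because recorded ciphertext can be attacked later."""
    if asset.pq_protected:
        return False
    years_until_crqc = crqc_year - current_year  # Z
    return asset.confidentiality_years + asset.migration_years >= years_until_crqc


def classify(assets, current_year: int,
             crqc_year: int = ASSUMED_CRQC_YEAR) -> dict:
    """Map each asset name to a verdict for the risk register:
    'protected', 'migrate now' or 'acceptable'."""
    verdicts = {}
    for asset in assets:
        if asset.pq_protected:
            verdicts[asset.name] = "protected"
        elif exposed_to_hndl(asset, current_year, crqc_year):
            verdicts[asset.name] = "migrate now"
        else:
            verdicts[asset.name] = "acceptable"
    return verdicts


# Constructed sample register; lifetimes are illustrative, not guidance.
SAMPLE_ASSETS = [
    Asset("patient records", confidentiality_years=30, migration_years=2, pq_protected=False),
    Asset("SCADA telemetry", confidentiality_years=1, migration_years=3, pq_protected=False),
    Asset("session tokens", confidentiality_years=0, migration_years=1, pq_protected=False),
    Asset("board minutes", confidentiality_years=15, migration_years=1, pq_protected=True),
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_ASSETS, current_year=2025).items():
        print(f"{name:18s} {verdict}")
```

The verdicts are only as good as the lifetime and migration estimates, so the register should record where each number came from; an asset whose lifetime is unknown is treated most safely as long-lived.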

(d) Supply Chain Security

| Requirement | WvdS Evidence |
|---|---|
| Evaluate suppliers | OpenSSL 3.6 = open source, auditable |
| Minimize dependencies | Only OpenSSL + .NET runtime |
| Ensure updates | NuGet package, automatic updates |

(e) Security in Acquisition, Development and Maintenance

| Requirement | WvdS Evidence |
|---|---|
| Secure development | Code review, tests |
| Vulnerability management | GitHub Security Advisories |
| Patch management | Semantic versioning |

(h) Cryptography Policies

Core Requirement for WvdS:

| Requirement | WvdS Implementation | Status |
|---|---|---|
| Appropriate cryptography | NIST FIPS 203/204 algorithms | Completed |
| State of the art | Post-quantum since NIST 2024 | Completed |
| Encryption where required | Hybrid cryptography | Completed |
| Key management | HKDF, PBKDF2, Argon2id | Completed |

```csharp
// NIS2-compliant cryptography configuration: hybrid mode as the default
CryptoConfig.DefaultMode = CryptoMode.Hybrid;

// Hybrid certificates: classical + post-quantum signatures on one certificate
var cert = request.CreateSelfSigned(
    notBefore, notAfter,
    CryptoMode.Hybrid  // ECDSA + ML-DSA
);
```

(j) Multi-Factor Authentication

| Requirement | WvdS Implementation | Status |
|---|---|---|
| MFA or continuous authentication | mTLS with client certificates | Completed |
| Secure communication | TLS 1.3 with PQ algorithms | Completed |
| Identity management | X.509 certificates | Completed |
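For mTLS to count as an authentication factor, the server side must actually demand the client certificate and must refuse protocol versions older than TLS 1.3; a context that merely accepts a certificate when offered provides no authentication. The following Python block is an added example, not WvdS code (WvdS is a .NET library; this uses Python's `ssl` module on whatever OpenSSL the interpreter is linked against, and which post-quantum groups that build can negotiate is outside the example). It shows a default context next to a hardened one and a start-up self-check that reports policy violations. Certificate and CA paths are placeholders supplied by the caller; `weak_server_context`, `mtls_server_context` and `check_mtls_policy` are names chosen here.

```python
"""TLS 1.3 server context requiring client certificates (mTLS), with a
self-check. Added example, not WvdS code. Paths are caller-supplied placeholders."""
import ssl


def weak_server_context() -> ssl.SSLContext:
    """A plain server context: no client authentication, and any TLS version
    the library supports is accepted. Kept only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mtls_server_context(cert_file: str = None, key_file: str = None,
                        client_ca_file: str = None) -> ssl.SSLContext:
    """Hardened context: TLS 1.3 only, and the handshake fails unless the
    client presents a certificate that chains to the configured client CA.
    With all paths None the policy is set but no credentials are loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED        # no client cert -> no connection
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)  # placeholder paths
    if client_ca_file:
        # Only this CA may issue client identities; do not use the system store.
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def check_mtls_policy(ctx: ssl.SSLContext) -> list:
    """Return the policy violations of a context (empty list = compliant).
    Run this before binding the listener so a misconfiguration is caught
    at start-up rather than discovered in an incident review."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client certificate not required")
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        problems.append("TLS versions below 1.3 accepted")
    return problems


if __name__ == "__main__":
    print("default context:", check_mtls_policy(weak_server_context()))
    print("mTLS context:   ", check_mtls_policy(mtls_server_context()))
```

In production the client CA should be a dedicated issuing CA for client identities, and certificate revocation (CRL or OCSP) has to be handled separately; `ssl` does not check revocation by itself.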

Article 23 - Reporting Obligations

Strict reporting obligations apply to security incidents [3]:

| Deadline | Report | WvdS Support |
|---|---|---|
| 24 hours | Early warning | Audit logging for forensics |
| 72 hours | Incident notification | Detailed logs available |
| 1 month | Final report | Complete documentation |

Recommendation: Enable audit logging for all cryptographic operations to document incidents traceably.
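The three deadlines run from the moment the entity becomes aware of the incident, so the audit trail needs timestamps that can be trusted and filtered quickly. The following Python block is an added example, not WvdS code: it writes one JSON line per cryptographic event, computes the 24-hour, 72-hour and one-month deadlines from a detection time, and extracts the events inside an incident window for the forensic timeline. The JSON-lines format, the field names (`ts`, `event`, `outcome`) and the sample log records are all constructed for this example; the one-month calculation uses the same calendar day of the next month, which is an assumption about how "1 month" is counted.

```python
"""Audit trail for crypto operations and NIS2 Article 23 deadline calculation.
Added example, not WvdS code. Log format and sample records are constructed."""
import json
from datetime import datetime, timedelta, timezone


def add_one_month(t: datetime) -> datetime:
    """Same calendar day of the next month, clamped to that month's length
    (Jan 31 -> Feb 28/29). Assumed reading of the '1 month' deadline."""
    year = t.year + (t.month // 12)
    month = t.month % 12 + 1
    first_of_following = datetime(year + (month // 12), month % 12 + 1, 1, tzinfo=t.tzinfo)
    last_day = (first_of_following - timedelta(days=1)).day
    return t.replace(year=year, month=month, day=min(t.day, last_day))


def nis2_deadlines(detected_at: datetime) -> dict:
    """Reporting deadlines measured from awareness of the incident."""
    if detected_at.tzinfo is None:
        raise ValueError("incident timestamps must be timezone-aware")
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "incident_notification": detected_at + timedelta(hours=72),
        "final_report": add_one_month(detected_at),
    }


def audit_record(event: str, outcome: str, **details) -> str:
    """One JSON line per cryptographic operation, UTC-timestamped, so the
    order of key uses, verifications and failures can be reconstructed."""
    rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
           "outcome": outcome, **details}
    return json.dumps(rec, sort_keys=True)


def events_in_window(log_lines, start: datetime, end: datetime, outcome: str = None) -> list:
    """Parse JSON-line audit records and return those within [start, end],
    optionally restricted to one outcome (e.g. 'failure'). Malformed lines
    are skipped rather than aborting the forensic run."""
    selected = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if start <= ts <= end and (outcome is None or rec.get("outcome") == outcome):
            selected.append(rec)
    return selected


# Constructed sample audit log (not real data); one line is deliberately broken.
SAMPLE_LOG = """
{"ts": "2025-03-10T08:00:00+00:00", "event": "tls_handshake", "outcome": "success", "peer": "client-42", "mode": "hybrid"}
{"ts": "2025-03-10T08:05:12+00:00", "event": "cert_verify", "outcome": "failure", "peer": "client-99", "reason": "unknown issuer"}
{"ts": "2025-03-10T08:05:13+00:00", "event": "cert_verify", "outcome": "failure", "peer": "client-99", "reason": "unknown issuer"}
this line is not JSON
{"ts": "2025-03-11T09:00:00+00:00", "event": "key_rotation", "outcome": "success", "key_id": "sig-2025-03"}
"""

if __name__ == "__main__":
    detected = datetime(2025, 3, 10, 8, 5, tzinfo=timezone.utc)
    for name, due in nis2_deadlines(detected).items():
        print(f"{name:22s} {due.isoformat()}")
    window_start = datetime(2025, 3, 10, tzinfo=timezone.utc)
    window_end = datetime(2025, 3, 10, 23, 59, 59, tzinfo=timezone.utc)
    for rec in events_in_window(SAMPLE_LOG.splitlines(), window_start, window_end, outcome="failure"):
        print(rec["ts"], rec["event"], rec.get("reason"))
    print(audit_record("sign", "success", key_id="sig-2025-03"))
```

The audit records should go to append-only storage with a synchronised clock; a log whose timestamps can be altered afterwards does not support the evidence the final report has to contain.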


Implementation Timeline

```mermaid
timeline
    title NIS2 Implementation
    section 2023
        Jan 16 : NIS2 in force
        Inventory : Check applicability
    section 2024
        Oct 17 : Transposition deadline
        Gap Analysis : Identify measures
    section 2025
        Reporting : Fully active
        Supervision : Controls begin
    section 2026+
        Sanctions : Fines possible
        Audits : Regular reviews
```

Sanctions for Violations [4]:

  • Essential entities: up to EUR 10 million or 2% annual turnover (Art. 34(4))
  • Important entities: up to EUR 7 million or 1.4% annual turnover (Art. 34(5))

Checklist for NIS2 Compliance

| # | Checkpoint | WvdS Evidence | Status |
|---|---|---|---|
| 1 | Risk analysis documented | Risk | [ ] |
| 2 | Cryptography "state of the art" | NIST FIPS 203/204 (2024) | [ ] |
| 3 | Hybrid cryptography active | CryptoMode.Hybrid | [ ] |
| 4 | Key management documented | KeyDerivation | [ ] |
| 5 | Supply chain transparent | OpenSSL 3.6 open source | [ ] |
| 6 | MFA implemented | mTLS with client certificates | [ ] |
| 7 | Audit logging active | Crypto events logged | [ ] |
| 8 | Reporting process defined | Incident response plan | [ ] |

German Implementation: NIS2UmsuCG

The NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) [5] transposes NIS2 into German law:

| NIS2 | German Law | Responsible Authority |
|---|---|---|
| Essential entities | Sections 28-29 BSIG-new | BSI |
| Important entities | Sections 30-31 BSIG-new | BSI |
| Reporting obligations | Section 32 BSIG-new | BSI |
| Sanctions | Section 60 BSIG-new | BNetzA, BSI |

Further Reading


Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/29 at 11:33 PM