15 January 2024

NIS2 Directive: What German Companies Need to Know Now

The NIS2 Directive significantly expands the scope of regulated companies: Instead of around 4,000, over 30,000 organizations in Germany will be affected. Those who do not act now risk personal liability.

TL;DR

The NIS2 Directive significantly expands the scope of regulated companies in the EU: instead of around 4,000, over 30,000 organizations in Germany will be affected. National implementation is underway and the EU transposition deadline is 17 October 2024. Those who do not act now risk personal liability for management.

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) has been in force at the EU level since January 2023. Member states must transpose the directive into national law by 17 October 2024. In Germany, this is done through the NIS2 Implementation Act (NIS2UmsuCG), which is being developed by the Federal Ministry of the Interior (BMI); the Federal Office for Information Security (BSI) will act as the competent authority.

Who is Affected?

NIS2 distinguishes between “essential” and “important” entities. The classification depends on both the sector and the size of the organization:

  • Essential Entities: large organizations (generally from 250 employees or 50 million EUR annual turnover) in the sectors of high criticality, including Energy, Transport, Health, Drinking Water, Digital Infrastructure, Banking, and Public Administration
  • Important Entities: medium-sized organizations in those sectors, plus organizations of any qualifying size in the other critical sectors: Postal Services, Waste Management, Chemicals, Food, Manufacturing, Digital Services, Research
  • Size Criterion: Generally from 50 employees or more than 10 million EUR annual turnover or balance sheet total (the EU definition of a medium-sized enterprise); smaller organizations are out of scope unless a sector-specific exception applies

Key Obligations

Risk Management: Companies must implement technical and organizational measures that meet the state of the art and are proportionate to the risk. Article 21 of the directive lists the minimum areas, which include Incident Handling, Business Continuity and Crisis Management, Supply-Chain Security, secure development and vulnerability handling, Cryptography and Encryption, Access Control, and Multi-Factor Authentication.

Reporting Obligations: Significant security incidents must be reported to the competent authority in stages: an early warning within 24 hours, an incident notification with an initial assessment within 72 hours, and a final report within one month of the incident notification.

Management Liability: The management level must approve cybersecurity measures, monitor their implementation, and attend cybersecurity training itself. Violations can result in personal liability of the managers.

NIS2 vs. NIS1: What Changes?

  • Significantly more affected sectors and companies
  • Stricter reporting obligations (24h early warning instead of “without undue delay”)
  • Personal liability for management
  • Harmonized sanctions: up to 10 million EUR or 2% of global annual turnover, whichever is higher, for essential entities (up to 7 million EUR or 1.4% for important entities)
  • Mandatory supply chain risk assessment

Key Facts

Over 30,000 companies in Germany affected (vs. approx. 4,000 under NIS1)

Reporting Obligation: 24h early warning, 72h incident notification, final report within one month

Sanctions: up to 10 million EUR or 2% of global annual turnover, whichever is higher (essential entities); up to 7 million EUR or 1.4% (important entities)

Personal liability for management regarding cybersecurity

Supply-chain security becomes mandatory

Fact: According to Bitkom, by 2025 only 14 percent of affected companies are expected to have fully implemented the NIS2 requirements.

Fact: Only 43 percent of German SMEs have an IT emergency plan, according to Bitkom.

Frequently Asked Questions

Does NIS2 apply to small businesses?

Generally only from 50 employees or more than 10 million EUR annual turnover or balance sheet total. Exception: providers of DNS services, TLD name registries, qualified trust service providers, and certain other digital infrastructure providers are affected regardless of size.

What happens if I miss the deadline?

The supervisory authority can impose fines and issue binding orders. Essential entities are additionally subject to proactive supervision, including audits, while important entities are supervised reactively, for example after an incident or a complaint. Personal liability for management applies from the entry into force of the implementation law.

How does NIS2 differ from the GDPR?

The GDPR protects personal data, while NIS2 secures the cybersecurity of networks and information systems. NIS2 requires technical and organizational measures, regular risk assessments, and a staged reporting obligation that starts with an early warning within 24 hours, compared with the 72-hour deadline for notifying a personal data breach under the GDPR. A single incident can trigger both obligations, so incident response plans should cover both reporting channels.

Header Image Source: Pexels / Jan van der Wolf

About the author: Tobias Massow

A magazine by Evernine Media GmbH