THREAT BRIEFING · 09.07.2026 DEENFRES

Security Glossary

What Is NIS2? Definition, Obligations, and Liability

By Alec Chizhik · July 5, 2026 · 7 min read

What is NIS2? The Directive (EU) 2022/2555 on Network and Information Security, NIS2 for short, is an EU legal act that expands the cybersecurity framework for critical infrastructures and essential services in the European Union. It obliges affected organizations to implement risk management, to report security incidents, and holds the management personally liable.

Key Points at a Glance

  • Implementation: In Germany, NIS2 applies through the NIS2 Implementation Act (NIS2UmsuCG), which anchors the obligations in the BSI Act (BSIG).
  • Legal Status: The requirements apply directly in Germany since December 2025. There is no transition period.
  • Liability: Management is personally liable in the event of gross breach of duty. Fines can reach up to 10 million euros or two percent of global annual revenue.

What NIS2 Means in Practice

NIS2 significantly shifts the regulatory environment of IT security. The previous approach focused on a limited group of critical infrastructures. NIS2, by contrast, covers a broad range of essential economic sectors. The German implementation takes place via the NIS2 Implementation Act (NIS2UmsuCG), which anchors the obligations directly in the BSI Act (BSIG).

A central feature is the lack of a transition period. The requirements apply directly in Germany since December 2025. From this point onward, affected entities are fully obliged to implement the requirements. There is no period during which compliance would merely be recommended.

The obligations rest on three pillars, defined in Article 21 NIS2 and § 30 BSIG. First, there is a registration requirement with the Federal Office for Information Security (BSI). Second, significant security incidents must be reported to the BSI without undue delay. Third, risk management measures must be implemented and documented. This includes the treatment of security risks, crisis management, and supply chain security.

The requirements are also enforced through financial sanctions. Entities classified as “essential” face fines of up to 10 million euros or up to two percent of the global annual revenue of the preceding financial year. The higher of the two amounts applies.

Who Is Affected

The group of affected organizations is growing significantly. Under the previous regulation, approximately 4,500 entities were covered in Germany. Under NIS2, this number rises to around 29,500. The reason is the division into two categories: “essential entities” and “important entities”. The classification depends on the size and strategic importance of the organization in its industry.

50

Employees from threshold

10 Mio €

Annual revenue from threshold

18

regulated sectors

For medium-sized enterprises, which previously often stood outside the strict framework, NIS2 introduces new thresholds. A company falls under the obligations if it employs at least 50 staff or generates annual revenue of 10 million euros. Additionally, it must operate in one of the 18 defined sectors, ranging from energy and transport through healthcare and water to digital infrastructures and public administration.

The distinction between “essential” and “important” entities determines the level of supervision and the severity of sanctions. Essential entities are subject to stricter requirements and higher fines. But “important entities” are also fully obliged to implement the technical and organizational measures under Article 21 NIS2. No exemption from these basic obligations exists for either group as long as the size or revenue thresholds are met.

In addition, there is heightened personal responsibility for company leadership. Pursuant to § 38 BSIG, the executive bodies, that is managing directors or board members, must approve the security measures and monitor their implementation. They must also participate in cybersecurity training. In the event of gross breach of duty, executives are personally liable. This shifts IT security from the specialist department to the board level and turns it into a governance topic.

What Companies Must Check Now

Companies should first analyze their own situation and determine whether they fall under “important” or “essential” entities. The first step is to compare their own headcount and annual revenue against the thresholds of 50 employees or 10 million euros respectively. If that applies, the next step is to check membership in one of the 18 regulated sectors.

Check Now

  • Check employee count and annual revenue against the thresholds (50 employees, 10 million euros)
  • Determine affiliation with one of the 18 regulated sectors
  • Complete registration with the BSI
  • Document security processes against Article 21 NIS2
  • Define reporting procedures for significant incidents

Once affected status has been determined, registration with the BSI must take place. The BSI portal for this has been available since January 2026. Early registration is advisable, since registration forms the basis for communication with the responsible authorities. In parallel, existing security processes must be reviewed against the requirements from Article 21 NIS2, including the documentation of all risk management measures.

Another point is the reporting procedure for security incidents. Companies must ensure that significant incidents are detected, assessed, and reported to the BSI in a timely manner. This requires clear internal escalation paths and a defined interface to the authority. Finally, the management should formalize the approval and monitoring of the measures. Because personal liability is at stake, decisions and training participation by the executive level must be carefully documented.

Distinction from Related Terms

NIS2 is often confused with the Digital Operational Resilience Act (DORA). However, the legal nature and scope of application of both regulatory frameworks differ clearly. DORA is a regulation, NIS2 a directive. As a regulation, DORA applies directly in all member states without national implementation reservation, while NIS2 is implemented through national laws such as the NIS2UmsuCG.

The decisive difference lies in the sector. DORA addresses the financial sector exclusively and regulates the operational resilience of banks, insurance companies, and other financial market participants. NIS2 covers, in addition to the financial sector, energy, healthcare, transport, digital infrastructure, and further areas.

The principle of specialty applies in the financial sector. Since DORA is the more specific legal provision for the financial area, it takes precedence over NIS2. Financial undertakings therefore primarily fulfill the requirements of DORA. To the extent DORA does not contain a provision, NIS2 obligations may still apply. For companies outside the financial sector, NIS2 remains the primary instrument for securing network and information security.

Frequently Asked Questions

Each question is closed. Tap to reveal the answer.

Is there a transition period for the implementation of NIS2?

No. The requirements apply directly in Germany since December 2025. There is no transition period; the obligations are binding from this point onward.

What are the maximum fines for essential entities?

Up to 10 million euros or up to two percent of the global annual revenue of the preceding financial year. The higher of the two amounts applies.

When does registration with the BSI start?

The BSI portal for registration has been available since January 2026. Affected entities must register there as soon as their obligations apply.

What company size makes an enterprise subject to NIS2?

From 50 employees or 10 million euros in annual revenue, provided the company operates in one of the 18 regulated sectors. For individual critical services, smaller entities may also be covered.

How does NIS2 differ from DORA?

DORA is a directly applicable regulation only for the financial sector; NIS2 is a directive for 18 sectors that is implemented through national law. In the financial sector, DORA takes precedence as the more specific provision.

Editor’s Reading Recommendations

Recommended ReadingFive Budget Items That Need to Come Before SIEMRecommended ReadingWhat Management Must Document Under NIS2Recommended ReadingDORA in Operation: What Supervisors Want to See

More from the MBF Media Network

cloudmagazinKRITIS in the Cloud: What Secures the MigrationMyBusinessFutureAI Oversight in Germany Now Has an AddressDigital ChiefsAI Writes the Code. Who Is Liable?

Further reading

A magazine by Evernine Media GmbH