NIS2 expands cybersecurity obligations to thousands of German companies. Here's what changes, who is affected, and how to prepare.
The NIS2 directive (Network and Information Security Directive 2) is the EU's most significant cybersecurity legislation to date. It replaces the original NIS directive and dramatically expands the scope of organizations that must comply with mandatory cybersecurity requirements.
Germany has transposed NIS2 into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). This means concrete obligations, audits, and significant penalties for non-compliance.
NIS2 applies to "essential" and "important" entities across 18 sectors, including energy, transport, healthcare, digital infrastructure, ICT service management, public administration, and manufacturing. The classification depends on sector, company size, and criticality.
Crucially, many mid-sized companies (50+ employees or €10M+ annual revenue) that were previously unregulated now fall under NIS2. Estimates suggest 25,000–40,000 German organizations are affected — many of which are not yet aware.
NIS2 mandates a comprehensive set of cybersecurity risk management measures: risk assessments, incident response plans, supply chain security, business continuity management, encryption policies, access control, and regular security audits.
Organizations must report significant security incidents to the BSI (Federal Office for Information Security) within 24 hours of detection, with a full report within 72 hours. Management is personally liable for ensuring compliance.
Non-compliance carries significant financial penalties: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. The BSI has expanded supervisory and enforcement powers.
Perhaps more importantly, NIS2 introduces personal liability for management. Board members and executives can be held personally responsible if they fail to oversee and approve cybersecurity risk management measures.
Start with a gap analysis: assess your current cybersecurity posture against NIS2 requirements. Identify your external attack surface, evaluate your incident response capabilities, and review supply chain security.
Many organizations underestimate the technical requirements. Understanding what attackers can see — your exposed assets, breached credentials, and infrastructure weaknesses — is a critical first step. From there, build a prioritized remediation roadmap with clear timelines and responsibilities.
Get a comprehensive threat briefing for your organization — exposures, breached credentials, and actionable recommendations.