What is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) is the European Union's updated cybersecurity legislation that came into force in January 2023. It significantly expands and strengthens the original NIS Directive of 2016, extending its scope to cover far more organizations and imposing much stricter requirements.
For businesses operating in Germany, NIS2 is implemented through the NIS2UmsuCG (NIS2 Implementation Act). This legislation brings substantial obligations — and significant penalties for non-compliance — to thousands of German companies that may not have previously considered themselves subject to cybersecurity regulation.
The bottom line: NIS2 applies to a broad range of German businesses, and non-compliance can result in fines of up to €10 million or 2% of global annual turnover. Senior management can be held personally liable.
Who Does NIS2 Apply To?
Essential Entities
Companies in highly critical sectors with more than 250 employees OR annual turnover exceeding €50 million:
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health sector (hospitals, pharmaceutical manufacturers)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDNs)
- Public administration
- Space
Important Entities
Companies with more than 50 employees OR annual turnover exceeding €10 million in:
- Postal and courier services
- Waste management
- Chemical industry
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital services (online marketplaces, search engines, social networks)
- Research institutions
The Supply Chain Factor
Even if your company doesn't directly fall into these categories, you may be affected indirectly. NIS2 explicitly requires covered organizations to assess and manage cybersecurity risks throughout their supply chain. This means that if you are a supplier or service provider to a covered entity, your customers will increasingly demand evidence of adequate cybersecurity practices.
Key NIS2 Requirements
1. Risk Management Measures
Organizations must implement appropriate and proportionate technical, operational and organizational measures to manage cybersecurity risks. This includes:
Policies and Procedures: - Information security policies - Risk management framework - Incident response procedures - Business continuity planning
Technical Measures: - Network and information system security - Access control and identity management (including multi-factor authentication) - Encryption of data in transit and at rest - Vulnerability management and patch cycles - Security monitoring and logging
Supply Chain Security: - Assessment of cybersecurity practices of direct suppliers - Contractual security requirements for vendors - Monitoring of third-party access to systems
2. Incident Reporting
NIS2 introduces strict incident reporting timelines for "significant incidents":
| Timeframe | Requirement |
|---|---|
| 24 hours | Early warning to BSI (German Federal Office for Information Security) |
| 72 hours | Incident notification with initial assessment |
| 1 month | Final report with detailed analysis and remediation measures |
A "significant incident" is defined as one that causes or could cause severe operational disruption or financial loss, or affects other persons by causing considerable material or non-material damage.
3. Management Accountability — The Personal Liability Rule
This is one of the most significant aspects of NIS2 for German businesses: senior management can be held personally liable for cybersecurity failures.
Management bodies must: - Approve cybersecurity risk management measures - Oversee their implementation - Undergo cybersecurity training (and ensure staff do as well)
If management fails in its oversight duties and a significant incident occurs, individual executives may face personal fines. This elevates cybersecurity from an IT issue to a board-level responsibility.
4. Registration with the BSI
Covered entities must register with the BSI (Bundesamt für Sicherheit in der Informationstechnik), providing: - Contact information - The sector they fall under - List of EU member states where they provide services
Practical Implementation: Getting Started
Step 1: Determine If You're Covered
Use this quick checklist:
- [ ] Does your company operate in one of the listed sectors?
- [ ] Do you meet the size thresholds (50+ employees or €10M+ turnover)?
- [ ] Are you a supplier to covered entities who may impose requirements on you?
If in doubt, err on the side of assuming coverage — the penalties for non-compliance are severe.
Step 2: Conduct a Gap Analysis
Compare your current security posture against NIS2 requirements:
Technical gaps typically found: - No multi-factor authentication on critical systems - Missing or inadequate patch management processes - No centralized log management or SIEM - Absent or outdated incident response plan - No dark web monitoring for compromised credentials
Run a free scan with Nullbreach to immediately identify if any company credentials have already been compromised and are circulating on the dark web.
Step 3: Prioritize and Implement
Focus first on high-impact, quick wins:
- Enable MFA everywhere — this single measure prevents the majority of credential-based attacks
- Set up dark web monitoring — know immediately when credentials are compromised
- Document an incident response plan — required under NIS2, valuable regardless
- Audit your email security — configure SPF, DKIM and DMARC correctly
- Inventory your critical systems — you can't protect what you can't see
Step 4: Build the Framework
For sustainable compliance, implement:
- Information Security Management System (ISMS) — ISO 27001 is well-aligned with NIS2 requirements
- Regular risk assessments — at least annually, and after significant changes
- Supplier security reviews — assess the top 10 suppliers with system access
- Employee training program — cybersecurity awareness at all levels
NIS2 and GDPR: The Interplay
Many German businesses are already subject to GDPR. NIS2 and GDPR are complementary but distinct:
| Aspect | GDPR | NIS2 |
|---|---|---|
| Focus | Personal data protection | Network and information system security |
| Scope | All organizations handling EU personal data | Specific sectors and size thresholds |
| Incident reporting | 72 hours to supervisory authority | 24/72 hours/1 month to BSI |
| Fines | Up to €20M or 4% global turnover | Up to €10M or 2% global turnover |
A strong GDPR compliance program provides a solid foundation for NIS2, but additional technical security measures are typically required.
Common Questions from German Businesses
"We already have ISO 27001 — are we NIS2 compliant?"
ISO 27001 certification is excellent and provides substantial overlap with NIS2 requirements, particularly around risk management and security controls. However, NIS2 has specific requirements — especially around incident reporting timelines, management liability, and supply chain security — that may require additional steps even for ISO 27001-certified organizations.
"Our main IT infrastructure is with a cloud provider — are we still responsible?"
Yes. NIS2 does not transfer responsibility to cloud providers. You remain responsible for ensuring adequate security of your information systems. Your cloud provider must be assessed as part of your supply chain security obligations.
"We're a foreign company operating in Germany — does NIS2 apply to us?"
NIS2 applies based on where services are provided, not just where the company is headquartered. If you provide services within the EU and meet the sector/size thresholds, NIS2 likely applies. Non-EU companies with significant EU operations should seek legal advice.
Penalties and Enforcement
The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the primary enforcement authority for NIS2 in Germany. Enforcement mechanisms include:
- Binding instructions to implement specific security measures
- Security audits and inspections
- Fines up to €10 million or 2% of global turnover for essential entities
- Personal liability for senior management in cases of gross negligence
- Temporary prohibition from exercising management functions
Enforcement began after the German implementation law came into force. Companies should treat this as an active compliance risk, not a distant theoretical concern.
The Business Case for NIS2 Compliance
Beyond avoiding fines, NIS2 compliance delivers genuine business value:
Risk reduction: The measures required by NIS2 address the most common attack vectors. Companies that implement them are measurably more resilient.
Competitive advantage: As NIS2 supply chain requirements cascade down, businesses with documented security practices will win contracts over those without.
Insurance: Many cyber insurance providers now require NIS2-aligned security practices for coverage. Non-compliance may void coverage when you need it most.
Trust: Customers and partners increasingly ask about security practices. Demonstrated NIS2 compliance is a credible signal of trustworthiness.
Where to Start Today
-
Verify coverage: Does your company fall under NIS2? Take 30 minutes to run the analysis.
-
Check your current exposure: Run a free Nullbreach scan to see if company credentials are already compromised.
-
Read the German checklist: Our German NIS2 Compliance Checklist provides a detailed implementation roadmap.
-
Engage management: Given the personal liability provisions, NIS2 compliance is a conversation that must happen at board level.
-
Get support: For companies without dedicated security expertise, external consultants or managed security services can accelerate the path to compliance.
This article provides general information only and does not constitute legal advice. For specific guidance on NIS2 obligations for your organization, consult a qualified lawyer or cybersecurity professional with expertise in German and EU law.