The NIS-2 Directive drastically expands cybersecurity obligations: around 30,000 companies in Germany are affected -- many do not yet know it. Learn which sectors are covered, what security requirements apply, how personal liability for directors works and how to prepare with a compliance roadmap.
Table of Contents
- NIS-2: The Cybersecurity Obligation That 30,000 Companies Don't Yet Know About
- What Is the NIS-2 Directive?
- Who Is Affected? Essential and Important Entities
  - The New Categorisation
  - Sector Coverage: The Dramatic Expansion
  - Determining Whether You Are Affected
- Security Requirements Under Art. 21
  - Ten Core Measures
  - Proportionality
- Reporting Obligations Under Art. 23: Tight Deadlines
- Director Liability: Personal Responsibility
  - The NIS-2 Innovation
  - Scope of Liability
- Penalties: Up to EUR 10 Million or 2% of Turnover
  - Fine Levels
  - Further Supervisory Measures
- Relationship to Previous KRITIS Regulation
  - Continuity and Expansion
  - Registration Requirement
- Practical Compliance Roadmap
  - Step 1: Scope Assessment
  - Step 2: Gap Analysis
  - Step 3: Implement Risk Management
  - Step 4: Build Incident Response Capability
  - Step 5: Engage Management
  - Step 6: Registration and Documentation
- Conclusion
NIS-2: The Cybersecurity Obligation That 30,000 Companies Don't Yet Know About
Since 6 December 2025, Germany's NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been in force. It transposes the European Directive (EU) 2022/2555 (NIS-2 Directive) into national law and drastically extends cybersecurity obligations for businesses. While the previous KRITIS regime covered only around 4,500 operators of critical infrastructure, the new framework captures approximately 30,000 companies and federal institutions. Many of them are not yet aware of this -- because the authorities do not proactively notify affected companies. Those who fail to check their own status risk severe fines and personal liability for their management.
What Is the NIS-2 Directive?
The NIS-2 Directive succeeds the original NIS Directive of 2016. Its objective is to achieve a high common level of cybersecurity across the entire European Union. Compared with its predecessor, NIS-2 substantially broadens the scope, tightens security requirements and introduces a uniform sanctions regime. The European Union Agency for Cybersecurity (ENISA) supports Member States with technical guidelines and implementation guidance.
Who Is Affected? Essential and Important Entities
The New Categorisation
NIS-2 divides affected entities into two categories:
Essential Entities:
- Companies with at least 250 employees or more than EUR 50 million annual turnover in critical sectors
- Regardless of size: qualified trust service providers, TLD registries, DNS service providers, telecommunications providers
- KRITIS operators under the previous regulation
Important Entities:
- Medium-sized companies (50 to 249 employees or EUR 10 to 50 million annual turnover) in the covered sectors
- Trust service providers and certain domain registration services
Sector Coverage: The Dramatic Expansion
The NIS-2 Directive covers 18 sectors -- considerably more than the previous KRITIS regulation under Section 8a of the BSIG, which was limited to eight sectors. Sectors of high criticality include: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructures, ICT service management, public administration and space. Additional covered sectors include: postal and courier services, waste management, chemicals, food, manufacturing, providers of digital services and research.
Particularly relevant for mid-sized businesses: companies in the manufacturing sector -- such as mechanical engineering, vehicle manufacturing and electrical engineering -- are subject to cybersecurity obligations for the first time, provided they exceed the thresholds.
Determining Whether You Are Affected
The BSI offers an online self-assessment tool with which companies can determine in a few steps whether they fall under the new regulation. Every company should carry out this assessment promptly.
Security Requirements Under Art. 21
Ten Core Measures
Art. 21 of the NIS-2 Directive and the corresponding provisions of the amended BSIG require affected entities to adopt an all-hazards approach to risk management. The ten mandatory areas of measures are:
- Risk analysis and security policies for network and information systems
- Incident handling (incident response)
- Business continuity -- backup management, disaster recovery, crisis management
- Supply chain security including relationships with suppliers and service providers
- Security in the acquisition, development and maintenance of network and information systems
- Assessment of the effectiveness of risk management measures
- Basic cyber hygiene and cybersecurity training
- Cryptography and encryption -- policies and procedures
- Human resources security, access control and asset management
- Multi-factor authentication or continuous authentication, secured communications
Proportionality
Measures must be proportionate to the risk. Factors to be considered include the size of the entity, the likelihood and severity of security incidents, societal and economic impacts, and the state of the art. SMEs are not required to achieve the same security level as large corporations -- but they must demonstrably implement appropriate measures.
Reporting Obligations Under Art. 23: Tight Deadlines
Reporting obligations for significant security incidents are strictly tiered and leave little room for delay:
- 24 hours: Early warning to the BSI with an initial assessment of the incident
- 72 hours: Detailed notification with assessment of the incident, severity and impact
- 1 month: Final report with a detailed description, root cause analysis and measures taken
A security incident is deemed significant if it causes or is capable of causing severe operational disruptions or financial losses, or if it adversely affects other natural or legal persons through substantial material or non-material damage.
Practical note: The 24-hour deadline starts from the moment the entity becomes aware of the incident. Companies therefore need functioning detection systems and a well-rehearsed incident response process to meet this deadline. Speed takes precedence over completeness -- an initial report must be filed even when not all details are known.
Director Liability: Personal Responsibility
The NIS-2 Innovation
One of the most far-reaching aspects of the NIS-2 transposition is the personal liability of management. Executive bodies -- managing directors of a GmbH, board members of an AG or personally liable partners -- must:
- Approve the risk management measures under Art. 21 and oversee their implementation
- Participate in cybersecurity training and offer such training to employees
- Bear personal liability for breaches of these duties
Scope of Liability
Management is liable under the applicable corporate law rules. Crucially, the company's waiver of claims against management is excluded. Likewise, a settlement of such claims is only possible under narrow conditions -- namely where management is insolvent and to protect creditors. NIS-2 thus goes significantly beyond established corporate law practice.
Penalties: Up to EUR 10 Million or 2% of Turnover
Fine Levels
The sanctions regime mirrors the GDPR approach:
For essential entities:
- Fines up to EUR 10 million or 2% of global annual turnover (whichever is higher)
For important entities:
- Fines up to EUR 7 million or 1.4% of global annual turnover
Further Supervisory Measures
Besides fines, supervisory authorities have additional tools at their disposal:
- Orders to implement specific measures
- Security audits and on-site inspections
- Public warnings (naming and shaming)
- For essential entities: temporary suspension of management functions for the responsible persons
Relationship to Previous KRITIS Regulation
Continuity and Expansion
Companies already regulated as KRITIS operators under Section 8a of the BSIG will not have to start from scratch. The existing requirements -- particularly the obligation to implement appropriate technical and organisational measures and to provide evidence every two years -- form a solid foundation. However, additional duties apply: expanded reporting obligations, registration with the BSI and explicit management responsibility.
Registration Requirement
All affected entities were required to register in the BSI portal by 6 March 2026. An ELSTER organisation certificate is needed for registration. Those who missed the deadline should complete registration immediately to minimise the risk of sanctions.
Practical Compliance Roadmap
Step 1: Scope Assessment
Determine whether your company qualifies as an essential or important entity based on company size (number of employees, annual turnover, annual balance sheet total) and sector. Use the BSI self-assessment tool.
Step 2: Gap Analysis
Compare your current information security level with the requirements of Art. 21. Identify gaps across the ten areas of measures. Companies with an existing ISMS to ISO 27001 or BSI IT-Grundschutz have an advantage here.
Step 3: Implement Risk Management
Establish an all-hazards risk management process. Systematically document risks, measures and their effectiveness. Explicitly include the supply chain in the risk assessment.
Step 4: Build Incident Response Capability
Develop an incident response plan that ensures compliance with the 24-hour early warning deadline. Test the plan regularly through tabletop exercises and simulated incidents.
Step 5: Engage Management
Ensure that management understands and fulfils its approval and oversight duties. Document participation in cybersecurity training. Embed cybersecurity as a standing agenda item at board level.
Step 6: Registration and Documentation
Register in the BSI portal, designate a 24/7 reachable contact point and document all measures comprehensively -- the burden of proof lies with you.
Conclusion
The NIS-2 Directive and the NIS2UmsuCG mark a paradigm shift in German cybersecurity regulation. The expansion to around 30,000 companies, personal management liability and severe sanctions make it clear: cybersecurity is no longer an IT matter -- it is a boardroom issue. Companies that fail to act now expose themselves to substantial legal and financial risks. Those who build a robust compliance structure early, on the other hand, not only protect themselves against sanctions but also strengthen their resilience against the ever-growing threat landscape.
At compleneo, we support you with NIS-2 scope assessments, the implementation of a legally compliant cybersecurity compliance programme and advice on director liability. Get in touch with us.