Compliance · Deadline Passed

NIS2 Is Here.
Is Your Company Ready?

Around 29,500 German companies are affected by the new EU cybersecurity directive — many don't know it yet. The registration deadline expired on March 6, 2026, and the obligations have been in force since December 2025 with no transition period.

Mikail Sünger
Managing Director & Technical Lead · April 9, 2026 · 10 min read

TL;DR — The essentials in 30 seconds

  • The NIS2 Implementation Act has been in force since December 6, 2025 — with no transition period. Registration with the BSI was mandatory by March 6, 2026.
  • Around 29,500 German companies in 18 sectors are affected: from 50 employees or €10 million annual revenue.
  • 10 specific obligations from § 30 BSIG: from risk analysis to incident response to MFA and cryptography.
  • Fines: up to €10 million or 2% of annual revenue. Managing directors are personally liable with their private assets.
  • Even companies not directly affected are exposed through the supply chain — NIS2 customers demand proof from suppliers.

The key figures

  • 29,500: German companies are affected by NIS2
  • 18: sectors fall under the directive
  • €10 Mio: maximum fine (or 2% of annual revenue)
  • 24 h: deadline for early warning to the BSI after incidents

On December 6, 2025, the German NIS2 Implementation Act (NIS2UmsuCG) entered into force — over a year after the originally EU-wide binding deadline. Since then, companies in 18 sectors are obligated to maintain minimum cybersecurity standards, report incidents within 24 hours, and register with the BSI.

The registration deadline ended on March 6, 2026. Estimates suggest that at that point, more than half of affected companies had not even checked whether they fall under the regulation. The problem: there is no grace period. The technical and organizational obligations apply since entry into force — violators risk fines in the tens of millions and personal liability of the management board.

Why NIS2 hits mid-sized companies

The original NIS Directive from 2016 only regulated “critical infrastructure operators” — essentially energy suppliers, banks, and hospitals. NIS2 massively expands the scope: fundamentally, any company with at least 50 employees or €10 million annual revenue operating in one of the 18 sectors is affected.

That sounds narrow at first — but it includes machinery manufacturers, food producers, chemical companies, IT service providers, logistics companies, and many more. Even those not directly affected will feel it through the supply chain: NIS2-obligated companies must assess the security of their suppliers and service providers. Those who cannot provide this proof lose contracts.

The Quick Check

Are you affected by NIS2?

Select your sector and adjust employee count and revenue. The result appears in real time.

[Interactive quick check: a sector selector plus two sliders. Employees: 1 to 500+, with marks at 50 (threshold) and 250 (stricter), default 75. Annual revenue: €1 Mio to €100 Mio+, with marks at €10 Mio (threshold) and €50 Mio (stricter), default €15 Mio. The widget shows no result until a sector is selected.]

For orientation only — not legal advice

18 Sectors

Who NIS2 covers

NIS2 divides companies into two categories: Annex I are essential entities (more strictly regulated), Annex II are important entities.

  • Energy (Annex I): Electricity, oil, gas, hydrogen, district heating
  • Transport (Annex I): Air, rail, water, road
  • Banking (Annex I): Credit institutions
  • Financial Markets (Annex I): Financial market infrastructures
  • Healthcare (Annex I): Hospitals, laboratories, pharma
  • Drinking Water (Annex I): Supply & distribution
  • Wastewater (Annex I): Municipal disposal
  • Digital Infrastructure (Annex I): DNS, cloud, data centers, CDN
  • ICT Service Providers (Annex I): Managed services (B2B)
  • Public Administration (Annex I): Federal, state, municipal
  • Space (Annex I): Ground infrastructure
  • Postal & Courier Services (Annex II): Logistics & delivery
  • Waste Management (Annex II): Collection, recycling
  • Chemicals (Annex II): Production & trade
  • Food (Annex II): Production & distribution
  • Manufacturing (Annex II): Medical, electronics, machinery, vehicles
  • Digital Services (Annex II): Marketplaces, search engines, social networks
  • Research (Annex II): Research institutions

The 10 minimum obligations from § 30 BSIG

NIS2 prescribes not only the “what” but also the “how.” The German BSIG (§ 30) lists ten risk management measures that every affected company must implement — regardless of size. The benchmark is the state of the art.

The 10 Minimum Obligations

What NIS2 requires from you

§ 30 BSIG mandates ten specific risk management measures. Not “nice to have” — each obligation must be documented and verifiable.

1. Risk Analysis & Security Concept: Structured identification and assessment of risks to your information systems.
2. Incident Response: Processes and teams for handling security incidents — incl. the 24h/72h reporting obligation.
3. Business Continuity: Backup management, disaster recovery, and crisis management.
4. Supply Chain Security: Assessment and securing of all service providers and suppliers.
5. Secure Development & Maintenance: Security in acquisition, development, and maintenance of IT systems.
6. Effectiveness Testing: Regular assessment of whether measures actually protect.
7. Cyber Hygiene & Training: Mandatory training for all employees — not just IT.
8. Cryptography: Encryption of data at rest and in transit.
9. Access & Asset Management: Personnel security, access controls, inventory management.
10. MFA & Emergency Communication: Multi-factor authentication and secured communication channels.

The new reporting chain: 24 / 72 / 1 month

One of the most impactful changes is the three-stage reporting obligation for significant security incidents:

  • Within 24 hours — an early warning to the BSI with initial information about the incident.
  • Within 72 hours — a more comprehensive incident report with damage assessment.
  • Within one month — the final report with root cause, consequences, and measures taken.

These deadlines are non-negotiable. Failure to meet them is treated as if no report was filed at all — with full fine consequences.

Personal liability of the management board

NIS2 no longer addresses just the company, but directly the management. Managing directors and board members are personally responsible for ensuring risk management measures are implemented and monitored. They must complete mandatory cybersecurity training — and are liable for violations with their personal assets. Delegation to the IT department does not protect them.

Fine Calculator

What a violation can cost you

NIS2 has two fine tiers. The higher value of fixed amount and revenue percentage applies.

[Interactive fine calculator: an annual-revenue slider from €1 Mio to €2 Bn (marks at €500 Mio and €1 Bn), default €20 Mio. At the default it displays a maximum fine of €10 Mio: the higher value of €10 Mio and 2% of annual revenue. Additionally: personal liability of the management board.]
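The two calculators on this page (the affected-status quick check and the fine calculator) reduce to a small set of rules, and it is useful to have them in a form you can run against your own figures and keep with the documented affected-status assessment. The following is an added example, not the page's own code or the author's tool. It takes the sector-to-annex mapping and the 50-employee / €10 Mio thresholds from the page. Two things are assumptions and are marked as such in the code: the quick check's "stricter" marks at 250 employees and €50 Mio are read as the large-enterprise threshold that makes an Annex I entity "essential" rather than "important" (the page itself only says Annex I = essential, Annex II = important), and the fine cap implements the single tier the page shows (higher of €10 Mio and 2% of revenue); the page mentions a second tier but gives no figures for it, so none are added here. The sample inputs in the test are constructed.

```python
"""Affected-status and fine-cap check modelled on the page's two calculators.

Added example; not the page's or the author's code. Thresholds and the
sector list are taken from the page; assumptions are marked inline.
"""
from enum import Enum

# Sector -> annex number, exactly as the page's "18 Sectors" list gives it.
SECTOR_ANNEX = {
    "Energy": 1, "Transport": 1, "Banking": 1, "Financial Markets": 1,
    "Healthcare": 1, "Drinking Water": 1, "Wastewater": 1,
    "Digital Infrastructure": 1, "ICT Service Providers": 1,
    "Public Administration": 1, "Space": 1,
    "Postal & Courier Services": 2, "Waste Management": 2, "Chemicals": 2,
    "Food": 2, "Manufacturing": 2, "Digital Services": 2, "Research": 2,
}

# Scope thresholds from the page: affected from 50 employees OR EUR 10 Mio revenue.
MIN_EMPLOYEES = 50
MIN_REVENUE_EUR = 10_000_000

# ASSUMPTION: the quick check's "stricter" marks (250 employees / EUR 50 Mio)
# are interpreted as the large-enterprise threshold that turns an Annex I
# entity from "important" into "essential". The page does not state this rule.
LARGE_EMPLOYEES = 250
LARGE_REVENUE_EUR = 50_000_000

# Fine tier shown on the page: higher value of EUR 10 Mio and 2 % of revenue.
FINE_FIXED_EUR = 10_000_000
FINE_REVENUE_SHARE = 0.02


class Status(Enum):
    NOT_AFFECTED = "not affected"
    IMPORTANT = "important entity (Annex I/II, medium size)"
    ESSENTIAL = "essential entity (Annex I, large)"


def classify(sector: str, employees: int, revenue_eur: float) -> Status:
    """Apply the page's scope rule, then the (assumed) size-based split.

    Raises ValueError for a sector outside the 18 listed ones, so that a
    typo in a sector name is never silently reported as "not affected".
    """
    if sector not in SECTOR_ANNEX:
        raise ValueError(f"unknown sector: {sector!r}")
    if employees < MIN_EMPLOYEES and revenue_eur < MIN_REVENUE_EUR:
        return Status.NOT_AFFECTED
    is_large = employees >= LARGE_EMPLOYEES or revenue_eur >= LARGE_REVENUE_EUR
    if SECTOR_ANNEX[sector] == 1 and is_large:
        return Status.ESSENTIAL
    return Status.IMPORTANT


def max_fine_eur(status: Status, revenue_eur: float) -> int:
    """Fine cap as displayed by the page's calculator.

    The page states the higher of the fixed amount and the revenue
    percentage applies; entities outside the scope get no NIS2 fine cap.
    """
    if status is Status.NOT_AFFECTED:
        return 0
    return int(max(FINE_FIXED_EUR, FINE_REVENUE_SHARE * revenue_eur))


def assessment(sector: str, employees: int, revenue_eur: float) -> dict:
    """One record per assessed entity, suitable for the written affected-status file."""
    status = classify(sector, employees, revenue_eur)
    return {
        "sector": sector,
        "annex": SECTOR_ANNEX[sector],
        "employees": employees,
        "revenue_eur": revenue_eur,
        "status": status.value,
        "max_fine_eur": max_fine_eur(status, revenue_eur),
    }


if __name__ == "__main__":
    # Constructed sample: the quick check's default values (75 employees, EUR 15 Mio).
    for sector in ("Manufacturing", "Energy", "Research"):
        print(assessment(sector, 75, 15_000_000))
```

The scope test uses "or" deliberately: a company that is below 50 employees but at or above €10 Mio revenue is still in scope, which is the case the page's quick check is designed to surface. Record the inputs alongside the result; the page's step 1 ("documented") is about being able to show later which figures the assessment was based on.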

What you should do now

The bad news first: a NIS2 program is not a weekend project. The good news: you are not the only one running late — and the BSI has signaled that companies demonstrably taking action will be treated differently from those ignoring the topic.

1. Clarify your affected status — documented

Have it formally assessed whether and how you are affected. The assessment must be documented in writing — in an audit, this is the first proof that you have engaged with the topic.

2. Complete BSI registration

The BSI registration portal remains accessible. A late registration is better than none. Being affected and not registered is a separate regulatory offense.

3. Gap analysis against the 10 obligations

Compare your current state against the ten obligations from § 30 BSIG. For most mid-sized companies, gaps emerge in supply chain security, incident response, cryptography, and access management.

4. Implement quick wins

Multi-factor authentication (MFA), a structured backup concept, and documented incident response processes can be implemented with limited effort and cover multiple obligations simultaneously. Companies using Microsoft 365 can achieve significant progress in just a few days with Conditional Access, Defender for Business, and Intune.

5. Document, document, document

NIS2 is an accountability obligation. Measures that are not documented do not exist from the BSI's perspective. Policies, processes, training records, test results — everything must be retained and producible on request.

Conclusion: Delay is no longer an option

The deadline has passed, obligations are active, fines are real. Those who wait now risk not only compliance but also contracts: large companies and public-sector clients are already beginning to require NIS2 conformity as a qualification criterion for suppliers. The good news: the required measures are nothing more than solid modern IT security — something your company benefits from regardless. NIS2 is the reason to finally get it done.

As a Managed Service Provider, we guide SMBs through NIS2 implementation: from the affected-status analysis to the gap analysis to the technical implementation of measures in your Microsoft 365 and Azure environment. We document every step in an audit-ready manner.

Check your NIS2 readiness in 30 minutes

Free initial consultation — we clarify affected status, gaps, and next steps.