As a business owner in Germany, you may have already heard about the NIS2 directive. Not yet? Do you run a company with more than 50 employees? Yes? Then you should take the next five minutes to read this blog.
What is NIS2?
The Network and Information Security Directive 2 (NIS2) is a new EU-wide regulation aimed at improving cybersecurity across Europe. It replaces the original NIS directive and significantly expands its scope by including more sectors and introducing stricter cybersecurity requirements.
Similar to how the GDPR governs personal data, NIS2 ensures that essential services and critical infrastructure are better protected against growing cyber threats. While the GDPR applies to all companies dealing with customer data, NIS2 specifically targets companies that provide important or essential services – with the goal of securing their digital systems and infrastructure.
Germany – like all other EU member states – is required to implement NIS2. If your company falls within its scope, it's crucial to understand and comply with the directive. Non-compliance can result in fines of up to 10 million euros or 2% of the company's global annual turnover.
Does your company have to comply with NIS2?
With its expanded scope, NIS2 will soon affect around 30,000 organizations in Germany (source). In particular, the directive applies to medium and large companies (50+ employees or over €10 million annual revenue) in the following 18 sectors:
Essential sectors (NIS 2, Annex I):
- Energy (electricity, oil, gas, district heating/cooling, hydrogen)
- Transport (air, rail, water, road)
- Banks
- Financial market infrastructure
- Healthcare
- Drinking water supply
- Wastewater treatment
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
Important sectors (NIS 2, Annex II):
- Postal and courier services
- Waste management
- Manufacturing, production, and distribution of chemicals
- Food production, processing, and distribution
- Manufacturing industry
- Digital service providers
- Research
Certain organizations – regardless of size – must comply with NIS2 if they are the sole provider of a critical service in Germany.
What many overlook: service providers and suppliers to affected companies can also fall under NIS2 indirectly. Even if your company isn't directly subject to the directive, your clients may require you to meet comparable cybersecurity standards to ensure their own compliance. In other words: no matter where you are in the supply chain, preparing for NIS2 is not just a nice-to-have – it's a strategic advantage for retaining or winning customers in regulated industries.
When does NIS2 take effect?
Germany missed the original October 2024 deadline for implementing NIS2 into national law. The timeline remains uncertain – some expect spring 2025. Regardless of the exact date, companies should start preparing now. Regulatory frameworks can come into effect quickly, and the penalties for non-compliance are too severe to wait until the last minute.
Key Requirements of NIS2
NIS2 focuses on four main areas that every affected company must implement:
- Risk Management: Companies must regularly conduct cybersecurity risk analyses and implement security policies. Processes for vulnerability management, access control, and continuous monitoring are essential.
- Strict Reporting Obligations: Companies in Germany subject to NIS2 must report security incidents to the BSI within 24 hours of detection – with a detailed report within 72 hours.
- Supply Chain Security: While the original NIS directive focused on the security of internal systems, NIS2 requires risk assessment and mitigation for third parties – such as cloud providers, SaaS tools, or IT service providers. Companies are therefore responsible not only for their own cybersecurity but also for ensuring their service providers meet high security standards.
- Accountability: Management must approve and oversee cybersecurity risk management – and can be held personally liable in cases of gross negligence.
How to Prepare
Here are a few recommended actions from me:
For companies under NIS2:
- Conduct a gap analysis: Identify where your current security measures fall short.
- Implement an ISMS: ISO 27001 or a comparable standard.
- Revise security policies: Define clear processes for incident reporting.
- Train employees: Provide regular training on cybersecurity awareness and secure software development.
For service providers/suppliers to NIS2 companies:
- Obtain or maintain certifications: ISO 27001 is common.
- Conduct risk assessments: Identify vulnerabilities, especially in IAM and data protection.
- Implement an incident response protocol: Be able to notify clients immediately in case of a security incident.
Need Support?
Preparing for NIS2 compliance can feel overwhelming – but it doesn't have to be. I'm happy to support you in taking the first steps: from a solid gap analysis to a detailed action plan. And if you're a software or IT service provider, I also offer training in secure software development and secure coding best practices – so your team can confidently meet your NIS2 clients' requirements.
Contact Me!
Even if your business isn't directly affected by NIS2, strong cybersecurity is no longer optional. Cyberattacks are a growing risk for companies of all sizes – and proactive protection is the best defense. If you're a small or medium-sized business, you can book a tailored cybersecurity assessment with me to identify critical risks and boost your resilience.
Check out my service here
FAQ
NIS2 focuses on protecting networks and information systems from attacks and failures and ensuring the security of critical services.
GDPR focuses on protecting the privacy and security of personal data and ensures that data is used lawfully and fairly.
- IT security and cyber defense: Companies must implement stricter technical and organizational security measures to protect their networks and systems.
- Risk management: Companies are expected to systematically identify, assess, and minimize cyber risks.
- Reporting obligations: Companies must promptly report security incidents and cyberattacks to the competent authorities.
- Supply chain management: Companies must also consider security requirements for their suppliers and partners.
- Governance and compliance: Clear responsibilities and processes must be established to comply with NIS2 rules.
- Training and awareness: Employees must be regularly trained on cybersecurity topics to increase security awareness.
ISMS stands for Information Security Management System.
It forms the basis for international standards such as ISO/IEC 27001.
An ISMS is a systematic approach to:
- Identify security risks to information,
- Define appropriate protection measures,
- And ensure the confidentiality, integrity, and availability of data on an ongoing basis.
It is not a technical solution but a comprehensive management system involving people, processes, and technologies.
ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Its main purpose is to help organizations systematically and effectively manage the security of their information assets and protect them from threats such as data breaches, cyberattacks, or accidental data loss.
Important points about ISO 27001:
- It provides a risk-based approach to information security.
- Organizations certified under ISO 27001 demonstrate that they follow best practices to protect sensitive data.
- The certification is recognized worldwide and is often required by customers or partners to ensure data protection.
- It covers the people, processes, and IT systems involved in managing information security.
IAM stands for Identity and Access Management.
IAM is a system of technologies and processes that serves to:
- Uniquely identify users,
- Manage and control access rights.
It ensures that only authorized persons or systems can access certain data, services, or resources.
What does IAM include?
- Identity Management: Management of users' digital identities
- Authentication: Verification of "Are you really who you claim to be?" (e.g., password, 2FA)
- Authorization: Decision of "What are you allowed to access?"
- Logging & Auditing: Traceability of accesses and activities
Why is IAM important?
- Protection against unauthorized access
- Compliance with legal requirements (e.g., GDPR, NIS2)
- Security in cloud and remote environments
- Reduced risk from human error or misuse of privileges
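To make the four IAM building blocks above concrete, here is a small added example (not code from the original post) that wires them together in one place: identity records with salted password hashes, a second factor in the style of RFC 6238 time-based one-time codes, role-based authorization, and an audit log entry for every authentication and authorization decision. The roles, permissions, user name and secrets are constructed for the demo and are not taken from any real system; a production deployment would keep identities in a directory service and the audit log in tamper-evident storage.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed role model for the demo: each role maps to a set of permissions.
# Least privilege: a user gets only the permissions of the roles assigned to them.
ROLES = {
    "reader": {"reports:read"},
    "operator": {"reports:read", "incidents:write"},
    "admin": {"reports:read", "incidents:write", "users:manage"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code in the style of RFC 6238 (HMAC-SHA1 over the time counter)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    roles: set


@dataclass
class IAM:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, user: str, **details) -> None:
        # Logging & auditing: every decision is recorded with who, what and the outcome.
        self.audit_log.append({"ts": int(time.time()), "event": event, "user": user, **details})

    def register(self, name: str, password: str, totp_secret: bytes, roles) -> None:
        # Identity management: only the salted hash of the password is stored, never the password.
        salt, pw_hash = hash_password(password)
        self.users[name] = User(name, salt, pw_hash, totp_secret, set(roles))

    def authenticate(self, name: str, password: str, otp: str, now: Optional[int] = None) -> bool:
        """Authentication: password plus a second factor; both are compared in constant time."""
        now = int(time.time()) if now is None else now
        user = self.users.get(name)
        if user is None:
            # Run the expensive hash anyway so an unknown user takes as long as a wrong password
            # (limits user enumeration via response timing).
            hash_password(password)
            self._log("auth", name, success=False, reason="unknown user")
            return False
        pw_ok = hmac.compare_digest(hash_password(password, user.salt)[1], user.pw_hash)
        otp_ok = hmac.compare_digest(otp.encode("utf-8"), totp(user.totp_secret, now).encode("utf-8"))
        success = pw_ok and otp_ok
        self._log("auth", name, success=success)
        return success

    def authorize(self, name: str, permission: str) -> bool:
        """Authorization: the permission must be granted by one of the user's roles."""
        user = self.users.get(name)
        granted = set()
        if user is not None:
            for role in user.roles:
                granted |= ROLES.get(role, set())
        allowed = permission in granted
        self._log("authz", name, permission=permission, allowed=allowed)
        return allowed


def demo(now: int = 1_700_000_000) -> list:
    """Walk one constructed user through login and two access decisions; returns the audit log."""
    iam = IAM()
    iam.register("alice", "correct horse battery staple", b"demo-totp-secret", ["operator"])
    iam.authenticate("alice", "correct horse battery staple", totp(b"demo-totp-secret", now), now)
    iam.authorize("alice", "incidents:write")   # granted by the operator role
    iam.authorize("alice", "users:manage")      # admin-only, denied
    return iam.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit log is what makes the reporting obligation and the "traceability of accesses" requirement above workable: a denied `users:manage` request or a burst of failed logins is visible as structured events rather than having to be reconstructed after the fact.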
A gap analysis helps answer:
“Where are we now — and where do we want (or need) to be?”
In compliance, gap analysis is used to determine whether a company meets all legal requirements — or if there are still gaps.
For NIS2 (EU Directive on Network and Information Security):
The gap analysis checks if the company has already implemented the necessary technical and organizational measures, for example:
- Is there a functioning incident response process?
- Is supply chain security sufficiently considered?
- Are reporting obligations clearly regulated internally?
Goal: Create an action plan to improve in time and avoid fines.
For GDPR (General Data Protection Regulation):
The gap analysis helps to verify:
- Are valid consents for data processing in place?
- Has a data protection officer been appointed?
- Is there a process to report data breaches within 72 hours?
Goal: Avoid data breaches, build trust, and comply with legal requirements.