NIS2 Directive – Fact sheet for medium-sized companies

  August 1, 2025

The Federal Office for Information Security (BSI) estimates that the "Directive on the Security of Network and Information Systems" (NIS2) places around 29,000 companies in Germany under statutory cybersecurity obligations for the first time. These are classified as "important" and "essential" entities and are added to the already regulated 1,000 companies of critical infrastructure. The number of regulated companies thus increases from 1,000 to 30,000 – an expansion by a factor of 30.

The problem – Many medium-sized companies do not yet know their new obligations. NIS2 extends the cybersecurity requirements from critical infrastructure to large parts of the economy. Checking whether one is affected is complex due to references to other laws. Even for legal specialists, clear distinctions are not always easy to make.

The BSI provides general information but does not advise on individual cases. Companies must check themselves whether they are affected.

This article shows you what you need to know for your NIS2 compliance.

What is NIS2? – The purpose

Due to increasing cyberattacks, the EU has created a directive with NIS2 that is intended to harmonize and improve the cybersecurity level in the Union.

The standard pursues concrete objectives: containing threats to network and information systems and ensuring the continuity of essential services in the event of security incidents. This is intended to contribute to the "security of the Union and the smooth functioning of the economy."

NIS2 replaces the predecessor directive NIS, which had introduced binding cybersecurity requirements for critical infrastructures. According to the authorities' assessment, NIS was successful and led to measurable improvements in cybersecurity. One point of criticism, however, was that regulated companies would have liked more flexibility in choosing their security measures.

Implementation into German law should have been completed by October 17, 2024. However, the German NIS2 Act was not passed by the previous Bundestag due to the shorter legislative period.

NIS2 scope of application – Am I affected?

The central question for medium-sized companies is: Am I affected? NIS2 applies to your company if you meet three criteria:

1. You offer your services in the EU or conduct your activities here

For German companies, this is generally the case. In international group structures, the distinction may become relevant.

2. You operate in one of the regulated economic sectors

This is where it gets complex. The definitions are broadly worded, and the law refers to annexes and other EU regulations.

Affected sectors (selection):

  • Energy (electricity, district heating, oil, gas, hydrogen)

  • Transport (road, rail, air, water)

  • Banking and financial market infrastructure

  • Healthcare

  • Water (drinking and wastewater)

  • Digital infrastructure (cloud computing, data centers)

  • ICT service providers (managed security services)

  • Postal and courier services

  • Chemical industry

  • Food industry

  • Manufacturing (mechanical and vehicle engineering, electrical equipment)

  • Digital services (online marketplaces)

  • Research institutions

The scope of application has been significantly expanded and no longer covers only critical infrastructures.

3. Your company exceeds the minimum size thresholds

The thresholds are intended to protect small businesses. A medical practice, for example, falls within a regulated sector but is excluded because of its size. Large group practices, however, may be affected.

NIS2 refers to another EU standard for the thresholds. Companies that are classified as medium-sized enterprises or larger are affected:

  • More than 50 employees

  • Annual revenue over 10 million euros

Important – In corporate groups and joint ventures, the data of affiliated companies may be aggregated.

What must I do? – The most important content

The requirements focus on cybersecurity risk management. NIS2 distinguishes between "important" and "essential" entities. The classification depends on the economic sector, but can also be made by the member states.

Cybersecurity becomes a management matter

Management must approve and oversee the cybersecurity risk management measures. It bears direct responsibility and must regularly participate in training on risks and risk management practices.

Security measures

The NIS2 Directive requires "appropriate and proportionate" measures to manage cybersecurity risks. The goal is to minimize or completely avoid the impacts of security incidents.

Measures are needed to prevent cybersecurity incidents and to limit damage. The specific measures depend on the respective risk. There is as yet no clearly defined certification for NIS2 compliance. The BSI mentions BSI-Grundschutz and security certifications such as ISO 27001 as good starting points; however, these are not mandatory.

For incident management, incident response plans and advance training, for example through tabletop exercises, are recommended.

Reporting and notification obligations

  • Significant security incidents must be reported to the authority without delay

  • Customers may also need to be notified

  • Tight deadlines: Initial notification within 24 hours, update within 72 hours

Further obligations

  • Authority orders: Supervisory authorities can require the use of specific ICT products (currently hardly practically relevant)

  • Registration: Mandatory (initial) registration as an entity, changes must be communicated

  • Availability: Communication channels for the authority must always be available

  • Information exchange: When participating in information exchange on cybersecurity risks with other companies

Supervisory authorities and their powers

The BSI will be the competent supervisory authority. It emphasizes an approach of cooperation and counseling; particularly at the beginning, the focus is on education. At the same time, the BSI has extensive powers, including on-site inspections for essential entities.

In the event of security incidents involving personal data, the BSI cooperates with the data protection authorities.

What are the consequences of violations? – The risks

Sanction measures

The authorities can impose various measures: warnings, instructions to perform or refrain from certain behaviors, instructions to publish violations, and fines. For essential entities, operational bans or temporary activity prohibitions for management bodies are even possible until the deficiencies are remedied.

Fines

  • Essential entities: Up to 10 million euros or 2% of worldwide annual revenue

  • Important entities: Up to 7 million euros or 1.4% of worldwide annual revenue

  • Additionally: Coercive fines up to 100,000 euros possible

  • Relationship to GDPR: GDPR fines take precedence. No additional NIS2 fine will be imposed for the same behavior, but other regulatory measures remain possible.

Personal liability of management

According to the current draft of the German law, this is a matter of corporate liability. This is a relief for management bodies insofar as they may be able to invoke the Business Judgment Rule under certain circumstances.

Public warnings

According to the German draft law, the BSI can issue warnings to the public.

Practical risks

In addition to legal sanctions, reputational damage and disruptions to business operations are potential risks.

NIS2 in Germany – Next steps & timeline

On July 25, 2025, a government draft was adopted. The law is in the legislative process but has not yet been finalized. Changes are still possible. Due to the implementation deadline that has already passed, we expect that the law will become applicable very quickly after it enters into force – either with short implementation periods or without a transition period. This was also the case in other EU countries. The argument: The essential content corresponds to the NIS2 Directive that has been known for some time.

Recommended immediate actions

1. Check applicability:

  • Initial review: If not yet done or unclear

  • Re-review: Required if your business has grown in staff since the last NIS2 review or your business model has been expanded into a covered sector

2. Prepare compliance:

  • Designate responsible persons

  • Clarify management responsibility

  • Conduct inventory of information security

  • Establish continuous improvement

  • Prepare reporting obligations and warning system

Do you need help with one of these points?

Contact us for a free initial NIS2 meeting.

We develop with you a roadmap with the most important steps and create concepts, contracts and legal documentation so that you can focus on what pays off for you – your business.

Author

Tobias Stephan

Attorney | Managing Director
