NIS 2: What the Law Requires – and Who Is Affected

Cybersecurity & Compliance —  Practical Insights

NIS 2 has been on the table for more than two years. The directive has been discussed, assessed, added to agendas – and in many organizations still not implemented. That is no surprise: regulatory requirements compete with day-to-day business, and as long as no penalty looms, the pressure is missing. That pressure now exists. The German implementation act is in force, authorities are conducting audits, and the fines are substantial.

Before discussing implementation, it is worth stepping back. What does NIS 2 actually require – and who does it affect?

1. What is NIS 2 – and What Has Changed?

NIS 2 is the second EU directive on network and information security. It replaces the predecessor directive from 2016 and responds to a development that no one seriously disputes anymore: cyber attacks are no longer the exception, but the rule. Supply chains are deliberately compromised, hospitals stand still for days, municipal administrations are paralyzed. The previous directive was limited to a few sectors and left member states considerable discretion – with the result that the level of protection across Europe varied widely. NIS 2 draws the consequences from that experience.

Three points are decisive: the scope has been significantly expanded – many organizations that were previously outside the spotlight now fall under the regulation. The requirements have been made concrete – where general security objectives once stood, there is now a defined catalogue of obligations. And enforcement has been tightened – with substantial fines and personal liability for executive management.

In Germany, the directive is implemented through the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). It has been in force since December 2025 – with no transition period. Any organization within scope has been required to comply since then. The Federal Office for Information Security (BSI) is the central supervisory authority and has been accepting registrations through its portal since January 2026.

2. Who Is Affected? And How Do You Register?

Before any measure makes sense, one question must be answered: is my organization actually within scope? The answer is less obvious than it appears. NIS 2 covers significantly more sectors than its predecessor, and the thresholds are set in a way that brings many mid-sized companies into scope for the first time – often without their knowledge.

The law defines two categories. Essential entities are organizations with at least 250 employees or annual revenue of at least 50 million euros in highly critical sectors – energy, water, healthcare, digital infrastructure, transport, and several others. Important entities begin at 50 employees or 10 million euros in annual revenue across a noticeably broader sector list, ranging from food production and postal services to providers of digital services. In addition, there are special cases where company size is irrelevant – for example, trust service providers or parts of the public administration.

Registration is the first obligation – and the most common oversight.

The BSI registration portal has been live since January 2026. Affected organizations must register actively – it does not happen automatically. Any organization that has not yet registered is already in breach of compliance. And this breach is immediately subject to fines, even before any technical or organizational measure has been implemented. This is what makes the point so insidious: you can be formally in default without realizing it.

What needs to be done in concrete terms:

  • Assess scope – check sector, headcount and revenue against the thresholds. Borderline cases should document their assessment in writing.
  • Register in the BSI portal – a one-time process, including master data and sector classification.
  • Designate a 24/7 point of contact that the BSI can reach in an emergency. This is not a formality – the contact must genuinely be reachable.
  • Maintain changes actively – any change to management, address, or contact point must be updated promptly.

This step costs no budget and no consulting days. But it creates immediate legal clarity about whether you fall within scope – and removes the latent risk of being caught off guard by a BSI inquiry.

3. Liability and Responsibility at the Management Level

With NIS 2, responsibility for cyber security leaves the CISO, the IT department, and similar functions and lands directly with executive management. NIS 2 fundamentally changes the legal situation: cyber security is no longer an IT matter that can be delegated and forgotten. Management is personally liable – with their private assets. Indemnification through the company or D&O insurance is excluded.

The lever is the duty of care. Executives must not only introduce risk management measures – they must actively approve them and monitor their implementation. This is not a tick-box exercise in a quarterly meeting, but a documented engagement, including evidence that management knows the current state of security, evaluates it, and makes decisions accordingly.

The fines are tiered, but substantial in both categories:

  • Up to 10 million euros or 2% of global annual revenue for essential entities – whichever is higher.
  • Up to 7 million euros or 1.4% of global annual revenue for important entities – also whichever is higher.
  • Personal liability of executive management in cases of proven breach of duty of care – no cap, no indemnification.
  • In extreme cases: temporary prohibition of business activity or of the executive function imposed by the BSI.

On top of this, there is a mandatory training requirement for the management level. Anyone who ends up in front of a supervisory authority and cannot explain what their organization is doing and why has a problem. Ignorance is no defense – on the contrary, it constitutes the breach of duty of care itself.

That covers the fundamentals: what NIS 2 is, who it affects, how registration works, and what consequences management can face personally. But the real work only begins after that – with the implementation of concrete requirements for processes, technology, and organization.

That is the focus of Part 2: risk management, incident response, business continuity, and the most sensitive area of all – the security of your own supply chain.

As of May 2026 — This article provides practical insights and does not replace individual legal or security advice.