The EU directive NIS2 is, in 2026, the most structurally significant regulation for German mid-market companies operating in IT-relevant sectors. Where the old NIS directive previously covered around 2,000 businesses, an estimated 29,000 now fall within scope. Many organisations do not yet know they are affected — the German transposition came with delays, and many executive teams treat NIS2 as a "deal with it later" problem. That stance is risky. This article lays out the obligations concisely and delivers an actionable 90-day roadmap. The broader context around cybersecurity, penetration testing, and compliance is covered in our Cybersecurity Guide for Mid-Market Companies.
Important: The German transposition of the NIS2 directive via the NIS2UmsuCG is becoming binding in stages. The obligation to self-register with the BSI applies regardless of the exact date of entry into force — any organisation active in one of the 18 sectors and meeting the size thresholds should not count on further delays.
What is NIS2, exactly?
NIS2 stands for "Network and Information Security 2" and is the second edition of the EU directive on cybersecurity. Adopted in December 2022 and in force since October 2024, it replaces the original NIS directive of 2016. The goal: a uniform, significantly higher level of cybersecurity across all EU member states.
The difference from NIS1 is substantial. NIS1 only covered "operators of essential services" within a narrow sector catalogue — an estimated 2,000 companies in Germany. NIS2 expands the scope to 18 sectors, lowers the thresholds considerably, and introduces personal management liability. Estimated reach in Germany: 29,000 companies, many of them classic mid-market businesses.
National transposition in Germany is handled via the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Comparable rules apply in Austria (amendment to the NISG) and Switzerland (oriented around the ISG, without direct EU affiliation).
Who is affected? The 18 sectors
NIS2 distinguishes between "sectors of high criticality" (Annex I, eleven sectors) and "other critical sectors" (Annex II, seven sectors). The obligation applies to medium and large enterprises in both annexes.
Manufacturing encompasses a number of relevant sub-industries — mechanical engineering, electronics, automotive, and medical devices. This is precisely where many classic mid-market companies from Baden-Württemberg, Bavaria, and Switzerland fall, organisations that have never previously had to engage with IT security regulation.
Threshold: at least 50 employees OR at least €10 million annual turnover and balance sheet total. This threshold corresponds to the EU definition of a medium-sized enterprise. In practice it is reached very quickly — many family-owned mid-market businesses with 60 to 200 employees are clearly in scope.
Essential vs. important entities
Among in-scope organisations, NIS2 distinguishes two categories. "Essential entities" are large companies (250+ employees or €50m turnover) in high-criticality sectors, plus a handful of specialist industries. "Important entities" are medium-sized companies in the highly critical sectors and all companies in the other critical sectors.
The difference lies in supervisory intensity and the level of sanctions. Essential entities are subject to proactive supervision — the authority can audit without prior notice. Important entities are supervised reactively — the authority investigates when there are indications or following an incident. Fines differ accordingly: up to €10 million or 2% versus up to €7 million or 1.4% of global annual turnover.
Mandatory measures under Article 21
Article 21 of the NIS2 directive defines ten minimum measures that every affected organisation must implement. They are a mix of technical and organisational requirements and cover the entire security lifecycle.
- Risk analysis and IT security policy. Documented risk management with regular updates, a maintained security policy as the top-level governance document.
- Incident handling. Incident response process, documented playbook, practised escalation paths. More in our article on the Incident Response Plan.
- Business continuity. Backup management, disaster recovery, business continuity plan with documented restore tests.
- Supply chain security. Assessment of the IT security posture of suppliers and service providers, contractual cybersecurity obligations in IT contracts.
- Security in procurement, development, and maintenance. Secure development lifecycle, vulnerability management, patch processes.
- Effectiveness of security measures. Regular review — for example through penetration tests and continuous vulnerability validation. Covered in depth in our article on the Penetration Test Process.
- Cryptography policy. Defined encryption standards, key management, transition strategies for deprecated algorithms.
- Personnel security, training, and awareness. Regular awareness training, documented security training sessions, clear responsibilities.
- Access control and asset management. Documented inventory of all IT assets, roles and permissions framework, identity lifecycle.
- Multi-factor authentication and secure communications. MFA on exposed systems, encrypted communication channels, secure emergency communications.
These ten minimum measures are not exhaustive — they set the baseline. The competent authority can impose additional requirements, for example based on sector-specific risks or following an incident.
Are you subject to NIS2 — and if so, where do you stand?
In a 30-minute conversation we assess your classification (essential / important / not affected) and deliver an initial gap analysis against the ten NIS2 mandatory measures.
Schedule an NIS2 quick checkReporting obligations — 24 hours, 72 hours, 1 month
One of the most concrete new requirements is the three-stage notification obligation for significant security incidents. These deadlines are absolute — they start from the moment the incident becomes known, not from confirmation.
Stage 1 — Early warning within 24 hours. A first formal notification to the competent national authority (in Germany, the BSI). Content: suspected incident, affected sectors, presumed cross-border impact. Deliberately brief — you do not yet have all the details, but the authority's knowledge gap must be closed promptly.
Stage 2 — Incident notification within 72 hours. Full initial assessment including impact analysis, indicators of compromise, and measures already taken or planned. This notification serves as the basis for the authority's situational assessment and for informing other relevant bodies.
Stage 3 — Final report within one month. Detailed analysis of the incident, progression of impact, root-cause analysis, protective measures implemented, and planned future prevention. For protracted incidents, interim reports are acceptable, with a final report submitted once the incident is resolved.
Important: these reporting obligations come IN ADDITION to GDPR notification requirements under Article 33 (72-hour notification to the data protection authority). If an incident has both NIS2 and GDPR relevance, you must notify both authorities — following different logics and with different content.
Sanctions and management liability
NIS2 is serious about sanctions. The fine frameworks are calibrated at GDPR levels but must be considered separately — a single incident can trigger both a NIS2 and a GDPR fine.
For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4%. For a €40 million mid-market company in a highly critical sector, fines of up to €800,000 per incident are a realistic prospect.
Personal management liability is new. NIS2 explicitly requires that management be responsible for implementing security measures and that it must also be trained. Where organisational obligations have demonstrably been breached, managing directors and board members can be held personally liable — D&O insurance does not automatically respond to compliance violations.
NIS2 versus ISO 27001 — the relationship
A frequent question in our advisory conversations: "We are ISO 27001 certified — does that make us NIS2 compliant?" The honest answer: roughly 80% yes, but not fully.
The technical measures under NIS2 Article 21 overlap substantially with ISO 27001 controls. If you have a functioning ISMS (Information Security Management System) in line with ISO 27001, you automatically satisfy the majority of NIS2 obligations.
What is additionally required: the NIS2-specific reporting obligations to the competent authority with the three deadlines described above, the explicit management training requirement (less explicitly addressed in ISO 27001), dedicated supply chain security under NIS2 logic, and registration with the BSI as an affected entity. We go deeper on the cost and effort comparison in the article ISO 27001 Certification Costs.
90-day implementation roadmap
Anyone who wants to implement NIS2 in a structured way starts with an inventory and works forward systematically. This roadmap is tried and tested — we have used it in mid-market engagements since NIS2 was adopted.
| Phase | Activities | Outputs |
|---|---|---|
| Days 1–14 | Applicability analysis, sector classification, size classification, prepare BSI registration | Written classification (essential / important / not affected), documented rationale |
| Days 15–30 | Gap analysis against NIS2 Article 21, create or update asset inventory, risk register | Prioritised gap list, documented risk register |
| Days 31–60 | Implement quick wins: roll out MFA everywhere, document patch process, backup restore test, awareness training | Eight of the ten mandatory measures at initial fulfilment level |
| Days 61–75 | Write incident response playbook, escalation list with BSI reporting channels, tabletop exercise | Binding playbook, one tabletop exercise completed |
| Days 76–90 | Supply chain assessment, update contracts with critical service providers, management training | Assessed supplier list, updated contract clauses, documented management training |
After 90 days you will not have perfect NIS2 compliance — that is an ongoing state, not a project deliverable. But you will have a documented baseline, all mandatory measures at initial implementation level, and the organisational structures for continuous maintenance. That puts you in a significantly stronger position during a supervisory audit than no structured approach at all.
DACH status 2026 — where do things actually stand?
The reality in mid-market advisory work is clear: NIS2 is being underestimated. According to BSI estimates, fewer than 30% of affected German companies had completed a full applicability analysis by the end of 2025. Fewer than 15% had all ten mandatory measures at even initial implementation level. The gap between legal requirement and actual compliance is significant.
The reasons are understandable: NIS2 appears complex, the German transposition was delayed, and for many traditional mid-market businesses IT security regulation is an entirely new topic. But that gap is precisely what makes management liability relevant — anyone who has taken no action by 2026 can no longer claim ignorance.
Our recommendation: do not wait for the final German legislative text in every detail. The EU minimum measures from Article 21 are fixed and will be required in every national implementation. Starting the 90-day roadmap now means your organisation is operationally ready by the deadline — and can handle the penetration test, ISO preparation, and cyber insurance requirements from a single consolidated process.
Frequently asked questions
When does NIS2 become legally binding in Germany?
The EU directive has been in force since October 2024. German transposition is handled by the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which is becoming binding in stages. Affected companies must register, implement technical measures, and establish reporting channels — anyone still inactive in 2026 is late.
What thresholds trigger NIS2 obligations?
The general rule: 50 or more employees OR at least €10 million annual turnover and balance sheet total, combined with activity in one of the 18 NIS2 sectors. For particularly critical sectors such as energy, water, telecommunications, banking, or digital infrastructure, even smaller companies can be in scope if they are classified as essential service providers.
What are the most important NIS2 obligations?
Article 21 lists ten minimum measures: risk management policy, incident response, backup and business continuity, supply chain security, security in procurement and development, control effectiveness, cryptography policy, personnel security and training, access management and asset inventory, multi-factor authentication and secure communications.
What sanctions apply to NIS2 violations?
For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4%. In addition, management can be held personally liable if organisational obligations have been breached.
How quickly must a security incident be reported?
NIS2 requires a three-stage notification: an initial early warning to the competent authority within 24 hours, a full incident report with initial assessment within 72 hours, and a final report within one month. In Germany, the Federal Office for Information Security (BSI) is the central reporting authority.
Does ISO 27001 certification automatically fulfil NIS2?
Largely yes — the technical measures under NIS2 Article 21 overlap with ISO 27001 controls by roughly 80%. What is additionally required: the NIS2-specific reporting obligations to the competent authority, the mandatory management training requirement, and explicit supply chain security. ISO certification significantly eases NIS2 implementation but does not fully replace it.
We guide you through NIS2 implementation
From applicability analysis through gap assessment to initial implementation of the ten mandatory measures — as a fixed-price package with clear milestones. Includes Reepa Security for continuous effectiveness validation.
Request NIS2 advisory