11/27/2025

From Regulation to Reality: What NIS2 Means for Businesses

NIS2 for businesses: Compliance steps, registration and incident reporting requirements, and risk management — explained clearly and practically.

Written by Markus Zeischke

The image shows a judge's gavel lying on a blue, gold-rimmed pedestal with the inscription “NIS 2 DIRECTIVE ADOPTED – EU CYBERSECURITY.”

Following the adoption of the NIS2 Implementation Act (link only in German) by the German Bundestag in mid-November 2025, the European cybersecurity directive is now taking concrete shape in Germany. For many companies this is a significant change, and one that is not immediately obvious.

What was once perceived as a vague European requirement is now being written into national law. Once the act enters into force, its requirements become legally binding. The intended result is a noticeable rise in security levels and resilience, which is needed because the threats posed by increasingly sophisticated cyberattacks are rising as well. Companies are therefore at a turning point: the time has come to implement the new requirements systematically and to treat cybersecurity as an integral part of future business viability.


Who is affected by NIS2?

The act applies to 'essential' and 'important' entities (in the German act: 'particularly important' and 'important' entities) in 18 critical and key sectors, including energy supply, transportation, healthcare, digital infrastructure, public administration, waste management and manufacturing, as well as to operators of critical facilities. However, classification is not determined by sector alone: within these sectors, size is the decisive economic criterion. An entity with at least 50 employees, or with an annual turnover and a balance sheet total each above 10 million euros, generally falls within the scope; a small number of entity types, such as operators of critical facilities and certain digital service providers, are covered regardless of size.

Consequently, the number of obligated organisations increases significantly. It is estimated that the directive affects more than 30,000 companies in Germany, including many that previously had little exposure to regulatory cybersecurity. One of the biggest challenges is that many companies recognise late that they are in scope, or underestimate the full implications, even though the requirements immediately affect processes, structures and responsibilities.

How to determine whether your organisation is subject to NIS2

Before planning any concrete measures, organisations must first answer a fundamental question: Are we affected by NIS2, and if so, to what extent? The first step is therefore a systematic impact assessment. Companies should examine which business areas may be classified as 'essential' or 'important', and which activities are negligible and therefore not counted when determining the classification.

However, you should be careful: excluding certain activities does not automatically mean that no risks exist in those areas. Attackers do not care about legal definitions — they look for the easiest entry point. Overly generous interpretations or loosely defined exceptions can quickly create unexpected vulnerabilities.

First orientation: the BSI's NIS-2-Betroffenheitsprüfung

This assessment (link only in German) can serve as a valuable first point of orientation. It helps organisations quickly determine whether they are likely to fall under the NIS2 directive. The online tool provides a straightforward starting point with clear questions and a simple presentation of results, while ensuring full anonymity. However, this assessment does not replace formal self-identification or legal review.

Implementation obligations: What needs to be done in practice?

Once it is clear that a company falls under NIS2, the implementation process can begin. The directive requires a significantly higher level of security, both organisational and technical. The core obligations (Link only in German) include:

1. Registration requirement: Organisations must officially register themselves.

'Particularly important' (essential) and 'important' entities must register with the joint registration office of the BSI and the BBK. Registration must take place within three months of an organisation first identifying itself, or being newly classified, as falling under NIS2. Additional registration details apply to certain entity types, such as operators of critical facilities and providers of certain digital services and digital infrastructures (for example DNS service providers, top-level domain registries, and cloud and data-centre service providers).

2. Incident reporting obligation: Clear timelines and required content

Affected entities must report significant security incidents to the BSI. An incident is significant if it has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or considerable material or non-material damage to third parties. The deadlines run from the moment the entity becomes aware of the incident:

  • Within 24 hours: early warning, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
  • Within 72 hours: incident notification, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • Within one month of the incident notification: final report (or a progress report if the incident is still ongoing, followed by the final report within one month of the incident being handled)


Across these reports, the BSI expects:

  • An assessment of the incident and its severity
  • A description of the impact, including any cross-border impact
  • The type of threat or the likely root cause
  • Indicators of compromise
  • Mitigation measures applied or still in progress
  • Relevant contact information

3. Risk management: Effective, documented security measures

Companies must implement and document an appropriate, proportionate and effective risk management approach. The level of proportionality depends on factors such as the level of risk exposure, the size of the organisation, associated costs, and the likelihood and potential impact of security incidents.

The risk management framework must cover all IT systems, components and processes required to deliver the organisation's services. The measures must reflect the state of the art, take relevant European and international standards into account, and follow an all-hazards approach. The minimum requirements correspond to the ten areas listed in the directive and include:

  • Conducting regular risk analyses and maintaining information security policies
  • Handling and managing security incidents
  • Ensuring operational continuity (backup management, disaster recovery and crisis management)
  • Supply chain security, including the security of relationships with direct suppliers and service providers
  • Security requirements for the procurement, development and maintenance of IT systems, including vulnerability handling and disclosure
  • Procedures for assessing the effectiveness of the risk management measures
  • Basic cyber hygiene practices and cybersecurity training and awareness
  • Policies on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communication, and secured emergency communication systems where needed

Risks of non-compliance: Why inaction can be costly and highly visible

For the first time, the NIS2 framework attaches tangible consequences to failing to meet these obligations. Violations may result in:

  • Significant fines based on annual turnover: up to 10 million euros or 2% of worldwide annual turnover for particularly important (essential) entities, and up to 7 million euros or 1.4% for important entities, whichever amount is higher
  • Official orders to implement specific technical or organisational measures
  • Temporary disqualification of responsible individuals from management roles
  • Personal liability of the management body, which must approve the risk management measures and oversee their implementation
  • Public warnings that can lead to substantial reputational damage

Beyond regulatory consequences, shortcomings in cybersecurity can also have direct operational impacts, such as prolonged downtime, higher damage costs and reduced insurability. In short, non-compliance is not only expensive, it is also visible, both internally and externally.

Create clarity now and take action!

Use proactive compliance to gain a competitive advantage. NIS2 is an opportunity as well as an obligation. Companies that act early will strengthen their digital resilience, improve their governance structures and increase their credibility with customers, partners and regulatory authorities.

Many organisations are still at the beginning of their NIS2 implementation journey. Support is available in various formats and should be used to quickly build implementation readiness.

You should also take the opportunity to explore the recorded sessions from it-sa Expo&Congress 2025. These offer concrete, practical examples, up-to-date insights and recommendations that can be put into practice immediately, making them ideal for planning your next steps with confidence and effectiveness.