With the NIS2 Implementation Act (NIS2UmsuCG -- NIS2-Umsetzungs- und Cybersicherheitsstaerkungsgesetz) coming into force in December 2025, cybersecurity regulation in Germany has reached a new dimension. What many managing directors at small and medium-sized enterprises (known as KMU -- Kleine und mittlere Unternehmen -- in Germany, equivalent to SMEs) have not yet realized: the new obligations apply not only to large corporations and critical infrastructure operators, but also to thousands of small and medium-sized businesses. Those who fail to act now risk severe fines and personal liability.
What Is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) is an EU-wide regulation that significantly tightens the protection of critical and important entities against cyberattacks. It replaces the original NIS Directive from 2016 and massively expands the scope of application. In Germany, it has been transposed into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG).
The crucial difference from the predecessor regulation: NIS2 now covers approximately 30,000 companies in Germany -- compared to only about 2,000 critical infrastructure operators previously. The threshold is set at companies with 50 or more employees or EUR 10 million in annual turnover across a total of 18 sectors.
Who Is Affected?
NIS2 distinguishes between essential entities and important entities. The classification depends on the sector, company size, and turnover.
Essential Entities
- Energy (electricity, gas, oil, district heating, hydrogen)
- Transport and traffic
- Banking and financial market infrastructures
- Healthcare
- Drinking water supply and wastewater
- Digital infrastructure and IT service providers
- Public administration
- Space
Important Entities
- Postal and courier services
- Waste management
- Chemical industry
- Food production and distribution
- Manufacturing (mechanical engineering, vehicle manufacturing, electrical engineering)
- Digital services (marketplaces, search engines, social networks)
- Research
Important for SMEs: Even if your company does not directly fall within one of these sectors, you may indirectly come within scope as a supplier or service provider to an affected company. The supply chain requirements of NIS2 are passed down the chain: affected companies must in turn impose security requirements on their own suppliers and service providers.
What Deadlines Apply?
The NIS2UmsuCG came into force in December 2025. Here is an overview of the key deadlines:
- Since December 2025: The requirements for risk management, incident reporting, and governance apply immediately.
- By March 2026: Affected companies must register with the BSI (Bundesamt fuer Sicherheit in der Informationstechnik -- the Federal Office for Information Security, Germany's national cybersecurity authority). This deadline is currently running -- act now if you have not yet registered your company.
- Ongoing: Regular submission of compliance evidence to the BSI and audits.
Those who miss the registration deadline not only signal a lack of compliance to the BSI but also risk the first administrative offence proceedings.
The Four Core Obligations in Detail
1. Risk Management
Affected companies must establish systematic risk management for their IT and network security. This includes:
- Risk analysis and security concepts for information systems
- Incident response procedures for handling security incidents
- Business continuity management including backup management and crisis management
- Supply chain security, including security-relevant aspects of relationships with suppliers
- Security measures for the acquisition, development, and maintenance of IT systems, including vulnerability management
- Policies and procedures for assessing the effectiveness of measures
- Cryptography and encryption
- Access control and asset management
- Multi-factor authentication and secured communication
2. Incident Reporting Obligations
For significant security incidents, strict deadlines apply for reporting to the BSI:
- Within 24 hours: Initial early warning after becoming aware of an incident
- Within 72 hours: Detailed report with initial assessment, severity level, and impact
- Within one month: Final report with detailed description, root cause analysis, and measures taken
These deadlines are ambitious and require prepared processes. Without a tested incident response plan, most SMEs will not be able to meet these requirements.
3. Supply Chain Security
NIS2 obliges companies to assess and ensure cybersecurity along their entire supply chain. In concrete terms, this means:
- Contractually defining security requirements for suppliers and service providers
- Regularly reviewing the security measures of partners
- Conducting risk assessments of dependencies on individual suppliers
For many mid-sized suppliers, this means: even if you fall just below the thresholds, your customers will demand NIS2-compliant security evidence from you.
4. Managing Director Liability
Perhaps the most far-reaching innovation for SMEs: managing directors are personally liable for the implementation of cybersecurity measures. The management must:
- Approve and oversee the implementation of risk management measures
- Regularly participate in cybersecurity training
- Bear personal liability, including with their private assets, in the event of a breach of duty
This liability cannot be delegated to third parties. Even engaging an IT service provider does not release management from their responsibility.
What Penalties Apply?
The fines for violations are substantial and follow the model of the GDPR:
- Essential entities: Up to EUR 10 million or 2% of global annual turnover (whichever is higher)
- Important entities: Up to EUR 7 million or 1.4% of global annual turnover
In addition, there is the personal liability of management as well as potential reputational damage when security incidents become public. The BSI can also issue orders to implement specific measures and enforce compliance through coercive fines.
7 Concrete Action Steps for SMEs
Step 1: Determine Whether You Are Affected
Systematically determine whether your company falls within the scope of NIS2. Check your sector, your number of employees, and your annual turnover. Also consider indirect applicability through your customers.
Step 2: Complete BSI Registration
If you have not already done so: register your company with the BSI immediately. The March 2026 deadline is imminent. Registration is done through the BSI portal and requires basic information about your company and your IT infrastructure.
Step 3: Conduct a GAP Analysis
Compare the current state of your IT security against the target state required by NIS2. Identify gaps in the areas of risk management, incident response, access control, and supply chain security. A professional GAP analysis forms the foundation for your implementation roadmap.
Step 4: Create an Incident Response Plan
Develop a documented plan for handling security incidents that takes into account the 24-hour reporting deadline. Define clear responsibilities, escalation paths, and communication procedures. Test the plan in an exercise.
Step 5: Build Supplier Management
Identify all relevant suppliers and IT service providers. Assess their security level and update your contracts accordingly. Establish regular reviews of your partners' security measures.
Step 6: Train Management
Ensure that your management team understands the NIS2 requirements and their personal liability. Schedule regular training sessions -- not merely as a box-ticking exercise, but as the basis for informed decisions on cybersecurity strategy.
Step 7: Establish Continuous Improvement
NIS2 compliance is not a one-time project but an ongoing process. Implement an Information Security Management System (ISMS) that provides for regular reviews, audits, and improvements. Alignment with ISO 27001 makes it easier to demonstrate compliance.
Take Advantage of Funding Opportunities
The costs of NIS2 implementation can be a challenge, particularly for smaller companies. The good news: through BAFA funding (Bundesamt fuer Wirtschaft und Ausfuhrkontrolle -- the Federal Office for Economic Affairs and Export Control), SMEs can apply for grants covering external consulting services in the area of IT security. Find out about current funding programs early, as resources are limited and demand is high.
In addition, individual German federal states (Bundeslaender) offer supplementary funding programs for digitalization and IT security that can also be used for NIS2-related measures.
Conclusion: Act Now
The NIS2 directive is not a distant future vision -- it is current law. The BSI registration deadline is running, and the requirements for risk management and incident reporting are already in effect. For managing directors at SMEs, not only the company's compliance is at stake, but also their personal liability.
Those who proceed systematically now can implement the requirements efficiently while sustainably strengthening their own cyber resilience. Because regardless of regulatory obligations: given the rising threat landscape from ransomware, supply chain attacks, and state-sponsored cyber operations, a robust security concept is a business necessity.
Not sure whether your company is affected by NIS2 or where to start? We support small and medium-sized enterprises with applicability analysis, GAP analysis, and implementation planning -- pragmatically and as partners on equal footing.
