NIS 2 directive: Who is affected and what requirements now apply

NIS 2 has been passed. Why the legislation is so important, who is affected, which requirements apply – and how companies can prepare.

Cyber attacks on businesses and public authorities in Germany continue to rise; the BSI situation report 2025 (in German) describes a persistently tense IT security situation with growing attack surfaces and increasing professionalisation of attackers. With the NIS 2 Directive (EU) 2022/2555 and the German NIS 2 Implementation Act (NIS2UmsuCG), cybersecurity is becoming a binding legal framework for many organisations.

This article explains who is affected by NIS 2, which requirements now apply and how companies can prepare effectively.

TL;DR – the most important points in a nutshell:

  • Why NIS 2? NIS 2 is the revised EU directive on the security of network and information systems and is a response to the significantly deteriorated cyber threat landscape.

  • Who is affected by the NIS 2 directive? Primarily medium-sized and large organisations in highly critical and critical sectors such as energy, transport, financial services, healthcare, digital infrastructure and digital services.

  • What are the core requirements of NIS 2? The directive sets out clear requirements for cybersecurity, including risk analysis, supply chain security, cryptography, cyber hygiene and reporting procedures for security incidents.

  • What is the current status? The German NIS 2 Implementation Act was published in the Federal Law Gazette on 5 December 2025. It entered into force on the day after its promulgation.

  • What does NIS 2 mean in practice? Organisations must check whether they fall within the scope of NIS 2, assess and improve their security level, and define reporting channels and responsibilities.

Why NIS 2?

NIS 2 is the revised EU directive on the security of network and information systems, updating the existing legal framework to reflect the current threat landscape and the state of digitalisation. It is not fundamentally new, but builds on the first NIS directive from 2016.

The original NIS directive was the starting point for a common level of cybersecurity across the EU. In practice, however, it became clear that implementation varied greatly between Member States, many companies did not fall within its scope at all, and at the same time cyber attacks have become significantly more frequent and more professional.

The NIS 2 directive now tightens this framework. It responds to a persistently tense threat situation, increased connectivity and new attack vectors – for example via supply chains or digital services. The aim is to regulate cybersecurity in a more binding, broader and more uniform way: with a clear minimum level of protective measures, an expanded range of affected sectors and entities, and stricter rules on supervision, reporting obligations and management responsibility.

In short: NIS 2 is intended to ensure that essential services and supply chains in Europe continue to function reliably even under high cyber pressure – and that cybersecurity is no longer voluntary or “nice to have”, but a binding standard.

Who is affected by the NIS 2 directive?

The original NIS directive mainly applied to operators of critical infrastructure. NIS 2 goes much further: in addition to classic critical infrastructure (KRITIS), it now regulates “essential entities” and “important entities”. This is intended to reflect the growing threats in the digital space.

As a result, many companies come into focus that have not previously regarded themselves as critical – especially in the mid-market segment.

Sectors in which organisations are generally classified as essential entities include, among others:

  • Energy (electricity, gas, oil, district heating)

  • Transport (air, sea, rail, road)

  • Banking and financial market infrastructures

  • Healthcare (hospitals, laboratories, manufacturers of critical products)

  • Drinking water and wastewater

  • Digital infrastructure (DNS services, data centres, cloud)

  • Central public administration

  • Space

Organisations in the following areas are typically classified as important entities, for example:

  • Postal and courier services

  • Waste management

  • Manufacture of certain critical products (e.g. chemicals, medical technology, electronics, machinery)

  • Digital services (e.g. online marketplaces, search engines, cloud services)

  • Research institutions (in critical areas)

Size criteria: Who typically falls under NIS 2?

Whether a company is considered an essential or important entity always depends on two factors:

  • Which sector it operates in

  • How large the company is (number of employees, turnover, balance sheet total)

The NIS 2 directive refers to the EU definitions for medium-sized and large enterprises:

Medium-sized enterprises:

  • at least 50 employees and

  • at least 10 million euros annual turnover or balance sheet total

Large enterprises:

  • at least 250 employees and

  • at least 50 million euros annual turnover or 43 million euros balance sheet total

In simplified terms:

  • If a medium-sized or large company operates in a highly critical sector (see Annex I to NIS 2), it will generally be classified as an essential entity.

  • If it operates in a critical sector (see Annex II), it will generally be classified as an important entity.

In addition, there are certain special cases that are covered regardless of size – for example specific providers of digital infrastructure or trust services. Public authorities in the areas of national security, defence and law enforcement are explicitly excluded from NIS 2.

How many entities are affected in Germany?

With the implementation of the NIS 2 directive, the number of regulated entities in Germany will, according to the federal government, rise from around 4,500 (under the previous KRITIS framework) to roughly 29,000 to 30,000 companies and public authorities.

💡 Important: Organisations must assess for themselves whether they fall within the scope – there is no blanket “NIS 2 notice by post”. As support, the BSI offers an online self-assessment tool as well as comprehensive FAQs on the topic.

What are the central requirements of NIS 2?

For affected organisations, the NIS 2 directive defines concrete minimum requirements for cybersecurity and risk management. At its core, it focuses on the following components:

  • Policies for risk analysis and information security: Clear rules on how risks to network and information systems are identified, assessed and treated, and how information security is managed.

  • Handling of security incidents: Procedures for detecting, reporting, analysing, containing and following up on security incidents.

  • Business continuity and crisis management: Measures to ensure that critical business processes can be restored quickly in the event of disruptions (backups, recovery plans, crisis communication).

  • Security in the supply chain: Inclusion of cybersecurity requirements in contracts and processes with service providers and suppliers, particularly where data is exchanged.

  • Security in the acquisition, development and maintenance of IT systems: Requirements for secure procurement, development and maintenance of systems, including a structured approach to vulnerabilities (“security by design and by default”).

  • Assessment of the effectiveness of security measures: Regular checks to determine whether the implemented cybersecurity and risk management measures actually achieve the intended level of protection.

  • Basic cyber hygiene and cybersecurity training: Establishing secure everyday routines (e.g. updates, passwords) and ongoing training of staff on cyber risks.

  • Rules on the use of cryptography: Guidelines for the use of cryptography and encryption to ensure the confidentiality and integrity of sensitive data “in transit” and “at rest”.

  • Personnel security, access control and asset management: Measures to ensure reliability in security-critical roles, clear role and authorisation concepts, and structured management of relevant systems and information assets.

  • Strong authentication and secure communication: Use of strong authentication mechanisms (e.g. MFA) and protection of voice, video and text communication, including internal emergency communication.

In addition, NIS 2 gives rise to further key obligations:

  • Extensive reporting obligations for security incidents: Staged, time-bound reporting (e.g. an initial report of significant security incidents within 24 hours) to the competent authorities, as well as informing affected customers and users.

  • Supervision, documentation and management responsibility: Extended powers for supervisory authorities, evidence and documentation obligations for companies, and the explicit responsibility of top management for cybersecurity and risk management.

Deadlines and current status of implementation

(As of 5 December 2025)

At EU level, the NIS 2 directive (EU) 2022/2555 has been in force since 16 January 2023 and has applied since 18 October 2024. It has replaced the original 2016 NIS directive and forms the binding framework for a uniform level of cybersecurity across the EU.

In Germany, implementation is taking place via the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The federal cabinet adopted the draft bill in July 2025, the Bundestag passed the act on 13 November 2025, and the Bundesrat approved it on 21 November 2025.

On 5 December 2025, the act was published in the Federal Law Gazette. It entered into force on the day after its promulgation.

For companies, this means:

  • The European framework is in place, and the old NIS directive has been repealed.

  • The specific obligations in Germany (for example on risk management, reporting procedures and supervision) take effect with the entry into force of the NIS2UmsuCG.

  • No long transitional periods are planned for the technical and organisational NIS 2 requirements – they essentially apply from the date the act comes into force. For certain points, such as registration with the BSI, staggered deadlines of a few months are provided.

In short: The NIS 2 implementation act in Germany has been formally in force since 6 December 2025 and the substantive framework is clear – anyone who is affected should now begin aligning their security measures with the NIS 2 standards.

What does NIS 2 mean in practice for companies?

NIS 2 is binding law and ensures that cybersecurity is regulated in a mandatory way, with concrete requirements for risk management, processes and technology. For affected companies and public authorities, this means they now need to actively prepare their implementation.

  • Cybercrime does not wait for deadlines: The threat level remains high. Minimum standards under NIS 2 reduce not only regulatory risk, but above all the likelihood that ransomware, data theft or supply chain attacks will bring operations to a standstill.

  • Implementing measures takes time: NIS 2 affects governance, processes, technology and training. These issues cannot be resolved at short notice – anyone who only starts at the moment the act takes effect will quickly come under time pressure.

  • Competitive advantage through compliance: Demonstrable cybersecurity is increasingly becoming a decision criterion in tenders and partnerships. Companies that take a professional approach to NIS 2 will score points with customers and within regulated supply chains.

Getting prepared: Three key steps

The BSI (Federal Office for Information Security) makes it clear that preparation before the first audit is crucial. We therefore recommend three concrete steps now:

  • Clarify whether and to what extent you are affected: Use your sector, company size and role in the supply chain to assess whether you fall within scope – and, if so, classify yourself as an “important” or “essential” entity.

  • Secure critical processes first: Identify weaknesses in your IT security and focus in particular on processes where data leaves the company or where many external parties are involved.

  • Establish reporting channels and evidence properly: Define responsibilities, communication channels and technical documentation so that the short deadlines can realistically be met in the event of an incident.

What happens if NIS 2 requirements are not met?

The truth is: the risk of falling victim to a cyber attack has never been greater. For that reason alone, it already makes sense to engage with the NIS 2 requirements.

In addition, financial penalties can be expected if the directive is not complied with: for essential entities, NIS 2 provides for fines of up to 10 million euros or 2 per cent of global annual turnover; for important entities, up to 7 million euros or 1.4 per cent – in each case, whichever amount is higher.

How FTAPI supports NIS 2 implementation

FTAPI is an immediately deployable building block that enables you to demonstrably implement key measures in the area of risk management:

  • Secure data exchange as part of risk treatment: Data is always transmitted and stored in encrypted form, optionally also end-to-end encrypted; uploads are checked in advance for harmful content.

  • Strong protection of the supply chain: Partners and suppliers work via secure data rooms, encrypted ad hoc transfer and protected input channels; digital processes can be mapped and automated centrally.

  • Consistent cyber hygiene: Dispatch rules and role and rights concepts reduce data leakage and shadow IT.

  • Requirements on cryptography and MFA fulfilled: BSI-compliant encryption, two-factor authentication and SSO are available.

  • Secure emergency communication: Where required, an independent, encrypted communication channel is available.

Would you like to know more about how FTAPI supports NIS 2?

We will show you how secure data exchange can be implemented easily and in compliance with NIS 2.

Conclusion: NIS 2 as a framework for binding cybersecurity

NIS 2 sets a clear framework for how companies and public authorities should organise their information security: with defined responsibilities, transparent processes and verifiable technical measures. Cybersecurity thus moves from being a voluntary best practice to a mandatory management responsibility.

Organisations that clarify whether they are in scope, assess risks systematically and implement key requirements such as risk management, secure data exchange, reporting channels and training in a structured way increase their resilience to attacks and avoid unnecessary panic during audits or incidents.

In this way, NIS 2 becomes a central point of orientation: for a robust level of security, transparent accountability and sustainable digital business relationships.

Frequently asked questions about the NIS 2 directive

Since when has NIS 2 applied?

At EU level, NIS 2 has been in force since January 2023 and has applied since October 2024. In Germany, the Bundestag adopted the act on 13 November 2025, and the Bundesrat approved it on 21 November 2025. The act was published in the Federal Law Gazette on 5 December 2025 and enters into force one day after its promulgation, i.e. on 6 December 2025.

Is NIS 2 mandatory?

Yes. NIS 2 is an EU directive that is binding for all Member States and, through national legislation – in Germany via the NIS 2 implementation act – sets mandatory requirements for cybersecurity, reporting obligations and management responsibility. For affected entities, the NIS 2 obligations are therefore not a voluntary standard but legally binding.

Who has to implement NIS 2?

NIS 2 must be implemented in particular by medium-sized and large organisations in defined highly critical and critical sectors, such as energy, transport, financial services and healthcare, drinking water and wastewater, digital infrastructure, postal and courier services, waste management, manufacturers of critical products, digital services and certain research institutions. Whether an organisation is affected depends essentially on the sector it belongs to and its size; some particularly critical entities fall under NIS 2 regardless of their size.

What obligations does NIS 2 impose?

Typical NIS 2 obligations include establishing structured risk management, implementing technical and organisational security measures (e.g. encryption, access management, supply chain security), conducting regular training, documenting measures and reporting significant security incidents to the competent authorities within the required deadlines.

Note: This article is for general information on NIS 2 only and does not constitute legal advice. For binding information on your individual obligations, please consult a qualified lawyer.