
NIS2 in Germany: Deadlines, Impact, and Implementation

With the NIS2 Directive, the European Union is tightening its cybersecurity requirements for businesses and public institutions. At the same time, the scope of the regulation is being significantly expanded, meaning that far more companies than before will be subject to its provisions in the future. The goal is to better protect critical digital infrastructure and establish a uniform level of security across the EU.

For many companies, this raises the question for the first time of whether they are affected by NIS2 and what requirements this entails. In Germany, national implementation is carried out through the Act Implementing the NIS2 Directive.

The following article explains the role NIS2 plays for companies in Germany and highlights the key considerations for assessing and implementing the directive.

The most important facts about NIS2 at a glance

  • NIS2 is an EU directive aimed at strengthening cybersecurity for businesses and public institutions.
  • It expands on existing regulations and applies to significantly more organizations than the traditional KRITIS regulations.
  • The NIS2 Directive is implemented in Germany through the NIS2 Implementation Act (NIS2UmsuCG).
  • Affected companies must implement organizational and technical security measures and report security incidents.
  • Violations of the directive's requirements may result in regulatory oversight and potential fines.

What exactly is NIS2?

The NIS2 Directive (EU 2022/2555) is a European regulation designed to strengthen IT security and risk management in businesses and public institutions. It builds on the original NIS Directive and expands both the scope of affected organizations and the requirements for IT security and risk management.

The goal of NIS2 is to establish a uniformly higher level of security for digital infrastructures and critical services within the European Union. Today, digital systems form the foundation of many economic and social processes. Security incidents or cyberattacks can therefore quickly affect entire industries or supply chains.

With NIS2, the EU is responding to this development and establishing binding minimum requirements for managing cyber risks. Companies must systematically organize security measures, assess risks, and establish processes for reporting security incidents.

Purpose and Objective of the Directive

The NIS2 Directive was developed against the backdrop of the increasing digitization of economic and public processes. Today, digital infrastructures, cloud services, and interconnected IT systems form the foundation of many business models and service delivery structures. Consequently, the importance of stable and secure information systems for businesses and organizations is growing.

At the same time, experience has shown that the original NIS Regulation covers only a limited part of the digital infrastructure and is implemented differently across EU member states. This has led to inconsistent security standards in some cases within the European single market.

With NIS2, the European Union aims to further harmonize cybersecurity. The directive establishes common minimum requirements for managing cyber risks and outlines key risk management measures. The goal is to improve the long-term stability of digital services within the EU.

What has become stricter compared to the original NIS Directive

NIS2 significantly tightens regulatory requirements compared to the original NIS regulation. In particular, the NIS2 Directive strengthens organizational responsibility for cybersecurity and introduces more binding obligations for risk management within companies.

A key difference concerns the role of senior management. Whereas cybersecurity was previously often viewed as a purely technical task, NIS2 places greater emphasis on management-level responsibility. Senior management must ensure that appropriate security measures are put in place and that relevant risks are assessed in a structured manner.

At the same time, the NIS2 Directive strengthens regulatory oversight and establishes clearer guidelines for handling security incidents, such as reporting and response procedures. In addition, potential penalties for violations are being expanded, placing greater emphasis on compliance with these requirements within corporate compliance frameworks.

Why NIS2 affects "more companies" than before

A key difference from the original regulation lies in the significantly expanded scope of the NIS2 Directive. While the first NIS regulation focused primarily on traditional operators of critical infrastructure, NIS2 now covers a much wider range of economic actors.

In addition to established critical infrastructure sectors such as energy, transportation, and healthcare, the NIS2 Directive also covers other industries that play a central role in economic processes and digital services. These include, for example, digital infrastructure, IT services, and parts of the manufacturing sector.

In addition, NIS2 places greater emphasis on a company’s size and economic significance. As a result, many small and medium-sized organizations are now subject to regulatory requirements for the first time. This raises the question for many companies: Who is affected by NIS2?

Who is affected by NIS2?

The NIS2 Directive primarily affects medium-sized and large companies, as well as public institutions in economically significant sectors. According to estimates, approximately 30,000 companies in Germany could be subject to NIS2. By comparison, the original NIS regulation covers only about 2,000 organizations.

Whether a company is subject to regulation generally depends on two criteria: company size and sector. To determine company size, the directive uses the thresholds for medium-sized and large companies. The following size criteria are particularly relevant:

  • at least fifty employees or
  • annual revenue of more than ten million euros or total assets of more than ten million euros

In addition to size, the sector of economic activity also plays a role. The NIS2 Directive distinguishes between “critical” and “important” facilities. The sectors affected include, among others:

  • energy, transportation, and healthcare
  • banks and financial market infrastructures
  • digital infrastructure, data centers, or cloud services
  • public administration and certain IT services
  • postal and courier services, waste management, or parts of the food production sector

For many organizations, the assessment of whether they are affected depends on a combination of industry, company size, and role within digital value chains. In certain cases, however, companies below these thresholds may also be affected—for example, if they provide critical digital services or play a key role within the supply chain of regulated organizations. In addition, supply chain security is becoming a greater focus.

When did NIS2 become mandatory in Germany?

The NIS2 Directive was adopted at the European level in 2023. Member states were then required to transpose the provisions into national law.

In Germany, this was implemented through the NIS2 Implementation Act, which entered into force on December 6, 2025. Since then, the NIS2 requirements have also been binding for affected companies in Germany.

Organizations subject to the regulation were required to register with the Federal Office for Information Security (BSI) by March 2026 in order to be listed as a regulated organization.

For companies, this means that the necessary organizational and technical measures must be implemented in a structured manner starting at the end of 2025.

NIS2 Requirements: What Is Expected from an Organizational and Technical Perspective

The requirements of NIS2 apply to both organizational structures and specific security measures.

At the organizational level, companies must define clear responsibilities for information security and establish a structured risk management system.

These include, in particular:

  • Direct responsibility of senior management for cybersecurity and risk management
  • Implementation of structured risk management processes
  • Processes for reporting security incidents to the relevant authorities
  • Addressing security risks within the supply chain
  • Regular training for employees on cyber risks

A key new development is the increased responsibility at the management level. Management teams must ensure that appropriate security measures are implemented and that risks are systematically assessed.

In addition, NIS2 requires technical measures in line with the state of the art. Typical examples include:

  • multi-factor authentication for systems and user accounts
  • securing IT networks and isolating different system areas
  • encryption of confidential data
  • structured management of security updates and software updates
  • systems for detecting security incidents
  • clear access controls and authorization models

The specific measures required depend on the industry, company size, and risk profile.

What is the difference between KRITIS and NIS2?

The main difference between KRITIS and NIS2 lies in their regulatory approaches and the scope of the organizations they cover. While the German KRITIS Regulation primarily targets operators of critical infrastructure, NIS2 takes a broader approach to regulating cybersecurity in economically significant sectors.

In Germany, the KRITIS regulation primarily applies to facilities whose failure would have a significant impact on public life. These include sectors such as energy supply, healthcare, transportation, and telecommunications. Companies subject to the KRITIS regulation must implement specific IT security measures and report relevant incidents to the Federal Office for Information Security.

In contrast, the NIS2 Directive takes a Europe-wide approach to cybersecurity regulation. It defines common requirements for companies in various economically significant sectors, with the aim of establishing a uniform level of security within the EU. In Germany, these requirements are transposed into national law through the NIS2 Implementation Act.

While the KRITIS Regulation constitutes national legislation for operators of critical infrastructure, NIS2 takes a Europe-wide approach with a significantly broader scope.

NIS2 Implementation Act / NIS2UmsuCG: What Is Regulated in Germany

The European NIS2 Directive is implemented in Germany by the NIS2 Implementation Act (NIS2UmsuCG). This law establishes the legal framework for transposing the European requirements into German law in a binding manner.

The NIS2UmsuCG primarily defines how the requirements for the implementation of NIS2 within Germany are organized and monitored. This includes, in particular, the responsibilities of the authorities, reporting procedures for security incidents, and the regulatory classification of affected companies.

The Federal Office for Information Security plays a central role in this regard, serving as the regulatory authority responsible for ensuring compliance with legal requirements. The Office monitors compliance with the regulations, may conduct security audits, and can order appropriate measures in the event of violations.

The law thus provides the national framework for the practical implementation of European regulations in Germany.

The KRITIS Framework Act: What It Covers – and How It Relates to NIS2

In addition to the European NIS2 regulation, Germany is also introducing the so-called KRITIS Framework Act. While many provisions of NIS2 focus on cybersecurity and the protection of digital systems, the KRITIS Framework Act primarily addresses the physical resilience of critical infrastructure. One of its objectives is to establish regulations governing information security management for operators of critical facilities.

Operators of critical infrastructure must systematically analyze risks and take appropriate measures to ensure that their facilities remain operational even in the event of disruptions or other security-related incidents, such as natural disasters. In addition, they are required to report significant disruptions to the relevant authorities.

The KRITIS Framework Act supplements the existing provisions of the KRITIS Regulation and is closely linked to the implementation of NIS2 in Germany. While the two regulations have different focuses, they often overlap in practice.

NIS2 Consulting & Compliance: How a Typical Project Unfolds

Many companies are implementing the NIS2 Directive as part of a structured project. The goal is to review existing security processes, clarify organizational responsibilities, and systematically implement regulatory requirements.

A NIS2 consulting project typically follows a multi-step approach:

  • Assessing the impact: Companies first determine whether and to what extent they are subject to the requirements of the NIS2 Directive.
  • Current state analysis of the security framework: Existing processes, policies, and technical measures are analyzed to identify potential gaps in NIS2 compliance.
  • Risk assessment and action planning: Based on the analysis, prioritized measures to improve the security framework are identified.
  • Implementation of organizational and technical measures: Security policies, governance structures, and technical safeguards are adjusted accordingly.
  • Documentation and training: Companies establish incident reporting processes and document their security measures in a transparent manner.

A key component of NIS2 compliance is the regular review and improvement of security processes.

NIS2 Implementation Using Contract Management

The NIS2 Directive applies not only to internal IT security measures but also to the security of service providers and suppliers. Since many digital services are provided by external vendors, security risks often arise along the supply chain.

Against this backdrop, structured contract management is becoming increasingly important. Contracts with service providers, IT vendors, or platform operators often contain key provisions regarding security standards, responsibilities, and reporting obligations in the event of security incidents. These agreements form an important foundation for implementing the requirements of the NIS2 Directive beyond the scope of one’s own organization.

Systematic contract management can help companies:

  • centrally document security-related contract clauses
  • establish security requirements for service providers at the contract drafting stage and record them clearly in the contract
  • monitor deadlines, reporting requirements, or audit rights under contracts
  • make NIS2-relevant contractual clauses easy to find

This makes contract management a key component in the structured implementation of regulatory requirements.

Organize NIS2 tasks and deadlines with contract management software

For many companies, the requirements of the NIS2 Directive also affect contractual relationships with service providers and technology partners. Security requirements must be clearly defined and documented, particularly within the supply chain. This creates additional organizational tasks for departments such as IT, Legal, and Procurement.

Structured contract management software can help centralize the recording of relevant contracts and systematically manage security-related obligations. This enables important information regarding security requirements, responsibilities, and reporting obligations to be consistently documented.

Typical applications include, for example:

  • A centralized overview of supplier and IT contracts to identify supply chains that are critical to security
  • Centralized tracking of security requirements derived from contract clauses
  • Documentation of audit rights and security certifications for regulatory authorities
  • Management of security-related certificates or compliance documentation from service providers
  • Management of relevant NIS2 deadlines, such as those related to the documentation of security incidents or internal audit processes

By organizing this information in a structured manner, contractual obligations and regulatory requirements can be better managed in day-to-day operations.

Conclusion: Implement NIS2 in a structured manner and clarify responsibilities

The NIS2 Directive significantly increases the requirements for risk management and organizational accountability in many companies. For numerous organizations, the challenge is therefore to integrate security requirements, responsibilities, and processes in a way that ensures long-term traceability. Especially when external service providers and multiple departments are involved, implementation quickly becomes a cross-functional task. Furthermore, fines may be imposed for serious violations.

Structured contract management can provide an important organizational foundation for this. Security requirements for service providers, audit rights, and reporting obligations are often specified directly in contracts. If this information is stored in a decentralized manner, it quickly leads to additional coordination efforts. Centralized management helps ensure that obligations are documented in a traceable manner and that responsibilities are clearly assigned.

ContractHero supports companies precisely in this area. The platform centrally consolidates contracts, makes security-related information easier to find, and clearly outlines deadlines, responsibilities, and contractual obligations. This allows implementation to be organized more closely in line with the actual agreements with service providers and partners.

NIS2 Self-Assessment: Are Your Contracts Ready for an Audit?

Many companies are currently investing heavily in IT security. At the same time, experience shows that contractual security requirements are often scattered across individual documents, emails, or departments.

Our brief NIS2 Governance Self-Assessment helps you quickly identify typical risks in contract management.

Take the five-minute test to find out:

  • whether your IT and service provider contracts are fully documented
  • whether security-related obligations are documented in a traceable manner
  • whether deadlines and responsibilities are organized in a structured manner

Download: NIS2 Self-Assessment for Businesses


Frequently asked questions

What is the NIS2 Directive, explained simply?

The NIS2 Directive is an EU-wide regulation designed to strengthen cybersecurity in businesses and public institutions. It requires organizations in critical sectors to systematically manage risks, implement appropriate security measures, and report security incidents. Compared to the original NIS Directive, NIS2 expands both the scope of affected organizations and the requirements for risk management, governance, and documentation. The goal is to establish a uniformly high level of security within the European Union and to sustainably improve the resilience of digital infrastructures.

Who is affected by NIS2?

NIS2 primarily affects medium-sized and large companies, as well as public institutions in economically significant sectors such as IT, energy, healthcare, transportation, and finance. Classification is generally based on company size and industry. The following thresholds are often used as a guide:

  • at least fifty employees or
  • more than ten million euros in annual revenue or total assets

In addition, smaller companies may also be affected, particularly if they provide critical digital services or, as service providers, are part of the supply chain of regulated companies.

When does NIS2 take effect in Germany?

The NIS2 Directive was adopted at the European level in 2023 and subsequently transposed into national law. In Germany, NIS2 has been in effect since the NIS2 Implementation Act came into force in December 2025. Affected companies were required to register with the Federal Office for Information Security (BSI) by March 2026 and have been obligated to implement the directive’s requirements ever since. These include, in particular, organizational measures, technical security precautions, and established processes for reporting security incidents.

What obligations do companies have under NIS2?

Under the NIS2 Directive, organizations must establish a structured cybersecurity risk management framework and implement appropriate technical and organizational measures. Key requirements include:

  • implementation of a systematic risk management framework
  • implementation of state-of-the-art technical protective measures
  • establishment of reporting processes for security incidents
  • consideration of security risks in the supply chain
  • training of employees in dealing with cyber risks

The goal is to identify security risks early on, minimize them, and be able to respond to them in a structured manner in the event of an emergency.

What role does senior management play in NIS2?

With the NIS2 Directive, responsibility for cybersecurity is shifting more toward senior management. Companies must ensure that security measures are implemented, risks are assessed, and compliance requirements are met. Senior management bears overall responsibility for risk management and compliance with legal requirements. It must establish appropriate structures, monitor processes, and ensure that security requirements are also taken into account when working with service providers. As a result, cybersecurity is no longer viewed exclusively as an IT issue, but rather as a core management and governance task.
