NIS2 compliance from a single source: consulting, roadmap, and implementation
At the beginning of 2026, or by the end of Q1 2026 at the latest, the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is set to come into force, enshrining in German law the measures adopted by the European Commission in 2023 to strengthen the cybersecurity of European companies. We have summarized the most important changes for you.
In order to better protect companies in the EU against cyberattacks in the future, the European Commission launched the NIS 2 Directive at the beginning of 2023 as the successor to NIS 1, which has been in force since 2016. The German implementation of the NIS 2 Directive is expected to take place at the beginning of 2026, at the latest in Q1 2026.
For a long time, it was unclear exactly what this implementation would look like: Although most experts assumed that the group of companies affected would be significantly expanded, the measures would be tightened in some areas, and the fines applicable for violations would be significantly increased, many details remained unclear at first.
- What is NIS 2?
  The European Commission's NIS 2 Directive aims to strengthen the cyber resilience of affected companies in the EU. To this end, the group of affected companies has been massively expanded compared to its predecessor, NIS 1, and the requirements for affected companies have been significantly tightened.
- Who is affected by NIS 2?
  According to expert estimates, the requirements will affect around 30,000 medium-sized and large companies in Germany from 18 sectors of the economy (such as utilities, transport, finance, healthcare and ICT). In reality, however, NIS 2 will affect many more companies, as many directly regulated companies will also require their supply chains to implement the measures and requirements.
  The legislator distinguishes between particularly important facilities (over 250 employees or over EUR 50 million turnover and over EUR 43 million balance sheet) and important facilities (over 50 employees or over EUR 10 million turnover and over EUR 10 million balance sheet).
- What exactly does NIS 2 require?
- Will I be notified if I am affected?
  No. Particularly important and important institutions will be obliged to register independently on the online portal of the Federal Office for Information Security (BSI) within three months of the new law coming into force. Don't miss out - you could face heavy fines!
- What do those affected have to do?
  The government draft obliges you to implement systematic cyber risk management based on the relevant European and international standards. To this end, you must meet a series of minimum cyber security requirements and take appropriate and proportionate technical, operational and organizational measures in accordance with the all-hazards approach.
- What are the biggest challenges for newly regulated companies?
  The new three-stage reporting system will be a major hurdle: companies must report significant security incidents to the BSI within 24 hours and confirm, explain and assess them within 72 hours. A final report must then be available no later than one month after the notification. This triad of reporting, notification and the ability to provide information requires companies to have clear and efficient processes, many of which need to be redefined.
- What happens in the event of violations of the NIS 2 requirements?
  Graduated fines are planned for infringements. The upper limits are to be between 100,000 euros and 10 million euros. Alternatively, fines of up to 2 percent of annual global turnover can be imposed on large institutions. And particularly important now in the early stages: a fine of up to 500,000 euros may be imposed for failure to register or for incorrect registration.
Take action now!
Set the course now for seamless NIS 2 compliance - because even if you are not directly affected, your business partners will pass on the relevant requirements and obligations to you! As part of our NIS 2 compliance check, our experts will first help you to identify where you stand in terms of implementation. In the second step, we will also be happy to support you in setting up systematic and sustainable information security management. This will secure the trust of your customers and partners - and allow you to concentrate fully on the success of your company.
Affected! - What now?
Talk to us! Our experts will be happy to answer any questions you may have about NIS 2 compliance and help you to reliably meet all requirements.
Our services for you:
- We derive the specific requirements of NIS 2 for your organization.
- We conduct interviews to find out where you stand with regard to the requirements.
- We work with you to design the necessary measures and support you with our implementation expertise.
- We help you to set up resilient business operations and prepare for emergencies.
NIS 2: From obligation to opportunity
The NIS 2 Directive is much more than a regulatory requirement: it offers companies the opportunity to strategically rethink information security and use it as a competitive advantage. Instead of viewing compliance as a mere burden, organizations should see NIS 2 as an impetus for higher security levels and sustainable resilience.
In his article, Daniel Kammerbauer, Team Lead Governance, Risk & Compliance at Controlware, explains how companies can implement NIS 2 in a practical way and derive real added value from it.
We will be happy to help you!
Would you like more information about our NIS2 services? Do you have specific questions? Would you like a personal consultation?