White paper on the NIS2 Act

NIS2 Implementation: Your Roadmap to Compliance

Key Facts at a Glance
- Status: Law in force since December 2025; full compliance required immediately.
- Deadline: Mandatory BSI registration by March 6, 2026, at the latest.
- Affected parties: Companies with 50 or more employees or €10 million in revenue in 18 sectors (including mechanical engineering and food).
- Liability: Management is personally liable; mandatory cyber training for managers.
- Reporting obligation: Initial reporting of incidents within 24 hours.
- Penalties: Fines of up to €10 million or 2% of global turnover.
- Supply chain: Strict screening of suppliers is required by law.
The NIS2 Directive is no longer a draft – it is a binding law. Since 6 December 2025, Germany’s NIS2 Implementation Act has been in force, and for around 30,000 companies in Germany, the clock is officially ticking.
At heyData, we follow a simple philosophy: compliance shouldn’t slow you down – it should make your business more secure and resilient. That’s why we developed a structured 5-phase approach that guides you step by step through the NIS2 jungle.
Here’s how we make your company NIS2-ready – together.
Who Needs to Act?
NIS2 moves away from the old “KRITIS or not” logic. Instead, companies are now classified as “important entities” or “essential entities.”
1. Thresholds (Size Factor)
You are generally affected if your company operates in one of the 18 regulated sectors and meets the following criteria:
Important entities
- At least 50 employees, or
- Annual turnover or balance sheet total of more than €10 million
Essential entities
- At least 250 employees, or
- Annual turnover of more than €50 million (with a balance sheet total above €43 million)
2. Sectors (Relevance Factor)
Sectors of high criticality
- Energy
- Transport
- Banking
- Healthcare
- Drinking water and wastewater
- Digital infrastructure
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Chemicals
- Food production
- Manufacturing (e.g. mechanical engineering, automotive)
- Digital providers (marketplaces, search engines)
- Research
Important: Certain providers (e.g. DNS services, trust service providers) are regulated regardless of company size.
The Consequences: Why Ignoring NIS2 Is Not an Option
NIS2 is the “sharp sword” of cybersecurity regulation – with enforcement mechanisms comparable to the GDPR.
- Severe fines: For essential entities, fines can reach €10 million or 2% of global annual turnover; for important entities, up to €7 million or 1.4% of global annual turnover.
- Personal liability for management: Executives can be held personally liable for compliance failures. The law explicitly allows recourse claims by the company against its management.
- Mandatory training: Managing directors must regularly attend cybersecurity training. Lack of knowledge is explicitly not a defense.
- Mandatory registration: Since 6 January 2026, the new BSI registration portal has been live. Failure to register can already result in the first fine.
Why NIS2 Is Not an IT Project – but a Management Responsibility
Before diving into the phases, let’s be clear: NIS2 is not just about firewalls.
It directly affects:
- Executive liability
- Supply chain security
- Business continuity
Ignoring these requirements doesn’t just risk fines – it puts customer trust, partner relationships, and operational stability at stake.
The heyData Approach: Compliance in 5 Phases
Phase 1: Scoping – Where Do We Stand?
We start with the basics. Not every company needs to implement everything.
What we do
- Assess applicability (are you an important or essential entity?)
- Clarify registration obligations
- Bring management on board
Your benefit: A clearly defined scope. No wasted effort on requirements that don’t apply to you.
Phase 2: Risk Assessment – Your Digital Map
We identify what really needs protection.
What we do
- Inventory your assets and systems
- Conduct a structured risk analysis
- Identify vulnerabilities and potential impact scenarios
Your benefit: Full transparency about your risks – and a clear priority list for action.
Phase 3: Control Design – Building Your Shield
Now it gets concrete.
What we do
- Develop policies and governance structures
- Implement technical and organizational controls
- Assess supply chain risks
- Prepare incident response and crisis management processes
Your benefit: A tailored security framework that actually fits your business.
Phase 4: Monitoring – Does It Work in Practice?
Compliance is a marathon, not a sprint.
What we do
- Conduct internal audits
- Track KPIs and effectiveness
- Provide regular management reviews
Your benefit: Continuous proof that you are meeting your obligations – invaluable during audits or investigations.
Phase 5: Handover – You Take Control
We don’t leave you alone – but we make you independent.
What we do
- Structured handover of all documentation
- Training for your domain owners
- Clear role and responsibility definitions
Your benefit: An audit-ready repository and a team that knows exactly what to do.
Conclusion: Relaxed Through the Next Audit
NIS2 may sound like a massive compliance monster — but with the right partner, it’s absolutely manageable.
At heyData, our goal is to make the process efficient, transparent, and business-oriented, so you can focus on what you do best: running your business.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.