NIS2 Update – BSI Position Paper

The NIS2 Directive (EU) 2022/2555 is the central EU law for cybersecurity and replaces the previous NIS Directive from 2016. It sets binding standards on how companies and public institutions must protect their IT systems, assess risks, and report security incidents. The goal is to significantly enhance digital resilience in Europe, ensuring that critical infrastructures, digital services, and supply chains remain functional even during crises.

With the new NIS2UmsuCG, the regulations are now legally binding in Germany. The BSI receives additional supervisory and enforcement powers to monitor companies and sanction violations. The directive applies to “essential” and “important” entities — including energy, healthcare, transport, digital services, cloud providers, postal services, finance, waste management, public administration, and other sectors.

Cybersecurity is no longer a technical obligation, it is now a legally anchored leadership and management responsibility.
With the NIS2UmsuCG now in force, minimum standards, reporting obligations, technical requirements, and supervisory powers are established.
Prior to adoption, the BSI emphasized in its position paper how crucial a strong law is for national resilience. Many of these demands were included in the final legislation.

Companies must now:

• systematically assess risks
• report incidents on time
• prove governance structures
• document technical and organizational measures
• review their supply chains more thoroughly

The transition period is short, which means implementation is mandatory, not preparation.

a) Scope & Classification

Check whether your company qualifies as “essential” or “important” under the new law - based on sector, size, interconnectedness, and market role. Suppliers, IT service providers, and EU subsidiaries may also fall under the scope.

b) Reporting & Documentation Obligations

The law defines fixed deadlines:

• 24 h: Early Warning
• 72 h: Incident Report
• 30 days: Final Report

Companies must document all security measures, audit logs, risk analyses, and incident processes comprehensively.

c) Governance & Responsibility

Executive management and supervisory bodies bear direct liability for cybersecurity.
Their obligations include:

• security strategy
• training
• risk assessments
• regular reviews
• establishing clear roles and escalation paths
   

d) Technical Requirements & Supply Chain

Mandatory measures are aligned with ISO 27001 and BSI IT Baseline Protection:

• monitoring & detection
• network segmentation
• backup & recovery
• patch management
• supplier assessment and due diligence

The following points originate from the BSI position paper (10 October 2025). Some made it into the law, others serve as expert guidance:

• “CISO Bund” – a central security role for the federal administration
• Extended technical powers for resilience scans, C2 tracking, and warnings
• Improved botnet and phishing defense
• Stronger BSI role in the energy sector
• Legal certainty for SMEs (clear definition of thresholds)
• Expansion of cyber sensor networks & data infrastructure
• Legally anchored CVD processes – protection for security research
• National resilience program “CyberGovSecure”

These recommendations are not fully implemented in law but offer valuable guidance for a robust security strategy.

• Unclear responsibilities
• Missing or incorrect scope analysis
• Insufficient readiness for 24/7 reporting obligations
• Gaps in supply-chain documentation
• One-time instead of continuous security measures
• Missing management training despite liability

NIS2 requires ongoing evaluation, documentation, and improvement of the security posture.
With heyData, you can:

• Audit
• Personal consulting
• Employee training
• Vendor risk management
• Complete documentation

This enables compliance without overhead and keeps it continuously up to date.

With NIS2, a new phase of regulated IT security begins in Europe. Additional regulations such as the EU AI Act, CSRD, or the revised Swiss Data Protection Act (revDSG) follow the same pattern: automated, integrated compliance becomes the standard.

Those who invest in cybersecurity and governance now strengthen long-term resilience and competitiveness.

The NIS2 Directive makes cybersecurity a binding management obligation. The new German law sets clear standards, binding reporting deadlines, and comprehensive requirements for governance, technology, and documentation. With digital and automated solutions like heyData, organizations can reduce effort while significantly improving auditability for authorities, partners, and customers.

What is the NIS2 Directive?

A harmonized EU-wide legal framework for cybersecurity, reporting obligations, and state supervision.

When does it enter into force?

Germany adopted the NIS2UmsuCG on 13 November 2025. The law enters into force upon publication in the Federal Law Gazette.

Who is affected?

Companies from 18 defined sectors with at least 50 employees or €10 million in revenue fall under NIS2. (A more detailed classification could be helpful in this FAQ.)

What are the main obligations?

Scope analysis, governance, incident management, technical controls, documentation, supply-chain controls.

What sanctions apply?

Fines of up to €10 million or 2% of global annual turnover.

How can heyData help?

Through centralized compliance automation, real-time monitoring, audit documentation, and integrated training.