White paper on the NIS2 Act

NIS2: Who Is Affected?

Key takeaways at a glance
- Massive expansion: NIS2 extends regulation from a few thousand KRITIS operators to an estimated 30,000 companies in the German mid-market.
- Low thresholds: From 50 employees, or €10 million in annual turnover or balance sheet total, the requirements apply in many sectors.
- Management liability: Executives are personally responsible for approving and overseeing implementation, and are under a statutory obligation to attend cybersecurity training.
- Strict reporting deadlines: An early warning must reach the BSI within 24 hours of becoming aware of a significant incident.
- Supply chain effect: Even small companies with no direct obligations will face NIS2-derived requirements through contracts if they supply regulated customers.
- Severe sanctions: Fines of up to €10 million or 2% of global annual turnover, in the same order of magnitude as the GDPR.
Introduction
Europe’s cybersecurity landscape is facing its most significant transformation since the introduction of the GDPR. With the NIS2 Directive (Security of Network and Information Systems), the EU is responding to the growing professionalization of cybercrime and increasing threats from state-sponsored actors.
What many companies still underestimate: NIS2 is not just an IT issue. It is a regulatory requirement that deeply affects management processes and entails existential financial risks and personal liability if ignored.
The paradigm shift: From KRITIS to the mainstream
Until now, regulation under NIS1 in Germany primarily focused on large, traditional KRITIS operators such as power plants, major water suppliers, or national rail infrastructure. NIS2 fundamentally changes this approach.
Why the expansion?
Modern economies are deeply interconnected. An attack on a mid-sized supplier can shut down entire production lines at DAX-listed corporations. The EU therefore follows the concept of “collective resilience”. If every organization above a certain size guarantees a minimum level of security, the overall risk to the economy is reduced.
The impact matrix: Who is really involved?
Here are the sectors and thresholds in detail:
Size categories according to the EU definition
Classification is based on Recommendation 2003/361/EC. An enterprise stays in a size category as long as it respects the headcount ceiling and at least one of the two financial ceilings; it moves up a category when it exceeds the headcount ceiling or both financial ceilings:
- Small companies (as a rule not in scope): fewer than 50 employees and an annual turnover or balance sheet total of no more than €10 million.
- Medium-sized companies: fewer than 250 employees and an annual turnover of up to €50 million or a balance sheet total of up to €43 million, above the small-company ceilings.
- Large companies: 250 or more employees, or both an annual turnover above €50 million and a balance sheet total above €43 million.
Sector logic: “essential” vs. “important”
Annex I and Annex II of the directive list the sectors. Together with company size, they determine whether an entity is “essential” or “important”, and thus how strict supervision by the BSI will be. As a rule, a large company in an Annex I sector is an essential entity, while a medium-sized company in an Annex I sector, or any in-scope company in an Annex II sector, is an important entity. A few types, such as DNS service providers and qualified trust service providers, are essential regardless of size.
Annex I: Sectors of high criticality (essential entities)
These companies are subject to ex-ante supervision. This means the BSI can proactively check at any time whether measures have been implemented.
- Energy: electricity, district heating, oil, gas, and hydrogen
- Transport: aviation, rail, maritime, and road transport
- Banking and finance: credit institutions and trading venues
- Health: hospitals, laboratories, research, and pharmaceutical manufacturing
- Drinking water and wastewater
- Digital infrastructure: DNS services, cloud providers, data centers, trust services, and public electronic communications networks
- ICT service management (business-to-business): managed service providers and managed security service providers
- Public administration & space
Annex II: Other critical sectors (important entities)
Here, ex-post supervision applies. The BSI typically becomes active only after an incident or when there are concrete indications of deficiencies. Nevertheless, the security requirements of Article 21 are the same; the differences lie in the supervisory regime and in the fine levels.
- Postal and courier services
- Waste management
- Chemicals: manufacture, production, and trade in chemicals
- Food: production, processing, and distribution (wholesale)
- Manufacturing: particularly relevant for mechanical engineering and the automotive industry. Manufacturers of medical devices, computers, optical products, electrical equipment, machinery, or motor vehicles are included.
- Digital services: online marketplaces, search engines, and social networks
- Research
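The two rules above, the size classes of Recommendation 2003/361/EC and the essential/important split by annex, are easy to get wrong in a scoping checklist, in particular the “and/or” treatment of turnover and balance sheet. The following Python script is an added example and not code from the white paper or from any authority. The class and function names, the sample companies and the euro figures are constructed for illustration; the script models only the main rule of Article 3 and deliberately leaves out the size-independent exceptions (for example DNS service providers, which are essential regardless of size), so treat its output as a first screen, not a legal determination.

```python
"""NIS2 scoping screen (added example, not part of the white paper).

Encodes:
  * size classes per Recommendation 2003/361/EC (headcount, turnover,
    balance sheet total), using group-wide figures as the group
    principle requires;
  * the essential/important split of Article 3 of the directive:
    large entities in an Annex I sector are essential, all other
    in-scope Annex I/II entities are important, small entities are
    out of scope.
Size-independent exceptions (DNS service providers, qualified trust
service providers, ...) are NOT modelled. Assumption: money figures
are in millions of euro.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Size(Enum):
    SMALL = "small"    # below the NIS2 thresholds (includes micro enterprises)
    MEDIUM = "medium"
    LARGE = "large"


# Ceilings from Recommendation 2003/361/EC: (headcount, turnover M€, balance sheet M€)
LARGE_CEILING = (250, 50.0, 43.0)
MEDIUM_CEILING = (50, 10.0, 10.0)


def size_class(employees: int, turnover_meur: float, balance_meur: float) -> Size:
    """Size category following the recommendation's 'and/or' rule.

    An enterprise leaves a category when it reaches the headcount ceiling
    OR exceeds BOTH financial ceilings; staying under one of the two
    financial ceilings is enough to remain in the lower category.
    """
    def exceeds(ceiling):
        head, turnover, balance = ceiling
        return employees >= head or (turnover_meur > turnover and balance_meur > balance)

    if exceeds(LARGE_CEILING):
        return Size.LARGE
    if exceeds(MEDIUM_CEILING):
        return Size.MEDIUM
    return Size.SMALL


@dataclass(frozen=True)
class Entity:
    name: str
    annex: Optional[int]   # 1 (high criticality), 2 (other critical), None (no NIS2 sector)
    employees: int         # group-wide headcount, not a single site
    turnover_meur: float
    balance_meur: float


def nis2_status(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' (Article 3 main rule only)."""
    size = size_class(e.employees, e.turnover_meur, e.balance_meur)
    if e.annex not in (1, 2) or size is Size.SMALL:
        return "out of scope"
    if e.annex == 1 and size is Size.LARGE:
        return "essential"
    return "important"


# Constructed sample companies (not real data). Note that manufacturing,
# including motor vehicles, is an Annex II sector.
SAMPLE = [
    Entity("stamping supplier", annex=2, employees=40, turnover_meur=8, balance_meur=6),
    Entity("automobile OEM", annex=2, employees=12000, turnover_meur=9000, balance_meur=7000),
    Entity("regional hospital", annex=1, employees=1200, turnover_meur=180, balance_meur=150),
    Entity("medium-sized cloud host", annex=1, employees=90, turnover_meur=20, balance_meur=12),
    Entity("advertising agency", annex=None, employees=600, turnover_meur=120, balance_meur=80),
]


def screen(entities=SAMPLE) -> dict:
    """Map each entity name to (size, status)."""
    return {e.name: (size_class(e.employees, e.turnover_meur, e.balance_meur).value,
                     nis2_status(e)) for e in entities}


if __name__ == "__main__":
    for name, (size, status) in screen().items():
        print(f"{name:26s} {size:7s} -> {status}")
```

Feed the function your consolidated group figures, not those of a single site, and remember that a company with 40 employees but more than €10 million in both turnover and balance sheet total is already medium-sized under the recommendation, even though it stays under the headcount threshold.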
The “hidden” scope: Supply chains and service providers
One of the most overlooked aspects of NIS2 is Article 21(2)(d), which obliges regulated companies to address supply chain security, including the security-related aspects of their relationships with their direct suppliers and service providers.
The practical example: A small stamping company has only 40 employees and generates €8 million in revenue. On its own it falls below the thresholds and is not subject to NIS2. However, it supplies specialized components to a large automobile manufacturer, which as a manufacturer of motor vehicles is an important entity under Annex II. The manufacturer must now ensure, as part of its own risk management, that its suppliers are not “gateways” for attackers.
The result: the supplier is presented with new contract terms that require NIS2-aligned security measures. Without certification or other proof of cybersecurity, it risks losing its major customer. NIS2 thus acts like a vacuum cleaner that pulls in even the smallest companies.
The obligations: What exactly does the law require?
Affected organizations must implement appropriate and proportionate technical, operational and organizational measures that reflect the state of the art. Article 21(2) lists, at a minimum:
- Risk analysis and security concepts: Documented policies and processes for assessing risks and for information system security.
- Incident management: An incident response plan (what to do in an emergency) and the means to detect and handle incidents.
- Business continuity management (BCM): Backup management, disaster recovery, and crisis management to maintain operations.
- Supply chain security: Reviewing the security standards of direct suppliers and service providers.
- Security during acquisition, development, and maintenance: Cybersecurity throughout the entire lifecycle of IT systems, including vulnerability handling and disclosure.
- Effectiveness assessment: Policies and procedures to check whether the risk management measures actually work.
- Basic cyber hygiene and training: Patching, hardening, and regular awareness training for staff.
- Cryptography and encryption: Policies on the use of cryptography, and protection of data at rest and in transit.
- Personnel security and access control: Who is allowed to do what? Access control policies and asset management.
- Multi-factor authentication (MFA): A password alone is no longer enough; MFA or continuous authentication, and secured voice, video, and text communication, where appropriate.
Incident reporting obligations
The response time to cyber attacks is drastically reduced. In the event of a “significant incident,” a staged reporting process to the BSI is triggered:
- Within 24 hours of becoming aware of the incident: An initial “early warning,” stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Within 72 hours of becoming aware: An incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Within one month of the incident notification: A final report covering the causes, the severity and impact, and the mitigation measures taken. The BSI can also request intermediate status reports in the meantime.
Management liability: A wake-up call for executives
This is the lever that elevates NIS2 from a mere IT policy to a boardroom issue.
Approval and monitoring:
Management cannot simply delegate implementation to the IT manager and “forget” about it. It must approve the measures and monitor their implementation.
Personal liability:
The German implementation law stipulates that management is responsible for failures. In cases of gross negligence, managers can be held liable with their private assets. In addition, for essential entities, the authorities can order a temporary ban on exercising management functions if deficiencies are not remedied.
Training obligation:
Managing directors and board members are legally obliged to attend regular cybersecurity training so that they can assess cybersecurity risks. “I didn’t know that was dangerous” will no longer be accepted as an excuse.
Sanctions: When it gets expensive
Penalties are in the GDPR range:
- Essential entities: Up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities: Up to €7 million or 1.4% of global annual turnover, whichever is higher.
What companies should prepare for under NIS2
- Clarity about your own status: First of all, it is important to determine whether a business is classified as “essential” or “important,” as this determines the level of government oversight.
- Comparison with standards: Existing security measures are usually measured against established frameworks such as ISO 27001 in order to identify gaps.
- Resources and budget: Cybersecurity is becoming a fixed budget item, as modern tools for authentication (MFA) and threat detection cost money and require specialist personnel.
- Systematic risk management: A structured process is expected to identify threats at an early stage and not just react passively to attacks.
- Human factor: Since technology alone is not enough, training courses are becoming increasingly important in order to raise awareness among employees of dangers such as phishing.
- Preparation for emergencies: Companies need a clear plan for IT emergencies so that everyone knows what to do in the event of a ransomware attack.
- Security in the supply chain: Responsibility does not end at the factory gate; the security standards of service providers and partners must also be checked.
- Communication with authorities: There are fixed procedures and extremely short deadlines for reporting incidents to the BSI, which must be adhered to in an emergency.
- Technical foundation: Modern protective measures such as multi-factor authentication and a well-thought-out backup strategy (3-2-1 rule: three copies of the data, on two different media, one of them off-site) are required as standard.
- Documentation requirement: For authorities, IT security is only considered to be in place if it is fully documented in writing and verifiable.
Conclusion: No panic, but act fast
NIS2 is a challenge, but also an opportunity. Companies that do their homework now will not only protect themselves from fines and liability, but also strengthen the trust of their customers and partners. In a digital world, resilience is a competitive advantage.
FAQ: Frequently Asked Questions about NIS2
When does my company have to comply with NIS2 requirements?
The EU directive is already in force; member states had to transpose it into national law by 17 October 2024. In Germany, this is done through the NIS2 Implementation Act (NIS2UmsuCG). Although the parliamentary process has been delayed, final adoption is expected in 2024/2025. Important: there are no long transition periods once the law is enacted. Since technical changes often take months, now is the right time to start preparing.
What happens if I do not register my company with the BSI?
The registration requirement is one of the key administrative changes introduced by NIS2. Companies that fail to register on time commit an administrative offense. In such cases, the BSI can already impose fines—even if no IT security incident has occurred.
Do I have to get ISO 27001 certified?
NIS2 does not mandate a specific certification such as ISO 27001. However, it requires measures that reflect the “state of the art.” ISO 27001 certification, or a TISAX assessment in the automotive industry, is a widely accepted way to demonstrate compliance with the requirements to authorities and customers.
Does the employee threshold apply per location or to the entire group?
The group principle applies. If a local site has only 30 employees but belongs to a corporate group that exceeds the relevant thresholds (50 or more employees, or the corresponding turnover or balance sheet total), that site is fully subject to NIS2 obligations.
Are municipal administrations and public enterprises also affected?
Yes. Under NIS2, public administration is subject to significantly stricter obligations. This applies not only to ministries, but often also to municipal enterprises such as utilities or waste management companies, provided they meet the relevant thresholds or provide critical services.
Can I transfer liability to my IT service provider?
No. While operational tasks such as patch management can be delegated to a service provider, responsibility for compliance with the directive always remains with the company’s management. NIS2 explicitly excludes a full transfer of liability through outsourcing.
We are a pure B2B service provider—why does this affect us?
In the B2B environment, supply chain security is crucial. Large companies are required to audit their suppliers. If you cannot provide proof of adequate IT security as a service provider, you are very likely to be excluded from future tenders or contract renewals.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.



