The NIS2 Act is now in force in Germany and applies to a significantly wider range of organisations than the previous 2016 NIS Directive. If your organisation operates in Germany, provides critical services, or supports in-scope entities, you may already be subject to new legal obligations under national law.
What is the NIS2 Act
The NIS2 Act is an EU-wide legislative framework governing the security of network and information systems, replacing and significantly expanding the original 2016 NIS Directive. On 5 December 2025, Germany began implementing NIS2 into national law through the NIS2UmsG, introducing stricter cybersecurity, governance, and incident-reporting obligations and extending the regime to a much broader range of sectors and entities.
By establishing a high level of security for critical systems and promoting cybersecurity compliance, this updated framework is designed to further improve transparency and incident response across the European Union, ultimately increasing resilience.
According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”), approximately 29,500 organisations in Germany are expected to fall within the scope of these new requirements. Germany is also predicted to drive concrete compliance deadlines throughout 2026.
What organisations are in scope?
NIS2 applies to organisations classified as essential or important entities, based on the nature of the services they provide and their organisational size.
- Essential entities generally include organisations with:
  - 250 or more employees, or
  - Annual turnover of €50 million, or
  - Balance sheet total of €43 million
- Important entities generally include organisations with:
  - 50 or more employees, or
  - Annual turnover of €10 million, or
  - Balance sheet total of €10 million
Organisations meeting these thresholds are expected to take a proactive, risk-based approach to cybersecurity and be able to demonstrate compliance with NIS2 requirements. In parallel, NIS2 significantly expands the scope of the original NIS framework. Beyond the essential services previously covered, the updated regime now brings a much wider range of “important” services into scope, capturing many organisations that were not included under the initial framework.
| Essential services | Important services |
| --- | --- |
| Energy | Postal services |
| Transport | Waste management |
| Finance and Public Administration | Chemicals |
| Health | Research |
| Space | Foods |
| Water supply | Manufacturing |
| Digital Infrastructure | Digital Providers |
Key obligations
The NIS2 Act outlines several key obligations that organisations must implement. These obligations include:
- Risk management
NIS2 emphasises the importance of risk management in all aspects of the Act. Reducing cyber exposure is essential to maintaining a consistent baseline of security. Risks can be significantly reduced through established measures such as incident management, risk assessments, stronger supply chain security, enhanced network security, better access controls and the use of encryption. Through such protective measures, organisations can effectively mitigate risks to their data and systems across all aspects of operations.
- Corporate accountability
The framework places accountability at the forefront, requiring corporate management to oversee and approve cybersecurity measures, receive appropriate training and actively address existing cyber risks. NIS2 imposes a heightened level of transparency and responsibility on corporate management, with breaches potentially resulting in personal liability and, in some cases, temporary bans from management positions.
- Reporting obligations
A newly focused obligation is incident reporting. NIS2 imposes strict reporting duties on organisations. Organisations can demonstrate compliance with this obligation by having processes in place that ensure prompt reporting in the event of an incident. In particular, they must submit certain information to a notification portal established by the BSI and the Federal Office for Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe) without undue delay, but no later than 24 hours after becoming aware of the significant security incident. Organisations must then provide a more detailed report 72 hours after the incident and a final report within one month of the incident.
- Business continuity plans
Businesses are also expected to demonstrate business continuity in the event of any data breaches or incidents which may occur. The Act requires organisations to plan for how they will keep normal operations running regardless of unforeseen events. Such plans help businesses mitigate the effects of these incidents, and should include information about system recovery, emergency procedures, and the setting up of a crisis response team.
Penalties and enforcement
The NIS2 Act is Europe’s most comprehensive cybersecurity Act yet, emphasising the importance of close compliance.
Through this Act, national authorities gain supervisory and enforcement powers, including audits, security scans, requests for information, inspections and remediation orders. For essential services, fines can reach up to 10 million euros or 2% of global annual turnover, while important services suffer a slightly lower fine. Supervisory authorities also have the power to temporarily suspend individuals in corporate management positions or impose restrictions on business operations.
Continued compliance is mandatory to avoid any sanctions or fines.
Practical steps to prepare for compliance
As regulatory frameworks such as NIS2 place increasing emphasis on accountability, coordination and demonstrable oversight, the role of the Data Protection Officer (DPO) is becoming more central to organisational compliance strategies. Beyond fulfilling statutory data protection obligations, the DPO provides independent oversight, supports the interpretation of complex regulatory requirements, and helps align legal, technical and operational considerations across the organisation. Given the complexity of the NIS2 Act, it’s vital that organisations adopt governance-led processes that clearly demonstrate compliance and accountability. By leveraging the expertise of a DPO, organisations can ensure they are guided toward compliant practices while maintaining strong data governance.
The NIS2 framework places substantive emphasis on the mitigation of security incidents. Organisations can do this by conducting thorough assessments of existing systems and processes to ensure appropriate security safeguards are in place. When coordinated by a DPO, these assessments not only help identify and remediate security gaps but also provide documented evidence of accountability in line with the framework.
NIS2 also places strong emphasis on preparedness and forward planning to enable prompt and effective response in the event of any incidents. This includes establishing robust incident detection and reporting measures to meet NIS2’s strict notification obligations. Establishing an incident response team is also critical to mitigating the impact of any breach. A DPO-led approach to incident response planning ensures alignment between technical controls, legal obligations and business continuity strategies under the Act.
As with all legislative guidelines, training is non-negotiable. With increased accountability placed on corporate management, a clear understanding of the NIS2 Act and its requirements is a critical step toward compliance. An experienced DPO plays a key role in ensuring employees receive essential, ongoing training, such as cybersecurity awareness programmes, so they can adopt best practices and identify potential security threats.
By engaging a specialist DPO, organisations can readily meet their training obligations, ensuring employees understand new regulatory requirements while consistently upholding data protection and privacy standards across the organisation.
How HewardMills can support NIS2 compliance
As an experienced Data Protection Officer (DPO), HewardMills has the expertise to support organisations in navigating the requirements of the NIS2 framework, helping to ensure compliance with EU standards while also strengthening internal governance and operational resilience.
Given the mandatory obligations now introduced under NIS2, both essential and important entities are required to demonstrate a proactive, risk-based approach to cybersecurity and accountability. HewardMills can support organisations across the full NIS2 lifecycle, from initial risk and readiness assessments through to the development of governance measures, incident response processes, and employee training. This support is delivered by a multidisciplinary team bringing together expertise in cybersecurity, regulations, and data governance. Contact us for NIS2 support today.