Understanding and implementing NIS2
The European Union's NIS2 directive marks a turning point in cybersecurity regulation. What previously only affected large corporations and critical infrastructure operators now reaches the broad mid-market. If you run a company with more than 50 employees or annual revenue exceeding 10 million euros and operate in one of the 18 regulated sectors, there is a good chance that NIS2 applies to you as well. This topic page brings together all our expert articles on the NIS2 directive and provides you with a structured entry point into the subject.
Why NIS2 affects mid-market companies
The original NIS directive from 2016 covered only a few hundred companies in Germany. NIS2 dramatically expands the scope: estimates suggest between 25,000 and 40,000 affected organizations in Germany alone. The directive distinguishes between "essential" and "important" entities, both of which must meet extensive cybersecurity obligations. The sectors range from energy and transport to health and digital infrastructure, all the way to food production, waste management and research institutions.
Particularly relevant for mid-market companies is the so-called size-cap rule: companies with 50 or more employees or annual revenue exceeding 10 million euros automatically fall within scope, provided they operate in a regulated sector. However, smaller companies can also be affected if they are classified as critical to the supply chain or fulfill certain special functions.
Key obligations at a glance
NIS2 requires affected companies to implement systematic risk management for their network and information systems. In practical terms, this means you need documented risk analysis processes, technical and organizational security measures, a functioning incident management system, and regular reviews of your security posture. The directive also demands clear accountability at management level — corporate leadership can be held personally liable if they neglect their supervisory duties.
The reporting obligations are a particularly time-critical topic: in the event of a significant security incident, you must submit an initial report to the BSI (Germany's Federal Office for Information Security) within 24 hours. A detailed report follows within 72 hours, and a final report is due within one month at the latest. These deadlines require well-rehearsed processes and predefined responsibilities, because in an emergency there is no time to figure out who needs to do what.
NIS2 and existing standards
If you already operate an ISMS based on ISO 27001 or follow the BSI IT-Grundschutz framework, you are in a good position. Many NIS2 requirements overlap with the controls of these established standards. However, NIS2 goes beyond existing frameworks in several areas, particularly regarding reporting obligations, supply chain security and personal liability of corporate leadership. It is therefore worthwhile to conduct a gap analysis and specifically address the areas where NIS2 imposes additional requirements.
The path to compliance
Implementing NIS2 requirements is not a sprint but a structured project. Start with the applicability analysis: does your company fall under NIS2 at all? If so, as an essential or important entity? This is followed by an assessment of your current security measures, identification of gaps and creation of a roadmap for step-by-step implementation. Our article collection guides you through this entire process — from initial classification through sector-specific requirements to concrete checklists and budget planning.
Particularly helpful for practical implementation are our sector-specific articles. Whether you work in manufacturing, logistics, healthcare or energy supply: every sector has its own characteristics and challenges in NIS2 implementation. The articles show you which measures are particularly relevant in your industry and where you can achieve the greatest security gains with a limited budget.