NIS2Compass — NIS2-Compliance-Plattform
Use CasesPricing

Weiterführende Seiten

  • Blog
  • FAQ
  • Glossar
  • Use Cases
  • Branchen
  • Preisgestaltung

Offizielle Quellen

  • BSI – Bundesamt für Sicherheit in der Informationstechnik
  • NIS2-Richtlinie (EUR-Lex)
  • NIS2UmsuCG (Bundesgesetzblatt)
NIS2Compass — NIS2-Compliance-Plattform

Ihr Navigator durch die NIS2-Compliance

Rechtliches

  • Datenschutzerklärung
  • Allgemeine Geschäftsbedingungen
  • Cookie-Richtlinie
  • Impressum

Ressourcen

  • Blog
  • Use Cases
  • Branchen
  • Preise
  • FAQ
  • Glossar

Kontakt

Kontakt

kontakt@nis2compass.de

NIS2Compass bietet Informationen und Orientierungshilfen zur NIS2-Compliance. Die Inhalte stellen keine Rechtsberatung im Sinne des Rechtsdienstleistungsgesetzes (RDG) dar und ersetzen keine individuelle rechtliche oder fachliche Beratung.

© Copyright 2026 NIS2Compass. Alle Rechte vorbehalten.

Entwickelt in DeutschlandAllianz für Cyber-Sicherheit — Teilnehmer
Home/Blog/NIS2 Simply Explained: What IT Managers Need to Know
Guide

NIS2 Simply Explained: What IT Managers Need to Know

Authored by NIS2Compass Team, NIS2 Compliance Expert
Last updated:June 25, 20269 min read
NIS2 Directive made accessible: From legal text to a structured implementation plan

NIS2 without legal jargon: what the directive means, who it affects, what obligations apply, and how IT managers can get started.

NIS2 is the EU's new cybersecurity directive that has been in force as German law since December 2025. Around 29,500 companies in Germany must implement mandatory security measures, report incidents, and register with the BSI. This article explains all the core concepts without unnecessary jargon. The NIS2Compass Pre-Check shows in under 5 minutes whether your organization is affected.

What Is NIS2 and Why Does This Law Exist?

NIS2 stands for the second EU Directive on Network and Information Security. It requires organizations in critical sectors to implement mandatory cybersecurity measures. In Germany, the NIS2UmsuCG has been in force as the national implementing law since December 2025, transposing the EU requirements into German law.

An EU Directive sets out the objective, while each EU member state implements the specifics through its own national legislation. This distinguishes a directive from an EU regulation, which applies directly and uniformly across all member states. For Germany, the decisive reference is the NIS2UmsuCG, not the original EU text.

Why Was NIS2 Needed?

The first NIS Directive from 2016 had a critical weakness: it only covered around 4,500 companies in Germany. Given the growing cyber threat landscape, that was not enough. According to Bitkom, German businesses suffered damages of EUR 266.6 billion in 2024 from cyberattacks, sabotage, and data theft.

NIS2 significantly expands the scope: instead of 4,500, around 29,500 companies in Germany now fall under the obligations. Newly added sectors include waste management, food production, postal and courier services, and parts of manufacturing.

The German implementing law, the NIS2UmsuCG, came into force on 6 December 2025, with no transition period. Organizations that are in scope must already be compliant. For a comprehensive overview, see the article NIS2 in Germany: What Companies Need to Know in 2026.

Who Does NIS2 Affect — and Who Is Exempt?

NIS2 applies to organizations in 18 defined sectors with 50 or more employees or EUR 10 million in annual turnover. In Germany, around 29,500 companies are affected, including, for the first time, sectors such as food production, waste management, and digital services.

Which Sectors Fall Under NIS2?

The law distinguishes between two groups. The 11 essential sectors cover areas of particularly high societal importance: energy, transport, healthcare, drinking water, and digital infrastructure. The 7 important sectors are newly added: food production, waste management, postal and courier services, chemicals, and research. For IT managers in manufacturing companies, this often comes as a surprise.

Is the 50-Employee Threshold Absolute?

The general rule is: 50 or more employees OR at least EUR 10 million in annual turnover is enough to bring an organization into scope. Both criteria are assessed alternatively, not cumulatively. There are, however, exceptions at the lower end: sole regional providers or operators of critical DNS services may fall under the rules even below these thresholds.

What Is the Difference Between Essential and Important Entities?

The NIS2UmsuCG defines two entity classes. Essential entities (BWE) are subject to stricter supervision: the BSI can conduct audits without specific cause, and fines can reach up to EUR 10 million. Important entities (WE) are subject to reactive supervision with fines of up to EUR 7 million.

For comparison: under the old KRITIS regime, only around 4,500 companies were regulated. Today that figure is approximately 550% higher, because NIS2 significantly lowered the thresholds and brought new industries into scope.

Whether your organization is affected can be systematically assessed. The article Am I Affected by NIS2? How to Find Out walks through the criteria step by step. The NIS2Compass Pre-Check assesses your exposure in under 5 minutes.

What Obligations Do Affected Organizations Face?

The NIS2UmsuCG requires ten categories of risk management measures, a three-tier incident reporting obligation, and registration with the BSI. Executive leadership is personally liable for implementation under §38 BSIG (the law governing the Federal Office for Information Security).

What Does §30 BSIG Specifically Require from Your Organization?

§30 BSIG establishes ten categories of measures that affected organizations must implement:

  • Risk analysis: Systematically identify threats to your IT systems and assess them by likelihood and potential impact.
  • Incident handling: Define clear processes for emergencies so your team knows who does what and when during an attack.
  • Backup and business continuity: Regularly back up data and create a contingency plan that keeps operations running even in the event of a failure.
  • Supply chain security: Set security requirements for external service providers and suppliers and verify compliance.
  • Security in procurement and development: Purchase and operate IT systems and software only with defined security requirements.
  • Effectiveness testing: Regularly test implemented measures and adjust them as needed.
  • Cyber hygiene and training: Raise employee awareness of cyber threats and actively involve executive leadership in NIS2 training.
  • Cryptography: Use encryption wherever sensitive data is transmitted or stored.
  • Personnel security and access control: Clearly define who is authorized to access which systems and data.
  • Multi-factor authentication: Protect critical systems with a second authentication factor.

What Deadlines Apply to Security Incident Reporting?

When a significant security incident occurs, a three-tier reporting obligation to the BSI applies. Within 24 hours, an early warning must be submitted. Within at most 72 hours, an initial report with first findings must follow. Affected organizations must submit a full final report within 30 days.

In addition, all affected organizations are required to register with the BSI. The registration deadline expired on 6 March 2026.

Who Bears Personal Responsibility for Implementation?

§38 BSIG makes executive leadership personally liable. Managing directors and board members cannot delegate responsibility to the IT department. The law explicitly requires them to participate in NIS2 training and to actively take ownership of implementation.

The implementation status in practice is sobering: according to a study by G DATA, only 12.1% of affected organizations have fully implemented NIS2. For IT managers just getting started, the article Implementing NIS2: A Step-by-Step Path to Compliance provides a structured introduction.

What Penalties Apply for Non-Compliance?

Violations of the NIS2UmsuCG can result in fines of up to EUR 10 million or 2% of global annual turnover. The BSI as the supervisory authority can conduct audits and issue binding instructions. Executive leadership is also personally liable.

The NIS2UmsuCG differentiates the fine framework by entity class:

  • Essential entities (BWE): up to EUR 10 million or 2% of global annual turnover, whichever is higher
  • Important entities (WE): up to EUR 7 million or 1.4% of global annual turnover

The BSI has extensive powers. It may order audits, demand evidence, and issue binding instructions. Organizations must be able to demonstrate compliance with their obligations upon request.

Personal liability of executive leadership is a frequently underestimated aspect. §38 BSIG requires managing directors and board members to actively monitor and approve cybersecurity measures. Those who neglect this duty may face personal liability.

Important to note: this is not an all-or-nothing system. Demonstrable implementation efforts and documented progress are taken into account when assessments are made. At the deadline of 06.03.2026, the BSI registration rate stood at only 38.5% of affected organizations.

"Organizations that systematically document their implementation efforts are in a significantly stronger position during a BSI audit than those that have not started at all," explains Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass.

For a detailed overview of the full fine framework, see the article NIS2 Fines: What Penalties Apply for Non-Compliance?.

How Does NIS2 Differ from ISO 27001 and BSI IT-Grundschutz?

ISO 27001 and BSI IT-Grundschutz are voluntary frameworks for information security. NIS2 is binding law with reporting obligations, registration requirements, and fines. An existing ISO 27001 certification covers approximately 70% of NIS2 requirements, but does not replace compliance.

Law vs. Framework: What Is the Difference?

ISO 27001 and BSI IT-Grundschutz are voluntary standards. No law requires organizations to obtain certification, and there is no authority to penalize non-compliance. The NIS2UmsuCG, by contrast, is applicable German law. The BSI can impose fines, demand evidence, and issue instructions.

Organizations that are already ISO 27001 certified have a significant head start. The framework covers many NIS2-relevant areas: risk management, documentation, access control, and the continuous improvement of security measures. According to the BSI webinar #nis2know (April 2026), ISO 27001 alone is still not sufficient for full NIS2 compliance.

What Do Existing Certifications Not Cover?

Three obligations under the NIS2UmsuCG cannot be replaced by any framework:

  • BSI registration: Affected entities must register with the BSI. This is a statutory reporting obligation, independent of any existing security standards.
  • Incident reporting obligation: Significant security incidents must be reported within 24 hours, followed by a detailed report within 72 hours, and closed out within 30 days.
  • Management training obligation: §38 BSIG requires executive leadership to regularly participate in cybersecurity training. ISO 27001 has no comparable requirement.

An ISO 27001 certification is not a free pass for NIS2. It is a valuable starting point that significantly reduces the effort involved. However, the NIS2-specific obligations must be met separately. Read a detailed comparison in the article NIS2 vs. ISO 27001: What Is the Difference?.

How Do You Get Started with NIS2 Implementation as an IT Manager?

The starting point comes down to three steps: assess whether you are in scope, involve executive leadership, and conduct an initial gap analysis. The NIS2Compass Implementation Guide walks you through the entire implementation process across 8 chapters and over 120 steps.

Which Five Steps Are Critical at the Start?

Step 1: Clarify whether you are in scope. First check whether your organization falls under NIS2. The relevant criteria are sector, headcount, and annual turnover. The NIS2Compass Pre-Check identifies your individual compliance gaps based on ISO 27001 and BSI IT-Grundschutz.

Step 2: Involve executive leadership. §38 BSIG requires the active participation of management — not just a signature. Prepare a concise briefing document that clearly outlines obligations and consequences.

Step 3: Assess the current state. A gap analysis shows which of the ten measure categories under §30 BSIG are already covered and where concrete gaps exist. Without this overview, you are working without direction.

Step 4: Create an implementation plan. Prioritize by risk, not by effort. Critical gaps — such as missing incident response processes or unsecured access controls — take precedence over administrative documentation obligations.

Step 5: Document as you go. The BSI expects evidence that measures have been implemented. Organizations that try to document everything retroactively lose valuable time.

Do You Need External Consultants?

Not necessarily. The NIS2Compass Implementation Guide walks you through all obligations under §30 BSIG across 8 chapters — from risk analysis to supply chain security. The NIS2Compass Template Library provides ready-made documents for policies, risk analyses, and reporting processes that you can adapt directly to your organization.

For a concrete look at what a structured start looks like, see the article Getting Started with NIS2: How to Begin Quickly and Correctly.

Frequently Asked Questions About NIS2

Does NIS2 apply to companies with fewer than 50 employees?

In exceptional cases, yes. Organizations acting as sole regional providers or belonging to critical infrastructure may be in scope regardless of size. The standard threshold is 50 employees or EUR 10 million in annual turnover. The NIS2Compass Pre-Check can determine whether your organization is affected.

Is NIS2 already in force?

Yes. The NIS2 implementing law (NIS2UmsuCG) has been in force since 6 December 2025, with no transition periods. The BSI registration deadline expired on 6 March 2026. Organizations that have not yet registered should complete registration via the BSI portal without delay.

Is an ISO 27001 certification sufficient for NIS2 compliance?

No, ISO 27001 alone is not enough. The standard covers the majority of the technical requirements, but NIS2-specific obligations are missing: BSI registration, the 24-hour initial reporting obligation for security incidents, and the legally mandated training obligation for executive leadership. See the article NIS2 vs. ISO 27001: What Is the Difference? for details.

Who is personally liable for NIS2 violations?

Executive leadership is personally liable under §38 BSIG. They must actively monitor security measures and demonstrably participate in NIS2 training. Delegating responsibility to the IT department does not protect against personal liability.

What does NIS2 implementation typically cost?

It depends heavily on your starting position. Organizations with an existing information security management system (ISMS) face significantly less effort. The NIS2Compass Implementation Guide enables a structured self-implementation for EUR 29/month, compared to external consulting fees of EUR 700 to EUR 1,200 per day.

Implement NIS2 step by step

NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.

Get started

Ähnliche Artikel

guide

The KRITIS Umbrella Act and NIS2: What Applies to Whom?

Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.

7 Min. Lesezeit

guide

NIS2 ISO 27001 Mapping: Excel Checklist Download

ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.

6 Min. Lesezeit

guide

NIS2 BSI Registration: Missed the Deadline — What Now?

The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.

9 Min. Lesezeit

Back to Blog