The law was officially passed on November 13, 2025, and is expected to come into force in early 2026.
Managing directors are liable with their private assets in the event of non-compliance with NIS2.
According to latest research, up to 30,000 companies in Germany need to take action.
Date: November 21, 2025
Cybersecurity experts and companies are sending alarms, as the threat of cybercrime is higher than ever before. The figures published by Bitkom e. V. confirm this: the damage caused by cybercrime in Germany amounts to a total of 266.6 billion euros. 72% of this was caused by direct cyber-attacks.
In order to strengthen and improve the protection of important and critical infrastructure against cyberattacks and IT threats, the European Union introduced the NIS 2 Directive in 2023.
This was passed by the German Bundestag on November 13, 2025, and is expected to come into force at the beginning of 2026.
The law will take effect immediately after its promulgation, as companies have had nearly three years to prepare for the NIS 2 Directive. As the official supervisory authority, the Federal Office for Information Security (BSI) expects all measures to be implemented without any further transition periods.
Many companies are in a dilemma: on the one hand, comprehensive and detailed planning is required to meet all requirements – on the other hand, rapid implementation is necessary to avoid horrendous penalties. The key lies in the details: The revised NIS 2 Directive introduces personal liability for managing directors, board members, and executive bodies – in the worst case, penalties of up to 2% of annual turnover may be imposed.
In our blog, we have summarized the most important information about NIS 2 for you and explain why urgent action is needed now.
What is the NIS2 Directive?
NIS2 (short for Network and Information Security Directive) is the revised version of the current EU-wide NIS1 Directive. It is not new legislation but has been “tightened up” to include essential factors. NIS2 expands existing cyber security requirements in order to maximize cyber security in the EU member states.
In summary, the directive states that each EU member state must develop a national cybersecurity strategy, clearly define responsibilities and offices, draw up emergency plans, report security incidents and establish appropriate risk management.
NIS2 aims to make companies affected by the Directive more resilient and thus ensure the protection of European society in its daily life.
Who are covered by the guidelines?
The NIS2 Directive distinguishes between “essential” and “important” entities. The latter are subject to initiative-taking supervision by the authorities, while “essential entities” are subject to reactive supervision. In addition, there are “critical infrastructure operators” and federal administration facilities.
Companies from clearly defined economic sectors with a minimum turnover of 10 million euros and more than 50 employees are subject to NIS2 regulation. According to the Federal Ministry of the Interior and Community, there are almost 30,000 companies in Germany that are required to act and prepare for NIS2 compliance.
“Important entities” are large companies with at least 250 employees and a turnover of more than 50 million euros – “Essential entities” are medium-sized and large companies with at least 50 employees and a turnover of more than 10 million euros from the economic sectors:
Source: NIS2 Directive
Author:
Andreas Gieseke
SVP Technology & Information Managing DirectorShare blog post:
Further links:
The future of your IT: Why a Technology Catalog is the ultimate game changer
In this whitepaper, we’re going to show you just how a Technology Catalog can improve data quality and completeness and fuel the success of all your IT initiatives. You’ll learn:
- How a Technology Catalog makes your data more reliable
- How a Technology Catalog enriches your data to provide strategic insights
- The risks of bad data
What measures do affected companies need to implement?
Affected companies face numerous challenges: Although the NIS Directive defines specifications and requirements, it does not provide any concrete measures. Companies are forced to find solutions on their own in order to implement the requirements of NIS2 accordingly.
For companies with various European locations, it may even be the case in October that national NIS2-compliant laws already exist for some countries, but not for others.
The following obligations are relevant for all affected companies:
- Risk management measures
- Business continuity management
- Notification, registration & information obligations
- Approval, monitoring, and training obligations for managers
- Use of technical measures such as cryptography, encryption, multi-factor authentication
Additional specific requirements apply to “operators of critical systems”.
What happens in the event of non-compliance?
If the companies concerned do not comply with the required measures, they face heavy fines. “Important entities” could face fines and sanctions of up to 10 million euros or two percent of their annual turnover.
In addition, supervisory authorities have the right to monitor or issue instructions and may set deadlines to ensure that measures are implemented accordingly.
Important: The revised NIS2 Directive introduces personal liability for managing directors, board members and executive bodies. The upper limit of liability here is also two percent of annual turnover.
What are the next steps for affected companies?
Companies that are covered by the NIS2 directive must first study the relevant national law and determine steps on how to fulfill the requirements and achieve NIS2 compliance.
- Set up an internal project, define responsibilities and analyze the actual and target situation in your company
- Check which requirements from the NIS2 directive still need to be implemented. Companies that are already ISO 27001-certified cover most of the obligations
- Review your supply chains: NIS2 requires securing the entire supply chain in terms of network and information systems and the physical environment of these systems
- Define reporting processes and create emergency plans to protect your company from disaster in the event of an emergency
- Implement a cyber security solution that protects your company from threats around the clock and ensures secure business operations
IT Visibility & CAASM as the key to NIS2 compliance
The growing number and variety of solutions and digital assets make it much more difficult for a company’s IT and security teams to find the right answers to essential questions:
- Which and how many IT assets are in my IT environment?
- Which IT assets are 24/7 managed?
- Which assets have access to sensitive company data?
- Which assets are currently connected to a network?
- Which security solutions are installed on the IT assets?
- What is the security status of the IT asset?
- Which IT asset has vulnerabilities or security gaps?
The Raynet One platform answers all this and much more with its multi-faceted approach to comprehensive IT Visibility and powerful Cyber Asset Attack Surface Management (CAASM).
While other solutions start with initial security measures and fight their way through blind spots and shadow IT, Raynet One starts with complete IT transparency. This is the only way to create meaningful and reliable insights and to plan, drive and implement the company-wide security strategy.
You can’t protect, what you can’t see!
CAASM goes beyond traditional Vulnerability Management and includes automated Third-Party & Security Patch Management, End-of-Life & End-of-Support Management and intelligent Unified Endpoint Management.
In this way, we enable fast and effective cyber security and support you in achieving a sustainable security strategy and NIS2 compliance.
Let’s talk in person and drive the success of your IT and NIS 2 initiatives together.