On 13 November 2025, the German Bundestag adopted the NIS2 Implementation Act. The new rules will have a significant impact on the IT security requirements of German organisations.
What is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) builds on the first NIS Directive from 2016. It sets out comprehensive cybersecurity requirements for organisations across the EU and defines sanctions for non-compliance.
Its aim is to protect essential entities in EU Member States from cyberattacks and ensure a consistent level of protection across Europe.
When does NIS2 apply?
Before the new rules take effect, the German Bundesrat must approve the law and it must be published in the Federal Law Gazette. The exact date will be set in the law, but it is expected to enter into force at the end of 2025 or early 2026.
From that point onwards, the NIS2 requirements will be binding for affected German organisations. As things stand, there are no transition periods. Companies should use the remaining time to prepare.
Who is affected by NIS2?
As a rule, an EU organisation falls under NIS2 if it operates in one of the sectors listed in Annex I or Annex II of the Directive and is at least a medium-sized enterprise under the size-cap rule. Some entities are covered regardless of size (for example DNS service providers, TLD name registries and qualified trust service providers), so sector alone is not a reliable test.
Medium-sized companies have 50 to 249 employees and either EUR 10–50 million in annual turnover or an annual balance sheet total of EUR 10–43 million.
Large companies have 250 or more employees, or exceed EUR 50 million in annual turnover and EUR 43 million in annual balance sheet total.
NIS2 covers far more sectors than the previous NIS Directive. Entities in these sectors are classified as either essential or important, and the classification determines the level of supervision and the maximum fines.
In total, around 29,500 German companies will fall under the new rules — far more than before.
What do companies need to do?
Affected organisations must implement effective measures for information security, risk management and business continuity. These include, among other things:
- Introduction of state-of-the-art technical and organisational measures (e.g. encryption, multi-factor authentication, emergency management)
- Mandatory maintenance and restoration of operations in the event of an emergency (backup, crisis and supply chain management)
- Comprehensive reporting and information obligations in the event of relevant security incidents
- Stronger obligations for management, including monitoring, approval and training obligations
Streamlined and tightened security and reporting requirements
NIS2 contains clearer rules for incident reporting, including the reporting steps, their content and their timelines.
Organisations must report a significant security incident to the Federal Office for Information Security (BSI) in stages: an early warning within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a final report no later than one month after the notification. The 24-hour early warning is the deadline that most organisations find hardest to meet, so the detection and escalation path to the reporting team should be defined and rehearsed in advance.
Potential consequences of non-compliance
NIS2 defines clear sanctions.
Regarding fines, the NIS2 Directive distinguishes between essential and important entities.
Essential entities
- Fines up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher
Important entities
- Fines up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher
To move cybersecurity responsibility from IT teams to the top of the organisation, NIS2 introduces personal accountability for senior management. Management bodies must approve the cybersecurity risk management measures, oversee their implementation and attend training, and they can be held liable if the organisation breaches these obligations.
How Damovo supports your NIS2 implementation
NIS2 Gap Analysis
Our NIS2 Gap Analysis provides a comprehensive assessment of your current cybersecurity posture against the specific requirements of the NIS2 Directive. We review your security policies, technical controls and processes. We then highlight the gaps and deviations between your current status and the NIS2 obligations.
The analysis covers all critical areas, including risk management frameworks, incident response capabilities, access controls, encryption standards, business continuity planning, and third-party security assessments.
It includes interviews with key stakeholders, documentation review and a technical evaluation. You receive a detailed overview of all identified gaps, categorised by severity and impact. This also includes clear recommendations and actions to help you close these gaps in a structured way.
NIS2 Risk Assessment
Our NIS2 Risk Assessment provides a rigorous, asset-based evaluation of potential cyber threats and vulnerabilities that could impact your organisation’s ability to maintain NIS2 compliance. We map your critical business assets, identify associated threats and vulnerabilities and calculate the risk exposure according to the NIS2 requirements. The assessment covers all organisational domains, including information systems, data flow, infrastructure dependencies, third-party integrations and human factors.
This creates a clear picture of your overall risk environment. Based on this, we determine which risks require immediate remediation, which can be mitigated through specific controls, and which may be appropriately accepted within your organisation’s risk tolerance.
The resulting risk register provides a prioritised roadmap for resource allocation and control implementation. This helps you direct your cybersecurity investments to the risks with the greatest impact while meeting your NIS2 obligations.
NIS2 Implementation Roadmap
The NIS2 Implementation Roadmap transforms compliance requirements into a realistic, phased execution plan tailored to your organisation’s size, complexity, and risk profile.
Based on the gap analysis and risk assessment, we develop a clear strategy with defined milestones, resource requirements, dependencies, and timelines.
The roadmap integrates both technical measures (such as authentication systems, encryption, monitoring, and incident detection) and organisational measures (including governance structures, policy development, training programmes, and awareness initiatives) into a cohesive implementation sequence.
Each phase includes defined objectives, success criteria, stakeholder responsibilities, and measurable deliverables. This allows your teams to work through the programme step by step without disrupting operations.
The roadmap remains flexible and evolves as your organisation progresses, with regular reviews and adjustments ensuring alignment with enforcement timelines, emerging threats, and changes to NIS2 requirements or your business environment.
Ongoing NIS2 vCISO Services
With Damovo’s vCISO service, you gain executive-level cybersecurity leadership and operational expertise delivered by experienced Chief Information Security Officers working remotely with your organisation.
This continuous engagement model ensures sustained compliance with NIS2 requirements whilst building your organisation’s long-term cybersecurity maturity and resilience.
The vCISO serves as a trusted advisor to your board and senior management, overseeing risk management governance, approving cybersecurity policies and strategies, and ensuring that regulatory obligations are met on an ongoing basis.
Services include proactive monitoring of your compliance posture, incident response coordination, third-party risk oversight, stakeholder communication with regulatory authorities, and regular board reporting translated into business risk language.
The vCISO ensures you remain compliant between audits, respond quickly to new threats and adapt safely to regulatory changes. This makes NIS2 a foundation for operational stability and stakeholder trust.
Conclusion
Implementing the NIS2 Directive is not only a compliance task. It is essential for strengthening your organisation’s cyber resilience.
The threat level from cybercriminals, state-sponsored APT groups and ransomware operators is higher than ever. Legislators describe the new rules as a necessary and clear response, intended to raise the baseline of security and resilience across all covered sectors.
IT leaders should use this as an opportunity to enforce long-overdue security measures. Organisations that start early reduce the risk of penalties and strengthen their protection against damaging incidents.