The key point: The NIS2 Directive significantly expands the scope of regulated companies and introduces new requirements for cybersecurity governance and risk management systems.
The EU NIS2 Directive requires approximately 30,000 companies in Germany to realign their cybersecurity measures. This particularly affects medium-sized and large enterprises in critical sectors as well as providers of essential digital services.
The European standard NIS2 (Network and Information Systems Security) replaces the previous NIS1 Directive and significantly broadens the scope of application. Companies from critical infrastructure sectors such as energy, water, transport and healthcare are affected, as are medium-sized and large businesses in the financial sector, waste management and the digital sector.
CISOs must prepare for strict requirements: mandatory risk management systems, reporting obligations for cybersecurity incidents within 24 hours, training measures for executives and employees, and business continuity testing will become standard practice going forward. Management liability for cybersecurity compliance will also increase.
Implementation timelines vary depending on company size and sector. Large enterprises must be compliant by early 2025; mid-market businesses have until mid-2025. Smaller companies and micro-enterprises are subject to simplified requirements or are entirely exempt from the Directive.
Source: news.google.com · Published June 15, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.