At a glance: 30,000 German enterprises must align their IT security governance with EU-wide NIS2 requirements, which standardizes incident reporting, risk management, and supply chain security.
The EU’s NIS2 Directive obligates approximately 30,000 enterprises in Germany to restructure their IT security measures. CISOs must adapt their governance and technical controls to meet tightened compliance requirements.
The Network and Information Security (NIS2) Directive applies directly to so-called “critical infrastructures” and “important entities” in the energy, transport, water, health, digital infrastructure, and public administration sectors, as well as to providers of digital infrastructure and cybersecurity services. In Germany, this affects an estimated 30,000 organizations.
Compliance requirements extend beyond technical measures: they include documentation of the risk management process, regular security assessments, mandatory reporting of security incidents within 24 hours to the national cybersecurity authority, incident response management, and organizational precautions such as training and awareness. Furthermore, enterprises must integrate supply chain risks into their security strategy.
Concretely, for CISOs this means a realignment of security governance, enhanced documentation and audit trails, formalization of incident response processes, and regular reporting to management and supervisory bodies. Implementation deadlines are staggered depending on the size of the enterprise, with initial reporting obligations already beginning in 2024/2025.
Source: news.google.com · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.