NIS2 Directive: 30,000 Companies Obligated to Establish IT Risk Management Systems

The point: 30,000 German companies must establish and operate an IT risk management system by the deadline set by the NIS2 Directive.

The NIS2 Directive obligates around 30,000 companies in Germany to establish systematic IT risk management systems. This requirement applies to operators of critical infrastructures and large companies with significant economic importance.

The European Union’s NIS2 Directive (Network and Information Security) sets binding standards for cybersecurity in critical sectors. The scope of application now covers significantly more organizations than the previous NIS1 regulation. Approximately 30,000 companies in Germany fall under the expanded requirements.

Specifically, these companies must establish and operate a comprehensive IT risk management system. This includes the identification of risks, their assessment, the definition of measures to avoid or reduce risks, as well as regular review and updating of the system. In addition, security incidents must be documented and reported to the competent authorities.

For CISOs and IT security officers, this means that organizational governance, technical controls and process workflows must be realigned or expanded. Implementation must be carried out with professional expertise, as non-compliance leads to substantial fines. Companies should begin documenting their current security posture and defining implementation roadmaps to meet compliance deadlines.

Source: news.google.com · Published 15 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification through Lumi News Pipeline v1.7.1.