Bottom line: NIS2 brings thousands of additional companies under cybersecurity compliance obligations; an ISMS structures their implementation through risk-based, continuous information security management.
The revised Federal Office for Information Security Act (BSIG) expands the circle of regulated companies to approximately 30,000 organizations. An Information Security Management System (ISMS) provides the organizational framework to fulfill these requirements systematically and sustainably.
The European Union has significantly tightened cybersecurity requirements for economically and socially relevant organizations through the NIS2 Directive (EU) 2022/2555. With the revision of the BSIG effective December 6, 2025, this directive was transposed into German law. The BSI now serves as the central reporting and supervisory authority.
The scope has expanded considerably: while the original NIS Directive (2016) addressed only a few critical sectors, the BSIG now covers 18 sectors – including public administration, ICT service management (MSPs, cloud providers), postal and courier services, waste management, and food production and processing. The regulation distinguishes between “essential entities” and “important entities” based on industry, company size, and criticality. Approximately 30,000 companies fall directly under the law; additionally, systemic pressure spreads across large parts of the economy through supply chains.
An Information Security Management System (ISMS) is neither a product nor a certificate, but an organizational approach to systematic security management. It captures the organization’s protection requirements, identifies and prioritizes risks, and anchors appropriate security measures. An ISMS is based on a continuous improvement process: the management system and its components are continuously reviewed and adjusted so that they remain effective and aligned with organizational needs rather than working at cross-purposes with them.
The BSIG demands systematic, risk-based information security management – this is precisely what a structured ISMS delivers. It creates transparency over security risks, clarifies responsibilities, and documents compliance demonstrably – a necessary foundation to anchor the new requirements not as an episodic project, but as a lasting organizational process.
Source: www.it-daily.net · Published June 19, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.