Key takeaway: NIS2 makes ISMS mandatory for companies with 50 or more employees in additional sectors from 2026 onwards, shifting responsibility to management.
The NIS2 Directive will require companies with 50 or more employees in additional sectors to implement structured IT security processes from 2026 onwards – responsibility will henceforth rest with senior management. An Information Security Management System (ISMS) provides the necessary organizational foundation both to meet regulatory requirements and to anchor a security culture sustainably within the organization.
With the NIS2 Directive entering into force in 2023, the EU has tightened its requirements for cyber resilience. The regulation includes additional sectors such as chemicals, industry, public administration, and postal and courier services for the first time, and is expected to apply in Germany from early 2026 onwards. For companies with at least 50 employees from these sectors, this represents a compliance obligation.
In contrast to previous approaches, management is being held more accountable: they must establish appropriate organizational structures, provide adequate personnel and financial resources, and establish continuous controls. This shifts responsibility from the IT department to senior management and simultaneously increases liability for non-compliance. It is not sufficient to implement IT security measures arbitrarily – documented and demonstrably structured processes are required.
An ISMS provides the necessary framework for this: it combines organizational, personnel and technical measures – from access management to emergency plans to regular risk assessments – in a continuous improvement process. When properly implemented, an ISMS also delivers operational benefits – it clarifies responsibilities, documents processes clearly and makes risks visible.
Mid-sized and smaller companies in particular often lack the resources and guidance needed for implementation. Acceptance depends critically on employees understanding the security benefit rather than perceiving only compliance requirements. A lived ISMS fosters this security culture when it places people at the centre and is not regarded primarily as an administrative project.
Source: www.it-daily.net · Published 2 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.