In a nutshell: The NIS2 Directive requires approximately 30,000 German businesses to implement uniform IT security standards and establishes binding notification requirements for security incidents.
The NIS2 Directive (Network and Information Security 2) creates uniform IT security obligations for operators of critical infrastructure and other sectors across the EU. In Germany, approximately 30,000 companies are affected and must meet new compliance requirements.
The NIS2 Directive is a revision of the previous NIS Directive from 2016 and significantly expands the circle of affected organisations. The requirements no longer apply only to operators of critical infrastructure such as energy, transport or health, but also to information and communications technology companies, digital service providers and other sectors such as waste management or drinking water supply.
The Directive obliges affected businesses to implement documented security measures, incident reporting and regular security assessments. Companies must bring their systems and processes up to the current state of the art and manage risks systematically. It also establishes notification requirements for security incidents: operators must inform national authorities and, under certain circumstances, end-users as well.
For compliance managers, in concrete terms, this means: an inventory of IT infrastructure is required, a risk assessment must be carried out and security measures must be documented. The implementation deadlines vary depending on business size and sector. Smaller companies have, in some cases, longer transition periods.
Source: news.google.com · Published 5 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.