
NIS2 Compliance: 25,000 to 40,000 Companies Affected in Germany

Bottom line: Germany will see between 25,000 and 40,000 companies fall under the NIS2 Directive, a drastic expansion compared to the previous NIS1 regulations.

The NIS2 Directive will require between 25,000 and 40,000 companies in Germany to meet its cybersecurity requirements. CISOs must prepare for significantly expanded compliance obligations.

The European NIS2 Directive (Network and Information Security Directive 2) significantly expands the circle of regulated companies. According to current estimates, between 25,000 and 40,000 organizations in Germany will fall under the regulations, many times more than the roughly 2,000 critical infrastructure operators previously regulated under NIS1.

The expansion now also brings medium-sized companies into scope across sectors including energy, transportation, water, health, digital infrastructure and public administration. The size thresholds are what pull in so many new organizations: medium-sized enterprises (at least 50 employees or more than 10 million euros in annual turnover or balance sheet total) in the covered sectors are regulated as "important entities", while large organizations with more than 250 employees or annual turnover exceeding 50 million euros in the high-criticality sectors are classified as "essential entities" and face the stricter supervisory regime.

For CISOs, this means binding requirements for incident reporting, information security management systems, and regular audits and penetration tests. The EU deadline for transposition into German law (17 October 2024) has already passed, and compliance obligations are expected to be phased in from 2024 onward. Organizations should compare their current security posture against the detailed technical and organizational requirements of NIS2, starting with whether they exceed the size thresholds in one of the covered sectors at all.


Source: news.google.com · Published June 24, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.