NIS2 Directive: Architecture Firms Now Subject to New Cybersecurity Obligations

In brief: Architecture firms must immediately implement NIS2-compliant cybersecurity measures, document them, and report security incidents.

The NIS2 Act now requires architecture firms to establish documented cybersecurity measures and imposes reporting obligations for security incidents. The regulation applies to enterprises in critical infrastructure sectors as well as certain digital service providers.

The national implementation of the NIS2 Directive (Network and Information Security Directive 2) has entered into force. Architecture firms, depending on company size and activities, are among the affected organizations and must therefore implement structured cybersecurity measures.

Concrete requirements include the documentation of information security policies, the conduct of risk analyses, the implementation of access controls and encryption, regular security testing, and employee training. Enterprises must demonstrate that they have implemented appropriate technical and organizational measures to protect systems and data.

For compliance officers, this means that the new regulation creates binding documentation and evidence obligations. In addition, significant cyberattacks must be reported to the competent authorities and to affected customers. Violations can be penalized with fines in the six-figure range.

Enterprises should immediately review whether they fall under the NIS2 definition as an “essential entity” or as a critical service provider. Following this, a stocktake of existing measures is required in order to identify gaps and close them systematically. Compliance should be documented and reviewed regularly.


Source: news.google.com · Published 31 May 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.