NIS2 Directive: 30,000 German Companies Required to Comply

Bottom line: NIS2 affects approximately 30,000 German companies and requires CISOs to implement new governance, risk management systems, and incident reporting obligations.

The EU’s NIS2 Directive obligates approximately 30,000 German enterprises to implement enhanced cybersecurity measures. For CISOs, this means concrete compliance requirements and substantial organizational adjustments.

The NIS2 Directive of the European Union establishes binding cybersecurity standards for operators of critical infrastructure and important services. Approximately 30,000 German companies fall under this regulation — significantly more than under its predecessor directive NIS1. The scope of affected sectors has expanded and now includes service providers from energy, transport, water, health, digital infrastructure, public administration, as well as space and industrial sectors.

NIS2 creates concrete operational requirements for CISOs: The Directive mandates the introduction or strengthening of governance structures, the establishment of risk management systems, documentation of security measures, and proactive incident reporting. Companies must increase board and executive management involvement in cybersecurity matters and regularly report on the status of security measures.

Some compliance requirements are spelled out in detail: NIS2 stipulates, for example, that security incidents with significant impact must be reported to the authorities within 24 hours. Companies must conduct penetration tests, security audits, and regular training, and must assess supply chain risks. Penalties for non-compliance range up to fines of EUR 10 million or 2 percent of global annual turnover.


Source: news.google.com · Published June 6, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.