The Point: Around 30,000 German companies misclassify themselves under NIS2, risking compliance violations and fines.
Approximately 30,000 German companies misjudge their regulatory obligations under the NIS2 Directive and fail to realize that they must be classified as critical or important infrastructure.
The NIS2 Directive (Network and Information Security 2) obligates EU member states to subject operators of critical infrastructure and providers of important services to enhanced security requirements. In Germany, the Directive had to be transposed into national law by January 2025. A current analysis shows that approximately 30,000 companies underestimate or incorrectly classify their own compliance obligation.
For CISOs, this discrepancy poses significant risks: companies that incorrectly believe they are not affected fail to implement the governance, security, and incident response measures required by NIS2. This can lead to fines and liability risks if supervisory authorities discover the actual compliance obligation during an inspection.
CISOs should therefore conduct a detailed review to determine which categories their company falls under according to NIS2. Particularly relevant are sectors such as energy, transport, water and waste management, healthcare, financial services, and ICT services, but also providers of cloud and DNS services. The self-assessment should be documented and reviewed regularly.
Source: news.google.com · Published 23 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.