NIS-2: Urgent need for action for companies – procrastination is expensive!

Development December 2025

With the entry into force of the NIS 2 Implementation Act on 6 December 2025, there is an urgent need for action for many companies. There are no transitional periods – the new requirements apply immediately. Management in particular is called upon, because in the case of a lack of care its members can also be held personally liable.

The European NIS 2 Directive has now been fully transposed into national law. What is especially new is the significantly expanded scope of application: According to the Federal Office for Information Security (BSI), around 29,500 companies in Germany are now affected – instead of only a few operators of critical infrastructures (KRITIS).

We show what matters now, which steps are required, and give concrete recommendations for implementation.

Affectedness and registration

First, a company must examine whether it falls under the regulations. Classification as an "essential" or "important" entity affects both the intensity of supervision by the BSI and the possible sanctions. The decisive factors are the sector of activity and the size of the company: affected are companies that count as medium-sized or large enterprises and operate in a relevant sector.

The classification is based on the EU-SME definition:

  • Medium-sized enterprises employ 50 to 249 people and either have an annual turnover of 10 to 50 million EUR or a balance sheet total of up to 43 million EUR.
  • Large enterprises have at least 250 employees and either achieve more than 50 million EUR in annual turnover or have a balance sheet total of over 43 million EUR.

Essential entities are large companies from particularly critical sectors such as energy, transport or finance. Important entities include medium-sized enterprises in these sectors as well as medium-sized and large enterprises in other critical sectors, such as postal and courier services or waste management.

Management is obliged to determine the company's affectedness on its own initiative and to register the company with the BSI within three months. This first requires a login to "My Corporate Account" (MUK), ideally by the end of 2025. From 6 January 2026, registration then takes place in the new BSI portal, which is also used, among other things, to report significant security incidents.

The measures

According to § 30 of the BSI Act (BSIG), at least ten central fields of action can be derived for affected companies, which must be implemented in a binding manner:

  1. Risk analysis and security policies
  2. Incident management
  3. Business continuity and crisis management (BCM)
  4. Supply chain security
  5. Security in system development and maintenance (including vulnerability management)
  6. Procedures for assessing the effectiveness of measures
  7. Cyber hygiene and training
  8. Use of cryptography and encryption
  9. Personnel security and access control concepts
  10. Use of multi-factor authentication (MFA) and secure communication

Important:
Companies covered by the NIS 2 regulations also bear responsibility for the cybersecurity of their immediate suppliers and service providers. Management must ensure that security requirements are contractually binding and that due diligence in the selection, evaluation and monitoring of critical suppliers is demonstrably fulfilled.

As experts in cybersecurity and compliance, we are happy to advise you in the respective areas and develop practical solutions for effective implementation together with you.

Reporting obligation: hardly feasible without preparation

The reporting obligation applies as soon as a ‘significant security incident’ occurs. Reporting follows a three-stage system:

  1. Within 24 hours: First early warning with a preliminary assessment of the incident (type, cause, effects, affected areas, suspicion of malicious action, etc.).
  2. Within 72 hours: Report with an initial assessment of the incident, its severity, causes and effects, including, where available, indicators of compromise (IoCs).
  3. After one month at the latest: Final or follow-up report containing a detailed description of the incident, the underlying causes, the countermeasures taken and still ongoing, and the final consequences.

This tight timetable makes it essential for companies to have tested response plans and forensic capabilities in place.

Sanctions

The NIS-2 Implementation Act makes the responsibility for cybersecurity clear and personally binding for each member of the company’s management. According to § 38 BSIG, the management bodies must approve the risk management measures and actively monitor their implementation. In addition, the law requires them to take part in cybersecurity training at least every three years in order to be able to meet their monitoring obligations.

Violations can lead to significant fines, which are set at a level comparable to the GDPR:

  • Essential entities: up to 10 million EUR or 2 % of global annual turnover, whichever is higher.
  • Important entities: up to 7 million EUR or 1.4 % of global annual turnover, whichever is higher.

What Companies Should Do Now

  1. Check whether you are affected and register: clarify whether your company is covered by the NIS-2 regulations and, if so, register with the BSI.
  2. Review measures: perform a gap analysis by systematically comparing your existing security measures against the ten minimum requirements of § 30 BSIG to identify critical gaps.
  3. Prepare reporting: adapt your internal processes to the 24-hour, 72-hour and one-month deadlines and run simulations to test these processes.
  4. Ensure governance: anchor the cybersecurity measures formally at management level, plan the legally required management-level training and address personal responsibility.

The implementation of the NIS-2 law is a significant regulatory challenge, but also a key lever for strengthening digital resilience, which is crucial for competitiveness and long-term survival in the modern market.

At TWINSOFT, we support you in implementing the necessary measures effectively and practically – please contact us.
