The NIS2 Implementation Act has been in force since 6 December 2025. No transition period, no grace period. For around 30,000 companies in Germany, this means that cybersecurity is now a leadership responsibility carrying personal liability. Treating it as an IT issue fundamentally underestimates what is at stake.
From Regulatory Framework to Management Reality
The EU NIS2 Directive, transposed into German law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), marks a break in Germany’s regulatory landscape: for the first time, executive management can be held personally liable for the failure of cybersecurity measures. Section 38 of the new BSIG makes this explicit. Governing bodies must approve and monitor the implementation of the risk management measures, must attend regular training, and may be held personally liable towards the company if they fail to do so. This is not an abstract legal construct: under Section 38 BSIG, the Federal Office for Information Security (BSI) may impose activity bans on natural persons in management functions. The instrument was deliberately chosen to move cybersecurity structurally out of the IT department and onto the executive agenda.
Who Is Affected, and to What Extent
The scope of NIS2 has been drastically expanded compared with the previous directive. Whereas around 4,500 organisations were previously regulated, the figure now stands at approximately 29,500 to 30,000 companies across 18 sectors, ranging from energy, water and healthcare to manufacturing, digital infrastructure and research institutions. As a rule, all companies in the defined sectors with 50 or more employees or annual revenue of EUR 10 million or more are affected. The Act distinguishes between “essential entities” (large companies in highly critical sectors) and “important entities” (medium-sized companies and the additional sectors). For essential entities, fines can reach EUR 10 million or 2 percent of global annual revenue, whichever is higher; for important entities, the limit is EUR 7 million or 1.4 percent. The BSI registration deadline expired on 6 March 2026. Companies that missed it are already exposed to the risk of fines.
NIS2 at a Glance:
- In force since: 6 December 2025 (NIS2UmsuCG, Federal Law Gazette 2025 I No. 301)
- Companies affected in Germany: approx. 29,500–30,000
- Sectors: 18, including energy, healthcare, transport, water, IT and manufacturing
- Threshold: from 50 employees or EUR 10 million annual revenue in the relevant sectors
- Fine for essential entities: up to EUR 10 million or 2% of global annual revenue
- Personal liability of executive management: Section 38 BSIG
The Ten Areas of Measures: What Must Be Implemented in an Auditable Manner
Section 30 of the new BSIG defines ten core areas of risk management that companies must implement and, crucially, document: risk analysis and security concepts; incident handling; business continuity, backup and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling; procedures for assessing the effectiveness of the measures; basic cyber hygiene and training; cryptography and encryption; personnel security, access control and asset management; and multi-factor authentication and secured communication. The word “auditable” is the operative point: a measure that is implemented but not documented does not meet the requirements of NIS2, because it cannot be demonstrated to the BSI, to an auditor or to a court.
Measure area 8, cryptography and encryption, is particularly relevant in practice. It directly concerns the management of digital certificates and cryptographic keys, an area in which many companies lack documented, verifiable processes: in practice this means knowing which certificates and keys exist, who owns them, when they expire, which algorithms and key lengths they use, and how they are renewed and revoked. This is where NIS2 converges with the operational requirements of Certificate Lifecycle Management.
Governance as a Core Responsibility: What Companies Need Now
NIS2 compliance does not begin with a technical measure. It begins with a governance decision: Who is responsible? Which processes are documented? How is executive management regularly informed about the security status? How are incidents escalated? In practice, a staged approach is recommended. The first step is a structured gap assessment against the requirements of ISO 27001, the NIST CSF and NIS2. It delivers a documented analysis of the current state, a maturity assessment and a prioritised action plan: the foundation for auditable action.
Companies that have not yet taken this path should act now. Not because the BSI will be on their doorstep tomorrow, but because documentation of their own security status can, in the event of an incident, an audit or a legal dispute, make the difference between demonstrable due diligence and personal liability.
Conclusion: NIS2 as a Catalyst for a Mature Security Culture
NIS2 is uncomfortable. It requires time, resources and a willingness to treat cybersecurity as a strategic management issue. But it also presents an opportunity: organisations that use the level of maturity enforced by NIS2 to anchor cybersecurity permanently at board and executive management level will be better protected, will reduce their liability exposure and will gain the trust of customers, partners and insurers. The first step is always the same: an honest assessment of the situation. Without it, NIS2 remains an abstract obligation. With it, NIS2 becomes the foundation of sustainable resilience.