Ensuring NIS-2 Compliance

We accompany you from the impact assessment to the implementation of the NIS2 requirements and take over the entire process for you.

NIS2 introduces new requirements.
Are you prepared?

Fines of up to €10 million or 2 % of the annual turnover possible

Our service model

Modular. End-to-end. Tailored to your business.

Current Situation Analysis & Gap Assessment

We analyze your current security status and compare it to the NIS2 requirements.

Risk Assessment & Action Plan

We assess your risks in a structured manner and create a prioritized action plan for NIS2 compliance.

Implementation & Support

We accompany you in the implementation of all measures and ensure efficient compliance with the NIS2 requirements.

Training & Awareness

We raise awareness of cybersecurity risks at every level of the company in a practical way.

Your journey with us – in 4 easy steps

1. Free initial consultation & impact assessment

We analyze free of charge whether your company is affected.

2. Kick-Off & Scoping

We understand your business and define the scope.

3. Risk Analysis & Measures

We analyze your processes and hazards and develop a suitable action plan.

4. Implementation

We support you in achieving NIS2 compliance.

Your benefits

  • Objective Safety Assessment
  • Avoid fines
  • Minimizing risks
  • Relief of internal resources
  • Securing competitive advantages

We specialise in advising small and medium-sized enterprises and also offer attractive conditions for micro-enterprises.

Why with us?

Minimal internal effort

We take care of the organizational work and reduce your time expenditure to a minimum.

Practice-oriented advice

As a TISAX® certified company, we meet even the highest requirements for information security.

Complete process takeover

You don't have to do any complex preparatory work. We take care of the entire NIS2 process.

Personal supervision

A dedicated expert will personally accompany you through the entire project.

NIS2 Quick Check

Answer a few questions and receive a free initial assessment of your company's NIS2 impact.

NIS-2 - FAQ

Information about the NIS2 EU Directive to strengthen cybersecurity.

The NIS2 Directive is EU legislation aimed at improving cybersecurity in critical sectors. NIS stands for network and information security. It obliges companies to secure their networks and information systems against cyber risks and to report incidents. The first NIS Directive was adopted by the EU Parliament in 2016. Building on this, the second version of the Directive (NIS2) was introduced in 2022; it has already entered into force and had to be transposed into national law by October 2024. The German NIS2 Implementation Act (NIS2UmsuCG) came into force on 6 December 2025.

NIS2 applies to companies in sectors such as energy, healthcare, transport, food supply, finance, digital infrastructure and public administration, in both the private and public sectors. There are no fixed thresholds in NIS2 that clearly apply to all affected companies. However, for some sectors, small and medium-sized enterprises (SMEs) are taken into account, which means that companies with fewer than 50 employees and an annual turnover of less than €10 million are usually not directly affected by NIS2. Even so, small companies operating in critical sectors such as healthcare or energy supply must meet certain minimum requirements regardless of their size, even if they are not fully covered by NIS2. If you are unsure, please feel free to contact us – we will help you to correctly determine whether and how the NIS2 requirements affect you.

Companies must take a variety of measures to meet the requirements of NIS2. The starting point for this is an ISMS. In addition, the following points in particular must be implemented:

Risk management and security precautions: Companies must establish an effective risk management system based on the identification and minimization of cyber risks. Security precautions must be taken to protect sensitive data and systems from attacks.

Reporting cybersecurity incidents: In the event of an incident, companies are obliged to report it to the competent national authorities within 24 hours. A detailed report of the incident must be submitted within 72 hours of the initial report.

Monitoring and regular audits: Companies need to regularly review their security measures and ensure that they are up-to-date and effective. This includes conducting security audits and implementing improvement measures.

Companies that do not comply with the requirements of the NIS2 Directive can be subject to significant penalties. These penalties can be as high as €10 million or 2% of the company’s annual global turnover, whichever is higher. In addition to the financial penalties, there may also be legal consequences and a loss of trust on the part of customers and partners, which can lead to long-term business damage. Therefore, it is crucial to meet the requirements in a timely manner to avoid these risks.

An ISMS (Information Security Management System) is a structured system for managing and improving information security in an organization. It includes processes, policies, tools, and procedures for identifying, assessing, and addressing security risks. An ISMS according to the ISO 27001 standard forms the basis for the implementation of the NIS2 requirements. It helps businesses implement the necessary security measures, report incidents, and continuously improve their cybersecurity. The introduction of an ISMS ensures that all requirements of NIS2 are taken into account in a systematic framework.

The actual cost will depend on the size and complexity of your business. Factors such as locations, business units and existing IT structures play a role in this.

The following guidelines apply for orientation:

  • Initial consultation or impact assessment: free of charge (approx. 30 minutes)
  • Micro-enterprises (< 10 employees): from €1,299 net
  • Small companies (< 50 employees): from €1,999 net
  • Medium-sized companies (< 100 employees): from €2,950 net
  • Medium-sized companies (< 250 employees): from €3,950 net

The prices quoted are non-binding guidelines (net, plus statutory VAT). The actual expenditure is determined individually and transparently after a short initial examination.

Ready for NIS2 compliance?

Let us check whether you are affected, without obligation and free of charge.

No obligation. Free of charge. Results in 30 minutes.

Get in touch.