The NIS2 Directive: Is My Company Affected? A Guide for the German Mittelstand
Check whether your German SME falls under the new NIS2 implementation act, which criteria apply, and how to meet your legal obligations.

What is the German NIS2 implementation act?
The German act implementing the European NIS2 directive (NIS2UmsuCG for short) officially came into force on December 6, 2025[1]. This act fundamentally modernizes national IT security law and adapts it to the heightened threat landscape in cyberspace. For managing directors and IT leads in the German Mittelstand, the new set of rules is no longer a distant bureaucratic hurdle but an immediate legal obligation that demands systematic risk management.
From EU standard to German federal law
The new act transposes the European NIS2 directive into German law and comprehensively amends the BSI Act (BSIG). While the previous legislation was primarily geared toward protecting critical infrastructures (KRITIS) such as energy and water suppliers, the new set of rules drastically expands the circle of regulated businesses. The aim is to strengthen the digital resilience of the German economy across the board by establishing binding minimum standards for IT security.
The new role of the BSI and the massive increase in affected businesses
The most important change concerns the sheer number of regulated companies in Germany. Until now, only around 4,500 organizations fell under the supervision of the Federal Office for Information Security (BSI). With the NIS2 implementation act, this number jumps sharply to an estimated 29,500 companies. The BSI acts as the central supervisory authority and receives far-reaching control powers. To clarify whether their own company falls under the expanded criteria, managing directors and IT leads should promptly check their NIS2 applicability.
| Criterion | Old law (former BSIG) | New act (NIS2UmsuCG) |
|---|---|---|
| Regulated businesses in Germany | Approx. 4,500 entities | Approx. 29,500 entities[[cite:https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/251113_NIS-2-Umsetzungsgesetz.html]] |
| Responsible supervisory authority | BSI primarily oversees core KRITIS sectors | BSI oversees important and essential entities |
| Sanctions and liability | Low personal liability risks for officers | Personal liability of management for security failures |
The new obligations include registration with the BSI, compliance with strict deadlines for reporting security incidents, and the implementation of robust technical protective measures. Mid-sized companies face the challenge of implementing these complex requirements without large in-house IT security departments. This is where CAVRIX comes in: with its professional services for Compliance, Cybersecurity, and Managed IT, German SMEs receive all necessary measures from a single source. Through the Command Center, IT leads and managing directors keep an eye on the status of their security measures in real time.
The thresholds: from what point is an SME affected?
Whether a company is affected by the new German NIS2 implementation act (NIS2UmsuCG) is not determined arbitrarily but follows clear legal criteria. For managing directors and IT leads in the German Mittelstand, knowing these limits precisely is the first step toward initiating legally sound measures. The classification rests on two tests: whether the business belongs to one of the 18 regulated sectors, and whether it exceeds the size thresholds. When you check your own NIS2 obligation, it quickly becomes clear that the regulatory requirements already apply in full to medium-sized companies.
Thresholds for medium and large businesses in detail
The legal requirements are based on the official SME definitions of the European Union[2]. Decisive for the classification are the number of employees and the financial figures of a financial year. A company in a regulated sector crosses the critical threshold and is classified as a medium-sized entity as soon as it employs at least 50 people, or as soon as its annual turnover and its balance sheet total both exceed 10 million euros[2]. Note the conjunction: a firm with fewer than 50 employees that exceeds only one of the two financial figures stays below the threshold.
| Company category | Employees (FTE / AWU) | Financial figures (turnover and balance sheet) | Typical NIS2 classification |
|---|---|---|---|
| Medium-sized companies | 50 to 249 | Turnover > EUR 10 million and balance sheet > EUR 10 million | Important entity (as a rule) |
| Large companies | 250 or more | Turnover > EUR 50 million and balance sheet > EUR 43 million | Essential entity (as a rule) |
| Special cases | Regardless of size | No thresholds for certain sectors | Important or essential (e.g. DNS providers) |
Classification into essential and important entities
The distinction between important entities (wichtige Einrichtungen in the German act) and essential entities (besonders wichtige Einrichtungen, the directive's "essential entities") has considerable practical effects on your company's day-to-day operations[3]. Essential entities are subject to proactive (ex ante) supervision by the Federal Office for Information Security (BSI), while important entities are mostly supervised reactively (ex post), that is, after a security incident or on evidence of a breach[2]. Regardless of this classification, both categories must implement the same catalogue of technical and organizational security measures (TOMs)[4]. For decision-makers in the Mittelstand, this means that in case of failures, the personal liability of management is at stake either way.
Self-assessment criteria for managing directors
To carry out a reliable self-assessment, you must also consider the structure of your company. It is not enough to look only at the employee numbers of a single subsidiary. The figures of linked enterprises and partner enterprises must be consolidated according to the EU SME definition (linked enterprises in full, partner enterprises pro rata to the shareholding)[2]. In addition, a continuity rule applies: briefly exceeding or falling below the thresholds in a single year does not immediately change your status. Only when the thresholds are exceeded or fallen below in two consecutive financial years does the legal classification of your business change[2].
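The self-assessment described above, as an added illustration (not a tool of the page's author, and not legal advice): the Python script below encodes the size thresholds, the consolidation of linked and partner enterprises, and the two-consecutive-years rule, and runs them on a constructed example group. The company names and figures are hypothetical, consolidation is simplified (linked enterprises in full, partner enterprises pro rata to the share held), and the sector test and the size-independent special cases are reduced to a flag.

```python
"""Illustrative NIS2 size-threshold self-check (added example, not the page's
own tool and not legal advice). It encodes the rules the text describes:

* important entity (as a rule) from 50 employees, or if turnover AND balance
  sheet total are both above EUR 10 million;
* essential entity (as a rule) from 250 employees, or if turnover is above
  EUR 50 million AND the balance sheet total is above EUR 43 million;
* linked enterprises are consolidated in full, partner enterprises pro rata
  to the shareholding (EU SME definition, simplified);
* a change of size class only takes effect after two consecutive financial
  years above or below the thresholds.

Sector membership is a plain flag; the size-independent special cases
(DNS, TLD registries, trust services, ...) are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MILLION = 1_000_000


@dataclass
class Figures:
    employees: float      # annual work units (full-time equivalents)
    turnover: float       # EUR, last financial year
    balance_sheet: float  # EUR, last financial year

    def __add__(self, other: "Figures") -> "Figures":
        return Figures(self.employees + other.employees,
                       self.turnover + other.turnover,
                       self.balance_sheet + other.balance_sheet)

    def scaled(self, factor: float) -> "Figures":
        return Figures(self.employees * factor, self.turnover * factor,
                       self.balance_sheet * factor)


@dataclass
class Enterprise:
    name: str
    figures: Figures
    linked: List["Enterprise"] = field(default_factory=list)                  # majority control: 100 %
    partners: List[Tuple["Enterprise", float]] = field(default_factory=list)  # (enterprise, share held)


def consolidate(e: Enterprise) -> Figures:
    """Group figures as the EU SME definition counts them (simplified)."""
    total = e.figures
    for sub in e.linked:
        total = total + consolidate(sub)
    for partner, share in e.partners:
        total = total + consolidate(partner).scaled(share)
    return total


def size_class(f: Figures) -> str:
    """'large' / 'medium' / 'small' by the thresholds named in the text."""
    if f.employees >= 250 or (f.turnover > 50 * MILLION and f.balance_sheet > 43 * MILLION):
        return "large"
    if f.employees >= 50 or (f.turnover > 10 * MILLION and f.balance_sheet > 10 * MILLION):
        return "medium"
    return "small"


def effective_size(yearly: List[str], initial: str) -> str:
    """Two-consecutive-years rule: `yearly` holds the size class per financial
    year, oldest first; `initial` is the status held before the first year.
    The status only changes once two consecutive years agree on a new class."""
    status = initial
    for prev, cur in zip(yearly, yearly[1:]):
        if prev == cur and cur != status:
            status = cur
    return status


def nis2_status(size: str, in_regulated_sector: bool) -> str:
    if not in_regulated_sector:
        return "not in scope by sector (check special cases and supply-chain demands)"
    return {"small": "below threshold (check size-independent special cases)",
            "medium": "important entity (as a rule)",
            "large": "essential entity (as a rule)"}[size]


def demo() -> dict:
    """Constructed example: a 40-person machine builder that holds 100 % of a
    30-person subsidiary and 30 % of a partner firm. Alone it is 'small';
    consolidated it is 'medium'. Hypothetical names and figures."""
    partner = Enterprise("Partner GmbH (hypothetical)", Figures(100, 20 * MILLION, 15 * MILLION))
    sub = Enterprise("Sub GmbH (hypothetical)", Figures(30, 4 * MILLION, 3 * MILLION))
    parent = Enterprise("Maschinenbau AG (hypothetical)", Figures(40, 9 * MILLION, 8 * MILLION),
                        linked=[sub], partners=[(partner, 0.30)])
    group = consolidate(parent)
    history = ["small", "medium", "medium"]  # constructed per-year size classes, oldest first
    status = effective_size(history, initial="small")
    return {
        "standalone": size_class(parent.figures),
        "consolidated": size_class(group),
        "consolidated_employees": group.employees,
        "effective_size": status,
        "status": nis2_status(status, in_regulated_sector=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, the script shows the point of the consolidation rule: the parent company alone stays under every threshold, but with its subsidiary counted in full and 30 % of the partner firm's figures added it reaches 100 annual work units and becomes an important entity once two consecutive years confirm the class.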
To simplify this complex process of self-assessment and subsequent protection, CAVRIX has developed an end-to-end solution. With our dedicated Compliance service, we analyze your applicability precisely and build complete audit logs. By combining this with our Managed IT and Cybersecurity services, you get an IT infrastructure that is operated in a NIS2-compliant way from day one. This relieves your IT leadership and protects your company legally.
Special rules for SMEs: why even smaller firms fall under NIS2
The new German NIS2 implementation act (NIS2UmsuCG) generally provides for thresholds of at least 50 employees, or an annual turnover and balance sheet total of more than 10 million euros each, for a company to be affected. Anyone who does not exceed these limits often feels a false sense of security. But the legislator has established targeted special rules through which even smaller businesses fall directly into the regulated scope. In addition, an often underestimated lever ensures that the European security directive reaches almost every small and medium-sized company (SME) in Germany: the legally anchored protection of the supply chain.
Direct regulation through size-independent special cases
For certain industries and digital key components, the size thresholds do not apply. Since these services play a fundamental role for the stability of the internet and for digital trust, the act classifies them as regulated entities regardless of their number of employees or balance sheet total[2].
- DNS service providers and registries for top-level domains (TLDs), which form the backbone of name resolution on the web.
- Providers of trust services that issue digital signatures and certificates.
- Providers of public electronic communications networks or publicly available electronic communications services.
- Sole providers in Germany of a service that is essential for maintaining critical societal or economic activities, or whose disruption could significantly affect public safety, security, or health.
Indirect applicability through supply chain security
For the majority of German SMEs, however, the obligation to achieve NIS2 compliance looms via a different route: the supply chain. Directly regulated companies must address supply chain security in their risk management and assess the security of their service providers and suppliers[5]. In practice, large customers therefore pass strict security requirements on to their SME suppliers by contract. Anyone who, as a service provider, trading business, or software partner, cannot provide robust security evidence risks losing important contracts and being disqualified from tenders. Companies should therefore proactively check their NIS2 obligation in order to avoid unprepared contract losses.
To meet these requirements without their own huge IT departments, a holistic partnership is the way forward. The CAVRIX platform, operated by CITO GmbH in Hamburg, unites Managed IT, Cybersecurity, and Compliance in a single solution. With the integrated Command Center, managing directors and IT leads keep an eye on the current security status through everyday tools such as Teams or Slack. Through the use of modern security concepts such as Cybersecurity for the Mittelstand from CAVRIX, proof to customers and auditors succeeds effortlessly, allowing smaller firms to protect themselves optimally against existence-threatening exclusion from supply chains.
The 18 sectors in detail: does your industry belong?
The German act implementing the NIS2 directive (NIS2UmsuCG) brings far-reaching obligations for the German Mittelstand. When you, as a managing director or IT lead, check whether your company falls under this regulation, classification by industry comes first. The act divides the affected economic sectors into a total of 18 sectors, which fall into two different categories: sectors of high criticality (Annex 1 of the BSIG) and other critical sectors (Annex 2 of the BSIG)[6]. A company with at least 50 employees, or with an annual turnover and a balance sheet total of more than 10 million euros each, that is active in one of these sectors must, as a rule, expect an immediate registration and cybersecurity obligation. A structured check of applicability is therefore the first necessary step to avoid legal uncertainty and high fines.
Highly critical sectors and their specific criteria
The sectors of high criticality cover eleven areas of the economy and society in Annex I of the directive (the table below groups banking with financial market infrastructures and drinking water with wastewater). Alongside classic infrastructures such as energy, transport, and drinking water, there are sectors that form the backbone of the digital economy. These include, among others, digital infrastructure such as operators of data centers, cloud providers, or trust services, but also the financial sector, healthcare, and space[7]. Particularly important for the IT landscape is the sector for ICT service management, i.e. managed service providers and managed security service providers. As a provider of IT infrastructure or security services above the size thresholds, you fall into a highly critical sector, since you play a decisive role in the supply chains of hundreds of customers.
Other critical sectors and the digital economy
The remaining seven areas are classified as other critical sectors. These include economic sectors such as waste management, the production of chemical substances, and the processing and distribution of food products. The entire manufacturing industry, in which many German mid-sized machine builders and automotive suppliers operate, also falls under this category. Likewise, providers of digital services, such as online marketplaces and social networks, belong to these other sectors[7]. Although these industries are classified in the act as important rather than essential, almost identical requirements for risk management and reporting obligations for security incidents apply to them.
| Sectors of high criticality (Annex 1 BSIG) | Other critical sectors (Annex 2 BSIG) |
|---|---|
| Energy (electricity, district heating, oil, gas, hydrogen) | Postal and courier services |
| Transport (air, rail, maritime, road) | Waste management (disposal) |
| Finance (banking, financial market infrastructures) | Chemical industry (production and distribution) |
| Health (hospitals, medical devices, research) | Food industry (production and distribution) |
| Water (drinking water, wastewater) | Manufacturing industry (machinery, vehicles, electronics) |
| Digital infrastructure (data centers, cloud providers, DNS) | Digital services (online marketplaces, search engines, social networks) |
| ICT service management (managed service providers, managed security service providers) | Research (research institutions) |
| Space (operators of ground-based infrastructure) | |
Particularities for ICT service providers and IT leads in the Mittelstand
For IT managers in the Mittelstand, this sector classification has direct operational consequences. Anyone who provides IT infrastructures or cloud systems for affected industries quickly comes into the focus of the NIS2 requirements as a service provider. But even as an internal IT team, you must ensure that the prescribed security measures such as backups, encryption, and access controls are documented without gaps. With CITO GmbH from Hamburg at your side, you have an experienced partner at your disposal. Through the CAVRIX platform, you receive Managed IT and Cybersecurity from a single source. The integrated Compliance features ensure continuous adherence to all requirements. Through the Command Center, managing directors and IT leads can view the current security status and upcoming tasks in real time in their familiar chat tools.
Insufficient protection or missing reporting is no longer a trivial offense for mid-sized companies. Managing directors are increasingly liable with their private assets in case of failures in cybersecurity, as our guide on personal liability under NIS2 shows. To minimize this risk and set up your company securely, CAVRIX offers a fast, guided path to compliance. Get in touch directly for a no-obligation initial consultation to clarify how you can secure your IT infrastructure seamlessly.
Obligations and deadlines: what affected SMEs must do now
With the entry into force of the German NIS2 implementation act (NIS2UmsuCG) on December 6, 2025, a new era in the area of digital security has begun for many mid-sized companies. Since then, strict legal requirements have applied to affected small and medium-sized companies (SMEs), which must be implemented promptly and in a structured way. Anyone who misses the legally prescribed deadlines or fails to implement the required measures risks substantial fines: for essential entities up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, and for important entities up to 7 million euros or 1.4%[8]. The obligations extend across three core areas: the registration obligation with the Federal Office for Information Security (BSI), extremely short reporting deadlines for security incidents, and a significantly tightened personal liability for company management.
Registration obligation in the BSI portal and reporting deadlines
The most important administrative obligation for regulated businesses is registration in the BSI's central portal. This is a self-registration duty: the BSI does not prompt companies to register, so each entity must determine its own applicability and register on its own initiative. The legal deadline is short: affected organizations must register within three months of the act coming into force (or of first meeting the criteria). For most mid-sized companies, this means that registration must be completed by March 6, 2026, at the latest[8]. An ELSTER organization certificate is required to complete the registration in the BSI portal. Since applying for this certificate can take several weeks, IT leads and managing directors should initiate this procedure without delay, even before the applicability check is finished.
If a significant IT security incident occurs, regulated businesses must report it to the BSI according to firmly defined, multi-stage deadlines. These obligations apply regardless of whether registration in the portal has already been completed. The first hurdle is particularly high: an initial notification (early warning) must be made to the BSI within 24 hours of becoming aware of the incident; it states whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border effects[8]. A follow-up notification is due within 72 hours of becoming aware and contains an initial assessment of the incident, including its severity and impact, and any indicators of compromise available at that point. A final report containing a detailed description of the incident, the root cause, the countermeasures taken, and any cross-border effects must be submitted no later than one month after the 72-hour notification. Because the clock starts with awareness and not with the end of the internal investigation, the incident response process must be able to produce the first notification from incomplete information.
| Obligation | Legal deadline | Required action |
|---|---|---|
| BSI registration | By March 6, 2026 (three months after the criteria are met) | Registration in the portal with ELSTER organization certificate |
| Early warning (initial notification) | Within 24 hours of becoming aware | Notify the BSI; state whether a malicious cause is suspected and whether cross-border effects are possible |
| Incident notification (follow-up) | Within 72 hours of becoming aware | Initial assessment of severity and impact; indicators of compromise where available |
| Final report | Within one month of the 72-hour notification | Detailed description, root cause analysis, remediation measures taken, cross-border effects |
The personal liability of management and implementation
A decisive aspect of the act concerns the duties of decision-makers. Pursuant to Section 38 of the amended BSIG, cybersecurity has now become a non-delegable matter for top management. Management must approve the implementation of security measures and actively monitor it[8]. In case of breaches of duty, the personal liability of management with their private assets looms. This responsibility can be delegated neither to the IT lead nor to an external CISO. In addition, the act requires managing directors to regularly attend qualified cybersecurity training in order to be able to assess threat risks independently.
For German small and medium-sized companies under 500 employees, this regulatory effort often represents a considerable burden. This is where CITO GmbH in Hamburg comes in: with the CAVRIX platform, companies receive a single point of contact for all requirements. The integrated services for Compliance and Cybersecurity ensure that all necessary measures are implemented in a compliant and audit-proof way from day one. Through the Command Center, managing directors and IT leads keep an eye on the current security status and the collected evidence at all times and can access it in real time through familiar communication channels such as Microsoft Teams. This way, the complex legal obligation can be integrated efficiently into normal day-to-day operations.
Worry-free NIS2 compliance: how CAVRIX protects the Mittelstand
The transposition of the NIS2 directive into German law poses considerable challenges for small and medium-sized companies. Section 38 of the BSI Act (BSIG) in particular holds management personally responsible for approving and actively monitoring risk management measures[9]. For many businesses, this means a massive bureaucratic and technical effort that can hardly be managed with internal IT resources. This is where CAVRIX comes in: as an integrated, AI-native platform from CITO GmbH in Hamburg, the service unites all necessary measures for a complete IT infrastructure, cybersecurity, and regulatory conformity. Instead of laboriously linking various individual solutions, mid-sized businesses receive a central point of contact that accompanies them on the path to conformity from day one.
Managed IT and Cybersecurity: the technical foundation
A stable foundation is essential to meet the strict technical requirements of NIS2. With the Managed IT module, CAVRIX offers automated administration, ranging from proactive device management and automated patch management to complete, audit-ready IT documentation. This is seamlessly complemented by the Cybersecurity service. This ensures continuous 24/7 monitoring of the entire IT landscape using modern SIEM and SOC structures as well as behavior-based EDR systems (Endpoint Detection and Response). Through this combination, security incidents are not only detected in time, but the fast reporting deadlines prescribed for NIS2 are also reliably met.
Compliance automation and intuitive control via chat
Purely technical protection is not enough, however; compliance with legal requirements must be demonstrable at all times without gaps. The integrated Compliance module automatically collects evidence and creates audit-ready reports that meet the requirements of NIS2, the GDPR, or also voluntary standards such as ISO 27001. So that managing directors and IT managers always keep an overview, the Command Center serves as an intuitive interface. Through familiar communication channels such as Microsoft Teams, Slack, or WhatsApp, authorized users can query the current security status and upcoming tasks in natural language and receive real-time security alerts directly.
| CAVRIX service area | Technical & operational implementation | Contribution to NIS2 compliance |
|---|---|---|
| Managed IT | Automated endpoint management, device staging, patching, and proactive monitoring of all endpoints. | Ensures that all systems are always at the latest security level and delivers the required complete IT documentation. |
| Cybersecurity | Round-the-clock (24/7) staffed Security Operations Center (SOC) with SIEM monitoring and behavior-based EDR. | Meets the legal requirements for continuous threat detection, active incident response, and adherence to reporting deadlines. |
| Compliance | Automated capture of evidence, continuous comparison with frameworks, and creation of audit reports. | Delivers audit-proof evidence to management for audits and thus protects against personal liability under Section 38 BSIG. |
| Command Center | AI-native interface for controlling all services and retrieving security reports directly via Teams, Slack, or WhatsApp. | Enables fast, transparent control of the security status by management in accordance with the legal monitoring obligations. |
Through the close interlinking of these four pillars, CAVRIX takes the complexity of NIS2 introduction off the hands of mid-sized companies. Managing directors and IT leads receive a turnkey platform that seamlessly connects technical security and regulatory evidence. This way, the required security level can be achieved without building one's own expensive SOC infrastructures or the time-consuming management of isolated individual systems, while the legal responsibility of management is reliably secured.
Frequently asked questions
When did the German NIS2 implementation act come into force?
The act implementing the NIS2 directive came into force on December 6, 2025. With this, the European requirements were officially transposed into national German law.
How many companies in Germany are affected by NIS2?
According to the Federal Office for Information Security (BSI), around 29,500 companies in Germany are directly affected by the new cybersecurity regulations.
From what company size does the NIS2 regulation apply?
In principle, companies in a regulated sector are affected from 50 employees, or when their annual turnover and balance sheet total both exceed 10 million euros. The figures of linked and partner enterprises are counted in, and certain providers (e.g. DNS services) are covered regardless of size.
Which deadlines apply for reporting security incidents?
An initial notification (early warning) must be submitted to the BSI within 24 hours of becoming aware of a significant security incident. A more detailed incident notification follows within 72 hours, and a final report no later than one month after that.
How long is the registration deadline for affected entities?
Affected companies must register through the BSI portal within a deadline of 3 months after the act comes into force or after reaching the relevant criteria.
Are managing directors personally liable for compliance failures?
Yes, the act provides for personal liability of management. Managing directors and board members must monitor the risk management measures and are liable with their private assets in case of violations.