NIS2 Compliance 2026: Obligations, deadlines, penalties. Check now in two minutes where you still have gaps - with our NIS2 readiness quick check
Fast-paced regulation: the European NIS2 Directive is here - faster than many thought. It was already adopted at EU level in December 2022, published in the EU Official Journal on December 27, 2022 and thus came into force on January 16, 2023. The aim is to achieve a significantly higher common level of cybersecurity in the European Union.
With the national implementation in Germany, the requirements will become binding for thousands of additional companies. For many organizations, a crucial question now arises: Are we really prepared? And if not, what is still missing?
NIS2 is the further development of the original NIS directive from 2016, which was prompted by increasing cyberattacks on critical infrastructure, supply chains and public institutions. Ransomware attacks on hospitals, energy suppliers and municipal administrations in particular have shown that cyber risks can have a systemic impact.
The EU has responded with stricter requirements for risk management, reporting obligations, governance structures and supply chain security. The official information page of the European Commission explains the objectives and background of the directive in detail.
The focus is on a clear paradigm shift: cyber security is no longer treated exclusively as an "IT task", but as a strategic management responsibility.
The new directive significantly expands the circle of affected organizations. So-called "essential" and "important" entities in the following sectors, among others, are covered:
As a rule, a company active in one of the sectors above is affected once it exceeds the size threshold of a small enterprise: 50 or more employees, or an annual turnover and balance sheet total above 10 million euros. A few types of entity (for example DNS service providers, top-level domain name registries and qualified trust service providers) are covered regardless of their size, so headcount alone is not a safe way to rule yourself out.
Another important point: the authorities do not notify companies individually. Each company must check for itself whether it falls under the rules (in Germany this includes registering with the BSI). And: the directive explicitly anchors cyber security as a management responsibility. Management bodies must approve the security measures and monitor their implementation. Gross breaches of this duty can have consequences under supervisory or liability law.
The requirements go far beyond mere IT protection measures. NIS2 requires, among other things:
Risk management measures
Companies must introduce suitable technical and organizational measures to minimize risks to network and information systems.
Incident reports
Significant security incidents must be reported in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity, impact and indicators of compromise within 72 hours, and a final report no later than one month after the notification.
Documentation and verification obligations
Security concepts, risk analyses and measures taken must be documented in a comprehensible manner.
Supply chain security
Direct suppliers, service providers and IT partners must also be included in risk management; the security of the supply chain is an explicit requirement, not an optional add-on.
Management responsibility
The company management bears explicit responsibility for compliance with security measures.
The directive provides for severe sanctions. For essential entities, fines of up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher, can be imposed. For important entities, fines of up to 7 million euros or 1.4 percent of total worldwide annual turnover, whichever is higher, are possible.
The amount of the possible penalties is regulated in the directive itself.
In addition to financial sanctions:
This can have existential consequences for companies in regulated industries.
Discussions often reveal this:
Medium-sized companies in particular often find themselves in a gray area between "non-critical" and "fully regulated". NIS2 closes precisely this gap.
The biggest hurdle is often not implementation, but an honest assessment of the current situation.
This is exactly where the NIS2 Readiness Quick Check from SecureCloud comes in (in German language only).
In just two minutes or so, you answer ten specific questions about
You will then receive an initial structured assessment of where your company stands and in which areas there is a need for action.
What the Quick Check brings you:
Transparency
You immediately see how high your risk is and where it is hiding.
Prioritization
You can see which measures should be tackled first.
Argumentation aid
You receive a sound basis for discussions with management, CISO or compliance.
Optionally, we invite you to talk to our experts about your company's NIS2 readiness and discuss specific approaches for improvement. Without obligation, but with a clear focus on practical and rapid implementation.
NIS2 is not a project with an open end date. The requirements already apply. Audits will follow. Reporting obligations apply immediately. The earlier you create transparency, the lower your risk. If you want to know how well prepared your company really is, then start now. Participation takes hardly longer than a coffee break.