NIS-2
Implementation Act Now In Force - Are You Prepared?
The NIS-2 Directive
The NIS-2 Directive (Network and Information Security 2, NIS-2) obliges all EU member states to ensure a uniformly high level of cybersecurity for critical and important facilities. With the new directive, the EU is focusing its cyber security offensive on other "essential and important facilities" in addition to critical infrastructures.
In Germany, the BSI Act (BSIG) is to be comprehensively amended in accordance with the “Act Implementing the NIS-2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration” (NIS2UmsuCG for short).
When did the NIS-2 Implementation Act come into force?
After intensive drafting phases and hearings, the final date for the NIS2UmsuCG has been set with its publication in the Federal Law Gazette: December 6, 2025. From this date onwards, companies affected by the NIS-2 Directive must fully implement the new requirements without a transition period.
What requirements must companies fulfill?
Companies affected by NIS-2 are obliged to operate a verifiable information security management system (ISMS). Based on this, they must take appropriate technical, operational and organizational measures to control cyber security risks, prevent security incidents and minimize potential impacts. The requirements of NIS-2 apply to the entire company, not just to individual systems or services classified as critical.
Which companies are affected?
The NIS-2 Directive covers 13 sectors that are of crucial importance to the economy and society. It applies to companies with 50 or more employees or an annual turnover and an annual balance sheet total of 10 million euros:
- Energy
- Transport
- Finance
- Public health
- Water
- Digital infrastructure
- Space
- Waste management
- Production, manufacture and trade in chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Digital service providers
- Research and development
We are at your side
With the NIS2UmsuCG and the amended BSIG now in force, the preparatory phase is over. Companies that are subject to the NIS-2 Directive must now comply fully with the requirements. Those who are not yet prepared are under pressure: reporting processes, risk management, and technical security measures are now mandatory.
We are here to help. We will support you in the final implementation of the requirements and in reviewing measures that have already been implemented.
