
ISMS becomes mandatory
The Network and Information Security (NIS) Directive is an EU directive that forms part of the European cyber security strategy. Its aim is to harmonise and raise the level of security across the EU member states. Its second version, NIS-2, is now being transposed into German law by the new NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Parliament passed the law on November 13, 2025, and it is expected to come into force shortly, without any transition period, i.e. on the day after its promulgation. Affected companies will have to pay greater attention to issues such as cyber risk management and business continuity. The law greatly expands the scope of application: in addition to operators of critical infrastructure (KRITIS), numerous other industries and companies are now covered.
The NIS-2 Directive brings many small and medium-sized enterprises within the scope of binding cybersecurity requirements for the first time, going far beyond the critical infrastructures covered to date. In future, companies with 50 or more employees, or with an annual turnover of €10 million and a balance sheet total of €10 million, will be considered ‘important institutions’ within the meaning of the law; the decisive criteria are therefore headcount and turnover. The law distinguishes between ‘particularly important institutions’ and ‘important institutions’. The existing category of critical infrastructure operators remains and will continue to be determined by the known thresholds. Critical infrastructure operators must implement more comprehensive measures in addition to the NIS-2 requirements for particularly important institutions.
Affected companies will face extensive new obligations, particularly in the areas of information security, risk management and emergency preparedness. Companies are required to take technical and organisational measures to maintain the security of their IT infrastructure, and thus of the services they provide, and to minimise the impact of security incidents.
Below, we have briefly summarized the most important points and new requirements for you:
Affected companies therefore need to act urgently to adapt to the new requirements in good time. We recommend checking immediately whether your company falls under the NIS-2 rules and taking the necessary measures. In particular, the introduction of an ISMS and the security measures mentioned above should be addressed as a priority, both to minimise risk and to be able to demonstrate compliance when the rules come into force. We would be happy to assist you with an initial impact analysis and with implementing the necessary security measures in your company. If you have any questions about NIS-2 or would like advice, please do not hesitate to contact us.
NIS-2 lays down numerous requirements. It is therefore advisable to place your trust in experts who have been successfully supporting and implementing processes like these for many years. Let us be your sparring partner when it comes to risk management, IT and cyber security, and we will keep an eye on related legal and data protection issues for you.
As part of an auditing, legal and tax consultancy firm, IT security is part of our DNA. With dhpg at your side, you can be sure of meeting legal and compliance requirements at all times.
We pool our IT expertise with the know-how of lawyers and data protection specialists, so we always have an expert at the ready for related issues. This allows you to not only keep abreast of complex issues in all their facets, but to also keep them under control.
We have many years of extensive project experience in all aspects of IT and cyber security. With our best-practice approaches, methods and experience, we build on the processes and structures already in place at your company.
Would you like to arrange a personal meeting to discuss the implementation of NIS-2 at your company? It would be our pleasure to arrange an appointment with you - no strings attached - to get to know each other. We look forward to a phone call or e-mail and to hearing from you.

The requirements of the NIS-2 Directive are complex and multi-layered. Keeping an overview and tackling implementation can pose major challenges for affected organisations. Since no implementation period is planned once the law is passed, a clear structure is required. We recommend starting with a gap analysis, deriving specific fields of action from it and successively raising the level of cyber security in the organisation. The experts at dhpg IT-Services will be happy to support you in this process and work with you to ensure that your organisation meets the requirements of NIS-2. Please feel free to contact us if you require assistance with the following:
If a company falling under the scope of the NIS-2 Directive fails to meet its requirements, the draft bill of the German Federal Ministry of the Interior provides for fines. The amount of the fine depends on whether the company is a particularly important institution or an operator of critical infrastructure, or an important institution.
It is imperative that the affected company or institution be able to demonstrate that it has acted neither negligently nor intentionally. It is therefore essential to take appropriate technical and organisational measures in areas such as cyber security, supply chain security and encryption, and to report diligently to the BSI.
Yes, management can also be held liable for breaches of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). If the requirements are not met, managing directors can be held liable with their private assets. The upper limit here is 2% of the company's global annual turnover.
Only operators of critical infrastructure (KRITIS) are obliged to provide evidence to the BSI on a regular basis. In concrete terms, these organisations must submit evidence of proper implementation within three years of the national NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) entering into force, and again every three years thereafter.
The situation is different for security incidents. If a security incident occurs, KRITIS operators as well as important and particularly important institutions are obliged to report it to the BSI. A three-stage reporting system is provided for:
If the security incident cannot be resolved within one month, a progress report must be submitted after each further month until it is resolved. The final report is then due one month after resolution.
In general, the BSI, in its capacity as supervisory authority, is to inspect important institutions only where there is suspicion of a security incident. In the case of KRITIS operators and particularly important institutions, the BSI may also perform checks and controls or request evidence without any such suspicion. The check-and-control measures include the following:
The European NIS-2 Directive, transposed into national law by the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), aims to harmonise and raise the level of security across EU member states and requires affected companies to meet minimum standards for the protection of their network and information systems. The law greatly expands the scope of application, so that numerous industries and companies are covered. In future, affected companies will therefore have to pay more attention to cyber security, the security of their supply chain and secure encryption. There is an urgent need for action, because implementation is multi-layered and complex. The IT experts at dhpg will be happy to support you in this process.