NIS-2: Increased Responsibility for Cybersecurity from 2026

New obligations, tight reporting deadlines, and extensive security concepts for numerous sectors

With the NIS-2 Directive, the EU is tightening IT security requirements and significantly expanding the group of affected companies. Even many medium-sized businesses will soon have to implement extensive security measures.

The threat of cyberattacks is higher than ever before, warns the Federal Office for Information Security (BSI). With the NIS-2 Directive, the EU aims to significantly raise security standards for companies and to widen the circle of organisations subject to these obligations. NIS-2 stands for "Network and Information Security Directive 2". Germany has already decided to implement it, with the new rules expected to take effect in early 2026.

Not only critical infrastructure operators are affected, but also many medium-sized companies across 18 sectors – from energy and healthcare to manufacturing industries. The criteria: at least 50 employees or more than 10 million euros in turnover. Whether your company is included can be checked using the BSI tool at betroffenheitspruefung-nis-2.bsi.de (only available in German).

The obligations are extensive: Companies must establish risk management, create security concepts, secure their supply chains, and train employees. Additionally, registration with a central reporting office is required within three months of the rules taking effect. Security incidents are subject to strict reporting deadlines: an initial report within 24 hours, a detailed analysis after 72 hours, and a final report no later than one month later.

Ultimately, the law demands that companies fundamentally engage with IT security and establish corresponding structures.

For further information, visit the BSI website.

Key areas:
  • New statutory regulations
  • Economic security