AI Guide

NIS2: The EU cybersecurity directive now binding for the German Mittelstand

NIS2 (Directive EU 2022/2555) is the European Union's cybersecurity law requiring risk management measures and strict incident reporting across 18 critical sectors. Germany's implementing law took effect in December 2025 with no transition period, pulling an estimated 29,500 companies under BSI supervision. This article explains what NIS2 requires, who it covers, and what Mittelstand companies must do to comply.

Key Facts
  • NIS2 (Directive EU 2022/2555) requires risk management and incident reporting across 18 critical sectors EU-wide.
  • Germany's NIS2UmsetzungsG entered into force on 6 December 2025, bringing roughly 29,500 companies under BSI supervision, per Bitkom's 2026 analysis.
  • Affected companies had to register with the BSI within three months, by 6 March 2026.
  • Incident reporting follows a tiered clock: an early warning within 24 hours, notification within 72 hours, and a final report within one month.
  • Fines reach up to 10 million euros or 2% of global turnover for essential entities, with management personally liable for risk management failures.

Definition: NIS2

NIS2 (Directive (EU) 2022/2555) is the EU’s cybersecurity law requiring organizations in critical sectors to implement risk management measures and report significant incidents within fixed deadlines.

Core characteristics of NIS2

NIS2 replaces the 2016 NIS Directive and roughly triples its scope, covering 18 sectors instead of 7.

  • Covers medium (50+ staff) and large (250+ staff) companies by headcount or turnover
  • Splits organizations into “essential” and “important” entities with different oversight
  • Requires documented measures for supply chain security, access control, and incident handling
  • Mandates board-level accountability, including non-delegable training and personal liability

NIS2 vs. EU AI Act

NIS2 and the EU AI Act regulate different things but often apply to the same company. NIS2 governs the security of network and information systems regardless of whether they run AI, focused on incident reporting and risk management; the AI Act governs the design and oversight of AI systems by risk tier. A manufacturer running an AI inspection system must satisfy both at once.

Importance of NIS2 in enterprise AI

NIS2 matters for enterprise AI because agents connected to ERP, CRM, and production systems become part of the infrastructure it protects. Bitkom’s 2026 analysis puts roughly 29,500 German companies under BSI supervision, pulling many Mittelstand firms into formal cybersecurity duties for the first time.

Methods and procedures for NIS2

Compliance rests on three structured workstreams.

Affectedness assessment (Betroffenheitsprüfung)

The first step is checking whether the company falls into scope, since sector and size thresholds interact in non-obvious ways.

  • Map headcount and turnover against the thresholds
  • Cross-check activities against the 18 covered sectors
  • Document the classification decision in writing

Risk management implementation

NIS2 requires defined technical and organizational measures, not a generic policy, covering incident handling, business continuity, and access control. Registered companies must demonstrate these to the BSI on request.

Incident reporting workflow

NIS2 sets a tiered clock: an early warning within 24 hours, detailed notification within 72 hours, and a final report within one month. Building this workflow before an incident occurs is what separates readiness from scrambling.

Important KPIs for NIS2

Tracking readiness requires indicators across documentation, response speed, and supplier coverage.

Operational readiness metrics

  • BSI registration status: completed vs. pending
  • Risk documentation: percentage complete against Section 30 BSIG
  • Incident drill frequency: at least annually
  • Critical supplier reviews: percentage assessed

Governance and accountability metrics

Forrester’s 2026 research found 81% of European organizations expect cybersecurity budget increases tied to NIS2 and DORA, making management training completion a leading readiness signal.

Incident response quality

Beyond the 24/72/30-hour clock on paper, companies should track actual detection-to-notification time in drills and final report completeness.

Risk factors and controls for NIS2

Underestimating scope

The most common failure is assuming NIS2 only applies to classic critical infrastructure, when many manufacturing and logistics companies with 50 or more staff are in scope too.

  • Reassess scope whenever headcount or activities change
  • Include subsidiaries and group structures
  • Treat uncertainty as a reason to check, not assume exemption

Supply chain security gaps

NIS2 extends obligations to suppliers, so compliance depends partly on vendors a company does not control, and contracts often lack the required clauses.

Unmanaged AI agent deployments

Shadow AI tools adopted outside IT oversight create exactly the unmonitored access NIS2 is designed to eliminate. Every agent with write access to company systems needs the same logging and incident-handling coverage as any other critical component.

Practical example

A 210-employee precision parts manufacturer in Baden-Württemberg found during its affectedness assessment that it qualified as an important entity under NIS2, despite never seeing itself as critical infrastructure, with no incident process or documented risk measures beforehand. Within four months it built a compliance program on its existing IT setup instead of a costly rebuild.

  • BSI registration completed with documented classification
  • Incident reporting workflow rehearsed through tabletop exercises
  • Critical supplier contracts updated with security clauses
  • Management training on Section 38 BSIG liability completed

Current developments and effects

Registration and enforcement ramp-up

Germany’s NIS2UmsetzungsG entered into force on 6 December 2025 with no transition period, and affected companies had to register with the BSI within three months.

  • BSI registration portal activated in January 2026
  • No grace period for risk management measures
  • Early enforcement focused on registration over deep audits

KRITIS-Dachgesetz alignment

A parallel law, the KRITIS-Dachgesetz, addresses physical resilience of critical infrastructure and overlaps partly with NIS2. Companies in both scopes need one governance program, not two.

AI agents as a new NIS2-relevant asset class

As companies connect AI agents to core systems, AI governance programs increasingly fold in NIS2’s logging requirements. An AI agent platform like Superkind, which connects agents to systems such as CRM and ERP with full activity logging, produces exactly the audit trail NIS2 supervision expects.

Conclusion

NIS2 has moved from directive to binding German law, and its scope now reaches far beyond the operators many Mittelstand leaders associate with cybersecurity regulation. The priorities are straightforward: confirm affectedness, document risk management measures, and rehearse incident reporting before it is needed under pressure. Companies treating NIS2 as a security upgrade rather than paperwork gain resilience independent of enforcement, and as AI agents take on more operational work, that same discipline keeps deployments auditable.

Frequently Asked Questions

Does NIS2 apply to companies with fewer than 250 employees?

Yes. NIS2 uses a medium-enterprise threshold of 50 or more employees or over 10 million euros in turnover, so most Mittelstand companies in the 18 covered sectors need to check the lower bar too.

How does NIS2 relate to GDPR compliance?

Both apply in parallel. GDPR governs personal data processing, while NIS2 governs system security regardless of what data is processed. A DPIA covers privacy risk to individuals; NIS2’s measures cover system resilience.

What does NIS2 compliance cost a company with around 200 employees?

Costs vary with existing security maturity, but Mittelstand companies commonly report initial programs in the low-to-mid six-figure euro range. Companies with an existing ISO 27001 or ISO 42001 system typically spend less.

Do we need dedicated IT security staff to comply with NIS2?

Not necessarily. Many Mittelstand companies combine existing IT staff with an external security partner for the initial assessment, then maintain the program internally, though NIS2 requires a named point of accountability.

How long does it take to become NIS2-ready?

A focused program typically takes three to six months from assessment to a tested incident reporting workflow, faster for companies with an existing security management system.

Is there funding available for NIS2 compliance in the Mittelstand?

Some German states and KfW digitalization programs offer cybersecurity funding, though NIS2 compliance itself is rarely funded as a standalone project, so check regional Digitalisierungsförderung schemes first.

Building better software Contact us together