NIS2 in Germany: Understanding requirements. Safely managing implementation.
For many companies in Germany, the NIS2 Directive is no longer a topic for the future. The German implementation law imposes significantly expanded requirements for cybersecurity, risk management, reporting processes, and management responsibility.
For affected organizations, the question today is no longer whether NIS2 will come into effect, but how the requirements can be implemented effectively, transparently, and efficiently. HITGuard provides you with a robust foundation for this.
The platform helps you centrally manage risks, measures, evidence, supplier evaluations, incidents, and reports—instead of using scattered Excel lists, individual solutions, and manual coordination.
NIS2 in Germany: current status
The European NIS2 Directive has been in force since January 16, 2023. In Germany, the NIS2 Implementation Act has been in force since December 6, 2025. In addition, the BSI portal for registration and regulatory processes has been activated since January 6, 2026.
The registration deadline for NIS2 institutions expired on March 6, 2026! Around 11,500 public authorities and companies registered on time. However, according to estimates by the BSI, 30,000 companies and institutions are affected – a significant gap.
For affected companies, it is therefore no longer a matter of preparing for a future law, but rather of concrete and verifiable implementation.
Why NIS2 is now relevant for so many companies
NIS2 no longer affects only traditional KRITIS operators. In Germany in particular, many medium-sized companies are now subject to a binding regulatory framework for cybersecurity for the first time.
More affected companies
The regulation goes significantly beyond the previous perception of KRITIS.
More responsibility for management
Cybersecurity is becoming a matter for management and the board of directors.
Greater need for verification and control
Not only measures, but also documentation, processes, and traceability are important.
Which companies may be affected by NIS2
NIS2 covers organizations from a total of 18 sectors. These include energy, transportation, health, digital infrastructure, ICT service management, public administration, water, chemicals, food, postal and courier services, and parts of industry.
Classification depends not only on the industry. The decisive factors are primarily the sector, company size, specific activity, and regulatory classification as an "important" or "particularly important" institution.
For many companies, this classification is the first sensible step toward NIS2 implementation.
- Energy
- Health
- Digital infrastructure
- IT services
- Transport
- Water / Wastewater
- Public administration
- Industry / Chemicals / Food
What requirements companies must meet under NIS2
NIS2 requires a risk-based approach to the security of network and information systems. This includes not only technical protective measures, but also clear responsibilities, documented processes, and reliable evidence.
Risk management
Risks must be identified, assessed, addressed, and documented in a structured and comprehensible manner.
Incident management
Significant security incidents must be identified, assessed, addressed, and reported in a timely manner.
Business continuity
Companies need robust procedures for dealing with failures, disruptions, and crisis situations.
Supply chain security
Supplier and service provider risks must be systematically taken into account.
Awareness and cyber hygiene
Training, awareness-raising, and basic security measures are explicitly included.
Documentation and monitoring
Implementation must be comprehensible, controllable, and monitorable at management level.
Why NIS2 quickly becomes confusing with Excel and isolated applications
In many companies, information on risks, measures, guidelines, audits, incidents, suppliers, and responsibilities has historically been spread across multiple files, teams, and systems. For NIS2, this is usually not sufficient in the long term.
The challenge lies not only in understanding individual requirements, but also in translating them into the organization in a way that is comprehensible, repeatable, and controllable.
- Lack of transparency regarding pending measures
- Unclear responsibilities
- Complex consolidation of evidence
- Incomplete supplier evaluation
- High reporting effort
- Lack of historization of decisions
In practice, what NIS2 calls for is not yet more standalone documents, but a system that consistently brings together requirements, risks, tasks, evidence, and status information.
How HITGuard supports you in implementing NIS2
HITGuard supports companies in implementing NIS2 as a structured management process. The platform includes risk management, action tracking, audit and compliance management, dashboards, reports, exportable evidence, and support for NIS2 and BSI IT-Grundschutz.
HITGuard is available as a SaaS (cloud) solution and on-premises, and is particularly suitable for companies that want to combine regulatory requirements with practical feasibility.
- Workflow-supported risk analyses
- Management of requirements and evidence
- Action planning and status tracking
- Audit management and reviews
- Documentation of security incidents
- Supplier risk management
- Dashboards and management reporting
- Support for ISMS, NIS2, and IT baseline protection
This is how NIS2 can be approached in a structured manner
Check whether you are affected
Classify relevant companies, locations, services, and roles in regulatory terms.
Identify requirements and risks
Make obligations, protection needs, vulnerabilities, and dependencies visible.
Define measures and responsibilities
Prioritize actions, define tasks, and manage implementation.
Manage incidents, suppliers, and evidence
Set up reporting processes, evaluations, and documentation in a reliable manner.
Report status and continuously improve
Prepare management, audits, and regulatory requirements in a structured manner.
Particularly relevant for German SMEs
For many companies in Germany, NIS2 is the first regulation that brings together cybersecurity, governance, incident management, supply chain security, and management responsibility in such a broad scope.
Medium-sized organizations in particular need a solution that maps regulatory requirements in a structured manner without ending up unnecessarily complex. This fits in well with HITGuard's positioning as a practical GRC platform.
- Focus on Germany instead of abstract EU text
- Compatible with ISMS and BSI-oriented procedures
- Suitable for structured implementation without tool chaos
NIS2 catalog from T-Security
- Check your NIS2 fitness with the NIS2 catalog from our partner T-Security
Frequently asked questions about the NIS2 Directive in Germany
Does NIS2 already apply in Germany?
Yes. The German NIS2 Implementation Act has been in force since December 6, 2025. The BSI portal for registration and other processes has been active since January 6, 2026.
Are only KRITIS operators affected?
No. NIS2 goes well beyond traditional KRITIS operators and affects many other companies and institutions in Germany.
How can I tell if my company is affected?
The sector, size, specific activity, and regulatory classification are particularly important factors. A structured impact assessment is usually the most sensible first step.
What deadlines apply in the event of significant security incidents?
The directive stipulates an early warning within 24 hours, a report within 72 hours, and a final report within one month.
Does management need to deal with NIS2?
Yes. NIS2 explicitly strengthens the responsibility of management bodies for cyber risk management and its monitoring.
How does HITGuard support implementation?
HITGuard provides support for risk analyses, action tracking, audit and compliance management, evidence management, supplier evaluation, dashboards, reports, and NIS2/IT baseline protection references, among other things.
Implement NIS2 in a structured manner – instead of just reacting to it
Check now which requirements are relevant for your company and how you can centrally manage risks, measures, evidence, supplier evaluations, and incidents with HITGuard.
This allows you to create a robust foundation for effective cybersecurity, transparent governance, and an auditable implementation status.