NIS 2 Directive

kommunikation@skwschwarz.de

What is it about?

The Network and Information Systems Security Directive (NIS 2 Directive for short) aims to improve cyber security in various sectors such as energy, transport, health and digital infrastructure. It places higher security requirements on companies, addresses supply chain security and holds managers accountable for breaches.

Who is affected?

In addition to the critical sectors previously covered by the first NIS Directive (energy, transport, water, health, digital infrastructure and finance), providers of public electronic communication services and digital services, social media operators, manufacturers of critical products (e.g. medical devices) as well as postal and courier services must now also review and, if necessary, adapt their IT security measures. In addition, individual regulations also affect domain registrars as well as manufacturers of certain IT products requiring certification.

Challenges for companies

The risk management measures to be taken by the companies and operators concerned include the following:

  • Participation of the governing bodies in cyber security trainings and implementation of such trainings for the employees;
  • Implementation of appropriate and proportionate technical, operational and organisational measures;
  • Compliance with tighter reporting requirements for significant security incidents;
  • Registration/information obligations towards national authorities to collect and maintain overviews of critical infrastructure operators.

Current status and timeline

The EU NIS2 Directive came into force in January 2023. Member states were required to transpose the regulations into national law by October 17, 2024. This has now been done in most member states. The German NIS2 Implementation Act came into force on December 6, 2025, with a comprehensive reform of the BSI Act (BSIG). Since that date, all affected companies have been obliged to implement the requirements for a secure IT infrastructure that apply to them and are liable to fines for implementation gaps and errors.

The BSI's NIS2 portal has been online since January 6, 2026, and affected companies must register there by March 6, 2026. Relevant security incidents must now be reported to the BSI via this portal within 24 hours of becoming aware of the incident.

 

Our legal services:

SKW Schwarz is ideally positioned to support companies in the implementation of the security requirements and the corresponding measures. Our expertise spans the entire breadth of the challenges posed by the new law. Our consulting services include:

  • Compliance check: We review your current business practices to ensure that they comply with the new regulations and provide recommendations for action for any adjustments.
  • Avoiding fines: Our team will help you avoid fines by guiding you through the requirements of the new law and helping you implement necessary compliance measures.
  • Crisis management and prevention: We stand by you in the event of cyber incidents as well as legal disputes and develop preventive strategies to minimise risks.
  • Trainings: We offer individual training courses on the topic of cyber security for your team, which are now provided for by the legislator.

Are you ready to take on the challenges of the NIS 2 Directive?

Set up a consultation with our experts today.