Implications for businesses and institutions
Your expert for questions
André Glenzer
Partner, Cyber Security & Privacy at PwC Germany
Tel: +49 160 94470376
Email
The NIS2 Directive (Network and Information Security Directive) was published in the Official Journal of the European Union on 27 December 2022 and came into force on 16 January 2023. It regulates cyber and information security for companies and institutions. EU Member States must transpose it into national law by October 2024.
The NIS2 Directive extends cyber security requirements and sanctions to harmonise and improve the level of security in Member States and contains stricter requirements for various sectors. Among other things, companies and organisations must address the issues of cyber risk management, control and monitoring, incident handling and business continuity. In addition, the directive expands the number of organisations that fall within its scope. Stricter liability rules will apply to the management of the organisations concerned.
NIS2 Implementation Act: In Germany, the NIS2 Implementation Act (‘Draft law on the implementation of the NIS2 Directive and on the regulation of essential principles of information security management in the federal administration’) was passed by the Bundestag on 13 November 2025. The Act will come into force on 6 December 2025.
Particularly relevant for management: The Act provides for mandatory training for company management (Section 38 (3) BSIG-E). The aim is to strengthen understanding of cyber risks and risk management at board level. The BSI specifies a minimum duration of four hours within three years for this training – the scope and content depend on the individual risk exposure of the company.
“In Germany, the legislation pertaining to critical infrastructure, or KRITIS, has so far mainly affected larger institutions. But now NIS2 is making cybersecurity and resilience a major issue for an even wider range of businesses in Europe and Germany.”
Together, we assess whether you are affected by the NIS 2 Directive and lay the foundation for your NIS 2 readiness.
In the second step, we identify deviations from NIS 2 requirements and recommend appropriate measures to close these gaps.
We help you clarify the NIS 2 requirements for all your EU entities and prepare measures efficiently and in a harmonized manner.
We support you in implementing strategic, organizational, procedural, and technical measures.
We support you with a Risk Exposure Assessment (REA) and develop a targeted training concept.
Compliance as a service – always compliant, audit-ready, and sustainably secured.
The NIS2 Directive is EU-wide legislation on network and information security that came into force on 16 January 2023. Member States should transpose the Directive into national law by 17 October 2024. In Germany, a cabinet draft of the German implementation law has been submitted to the Bundestag (“Draft law on the implementation of the NIS2 Directive and on the regulation of essential principles of information security management in the federal administration”); implementation is scheduled for Q4 2025/Q1 2026. The new directive will lead to a massive increase in the number of companies affected. In addition, higher requirements will be placed on the companies concerned and enforcement pressure will also increase – for example, through the threat of higher sanctions and liability at management level.
Use our fast impact analysis tool to find out whether the NIS2 Directive affects your business.
With the introduction of the NIS2 Directive, companies are faced with the challenge of reporting significant security incidents within 24 hours. This requirement has far-reaching implications for business operations and demands quick, accurate decisions.
The NIS2 Incident Severity Indicator is an AI tool designed specifically for this purpose. In an environment where non-compliance can result in heavy fines and tight deadlines leave no room for delays, AI provides the necessary security and speed. It helps teams to assess incidents quickly and reproducibly, clarify reporting requirements and document decisions in a reliable manner.
The integrated, AI-based decision support with detailed, verifiable documentation creates transparency and traceability. At the same time, structured workflows ensure that the effort required for reporting is significantly reduced and that reports are created quickly, consistently and in a resource-efficient manner.
Rely on the NIS2 Incident Severity Indicator to accelerate your incident management, effectively support compliance with the 24-hour reporting obligation, and strengthen your cybersecurity posture in the long term.
NIS2 requires companies to implement comprehensive cyber risk management. This includes adopting cybersecurity practices across the supply chain, with clear requirements for suppliers and service providers. Therefore, companies must include appropriate cybersecurity provisions in all supplier and service provider contracts. This can be challenging, as suppliers and service providers typically provide the initial contract drafts.
Rapid, efficient and accurate review of all relevant contracts for NIS 2 supply chain compliance:
In the German implementation, a distinction is made between “essential” and “important” entities. The main difference is that important entities face lower fines and are subject to reactive supervision by the authorities, whereas essential entities will be subject to proactive supervision. The German drafts differ in the terminology by naming the entities “very important” and “important”.
Instead of a minimum threshold, as in the past, the EU will use “uniform criteria” to determine what kind of entities are affected. The regulations are expected to apply to medium and large enterprises:
As a result, the number of affected businesses in Germany is expected to increase substantially.
Essential entities may face fines of up to 10 million euros or 2 percent of their annual turnover, whichever is higher. Important may face fines of up to 7 million euros or 1.4 percent of their annual turnover, whichever is higher.
The businesses and organizations affected must take appropriate measures in areas such as cyber risk management, supply chain security, business continuity management, encryption, access restrictions, reporting to authorities, and mitigation.
Please note: Under the draft put forward by the Federal Ministry of the Interior and Community, company executives may be held personally liable for compliance with risk management measures. The upper limit for these fines corresponds to 2% of the company's global annual turnover.
It’s clear: The scope of application goes well beyond the already familiar types of critical infrastructure. In the energy sector, for instance, the scope of the NIS has so far always been limited to companies that generate, provide, or regulate energy in the electricity and gas sector. We expect NIS2 to extend the requirements to include the supply chain as well, such as the manufacturers of wind turbines and the operators of charging stations for electric vehicles.
Provision, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, hydrogen; operators of charging stations for electric vehicles
Healthcare providers, research laboratories, pharmaceuticals, manufacturing of medical devices
How will NIS2 affect public administration? What aspects of the federal government are subject to NIS2? We take a closer look at the requirements NIS2 places on information security management, as well as the duties and risk of penalties.
Including shipping companies and port facilities
Drinking water suppliers and wastewater disposal providers
Operators of ground-based infrastructure
Loans, trading, market and infrastructure; Update: draft version of the NIS-2UmsuCG also covers the insurance sector
DNS service providers and TLD registries
Production, processing, and distribution
Production and distribution
Waste collection, transport, treatment, and disposal
Cyber incidents in waste disposal and recycling can have a significant impact on public life. That is why the sector has been considered critical infrastructure since January 2024 and requires a particular degree of protection. NIS2 will apply to such businesses from October 2024 onward, even if they do not exceed the KRITIS thresholds.
Medical/diagnostic devices, computers, electronics, optical products, machinery, motor vehicles, trailers, semitrailers, other transport equipment
Production, manufacturing, and trade
Online marketplaces, search engines, social networking platforms
PwC has established a combined NIS2 capability, developed through our communities of Cybersecurity, risk management, incident response, governance, compliance and legal specialists.
These communities have been brought together to form a team of over 150 specialists across EMEA, focussed on supporting our clients with the NIS2 Directive. We are supporting our clients in understanding the relevance of the NIS2 Directive to their organisation; their own ability to meet the requirements or identify where gaps exist, along with supporting them in achieving compliance with the regulatory requirements both local and at EU-level in a proportionate and cost effective manner.
“NIS2 is set to be a real game changer and alter cyber regulation in Europe for good.”
André Glenzer, Partner at PwC GermanyUse our fast impact analysis tool to find out whether the NIS2 Directive affects your business.
Check out our white paper to learn more about the directive and who will be affected. You will also get exclusive access to our checklist to help you prepare for NIS2.
