NIS2 Directive: What German Mid-Market Companies Must Implement Now
Anyone who thought NIS2 was only a topic for energy providers and banks is wrong. The rules reach further than most people think.
The NIS2 directive was transposed into German law in October 2024. Deadline for many companies: October 2025.
Who is affected: operators of essential services. But also their suppliers. That means: a mid-market IT service provider working for a hospital can be directly affected.
The five core obligations.
1. Risk management. Document your cyber risks. Not just theoretically — concretely, with measures and timelines.
2. Incident reporting. Serious IT security incidents must be reported to the BSI within 24 hours. Not after lawyer review. Immediately.
3. Business continuity. What happens if your systems fail? Do you have an emergency plan? A tested one?
4. Supply chain security. Not just your own IT counts — also your service providers'. You are only as secure as your weakest link.
5. Documentation. Everything you do must be documented, and you must be able to present that documentation to the BSI on request.
What this actually means for mid-market companies.
Implementation costs money. But not implementing costs more: fines of up to 20 million euros or four percent of global turnover.
Start with a gap analysis. Where are you? What's missing? Then: prioritize. Not everything at once.
Invest in an ISMS. It is not just a path to NIS2 compliance; it is good practice in its own right.