NIS2 implementation: obligations and sanctions

NIS2 affects far more organisations than many assume. In Germany, its implementation introduces binding new requirements for cybersecurity, incident reporting, risk management and management accountability. For organisations in scope, this means reassessing security not only from a technical perspective, but also in terms of governance, organisational arrangements and documentation.

By working with 3-core, organisations benefit from extensive expertise in KRITIS and NIS2. We support them in integrating NIS2 requirements into their existing processes in a structured, efficient and practical way. Drawing on our experience in the KRITIS environment, we understand what matters when it comes to regulatory requirements, robust security measures, clear documentation and governance that works in practice. In this way, we help our clients not only achieve greater regulatory certainty, but also build resilient structures that underpin long-term, sustainable cybersecurity.

Why NIS2 implementation is so relevant for organisations

NIS2 implementation significantly expands the number of organisations within scope. In addition to operators of critical infrastructure, essential and important entities now also come into focus. This makes one thing clear: cybersecurity is no longer an issue only for traditional critical infrastructure, but for many medium-sized and large organisations operating in defined sectors. At the same time, the new rules require the implementation of cybersecurity risk-management measures, the continuous review of compliance, and the reporting of significant incidents. Non-compliance may result in substantial administrative fines.

KRITIS Entities

KRITIS entities include organisations responsible for essential services and critical infrastructure whose disruption would have significant consequences for public safety or the public welfare.

Important Entities

Important entities are generally medium-sized undertakings with at least 50 employees and either an annual turnover of more than EUR 10 million or an annual balance sheet total of more than EUR 10 million, provided that they operate in one of the defined sectors. Providers of certain specific services may also fall within this category.

Essential Entities

Essential entities generally include large undertakings with at least 250 employees, annual turnover of more than EUR 50 million, or an annual balance sheet total of more than EUR 43 million, as well as organisations operating in certain additional sectors. Providers of certain specific services and operators of critical infrastructure may also fall within this category.

Which core requirements NIS2 implementation sets out

NIS2 implementation requires in-scope entities to organise cybersecurity in a comprehensive and demonstrable way. The core requirements include:

  • minimising disruption and limiting its impact
  • taking account of the state of the art and relevant standards
  • applying an all-hazards approach
  • ensuring proportionality
  • maintaining comprehensive documentation

Cybersecurity risk-management measures

  • risk analysis, security assessments, crisis management and recovery
  • supply chain security, secure IT development and cyber hygiene
  • encryption and access control

Reporting obligations for security incidents

  • early warning within 24 hours
  • updated incident notification within 72 hours
  • intermediate report if requested by the Federal Office for Information Security (BSI) or the Federal Office of Civil Protection and Disaster Assistance (BBK)
  • final report, or progress report where the incident is ongoing, within one month

Registration obligations

Organisations must register within three months of falling within scope. Any changes must be reported within two weeks, while supply-related key figures must be updated annually. Registration is carried out through the Federal Office for Information Security (BSI) or, where applicable, the Federal Office of Civil Protection and Disaster Assistance (BBK).

Information obligations

Entities may be required to inform service recipients. In addition, customers should be made aware of threats and possible protective measures.

What sanctions may apply in the event of non-compliance

Any organisation that fails to meet the requirements of NIS2 implementation may face significant consequences. These include:

  • administrative fines of up to EUR 10 million or 2% of annual worldwide turnover
  • coercive fines of up to EUR 100,000
  • personal liability for members of the management body
  • publication of infringements by the Federal Office for Information Security (BSI)
  • for important entities that fail to meet their obligations, the same supervisory and enforcement measures as apply to essential entities

In the most serious cases, approvals may even be withdrawn and members of the management body may be temporarily prohibited from exercising managerial functions.

What organisations should do now

NIS2 implementation should not be seen as a mere compliance exercise. Organisations should now assess whether they fall within scope, which category applies to them, and which technical, organisational and documentation measures are already in place. Particularly important are clear responsibilities, robust reporting processes, a structured risk analysis, and proper documentation to demonstrate compliance.
