NIS2 Is Coming – Are You Ready for the New EU Directive?

Diagram of the NIS 2 draft bill. From the BSI, an arrow labeled "NIS 2 draft bill" points to a legal text icon.

Many companies that previously did not consider themselves “critical” are suddenly in the spotlight of European cybersecurity regulation. IT management, executive leadership and security officers in medium-sized companies are currently asking: Are we affected by the NIS-2 Directive – and what exactly does that mean for us?

On 30. Juli 2025, the Federal Office for Information Security (BSI) published the draft bill for implementing the NIS-2 Directive. This significantly expands the previous scope. Many companies – especially from sectors such as manufacturing, mechanical engineering, IT services, logistics or healthcare – are now coming more into focus within the EU’s cybersecurity strategy. Companies that have not previously been subject to specific legal requirements in the area of IT security will in future be actively included in the protection of digital infrastructures.

In Germany, according to the Federal Ministry of the Interior, this will affect around 29.000 companies and institutions.

Diagram of NIS2 goals: Industrial cybersecurity, threat analysis, threat awareness, endpoint detection and response, central management, incident reporting

What changes with NIS-2

The draft provides that companies must meet certain minimum requirements for their cybersecurity. Here are the key points:

Obligations for many mid-sized companies: Companies with as few as 50 employees or 10 Mio. Euro in annual revenue may be affected – depending on their sector.
Mandatory risk management: IT security measures must be documented and reviewed regularly.
Reporting obligations for security incidents: Events with potential risk to customers, partners or supply chains must be reported to authorities – tiered and time-bound.
Liability of management: Managing directors will bear a much more visible responsibility.
Tight timeline: The law is slated to be passed in 2025 and become fully effective from 2026 onward.

Find more information on the contents of NIS-2 here.

At first glance, that may sound like a lot of work for some businesses. But for many companies this development also offers an opportunity: They now fall within a legal framework that clarifies what “appropriate” IT security means. Instead of relying on isolated measures or intuitive assessments, companies can align their security strategy with binding standards – and thus not only meet regulatory requirements, but also strengthen the trust of customers, partners and investors.

“Important entities” are required to register with the joint registration office of BSI and BBK.

Graphic list of "Important entities": Wastewater services, banking, digital infrastructure, energy supply, financial infrastructure, health sector, public administration, drinking water supply, transportation, B2B ICT, space

“Particularly important entities” are required to register with the joint registration office of BSI and BBK.

Graphic list of "Particularly important entities": Waste management, food production, chemical sector, digital service providers, postal and courier services, scientific research

What this means for companies

For those who have not had to deal with the details of European IT security directives so far, complex questions now arise:

Do we fall under the new requirements?
Which measures do we need to implement, specifically?
How much effort is involved – personnel, technical, legal?
How do we protect ourselves against fines or liability risks?

The BSI provides information on most questions that can help companies. Here you can learn more. However, without experience the topic can be very complex and demanding.

But we can support you

We help companies keep an overview and implement the requirements of NIS-2 in a structured, efficient and appropriate way. Together, we can analyze whether and to what extent your company falls under the new legal framework. When we know more, we develop a strategy for realistic implementation of NIS2 for you. We prioritize measures and integrate them into existing structures. Since this is a particular focus of NIS2, we help you build a functioning reporting system with clear responsibilities and practical workflows.

It is also important to strengthen understanding within your company. Through training and courses, we enable both management and specialist departments to take action.

Whether based on ISO 27001, BSI IT-Grundschutz or sector-specific standards – we support the development of suitable processes and documentation. And we ensure that your documentation is audit-proof – for internal reviews as well as external audits.

Security graphic. Laptop with error messages

Now is the right time to act

Medium-sized companies in particular benefit from taking action early. Those who address the requirements now can shape implementation with a sense of proportion – aligned with their own structures and resources. Instead of merely reacting to external requirements, there is the opportunity to anchor IT security strategically and remain competitive in the long term. That not only creates security, but also room to maneuver.

Implementing NIS-2 is not a short-term project, but a strategic step for many companies. Those who start planning today avoid operational rush once the law comes into force – and at the same time position themselves as a trustworthy partner in a digitally networked economy.

Honicon GmbH is at your side as an experienced, hands-on consultancy. We know the legal requirements as well as the day-to-day challenges of small and medium-sized enterprises – and we bring the two together.

If you need an informational meeting, consulting, implementation , training, or the complete package on the topic of cybersecurity, then talk to us.

Schedule a conversation –
Security that pays off