The NIS2 Directive: a new era of cybersecurity regulation in the European Union

Tuesday 29 April 2025

Stefan Hessel
reuschlaw, Saarbrücken
stefan.hessel@reuschlaw.de

Moritz Schneider
reuschlaw, Saarbrücken
moritz.schneider@reuschlaw.de

In recent years, cybersecurity has moved to the forefront of corporate risk management. In the European Union, this shift has now become a legal reality. With the adoption of the NIS2 Directive (Directive (EU) 2022/2555), thousands of companies, including many mid-sized and family-owned businesses, will soon face binding obligations aimed at enhancing their digital security posture.

From soft to hard law: what is NIS2?

The revised Network and Information Security (NIS2) Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) replaces the NIS Directive (Directive (EU) 2016/1148), which gave Member States considerable discretion in identifying which entities would be subject to cybersecurity obligations. In contrast, the NIS2 Directive harmonises this approach across the EU by directly specifying which sectors and types of entities are subject to the legal requirements. The NIS2 Directive obliges covered entities to implement risk management measures on cybersecurity throughout the entire organisation. The NIS2 Directive entered into force on 16 January 2023, and Member States were obliged to transpose it into national law by 17 October 2024. As an EU directive, the NIS2 Directive is not directly applicable; under Article 288(3) of the Treaty on the Functioning of the European Union (TFEU), directives must be fully implemented into national law by the EU Member States.

Implementation status: a delayed rollout across the EU

Although the deadline for national implementation expired on 17 October 2024, several EU Member States, including major economies like Germany, have yet to fully transpose the NIS2 Directive into domestic law. As a result, the European Commission has initiated infringement proceedings against non-compliant Member States under Article 258 of the TFEU. These proceedings may ultimately lead to financial penalties imposed by the Court of Justice of the European Union if the delays persist.

As of early 2025, only nine Member States, including Belgium, Italy and Hungary, have officially enacted national laws implementing the NIS2 Directive. The remaining countries are at various stages of the legislative process, with some having circulated drafts but failing to complete the parliamentary procedures in time.

Despite these delays, businesses across the EU should not assume they can wait. The obligations of the NIS2 Directive are coming, sooner or later, in every Member State. Companies, particularly those operating in multiple jurisdictions, must therefore begin preparing for compliance regardless of the national implementation status. This includes identifying whether their activities fall within the scope of the NIS2 Directive, conducting internal risk assessments and reviewing their IT governance structures.

In short, while legal harmonisation has not yet been fully achieved in practice, the strategic direction is clear. The NIS2 Directive is set to become a cornerstone of cybersecurity compliance across the EU and organisations should act now to ensure they are ready.

Who is covered?

The NIS2 Directive applies to entities that are active in one of the 18 ‘critical’ or ‘important’ sectors listed in Annexes I and II of the NIS2 Directive. These include energy, transport, healthcare, the manufacturing of certain goods, digital infrastructure and food production, among others. Importantly, the NIS2 Directive generally applies to companies that meet the criteria of a ‘medium-sized enterprise’ under EU law, ie, those with at least 50 employees or €10m in annual turnover or balance sheet total. While there are some specific exceptions, the general rule is clear: any company that operates in one of the listed sectors and exceeds the thresholds of a medium-sized enterprise according to the EU definition falls within the scope of the NIS2 Directive. In certain sectors, such as entities providing domain name registration services, the NIS2 Directive applies regardless of company size.

A key feature is the concept of an ‘entity’ (Art. 6(38) NIS2): obligations are assessed at the level of the individual legal person. There is no group-wide application or ‘conglomerate’ approach, although affiliated companies must be considered when calculating size thresholds. This creates significant compliance challenges for complex corporate structures.

Practical surprises: when the Directive applies unexpectedly

A major difficulty with the NIS2 Directive lies in its vague and overly broad definitions. Companies may find themselves subject to the NIS2 Directive based on seemingly minor or ancillary activities, for example, the operation of a single electric vehicle charging point for employees or customers, the use of a photovoltaic system that feeds electricity into the grid, the provision of IT services to affiliated companies (as intra-group IT services may qualify as managed services) or the operation of an online marketplace that allows third-party vendors to sell goods. Each of these activities can, on its own, trigger the application of the NIS2 Directive.

Even where such activities are not part of the core business, but only incidental or ancillary, they may still bring a company within the scope of the NIS2 Directive, unless a specific exemption applies. For instance, waste management is only covered when it constitutes a company’s primary economic activity. However, such carve-outs are rare.

Given this expansive and sometimes counterintuitive approach to determining applicability, any company that exceeds the thresholds of a medium-sized enterprise as defined in the European Commission’s SME Recommendation 96/280/EC (ie, typically 50 or more employees or over €10m in turnover and balance sheet total) should carefully assess all its business activities, main and ancillary alike, against the sectors and services listed in the Annexes of the NIS2 Directive. In many cases, a seemingly harmless side activity may create far-reaching compliance obligations.

The core obligations under the NIS2 Directive

At the heart of the NIS2 Directive lies a clear mandate: companies within its scope must take a proactive and structured approach to cybersecurity. These obligations can be grouped into three key areas: entity registration, risk management and incident reporting.

Firstly, covered entities are required to register with the relevant competent national authorities. This registration must include essential information about the organisation and the services it provides. Registration is not merely a bureaucratic formality; it is a legal obligation. Failure to register can itself trigger enforcement actions, regardless of whether a security incident has occurred.

Secondly, companies must implement technical, operational and organisational risk management measures as set out in Article 21 of the NIS2 Directive. These include cybersecurity hygiene procedures, access controls, encryption, backup strategies, training programmes and policies for secure software development. A particularly noteworthy feature is the obligation to ensure supply chain security: regulated entities must account for cybersecurity risks arising from their service providers and contractors and may need to reflect these requirements in contractual arrangements.

Thirdly, companies must be prepared for timely incident reporting. In the event of a significant cybersecurity incident, affected entities must notify the relevant authorities within 24 hours, provide a more detailed report within 72 hours and submit a final incident report within one month. These timelines demand well-tested internal processes and close collaboration between legal, IT and compliance teams, especially where parallel obligations under other legal frameworks, such as the General Data Protection Regulation, may also apply.

In sum, the NIS2 Directive requires regulated companies not only to implement effective cybersecurity measures, but also to register, report and govern their digital risk landscape in a transparent and accountable manner. This marks a significant evolution in the EU’s approach to cybersecurity: from technical best practices to enforceable legal standards.

Management responsibility

Although national implementation is still pending in many Member States, including Germany, companies should not wait. Legal uncertainty and potential sanctions mean that early compliance planning is essential.

We recommend the following steps:

  • conduct comprehensive mapping of your business activities against the sectors listed in the NIS2 Directive;
  • pay special attention to borderline cases and ancillary activities;
  • ensure your corporate governance structures include cybersecurity responsibilities; and
  • prepare internal processes for incident response and supply chain risk management.

Conclusion

The NIS2 Directive marks a shift in European cybersecurity regulation. Cybersecurity is not only a matter of best practice; it is a legal obligation. International businesses operating in the EU, and the lawyers advising them, must adapt swiftly to a new compliance landscape, where technical IT issues are tightly interwoven with regulatory risk and management accountability. In parallel, the EU has adopted the Cyber Resilience Act (CRA), which sets binding cybersecurity requirements for products with digital elements. Unlike the NIS2 Directive, the CRA will apply directly, without the need for national transposition, once it enters into force. Together, these instruments form the foundation of a far-reaching EU cybersecurity framework that companies can no longer afford to ignore.