
NIS-2 Directive: What Companies in Germany Need to Do

Published:

The Essentials in Brief

  • NIS-2 is an EU directive that each member state transposes into national law; this page covers its obligations for companies operating in Germany, not for other markets.
  • The key questions are sector, company size, supply-chain relevance, and reporting duties.
  • Cyber insurance helps with incident costs, but it does not replace compliance obligations.

The NIS-2 Directive increases cybersecurity obligations for companies operating in Germany. For many SMEs, the practical question is no longer whether cyber risk exists, but whether management can document adequate safeguards, reporting processes, and vendor controls.

When Is a Company Affected?

The answer depends on sector, size, and criticality. Companies in IT services, energy and other infrastructure, transport and logistics, healthcare, and the other sectors listed in the directive's annexes should review their exposure early. Suppliers to such companies can be pulled in indirectly through their customers' supply-chain obligations. This is especially relevant for businesses already considering cyber insurance for SMEs.

What Management Must Have in Place

Core topics include security governance, incident escalation, backups, supplier assessments, vulnerability management, and evidence that controls are actually used, not merely documented. NIS-2 assigns responsibility for approving and supervising these measures to the management body itself, so executives who ignore these basics increase their personal liability exposure.

Insurance Perspective

A cyber policy can cover IT forensics, business interruption, and external crisis support after an attack. It does not replace reporting deadlines or security governance, and insurers increasingly expect the same controls NIS-2 requires as a condition of cover. For management liability questions and a practical checklist on policy duties, see the cyber insurance obligations guide.

Frequently Asked Questions

Which companies are affected?

Companies in the defined essential and important sectors, generally once they reach medium-enterprise size (at least 50 employees or more than EUR 10 million in annual turnover or balance sheet total). A few categories, such as certain DNS and trust service providers, are covered regardless of size.

What must management have in place?

Risk management, technical and organisational security measures, incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours, and a final report within one month), management accountability and training, supplier checks, backups, and regular reviews.

Does cyber insurance replace NIS-2 compliance?

No. Insurance can absorb financial losses after an incident, but NIS-2 requires prevention, governance, and reporting.