NIS2 compliance: Roadmap for 2026

The EU's NIS2 directive mandates significantly more companies to adhere to cybersecurity standards than before. The national implementation in Germany (NIS2-UmsuCG) affects approximately 30,000 companies. Those affected have generally not yet started. Here is the roadmap.

Who is affected

NIS2 distinguishes between essential and important facilities. Essential are large companies from sectors with high criticality (energy, transport, banking, health, digital infrastructure). Important facilities are medium-sized companies from these plus other sectors (post, food, chemicals, digital providers).

Thresholds:

Medium-sized enterprise: 50–249 employees or Annual revenue of €10–50 million
Large enterprise: 250+ employees or Annual revenue > €50 million

Overview of obligations

1. Risk management measures (Art. 21)

Concept for risk analysis and security of information systems
Management of cybersecurity incidents
Business continuity management (BCM)
Supply chain security
Security in the acquisition, development, and maintenance of IT systems
Concepts for assessing the effectiveness of measures
Concepts for cryptography and encryption
Personnel security (awareness, access control)
Multi-factor authentication

2. Reporting obligations (Art. 23)

Early warning: 24 hours after knowledge of a significant cybersecurity incident
Report: 72 hours after knowledge — with initial assessment
Final report: No later than 1 month after reporting

3. Management responsibility

Management must approve the cybersecurity measures and monitor their implementation. Training obligation for management. Personal liability in case of violation. Sanctions

In case of violation, fines of up to €10 million or 2% of global annual revenue (for essential facilities) are threatened. For important facilities €7 million or 1.4% of revenue. Plus personal sanctions for management.

The 6-month roadmap

Month 1: Impact assessment

Examination: Sector + size → essential/important/not affected

In case of impact: Registration obligation with BSI
Inventory of existing security measures
Months 2–3: Gap analysis & concept

Gap analysis against NIS2 requirements

Risk analysis with threat modeling
Measures roadmap with prioritization
Management workshop
Months 4–5: Implementation of core measures

MFA implementation for all access points

EDR/XDR endpoint protection
Backup strategy + disaster recovery exercise
Document incident response plan
Awareness training for all employees
Month 6: Documentation & audit

ISMS documentation

Internal audit of measures
Collection of evidence for BSI audit
Ongoing awareness mechanisms activated
For each NIS2-affected client, we create a

What we do at TABAK

complete NIS2 package complete NIS2 package: Impact assessment, gap analysis, roadmap, implementation of technical measures, ISMS documentation. We coordinate with the data center partner DAVINCIRechenzentrum for technical implementation. Typical project duration: 4–6 months. Typical costs: €25,000–80,000 depending on size.

Check NIS2 applicability.

We clarify in a free initial consultation whether you fall under NIS2 and how complex the implementation would be in your case.

Request NIS2 check →

NIS2 compliance:Roadmap for 2026.