
1.7.2026
9 minutes

NIS2 Applicability Assessment: Am I Affected, and What Do I Need to Do Now?

Since December 6, 2025, the NIS2 Implementation Act has been legally binding in Germany with no transition period. However, for many companies the first and most important question remains unanswered: Do we even fall under it? A structured NIS2 applicability assessment provides a reliable answer. It is the starting point for every further measure and, at the same time, evidence that supervisory authorities will want to see if in doubt.

This article shows you how the assessment logic works, where the typical misjudgments lie, and how you can clarify your applicability quickly, in a structured manner, and with legal certainty using Athereon GRC.

The current regulatory status: NIS2 is applicable law

The European NIS2 Directive (EU 2022/2555) already entered into force in January 2023. Member states had until October 17, 2024, to transpose it into national law. Germany missed this deadline by more than a year: Due to the change of government and the parliamentary principle of discontinuity, the previous drafts lapsed, and the process had to begin anew.

The timeline of the final implementation:

  • November 13, 2025: The Bundestag passes the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS2UmsuCG for short).
  • November 21, 2025: The Bundesrat approves the law.
  • December 06, 2025: Upon publication in the Federal Law Gazette, the law enters into force without a grace period.
  • January 06, 2026: The BSI registration portal goes live.
  • March 06, 2026: The statutory three-month registration deadline expires.
  • March 17, 2026: The KRITIS Umbrella Act takes effect, supplementing NIS2 with requirements for physical resilience.
  • July 31, 2026: BSI tolerance period: Outstanding registrations are to be completed by this date.

For context: Germany did not enact a standalone NIS2 law, but instead fundamentally revised the existing BSI Act (BSI-Gesetz, BSIG). The key provisions on applicability can now be found in Sections 28 through 39 of the BSIG. The registration deadline has already passed. Late registration remains possible and is strongly advised, since failure to register constitutes an independent regulatory offense subject to fines.

The pressure to act is real: In Germany, around 29,500 companies are affected, yet by the statutory deadline of March 6, 2026, only about half had registered. In the meantime, the BSI has explicitly called for implementation. In a letter to industry associations, the authority acknowledged that significantly fewer entities have registered than expected, and it assumes that outstanding registrations will be completed by July 31, 2026, at the latest. As of late May 2026, only about 18,500 of the expected 29,500 entities had been registered.

Important to know: This grace period is not a new statutory deadline, but rather a tolerance and goodwill arrangement. The obligation was due on March 6, 2026, and exceeding it formally remains an administrative offense subject to fines. Failure to register alone can be penalized with fines of up to €500,000. July 31, 2026, is therefore the last opportunity to remedy the omission without sanction. Those who register now and document the first steps will noticeably reduce their risk of fines.

Why affected status is often misjudged

No government agency will notify you of your affected status. The classification is a self-assessment. This is often where mistakes occur. The Cyber Security Report 2026 shows: A significant portion of the surveyed companies underestimate their own regulatory exposure. Among small companies with high revenues, this misjudgment is particularly pronounced.

The reason lies in an outdated mindset. Many decision-makers assume that NIS2 only applies to classic operators of critical infrastructure. In fact, the legislator has massively expanded the group of obligated companies. A mechanical engineering firm with 60 employees, a food producer, or an IT service provider can today fall entirely under NIS2 without ever having considered itself as "critical infrastructure."

The assessment logic: Sector, size, classification

A reliable NIS2 applicability analysis follows a fixed sequence of three steps. Only when all three apply are you directly regulated.

Step 1: Sector affiliation

The BSIG regulates 18 sectors, divided into two annexes. Annex 1 covers eleven sectors of high criticality, including energy, transport and traffic, banking, financial market infrastructure, health, drinking water and wastewater, digital infrastructure, and space. Annex 2 adds seven further critical sectors, such as postal and courier services, waste management, chemicals, food, manufacturing (e.g., mechanical engineering and vehicle construction), as well as providers of digital services and research institutions.

Check the assignment individually for each business unit and each subsidiary, not just for the parent company.

Step 2: Size criteria

The decisive factors are number of employees, revenue, and balance sheet total. As a rule of thumb: NIS2 applies to organizations with 50 or more employees or annual revenue exceeding €10 million. The group clause is decisive here. A common misjudgment is to apply the isolated figures of a single subsidiary instead of the consolidated values of the corporate group.


Step 3: Classification as an essential or important entity

NIS2 distinguishes between two categories with different obligations and fine frameworks:

  • Essential entities (Section 28 (1) BSIG): Companies in Annex 1 sectors with 250 or more employees or more than €50 million in revenue and €43 million in total assets. Fines can reach up to €10 million or 2% of global annual revenue.
  • Important entities (Section 28 (2) BSIG): Companies with 50 or more employees or more than €10 million in revenue. Here, the range is up to €7 million or 1.4% of revenue.

Certain organizations are considered subject to the regulation regardless of size, such as DNS service providers, TLD registries, and qualified trust service providers. Anyone operating a critical facility under the KRITIS Umbrella Act automatically counts as an essential entity.
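The three-step logic above, written out as a small Python classifier. This is an added illustration, not code from Athereon GRC or from the BSIG itself: the sector table contains only the sectors the article names (the statute's annexes are longer), the group clause is simplified to a plain sum over the listed group members, the size-independent roles are flagged rather than assigned a class (the statute fixes their class; the article only states that they are in scope), and the company names and figures are constructed.

```python
"""NIS2 applicability check: sector, size, classification (illustrative)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Illustrative sector table (assumption: limited to the sectors the article names).
ANNEX_1 = {
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "wastewater", "digital infrastructure", "space",
}
ANNEX_2 = {
    "postal and courier services", "waste management", "chemicals", "food",
    "manufacturing", "digital services", "research",
}
# Roles the article names as covered regardless of size.
SIZE_INDEPENDENT_ROLES = {
    "dns service provider", "tld registry", "qualified trust service provider",
}

ESSENTIAL = "essential"
IMPORTANT = "important"
SIZE_INDEPENDENT = "in_scope_size_independent"
NOT_DIRECT = "not_directly_in_scope"


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    revenue_eur: float
    balance_sheet_eur: float
    kritis_operator: bool = False
    role: Optional[str] = None  # e.g. "DNS service provider"
    # Parent and sister companies; consolidation is a plain sum (assumption).
    group_members: List["Entity"] = field(default_factory=list)


@dataclass
class Result:
    classification: str
    reasons: List[str]


def sector_annex(sector: str) -> Optional[int]:
    """Step 1: annex of the sector, or None if the sector is not listed."""
    key = sector.strip().lower()
    return 1 if key in ANNEX_1 else 2 if key in ANNEX_2 else None


def consolidated_figures(entity: Entity, use_group: bool) -> Tuple[int, float, float]:
    """Step 2 helper: the group clause means own figures plus group members."""
    members = [entity] + (entity.group_members if use_group else [])
    return (sum(m.employees for m in members),
            sum(m.revenue_eur for m in members),
            sum(m.balance_sheet_eur for m in members))


def classify(entity: Entity, use_group_figures: bool = True) -> Result:
    reasons: List[str] = []
    annex = sector_annex(entity.sector)
    role_in_scope = bool(entity.role) and entity.role.lower() in SIZE_INDEPENDENT_ROLES

    # Step 1: without a listed sector, KRITIS status or a size-independent role,
    # NIS2 does not apply directly (indirect exposure via contracts may remain).
    if annex is None and not entity.kritis_operator and not role_in_scope:
        return Result(NOT_DIRECT, [f"sector '{entity.sector}' is in neither annex"])
    if annex is not None:
        reasons.append(f"sector '{entity.sector}' is in Annex {annex}")

    # Size-independent cases named in the article.
    if entity.kritis_operator:
        reasons.append("operates a critical facility under the KRITIS Umbrella Act")
        return Result(ESSENTIAL, reasons)
    if role_in_scope:
        reasons.append(f"role '{entity.role}' is covered regardless of size")
        return Result(SIZE_INDEPENDENT, reasons)

    # Step 2: size test on consolidated group figures (the common misjudgment
    # is to use the isolated figures of one subsidiary instead).
    employees, revenue, balance = consolidated_figures(entity, use_group_figures)
    basis = "group" if use_group_figures and entity.group_members else "standalone"
    reasons.append(f"{basis} figures: {employees} employees, "
                   f"EUR {revenue:,.0f} revenue, EUR {balance:,.0f} balance sheet")

    # Step 3: classification with the thresholds the article quotes.
    if annex == 1 and (employees >= 250 or (revenue > 50_000_000 and balance > 43_000_000)):
        reasons.append("Annex 1 sector and thresholds of Section 28 (1) BSIG met")
        return Result(ESSENTIAL, reasons)
    if employees >= 50 or revenue > 10_000_000:
        reasons.append("thresholds of Section 28 (2) BSIG met")
        return Result(IMPORTANT, reasons)
    reasons.append("below size thresholds; check indirect exposure via customer contracts")
    return Result(NOT_DIRECT, reasons)


# Constructed sample group: a 30-person mechanical engineering subsidiary whose
# parent and sister company push the consolidated headcount past 50.
PARENT = Entity("Muster Holding (constructed)", "manufacturing", 70, 9_000_000, 6_000_000)
SISTER = Entity("Muster Service (constructed)", "manufacturing", 20, 2_000_000, 1_000_000)
SUBSIDIARY = Entity("Muster Maschinenbau (constructed)", "manufacturing", 30,
                    4_000_000, 3_000_000, group_members=[PARENT, SISTER])

if __name__ == "__main__":
    for label, flag in (("isolated view", False), ("group view", True)):
        result = classify(SUBSIDIARY, use_group_figures=flag)
        print(f"{label}: {result.classification}")
        for line in result.reasons:
            print("  -", line)
```

Run stand-alone, the sample shows the misjudgment the article warns about: the subsidiary looked at in isolation lands below every threshold, while the same subsidiary judged on group figures is an important entity. The `reasons` list is the part worth keeping, since the assessment must be documented as evidence for the supervisory authority.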

Indirect exposure through the supply chain

Even if you do not meet the thresholds yourself, NIS2 can still reach you. Section 30 (2) No. 4 BSIG obliges affected companies to ensure the security of their supply chain. In practice, this means regulated clients pass on their requirements through contractual clauses. Cybersecurity requirements, audit rights, and reporting obligations end up in service contracts.

Software suppliers, cloud service providers, and IT maintenance firms with access to their customers' systems are particularly affected. For them, compliance effectively becomes a prerequisite for maintaining business relationships. Anyone working as a supplier should therefore assess their own exposure independently of formal classification.


What to do after the exposure analysis

If the analysis reveals that you are subject to the regulation, concrete obligations begin. Overview of the key steps:

  1. Register with the BSI via the MUK portal. Catch up on this immediately, even after the deadline has passed.
  2. Establish risk management in line with the areas of measures set out in Section 30 BSIG (state of the art).
  3. Establish reporting processes: Early warning within 24 hours, follow-up notification within 72 hours, final report after one month at the latest.
  4. Involve executive management: Responsibility explicitly rests with executive management, extending to personal liability under Section 38 BSIG.
  5. Ensure ability to provide evidence: The entire impact assessment must be documented in a legally sound manner, as it may be required as evidence during an audit.

A note for companies with an existing information security management system: Experience shows that an ISMS in accordance with ISO 27001 covers 70 to 80% of NIS2 requirements. The remaining items such as BSI registration, the tiered reporting procedure, and management obligations must be specifically supplemented.


The reporting procedure under Section 32 BSIG in detail

Affected entities must report significant security incidents to the BSI in a three-stage procedure in accordance with Section 32 BSIG. An incident is considered significant if it has caused or is capable of causing serious operational disruptions or financial losses, or if it affects third parties through substantial material or immaterial damage. What matters for the start of the deadline is the point of awareness: the moment an employee notices the incident, not the completion of the analysis.

The three reporting stages:

  1. Early warning (within 24 hours): An initial signal notification with classification of the incident, reason for reporting, and a preliminary situation assessment. It explicitly does not require a complete analysis; the principle here is "speed over completeness."
  2. Follow-up notification (within 72 hours): A confirmation and update of the early warning, supplemented by an initial assessment of severity and impact.
  3. Final report (within one month): A detailed description of the incident with root cause analysis, remediation measures taken, and, where applicable, cross-border impacts. If the incident continues for a longer period, an interim progress report initially takes its place.

All reports are submitted via the BSI reporting portal, which requires prior registration. Two points are often underestimated in practice: First, in the case of incidents involving personal data, the GDPR notification obligation under Art. 33 GDPR applies in parallel, with its own 72-hour deadline and a different addressee: the data protection authority. Second, a legally compliant reporting process requires a documented incident response plan, which is mandatory anyway under Section 30 (2) BSIG and must be demonstrated to the BSI upon request.

Differentiation: NIS2, KRITIS Umbrella Act, and DORA

Many affected organizations are not only covered by the NIS2 Implementation Act but also face multiple layers of regulation. For a clean impact analysis, it is therefore worth distinguishing between three sets of rules:

  • NIS2 Implementation Act (BSIG): Governs cybersecurity obligations—risk management, reporting procedures, and technical as well as organizational measures. It provides the general framework for approximately 29,500 entities.
  • KRITIS Umbrella Act: In force since March 17, 2026, it supplements NIS2 with requirements for the physical resilience of critical facilities, such as protection against sabotage, natural disasters, or infrastructure failures. Operators of critical facilities must comply with both laws.
  • DORA: The EU regulation for the financial sector is directly applicable and takes precedence as the more specific set of rules. Section 28 (5) BSIG largely exempts financial institutions from NIS2 obligations; here, reports are submitted to BaFin rather than to the BSI.

The distinction follows the lex specialis principle: Sector-specific rules take precedence to the extent that they impose at least equivalent requirements. For your analysis, this means: Check not only whether you are affected, but also which regime applies to you and whether several apply simultaneously.

Structured impact assessment with Athereon GRC

The impact assessment is not a one-time glance at the commercial register, but a review that must be documented and that follows the lines of sector, size, corporate structure, and supply chain.

Athereon GRC supports you with everything that comes after the impact assessment. With our leading European GRC platform, you can position your company for NIS2 compliance in a structured, traceable, and audit-ready manner, instead of working with fragmented Excel spreadsheets and scattered responsibilities.

A central component is the AI agent LAiKA. It helps you identify relevant risks, classify existing risks, and develop treatment proposals, without taking control out of your hands. The guiding principle behind it: Nothing without your OK. The escalation logic runs from the foundation through LAiKA Assist to the specialized agents, so that at every step you decide which recommendation to adopt.

The benefits for you in becoming NIS2-compliant:

  • Centralized documentation of all review steps, audit-proof and available at any time.
  • Transparent dashboards that make the implementation status and open items visible.
  • Framework-agnostic design, so you can manage NIS2, GDPR, ISO 27001, and TISAX® in a single system.
  • Automated workflows for registration, reporting deadlines, and evidence management.

Athereon GRC is 100% made in Germany and enables you to implement your compliance measures directly and independently, without dependence on lengthy consulting projects.


Conclusion: Creating clarity before the regulator comes knocking

NIS2 is applicable law, deadlines are running, and supervisory authorities are actively conducting reviews. The impact assessment is the point at which it is decided whether your company proceeds in a structured manner or has to catch up under time pressure. Anyone who clarifies their impact early, documents it cleanly, and uses the right tools turns a legal obligation into a competitive advantage—fully in line with compliance as an opportunity.

For more information on the regulatory foundations, please visit our topic page on NIS2. Would you like to assess your applicability directly within the platform? Schedule a demo appointment and see how Athereon GRC supports you from analysis all the way through to documentation of evidence.

Would you like to learn more?

Book a noncommittal demo appointment with our team to analyze your individual use case with us.