The NIS2 Implementation Act came into force in Germany on December 6, 2025, for approximately 30,000 companies, with the aim of securing critical infrastructures. On January 6, 2026, the BSI activated the corresponding portal where affected companies must register.
We support you in the fast and efficient implementation of the NIS2 Directive by identifying relevant security risks and areas where action is needed, deriving the necessary measures, implementing them as required, and accompanying the implementation step by step.
We quickly clarify any uncertainties about NIS2 in our two-hour quick-start workshop:
Outdated IT structures hinder scaling, innovation and security. Skills shortages, high maintenance costs and technological legacy issues are slowing down your growth. Asset-based modernisation helps you tackle change in a targeted manner – with mitigable risks but strategic impact.
NIS2 is aimed at companies with at least 50 employees or €10 million in annual revenue that operate in one of the following sectors:
For implementation, the NIS2 Directive refers, among other things, to Section 30 of the BSI Act, which sets out organizational and technical tasks. The technical tasks comprise at least 10 areas of action in risk management.
Risk management
Section 30 requires the implementation of effective technical and organizational measures in 10 areas.
Organizational tasks
Responsibility of management
Management has a duty to examine the content of the necessary measures before approving them. It must also review their implementation and undergo regular training on cybersecurity, threats, and security practices in the form of management training.
Failure to fulfill this responsibility may result in personal liability in the event of a security incident, accompanied by heavy fines.
Identify the need for action
Coordination, guidance, and operational measures
Documentation of successful measures
After many years of planning, timely implementation is now necessary, not just the identification of the need for action. We are committed to providing you with practical and rapid guidance, support, and empowerment in implementing the necessary measures, concepts, and controls.
We implement the NIS2 Directive in a highly structured manner appropriate to the size of your company. Step by step, we work our way through the 10 risk management measures together and supplement them in areas where the need has been identified.
Our operational team has many years of experience in all 10 required areas, which makes implementation very targeted. Once the objectives have been achieved, you will receive our implementation certificate for your documentation of successful completion.
iteratec has been one of Germany's leading software development service providers since 1996. We hold multiple certifications and are an official project partner of OWASP.

Early certainty of action
In just a few steps, gain clarity about the action required and the effort involved in implementing an NIS2-compliant security level.
Efficient use of resources
Deploy your resources where they are actually needed. Our risk assessment provides the right basis for this.
Lean start
Don't lose momentum with rigid and oversized programs. Get started quickly by identifying the security gaps that need to be closed.
Independent assessment
Benefit from a neutral assessment of your current status to support your investment decisions.

Do you have a specific concern or questions? Feel free to contact me or book an appointment directly. I look forward to hearing from you.
Birgit Murkowski, Solutions Security
It affects operators of essential services and important digital service providers, including providers in areas such as energy, transport, banking, healthcare, and digital infrastructure. However, suppliers to companies that are bound by NIS2 may also be affected. What is new about the NIS2 Directive is that it can also include small and medium-sized enterprises (SMEs) if they offer services that are considered critical to society or the economy.
NIS2 stands for “Network and Information Security 2” and is an EU directive that came into force in Germany on December 6, 2025, with the NIS2 Implementation Act. Its aim is to ensure a high level of security for network and information systems in the EU. It updates and replaces the original NIS Directive and introduces stricter security requirements and reporting obligations for a wider range of sectors and types of companies.
Companies must take appropriate and proportionate technical and organizational measures to manage risks to the security of their network and information systems. This includes ensuring system security, protecting against cyber attacks, conducting regular security audits and tests, and establishing incident response plans. A proactive approach to risk mitigation is essential.
Companies must report security incidents and risks to the relevant national authorities within strict deadlines. These deadlines and the type of information to be reported may vary depending on the severity of the incident. The aim is to enable a rapid response to incidents and to raise awareness of threats. Companies must therefore establish internal procedures to effectively detect, report, and respond to incidents.
Companies that fail to comply with the NIS2 Directive can face significant penalties. These include fines, which can vary considerably depending on the severity of the violation and the Member State concerned. In some cases, fines can be as high as €10 million or 2% of a company's global annual turnover. In addition, loss of reputation and trust among customers and partners can have significant indirect consequences.
Companies should first conduct a thorough assessment of their existing security practices and procedures as part of a gap analysis. Regular audits and reviews help to protect systems and applications. Companies are also encouraged to conduct training and awareness programs for employees to ensure that they understand the importance of cybersecurity and how they can contribute to a secure operating environment.