Quick answer up front: very likely yes, if you operate in one of the sectors NIS2 covers and you’re not a micro business. The circle of affected companies has grown sharply: under the German NIS2 implementation law, roughly 29,500 entities now fall under BSI supervision, up from about 4,500 before the reform (BSI, 2025).
IT security used to be “nice to have.” With the EU’s NIS2 directive, it becomes mandatory for many companies — and the circle of those affected is considerably wider than under the previous rules.
Note: whether and to what extent NIS2 applies to you depends on your sector and size. This overview doesn’t replace a legal assessment.
What’s Actually New About NIS2?
Two things are genuinely new. First, far more mid-sized companies from far more sectors now fall within scope, not just the classic “critical infrastructure.” Second, management is personally liable for implementation — security is now a leadership responsibility, not just an IT matter. In Germany this gets spelled out through the national implementation law. If it applies to you, don’t sit on it. And for how to check properly whether you’re in scope at all — including the trap with linked enterprises — see the NIS2 scope test.
In substance, it comes down to a handful of core obligations:
- Know, assess, and treat your risks.
- Basic hygiene: updates, patches, access control, encryption.
- Backups that are tested, not just present.
- Monitoring and clear reporting channels to detect incidents and report them within the deadline.
- A supply chain where your service providers play along too.
How Much of This Does Good Operations Already Cover?
That sounds like a lot. But the larger part of it is simply solid operations — something any system worth taking seriously needs anyway. This is how the work splits:
| NIS2 demands | Does managed hosting cover it? |
|---|---|
| Updates, patches, hardened systems | Yes — ongoing maintenance is part of operations, documented |
| Tested backups | Yes — including practised recovery |
| Monitoring and incident detection | Yes — around the clock, with a fixed point of contact |
| Reporting to the authority | No — you have to report yourself, the operator supplies the facts |
| Risk analysis and security strategy | No — that stays a leadership matter |
If your hosting brings the upper half, you’ve got a substantial part covered already, demonstrably so. It doesn’t replace an actual security strategy. But a cleanly run foundation makes that strategy a lot smaller.
Not sure whether NIS2 applies to you and where you stand? Let’s sort it out in a short conversation.