NIS2 Across the EU: Germany Leads the Way in Cybersecurity Compliance

February 11, 2026
Explore how NIS2 is strengthening cybersecurity across the EU and why Germany is leading compliance efforts to protect critical infrastructure and enhance cyber resilience.

Cybersecurity in Europe is entering a new era. The NIS2 Directive (Directive 2022/2555), now in force across the EU, significantly raises the bar for how organizations protect critical infrastructure, sensitive data, and digital services. For companies operating in Europe, this isn’t just a compliance checkbox – it’s a call to strengthen defenses, secure communications, and prepare for stricter oversight.

Germany has taken the lead in translating NIS2 into concrete national law. Its December 2025 NIS2 Implementation Act, updating the BSI Act (BSIG), provides a clear and actionable blueprint for organizations. With roughly 29,500 organizations now falling under the law, the implications for businesses – from energy and healthcare to finance and digital services – are immediate and far-reaching.

For organizations across the EU, NIS2 represents both a challenge and an opportunity: to protect critical systems, prevent cyberattacks, and demonstrate resilience in an increasingly digital world.

Who Falls Under NIS2 in Germany

Germany’s revised BSI Act increases the number of regulated entities from roughly 4,500 to around 29,500 organizations. Entities are classified as either:

  • Essential entities
  • Important entities

Classification depends on sector, company size, and economic or societal impact.

Sectors in Scope

[Figure: NIS1 vs NIS2 comparison diagram showing expanded sectors and cybersecurity requirements under the EU NIS2 Directive. Caption: NIS2 significantly expands the number of regulated sectors and cybersecurity obligations compared to NIS1.]

As illustrated above, Directive (EU) 2022/2555 (NIS2) expands cybersecurity obligations across the European Union by introducing additional regulated sectors. The table below outlines the key NIS2 sector categories and identifies whether each sector is classified as an essential entity or an important entity under the NIS2 Directive.

| Sector Category | Classification | Examples |
|---|---|---|
| Energy | Essential | Electricity, gas, oil |
| Health | Essential | Hospitals, emergency healthcare |
| Transport | Essential | Air, rail, road, water operators |
| Finance | Essential | Banks, payment service providers |
| Water Supply | Essential | Drinking water, wastewater |
| Digital Infrastructure | Essential | DNS, IXPs, data centers |
| Public Administration | Essential | Government authorities |
| Space | Essential | Satellite and ground infrastructure |
| Digital Providers | Important | Cloud services, online platforms |
| Postal Services | Important | Postal and courier services |
| Waste Management | Important | Waste collection and recycling |
| Food | Important | Food production and distribution |
| Manufacturing | Important | Industrial manufacturing |
| Chemicals | Important | Chemical production |
| Research | Important | Research institutions |

This expansion reflects NIS2’s EU-wide goal: protecting a broader range of critical and important services from cyber risk.

Key Cybersecurity Obligations

Entities in scope must meet strengthened requirements, including:

  • Registration with the BSI and maintaining accurate contact and service information
  • Risk management and documentation of cybersecurity policies, controls, and procedures
  • Incident reporting through the new BSI portal, which became active on January 6, 2026, including initial notifications, follow-up mitigation, and final reporting
  • Governance and resilience: implementing structured cybersecurity governance, incident response, and business continuity measures, making cybersecurity a board-level responsibility

Incident Reporting and EU-Wide Coordination

Entities in scope must report significant cybersecurity incidents through Germany’s BSI portal, active from January 6, 2026, including initial notifications, mitigation updates, and final reporting.

Beyond national reporting, NIS2 also creates a European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). This network coordinates responses to large-scale cybersecurity incidents or crises across EU member states, ensuring that critical cross-border threats are managed efficiently. Organizations should be aware that severe incidents may involve both national authorities and EU-level coordination.

While NIS2 does not universally mandate specific technologies, Germany’s guidance and widely accepted best practices identify email authentication as a critical technical control. Organizations are expected to implement measures such as:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting & Conformance)
  • MTA-STS (Mail Transfer Agent Strict Transport Security)
  • TLS-RPT (Transport Layer Security Reporting)

These controls help prevent:

  • Phishing and social engineering attacks
  • Domain spoofing and impersonation
  • Brand abuse and business email compromise (BEC)
  • Manipulation of sensitive communications

Implementing strong email authentication is considered essential to demonstrating compliance with BSI TR-03182 on email authentication and with NIS2’s “appropriate technical measures” requirement.
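To make the five controls listed above concrete, the following added example (not code from Skysnag, the BSI, or the original article) audits the DNS TXT records each control publishes and reports which are missing or not enforcing. The zone data is constructed, the DKIM selector "s1" is hypothetical, and the check assumes every record begins with its version tag.

```python
# Added example: audits constructed TXT records offline; no DNS queries are made.

def tags(txt):
    """Parse a 'k=v; k=v' record (DKIM, DMARC, MTA-STS, TLS-RPT) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def first(records, name, version):
    """First TXT value at `name` that starts with the given version tag."""
    return next((r for r in records.get(name, [])
                 if r.lower().startswith(version.lower())), None)

def status(record, ok, note):
    """'missing' when no record exists, else 'ok' or the explanatory note."""
    return "missing" if record is None else ("ok" if ok else note)

def audit(domain, records, selector):
    spf = first(records, domain, "v=spf1")
    alls = [t.lower() for t in (spf or "").split() if t.lower().lstrip("+-~?") == "all"]
    dkim = first(records, f"{selector}._domainkey.{domain}", "v=DKIM1")
    dmarc = first(records, f"_dmarc.{domain}", "v=DMARC1")
    policy = tags(dmarc or "").get("p", "").lower()
    # Only the DNS side of MTA-STS is checked; the HTTPS policy file is not fetched.
    sts = first(records, f"_mta-sts.{domain}", "v=STSv1")
    rpt = first(records, f"_smtp._tls.{domain}", "v=TLSRPTv1")
    return {
        "SPF": status(spf, alls[:1] == ["-all"],
                      f"not hard-fail ({alls[0] if alls else 'no all'})"),
        # An empty p= tag in a DKIM key record means the key was revoked (RFC 6376).
        "DKIM": status(dkim, bool(tags(dkim or "").get("p")), "revoked or empty key"),
        "DMARC": status(dmarc, policy in ("quarantine", "reject"),
                        f"not enforcing (p={policy or '?'})"),
        "MTA-STS": status(sts, "id" in tags(sts or ""), "no id tag"),
        "TLS-RPT": status(rpt, "rua" in tags(rpt or ""), "no rua tag"),
    }

# Constructed sample zone for example.com (selector "s1" and key data are made up).
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "_mta-sts.example.com": ["v=STSv1; id=20260101T000000"],
}

if __name__ == "__main__":
    for control, result in audit("example.com", SAMPLE, "s1").items():
        print(f"{control:8} {result}")
```

On the sample zone the audit flags a soft-fail SPF record, a DMARC policy of p=none, and a missing TLS-RPT record, which are the gaps an auditor would ask about first.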

Immediate Compliance Required

Unlike previous frameworks, Germany’s NIS2 implementation is in effect immediately. Organizations in scope should assess and implement risk management, governance, and technical controls without delay.

Why NIS2 Matters

NIS2 strengthens digital resilience across the EU, harmonizes standards, and improves incident detection, reporting, and response. Non-compliance can lead to:

  • Regulatory fines and sanctions
  • Increased supervisory oversight
  • Mandatory audits and enforcement actions
  • Operational disruption and reputational damage

How Skysnag Supports NIS2 Compliance

Email authentication is one of the fastest, most effective ways to meet NIS2 expectations. Skysnag automates DMARC, SPF, DKIM, and MTA-STS deployment and monitoring, helping organizations:

  • Protect domains and brands at scale
  • Detect phishing and spoofing in real time
  • Generate audit-ready compliance reporting
  • Integrate email security into broader NIS2 governance frameworks

For regulated entities, automated email security is a foundational step toward compliance and digital resilience.

Preparing for the Future

Germany’s NIS2 Implementation Act provides a clear blueprint for EU-wide compliance. Organizations should treat email authentication and broader governance measures as essential components of their cybersecurity strategy, ensuring they are prepared for regulatory oversight and ongoing digital threats.
