NIS-2, the revised EU directive from 2022, now affects around 30,000 companies from 18 sectors – from health to transport to telecommunications
BERLIN, January 11, 2026 – A new era of cybersecurity is dawning for businesses across Germany, as the updated EU directive known as NIS-2 came into effect at the beginning of 2026. This legislation compels a vast number of companies to adopt heightened cybersecurity measures, and support is now available to help small and medium-sized enterprises (SMEs) navigate the changes.
Figure: Screenshot of the “FitNIS2 Navigator” homepage
NIS-2 Impacts Supply Chains and SMEs
The NIS-2 directive, revised in 2022, now impacts approximately 30,000 companies spanning 18 crucial sectors – from healthcare to transportation and telecommunications. However, its reach extends beyond direct targets, significantly affecting SMEs through integration into complex supply chains and increasing digital networking.
“SMEs in particular often struggle with limited resources in the area of IT security and are dependent on provider-independent support,” explained Prof. Dr. Simon Thanh-Nam Trang from the University of Paderborn.
To address this challenge, two projects spearheaded by the Software Innovation Campus Paderborn (SICP), a research and innovation association of the University of Paderborn, are offering targeted assistance.
“KMU.kompetent.sicher” Offers Tailored E-Learning
The “KMU.kompetent.sicher” project, a collaboration between the SICP, the University of Hohenheim, the innovation network “InnoZent OWL,” and the IT service provider coactum, is developing a training platform designed to provide practical support to SMEs in implementing the NIS-2 directive. This project is funded by the Federal Ministry for Economic Affairs and Energy (BMWE) with around one million euros and is slated to run for another two years.
After the project's first year, the partners have activated the “KMU.kompetent.sicher” learning platform. The platform features practice-oriented “learning nuggets” – concise, modular (video) learning units – alongside quiz questions and interactive tasks to reinforce learning.
NIS-2 Training for Management and Employees
The training uses storytelling elements, such as “true crime” examples, to illustrate how phishing, a common form of internet fraud, works, what consequences it can have, and which protective measures businesses can implement. Learning paths such as “NIS2-Grundschutz” and “Assessing threats correctly” cover topics tailored to NIS-2, with further paths planned for “IT security culture,” “Risk management,” “Backup management,” “Secure handling of emails,” “Emergency management,” “Password security,” and “Ransomware.”
The project aims to educate both management and employees, incorporating a feedback loop to identify individual training needs and embed security practices into the company culture.
Through the “FitNIS2” project, the SICP, in partnership with Deutschland sicher im Netz e.V. and the “Transferstelle Cybersecurity,” developed the “FitNIS2 Navigator.” This online tool first determines whether a company falls within the directive’s scope. It then analyzes how far the company currently fulfills the NIS-2 requirements and provides clear recommendations for achieving compliance.
This project is funded by the BMWE for a total of two years, running until August 2026. The free “FitNIS2 Navigator” has been available online since June 2025.
Within just three months of its release, the “FitNIS2 Navigator” impact check had been completed 1,500 times, and 700 participants had completed the self-assessment on meeting NIS-2 requirements, which achieved the planned usage goals.
Sector-Specific Guidance on the Horizon
Currently, the navigator uses specific requirements for small businesses based on the “CyberRiskCheck” of the Federal Office for Information Security (BSI). In the next phase, industry-specific criteria will be added.
In the future, SMEs will receive, depending on their sector, targeted information on how they are affected by NIS-2 and on possible overlaps with other relevant regulations.
“Both projects are a free introduction to the NIS 2 topic. A comprehensive event offer supplements the information provided in the projects,” commented Dr. Simon Oberthür, Head of SICP Innovation Area “Digital Sovereignty.”
