Companies must take urgent action to avoid fines and risks, advises TÜV NORD Akademie.

Hacker attacks are becoming an ever-greater threat to businesses. The EU has therefore fundamentally revised the Network and Information Security (NIS) Directive and established new requirements for protection against cyber attacks. Since 6 December 2025, the law implementing the NIS 2 Directive has also increased the requirements for many companies and numerous federal government agencies in Germany.
In addition to operators of critical facilities, numerous medium-sized and large companies from other sectors are now also required to comply with stricter requirements for protection against cyber attacks. This affects, for example, companies in food production, postal and courier services, digital services and public administration; in Germany, this amounts to a total of around 30,000 companies from 18 different sectors (industries and areas), depending on size and annual turnover. "However, not all companies are sufficiently prepared for the new requirements," reports Melanie Braunschweig, an expert in IT security training at TÜV NORD Akademie.
These companies are required, for example, to carry out a comprehensive risk analysis and implement and document risk management measures. In addition, employees must receive regular training on the subject of cybersecurity. "What is particularly new, however, is the personal liability of a company's management and senior managers. They are responsible for ensuring that IT security measures are implemented and are obliged to complete appropriate training. This responsibility cannot be delegated to third parties," explains Melanie Braunschweig.
With the introduction of the NIS 2 Directive, strict reporting obligations have also come into force. Supervisory authorities must be informed of any significant incident within 24 hours, and within 72 hours they must receive an initial assessment of the significant security incident, including its severity, impact and, if applicable, indicators of compromise. "Violations are subject to severe penalties of up to ten million euros or up to two per cent of global annual turnover," says Melanie Braunschweig.
TÜV NORD Akademie supports companies in implementing the new requirements with training courses on the NIS 2 Directive, such as training for management or the four-day certificate course "NIS-2 Expert (TÜV)" for IT security officers and managers. Interested parties can find more information and further training offers here:
https://www.tuev-nord.de/de/weiterbildung/themen/informationsmanagement

Founded over 150 years ago, we stand for security and trust worldwide. As a knowledge company, we have our sights firmly set on the digital future. Whether engineers, IT security experts or specialists for the mobility of the future: in more than 100 countries, we ensure that our customers become even more successful in the networked world.