The NIS2 directive has arrived in Germany – with no transition periods. Since December 6, 2025, the revised BSI Act has been in force (BSI). For online retailers, this means: New obligations regarding cybersecurity, incident reporting, and supply chain control apply immediately. Around 29,000 entities in Germany are affected (BSI). Companies that fail to meet the requirements face significant fines – and management is personally liable. In this article, you will learn what NIS2 means for your online shop and how to approach implementation.
NIS2 in Germany – Current Status and Deadlines
After extended delays, Germany has transposed the EU NIS2 Directive (Network and Information Security Directive 2) into national law. The NIS2 Implementation Act entered into force on December 6, 2025, as the revised BSI Act (BSI). This means the new cybersecurity obligations apply without transition periods – affected companies must comply immediately.
Affected companies must register with the BSI by March 6, 2026 (BSI). This deadline is binding. Registration is completed via the BSI portal and includes information about company size, sector, and contact details for security incidents.
Unlike many EU regulations, NIS2 has no transition periods (BSI). The obligations to implement security measures, report incidents, and register apply immediately. For online retailers, this means: Act now, do not wait.
The NIS2 directive significantly expands the scope compared to its predecessor NIS1. While NIS1 only covered a few sectors such as energy and transportation, NIS2 includes considerably more industries – including digital infrastructures, cloud services, and online marketplaces. For the e-commerce sector, this represents a paradigm shift: Cybersecurity is no longer a voluntary measure but a legal obligation with concrete sanctions.
Are You Affected? Criteria for Online Retailers
The NIS2 directive captures companies based on size criteria and sector classification. Online marketplaces are classified as "Important Entities" under Annex II of the EU directive (EU NIS2 Directive). Whether your company is affected depends on the following thresholds:
| Criterion | Important Entity | Essential Entity |
|---|---|---|
| Employees | From 50 | From 250 |
| Annual Revenue | From 10M EUR | From 50M EUR |
| Balance Sheet | From 10M EUR | From 43M EUR |
| Fine Framework | Up to 7M EUR | Up to 10M EUR |
Crucially, meeting just one of the size criteria (employees or revenue/balance sheet) is sufficient to fall within scope (NIS2). Online retailers operating a B2B marketplace or acting as a digital service provider are especially likely to be affected. Companies serving critical supply chains can also be captured regardless of their size.
Even if your company does not meet the size thresholds: If you act as a supplier for NIS2-obligated companies, you can be indirectly affected. The requirements for supply chain security extend across the entire value chain.
The 10 Minimum Measures Under Article 21
Article 21 of the NIS2 directive defines ten minimum measures that all affected companies must implement (EU NIS2 Directive). For online shops, we have prepared these requirements in a practical format:
- Risk analysis and security policies: Systematic assessment of IT risks for your online shop, including threat modeling and vulnerability analysis
- Incident handling: Documented processes for detection, analysis, containment, and recovery during security incidents
- Business continuity and crisis management: Contingency plans for continued shop operations during cyberattacks, including backup strategies
- Supply chain security: Assessment and monitoring of cybersecurity across your service providers, hosting partners, and integration partners
- Security in acquisition, development, and maintenance: Secure software development following security-by-design principles
- Effectiveness assessment: Regular review and testing of implemented security measures
- Cyber hygiene and training: Regular training for all employees on cybersecurity and current threats
- Cryptography and encryption: Appropriate encryption for data in transit and at rest – particularly relevant for customer data in e-commerce
- Access control and asset management: Multi-factor authentication, access restrictions, and complete inventory of all IT assets
- Secure communications: Encrypted communication channels and emergency communication systems
Implementing these measures requires a risk-based approach – meaning measures must be proportional to the identified risks. Professional hosting with integrated security measures already covers several of these requirements.
The requirements for cryptography and encryption as well as access control are particularly relevant for online shops. Customer data, payment information, and order histories must be encrypted both in transit and at rest. Multi-factor authentication for administrative access to the shop backend should be considered a minimum standard. If you are unsure which measures should take priority, you can request an individual initial assessment via our contact page.
Personal Liability for Board Directors and Management
One of the most significant innovations of the NIS2 implementation in Germany: Management is personally liable for compliance with cybersecurity obligations. Section 38 of the revised BSI Act regulates the responsibility of governing bodies (Greenberg Traurig).
- Oversight obligation: Management must actively oversee and approve the implementation of cybersecurity measures.
- Training obligation: Directors must personally participate in cybersecurity training so that they are able to assess risks.
- Liability risk: A breach of duty can result in personal liability and fines, independent of corporate liability.
Personal liability cannot be delegated to employees or external service providers. Directors and board members must actively engage with their company’s cybersecurity strategy. Professional consulting helps minimize personal liability risks.
Incident Reporting Obligations
NIS2 introduces a three-tier reporting system for security incidents. Online retailers must report significant security incidents to the BSI within strict deadlines (BSI):
| Report | Deadline | Content |
|---|---|---|
| Initial Report | 24 hours | Type of incident, initial assessment, affected systems |
| Follow-up Report | 72 hours | Updated assessment, severity, impact |
| Final Report | 1 month | Detailed analysis, root cause, measures taken |
The 24-hour deadline for the initial report is particularly demanding (BSI). It requires that your company can actually detect security incidents promptly. Without professional monitoring and automated alerting, this is hardly achievable. A documented incident response plan is therefore indispensable.
Create an incident response plan now with clear responsibilities and communication channels. Test the plan regularly through exercises. This enables you to meet the 24-hour deadline in an emergency.
Supply Chain Security in E-Commerce
A central aspect of the NIS2 directive is supply chain security (EU NIS2 Directive). For online retailers, this means: You must not only secure your own IT infrastructure but also assess and monitor the cybersecurity of your service providers and partners.
In e-commerce, the digital supply chain typically includes:
- Hosting providers: Is your server hosting certified to current security standards?
- Payment providers: Do your payment service providers meet PCI-DSS and NIS2 requirements?
- ERP integrations: Are your system connections protected against unauthorized access?
- Logistics partners: How secure are the digital interfaces with your shipping providers?
- Marketing tools: Do third-party integrations meet security requirements?
- Shop system providers: Are security updates applied promptly?
Assessing supply chain security requires contractual agreements with your service providers, regular audits, and documented supplier risk management. Professional consulting helps identify the critical vulnerabilities.
In practice, this means: Request evidence of security measures from your hosting providers, payment processors, and logistics partners. Contractually agree that security incidents potentially affecting your data are reported without delay. And regularly verify that your integrations are configured according to current security standards. The effort may initially seem high, but it protects your business from cascading security incidents where a vulnerability at one service provider could compromise your entire shop.
Practical Implementation – Your NIS2 Checklist
NIS2 implementation may seem complex, but it can be broken down into concrete steps. Here is your checklist for the most important measures:
- Determine whether you are affected: Check whether your company falls under NIS2 based on the size and sector criteria
- Complete BSI registration by March 6, 2026: Register on time via the BSI portal
- Create risk analysis: Systematically identify and assess all IT risks of your online shop
- Set up incident response plan: Define processes, responsibilities, and communication channels for emergencies
- Conduct supply chain audit: Assess the security of all service providers and integration partners
- Implement security measures: Encryption, access control, backup strategy, secure hosting
- Involve management: Organize cybersecurity training for the leadership level
- Set up monitoring: Automated detection of security incidents with alerting
- Train employees: Conduct regular cyber hygiene training for all staff
- Create documentation: Document all measures, processes, and decisions comprehensively
As an e-commerce agency specializing in secure infrastructure, we support you with NIS2 implementation. From determining whether you are affected, through technical implementation, to ongoing monitoring – we guide you through the entire process.
NIS2 implementation is not a one-time project but an ongoing process. Security measures must be regularly reviewed, updated, and adapted to new threats. An experienced partner for consulting and hosting ensures that your shop remains NIS2-compliant in the long term.
Especially in combination with modern security architectures like Zero Trust and fundamental IT security measures for e-commerce, you achieve comprehensive protection for your online shop. SEO should not be neglected either – a secure shop is rated positively by search engines.
This article is based on: BSI (Federal Office for Information Security) – NIS2 Implementation Act and BSI Act; EU NIS2 Directive (Directive (EU) 2022/2555); Greenberg Traurig – Analysis of the liability provisions under Section 38 BSI Act. Regulatory requirements may change through further implementing regulations and BSI guidelines. As of: February 2026.
The revised BSI Act has been in force since December 6, 2025 (BSI). There are no transition periods – all obligations apply immediately. Registration with the BSI must be completed by March 6, 2026.
Online marketplaces are classified as "Important Entities" under Annex II of the NIS2 directive (EU NIS2 Directive). Companies with more than 50 employees or more than 10 million euros in annual revenue in relevant sectors fall under the directive. Smaller companies can also be affected as part of the supply chain.
Violations can result in fines of up to 10 million euros or 2% of global annual turnover. Additionally, management is personally liable under Section 38 of the BSI Act (Greenberg Traurig). Early consulting helps minimize risks.
Significant security incidents must be reported to the BSI within 24 hours as an initial report (BSI). Within 72 hours, an updated assessment follows, and after one month, a detailed final report. Professional monitoring facilitates timely detection.
We support you in determining whether you are affected, implement technical security measures, provide secure hosting with monitoring, and guide the NIS2-compliant securing of your e-commerce infrastructure. Our consulting covers the entire implementation process.