NIS2: Is My Law Firm or Practice Affected?
Since October 17, 2024, the NIS2 Implementation Act (NIS2UmsuCG) has been in effect in Germany. Many businesses have heard of it — but very few know whether they are actually affected. There is particular uncertainty among law firms, medical practices, and tax advisors.
This article provides a clear overview: who falls under NIS2, what is required, and what you should do now.
What Is NIS2?
NIS2 stands for “Network and Information Security Directive 2” — an EU directive that establishes binding IT security requirements for businesses and organizations across Europe. It replaces the original NIS Directive from 2016 and significantly expands its scope.
In Germany, NIS2 was transposed into national law through the NIS2 Implementation Act (NIS2UmsuCG).
The objective: a uniform, high level of security for essential and important entities across the EU.
Who Is Affected?
NIS2 distinguishes two categories:
Essential Entities
Businesses in particularly critical sectors such as energy, healthcare, water, and digital infrastructure. Stricter requirements, higher fines.
Important Entities
Businesses in additional relevant sectors — including legal services, postal and courier services, waste management, food, and more.
The Key Thresholds
A business falls under NIS2 if at least one of the following criteria is met:
- Employees: 50 or more
- Revenue: EUR 10 million or more per year
- Balance sheet total: EUR 10 million or more
Smaller businesses may also be affected if they operate in critical sectors or are considered part of a critical supply chain.
Are Law Firms Affected?
Yes — under certain circumstances.
Law firms do not automatically fall under NIS2, but the thresholds are reached more quickly than expected. A firm with 50 lawyers and corresponding annual revenue can be directly affected.
Beyond that: firms that serve clients in regulated sectors (energy providers, hospitals, financial institutions) can fall under NIS2 as part of the supply chain — regardless of their own size.
What this means: Even if your firm is not currently directly affected, your clients will increasingly demand that their service providers demonstrate verifiable IT security standards.
Are Medical Practices Affected?
Solo practices generally not — larger facilities very much so.
Individual medical practices with fewer than 50 employees typically do not fall under NIS2. The situation is different for:
- Medical care centers (MVZ) that reach the thresholds
- Hospitals and clinics — these fall directly under NIS2 as essential entities
- Practice networks that collectively exceed the thresholds
Regardless of NIS2: patient data is already subject to strict GDPR requirements. NIS2 adds further technical requirements on top of that.
Are Tax Advisors Affected?
Potentially — depending on size and client structure.
Tax advisory firms with 50 or more employees or EUR 10 million or more in revenue can be directly affected. Additionally: those who serve clients in regulated sectors may be classified as important service providers within their clients’ supply chains.
What Is Required of Affected Businesses?
NIS2 mandates specific measures:
Technical Measures
- Risk analysis and security concepts
- Business continuity measures
- Supply chain security
- Encryption and access control
- Regular security audits
Organizational Measures
- Mandatory incident reporting (within 24 hours to the BSI, Germany’s Federal Office for Information Security)
- Training for employees and management
- Documentation of all security measures
Management Liability
An important point: NIS2 makes managing directors and board members personally liable for implementing the requirements. Ignorance is not a defense.
What Are the Penalties for Non-Compliance?
The fines are substantial:
- Essential entities: up to EUR 10 million or 2% of global annual revenue
- Important entities: up to EUR 7 million or 1.4% of global annual revenue
In addition, there are potential business interruptions, reputational damage, and civil liability toward affected customers or clients.
What Should You Do Now?
Step 1: Determine whether you are affected
Clarify whether your business meets the thresholds and which sector you operate in. When in doubt, assume that you are affected.
Step 2: Analyze the current state
What IT security measures do you already have in place? Where are the gaps? A structured security audit gives you clarity.
Step 3: Prioritize measures
Not everything at once. Start with the measures that address the highest risk: access control, encryption, incident response.
Step 4: Document everything
NIS2 requires evidence. Record all measures in writing — this protects you in an emergency.
Conclusion
NIS2 is not a bureaucratic side issue. The directive affects more businesses than expected — and the personal liability of management makes it a leadership-level concern.
For law firms, practices, and tax advisors: even if you are not currently directly affected, your clients and business partners will increasingly require that you demonstrate verifiable IT security standards.
Now is the right time to assess your own situation — not after the first security incident.
Want to know whether your business is affected by NIS2? Tell us about your situation — free and with no obligation.