NIS-2, Medical Technology & ERP
13 Apr

The grace period is over. The registration deadlines at the BSI expired on 6 March 2026, and the Federal Office has moved to active enforcement. For managing directors in medical technology, this means: anyone who has so far treated NIS-2 as an IT issue may face unexpected personal consequences.

The legal situation since December 2025 – what has fundamentally changed

With the entry into force of the NIS2 Implementation Act (NIS2UmsuCG) on 6 December 2025, the legal situation changed fundamentally. For a long time, IT security was considered a matter that could safely be delegated to the IT department or to external service providers. This practice is no longer legally tenable. Since then, cybersecurity has unequivocally become a matter for senior management, and the law spells out precisely what that means in concrete terms.

§ 38 BSIG: Three duties that company directors are personally liable for

The crucial mechanism is found in § 38 of the Act on the Federal Office for Information Security (BSIG). It establishes three core duties that fall personally on the governing bodies and cannot be delegated.

Approval obligation, monitoring obligation, training obligation

The approval obligation requires managing directors to actively sign off on the company's risk management measures; an informal "go ahead" is no longer legally sufficient. The monitoring obligation requires management bodies to continuously monitor the implementation of these measures and, in an emergency, to be able to demonstrate that they have regularly received reports on the security status. Finally, the law establishes a training obligation: managing directors must personally attend cybersecurity training so that they can assess risks themselves.

The decisive point is this: anyone who culpably breaches these duties is personally liable to the company with their private assets. Any contractual exclusion of this liability is legally void.

MDR compliance is not NIS-2 compliance – a dangerous misconception

In the medical technology sector, the prevailing assumption is often that the stringent requirements of the Medical Device Regulation (MDR) already cover all relevant security aspects. This is a dangerous misconception, and the new legal situation clearly corrects it.

The MDR focuses primarily on the safety of the product and on patient protection. NIS-2, by contrast, addresses the operational resilience of the entire company. Anyone who builds MDR-compliant products but does not monitor their supply chain to NIS-2 standards, or has not established 24-hour reporting channels for IT incidents, therefore risks fines of up to 10 million euros or 2 % of worldwide annual turnover, whichever is higher. Both regulations exist side by side, and each imposes its own requirements.

The specific challenges for medical technology manufacturers

Much of the available information on NIS-2 remains superficial or focuses on the hospital sector. Medical technology manufacturers, however, face their own specific challenges.

Firstly, the quality management system (ISO 13485) and the information security management system (ISO 27001) must be integrated carefully so that both normative worlds are merged rather than run in parallel. Secondly, companies must secure complex supply chains in a global market to NIS-2 standards. Added to this is the need to map compliance processes directly within the ERP system, for example in SAP Business One, so that the company is in a position to report within 24 hours in an emergency. Generic white papers generally do not cover this combination.

From 6 March 2026: BSI in active enforcement phase

Since the registration deadline expired on 6 March 2026, the BSI has moved to active enforcement. Random checks and requests for re-registration are increasing, accompanied by concrete threats of fines.

Cybersecurity is therefore no longer an issue that can be postponed. For medical technology companies, this is not just about avoiding fines. Those who implement the requirements of the NIS2UmsuCG in an auditable way will not only minimise their liability risks but also build digital resilience, which can prove to be a real competitive advantage. The first step is to acknowledge personal responsibility as a management body, and to act accordingly before the BSI knocks on the door.

What a validated ERP does for your medical technology


Traceability without gaps, document control according to regulations, paperless manufacturing with complete proof – a validated ERP system bundles precisely the capabilities that medical technology companies need in their day-to-day regulated operations. Every batch, every process step, every release is automatically documented. Forward and backward traceability works at the touch of a button, not after days of searching through files. Quality-relevant documents such as work instructions, test plans, and release protocols are centrally versioned and provided with an expiry date – the system automatically blocks outdated versions. In the production Do digital companion documents replace the paper tracker: measured values and test results are recorded directly, deviations trigger an immediate notification, and at the end of each order, there is a complete Device History Record – automatically generated, not painstakingly compiled. Crucially: validation is not a one-off project, but an integrated standard. User permissions, audit trails, electronic signatures, and change logs are all part of the basic equipment. Companies build on a standard software which has already been validated in hundreds of medical technology companies – including IQ/OQ templates that significantly reduce the effort. This way, you validate cleanly once and remain in a validated state even with updates.
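As an added illustration of what "forward and backward traceability at the touch of a button" means underneath, here is a small lot-genealogy model. This is example code written for this page, not code from the page, from SAP Business One or from any Versino product; the lot identifiers and the input/output relationships are constructed for the example. Backward tracing answers "which material and sub-assembly lots went into this device?", forward tracing answers "which devices must be recalled if this raw material lot turns out to be bad?".

```python
"""Lot genealogy: forward and backward traceability over a production graph.

Added example, not part of the original article. All lot numbers and the
genealogy edges below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample data: (input_lot, output_lot) edges. Raw material lots
# (RM-*) feed sub-assembly lots (SUB-*), which feed finished device lots (DEV-*).
GENEALOGY_EDGES = [
    ("RM-STEEL-0471",   "SUB-HOUSING-A12"),
    ("RM-STEEL-0471",   "SUB-HOUSING-A13"),
    ("RM-POLY-0099",    "SUB-SEAL-B7"),
    ("RM-POLY-0100",    "SUB-SEAL-B8"),
    ("SUB-HOUSING-A12", "DEV-PUMP-2026-001"),
    ("SUB-SEAL-B7",     "DEV-PUMP-2026-001"),
    ("SUB-HOUSING-A13", "DEV-PUMP-2026-002"),
    ("SUB-SEAL-B7",     "DEV-PUMP-2026-002"),
    ("SUB-HOUSING-A13", "DEV-PUMP-2026-003"),
    ("SUB-SEAL-B8",     "DEV-PUMP-2026-003"),
]


class Genealogy:
    """Directed graph of lots: an edge means the input lot was consumed by the output lot."""

    def __init__(self, edges):
        self.consumed_by = defaultdict(set)  # lot -> lots that consumed it (downstream)
        self.made_from = defaultdict(set)    # lot -> lots it was made from (upstream)
        for src, dst in edges:
            self.consumed_by[src].add(dst)
            self.made_from[dst].add(src)

    @staticmethod
    def _walk(start, adjacency):
        # Breadth-first traversal; the 'seen' set also protects against
        # accidental cycles in badly recorded data.
        seen, queue = set(), deque([start])
        while queue:
            lot = queue.popleft()
            for nxt in adjacency.get(lot, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def forward(self, lot):
        """All lots downstream of `lot` (what is affected if `lot` is defective)."""
        return self._walk(lot, self.consumed_by)

    def backward(self, lot):
        """All lots upstream of `lot` (what went into this device)."""
        return self._walk(lot, self.made_from)

    def affected_devices(self, lot, prefix="DEV-"):
        """Finished device lots to recall if `lot` is defective, sorted for reporting."""
        return sorted(l for l in self.forward(lot) if l.startswith(prefix))


if __name__ == "__main__":
    g = Genealogy(GENEALOGY_EDGES)
    print("Recall for RM-STEEL-0471:", g.affected_devices("RM-STEEL-0471"))
    print("Inputs of DEV-PUMP-2026-003:", sorted(g.backward("DEV-PUMP-2026-003")))
```

In a real ERP the edges come from the goods-issue and goods-receipt postings of each production order, which is why gap-free posting discipline matters: a missing edge silently shortens the recall list.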
