Regulatory update
Fleet Security Under NIS2
A firewall is no longer enough
“We have a firewall and up-to-date antivirus software, so we are covered.” Security experts hear this regularly at mid-sized companies. Under NIS2, that assumption is no longer legally defensible.
As of 6 December 2025, the NIS2 Implementation Act and the KRITIS Framework Act (effective 17 March 2026) define security obligations that extend well beyond IT perimeters, into physical infrastructure, supply chains, and fleet operations.
What is NIS2 and who is affected?
NIS2 is the EU’s updated Network and Information Security directive. Germany transposed it into national law in November 2025. The regulation targets organisations operating in 18 critical sectors including energy, transportation, healthcare, food production, and digital infrastructure.
The scope is broader than most companies expect:
- Critical entities: 250+ employees or €50M+ revenue with €43M+ balance sheet. Fines up to €10 million or 2% of global annual revenue.
- Important entities: 50+ employees or €10M+ revenue. Fines up to €7 million or 1.4% of revenue.
Roughly 30,000 organisations in Germany fall within scope, compared to just 4,500 previously regulated companies. As of the March 2026 registration deadline, only around 11,500 had registered with the BSI.
Why fleet management is now a compliance issue
Vehicle keys give access to company premises, loading docks, warehouses, customers, and sensitive supply chains. Under NIS2’s “defence in depth” model, unlogged physical access to vehicles is a documented security gap, and a compliance failure.
The requirement is clear: every access event must be recorded, attributable, and auditable. A key box on the wall with no log does not meet this standard.
Three mandatory obligations under NIS2
1. BSI registration
The registration deadline of 6 March 2026 has passed. If your organisation has not registered, act immediately. There is no grace period.
2. Risk management and protective measures
Required measures include multi-factor authentication, backup management, supply chain security, physical access controls, and complete documentation across all systems, including fleet access.
3. Incident reporting
Early warning to BSI within 24 hours. Full incident report within 72 hours. Final report within 30 days.
Personal liability for management
NIS2 is explicit: management bodies bear personal liability for compliance failures, independent of corporate sanctions. Active monitoring, mandatory training participation, and direct accountability for fleet security shortfalls are now required by law.
Electronic key management as the practical solution
Smart key cabinets, such as the Traka systems that integrate directly with Commander, log every access event by identity (PIN, RFID, or biometric), timestamp, and vehicle. They restrict access to authorised personnel only and generate the audit-proof documentation NIS2 requires. The full booking, key release, and return cycle is captured automatically.
This is not a complex infrastructure project. For smaller fleets, cost-effective systems are now available. A properly configured key management system makes fleet compliance achievable quickly, and the data feeds directly into Commander for operational visibility alongside the compliance record.
Close your fleet's compliance gap before the auditors do.
Book a consultation and we will show you how Commander and integrated key management deliver the access logs, audit trails, and documentation NIS2 requires, without disrupting daily fleet operations.