Fleet Security under NIS2: What Fleet Managers, Fleet Administrators, and CEOs Need to Know Now

 

Cybersecurity doesn't stop at software

Regulation & Compliance · March 2026
NIS2 and the KRITIS Framework Act require companies to implement comprehensive security measures—and the registration deadline has already passed. 

 ~8 min. reading time

 

“We have a firewall and up-to-date antivirus software—we're on the safe side.” 

Security experts at medium-sized companies still hear this statement regularly. Since December 6, 2025, it has no longer been legally defensible. With the NIS2 Implementation Act and the KRITIS Framework Act that followed shortly afterwards, lawmakers have established a new, comprehensive definition of security, one that also covers the physical world. And the clock is already ticking.

 

What is NIS2—and why now?

The EU NIS2 Directive (Network and Information Security Directive 2) has been in force since January 2023 and sets binding minimum standards for cybersecurity across the EU. In Germany it was transposed by the NIS2 Implementation Act, which the Bundestag adopted on November 13, 2025, and which has been law since December 6, 2025, more than a year after the EU transposition deadline of October 17, 2024, which Germany, like many other member states, missed.

The NIS2 Act is supplemented by the KRITIS Framework Act (KRITIS-Dachgesetz), which the Bundestag passed on January 29, 2026, and which entered into force on March 17, 2026. While NIS2 primarily regulates the security of network and information systems, the KRITIS Framework Act is the national implementation of the EU CER Directive (Critical Entities Resilience) and explicitly addresses the physical protection of critical infrastructure. Together, the two laws create, for the first time, a regulatory framework that treats digital and physical security as an inseparable unit.

“Traditional security concepts are no longer sufficient. Effective security strategies today are created through networked solutions that integrate physical security, digital systems, and organizational processes.”


 

Who is affected?

The most important rule of thumb: companies with 50 or more employees, or with annual revenue and a balance sheet total each exceeding 10 million euros, that operate in one of the 18 regulated sectors are subject to the law. These sectors include, among others, energy, transportation, healthcare, food, ICT services, and digital infrastructure.

In Germany, around 30,000 organizations are affected, a dramatic increase from the approximately 4,500 companies previously regulated. The law distinguishes between two categories of regulated entity:

  • Particularly important entities (the German implementation of what the directive calls essential entities) – companies with 250 or more employees, or with revenue exceeding €50 million and a balance sheet total exceeding €43 million. Operators of critical installations (KRITIS) belong to this group. These entities are subject to the strictest requirements and to fines of up to €10 million or 2% of global annual revenue, whichever is higher.
  • Important entities – companies with 50 or more employees, or with revenue and a balance sheet total each exceeding €10 million. Fines can reach €7 million or 1.4% of global annual revenue, whichever is higher.

A third group is affected indirectly: suppliers and service providers to regulated entities are pulled in through their customers' supply-chain security obligations, even if they themselves fall below the thresholds.

⚠ Attention: the registration deadline has already passed

The statutory registration deadline expired on March 6, 2026. Affected companies were required to register on the BSI portal within three months of the law taking effect. According to media reports, only about 11,500 of an estimated 30,000 organizations had registered by the deadline. Anyone who has not yet registered is in breach of the law; there is no grace period.


 

Personal Liability: A Matter for Top Management by Law

One of the most significant changes introduced by NIS2 is the personal liability of management. This is a first in European cybersecurity regulation. Management bodies are required to actively monitor the implementation of security measures and participate in training, and they can be held personally liable for any failures—regardless of whether the company itself is sanctioned.

In practice, this means: If your vehicle fleet is unsecured, keys are handed out without proper oversight, or access to company vehicles is not logged, the responsibility for this lies directly with the managing director or board of directors. Ignorance does not shield one from liability—precisely because the law explicitly mandates the monitoring of implementation.


 

When cybersecurity starts with your keychain

This is the crux of a widespread misunderstanding: NIS2 is not purely an IT law. It requires comprehensive risk management measures, and these explicitly include physical access security. The supplementary KRITIS Framework Act stipulates for the first time that operators of critical infrastructure must not only implement physical security measures but also demonstrate their effectiveness.

For companies with a fleet, this means that vehicle keys are a means of accessing company resources. Anyone who uses a company car has access to company premises, loading docks, warehouses, customers—and in many cases, to sensitive goods or critical supply chains. An unlogged key is an uncontrolled access path. And an uncontrolled access path is a security vulnerability—regardless of how well your firewall is configured.

The concept behind this is known in technical terms as “defense in depth.” The idea is that if one layer of protection fails, the next ones take over. Digital security is one layer; physical key control is another. Together, they form a comprehensive security framework that meets compliance requirements.

If you don’t keep a record of company keys, your documentation of access-control measures has a gap, and a documentation gap is a compliance gap under NIS2.

 

An overview of the three core obligations

1 Mandatory registration with the BSI

Affected companies were required to register on the BSI portal by March 6, 2026. This is the mandatory first step. Those who have not yet registered should do so immediately; late registration does not remove the breach, but continued non-registration compounds it.


 

2 Risk Management & Protective Measures

Technical and organizational measures according to the state of the art. The directive's minimum catalogue (Article 21(2) NIS2) covers risk analysis and security policies, incident handling, business continuity and backup management, supply chain security, secure acquisition and development, assessing the effectiveness of the measures, cyber hygiene and training, cryptography, personnel security, access control and asset management, and multi-factor authentication. The measures must protect the physical environment of the systems as well as the systems themselves, and all of them must be documented.

3 Reporting Requirements

Significant security incidents must be reported to the BSI in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report no later than one month after the notification.

 

Fleet Compliance: Easier Than You Think

The good news is that there are practical solutions available for companies with vehicle fleets that cover the fleet-related portion of NIS2 compliance without launching a complex IT project. Essentially, it comes down to two things: registration and physical key security.

Smart key cabinets, known as key management systems, automatically log who took and returned which key and when. The system links each access event to a unique user identity (PIN, RFID card, or biometric) and thereby generates the complete, verifiable documentation NIS2 requires. In the event of a BSI audit or a security incident, the complete access log is available. For the log to count as evidence, it must itself be protected: entries should be tamper-evident, time-stamped from a trustworthy clock, retained for the required period, and exportable for an auditor.

TRAKA, one of the leading providers of electronic key management solutions, is launching a new, competitively priced key box for smaller fleets in March 2026, designed around the NIS2 logging and documentation requirements described above. It will be on display for the first time at the Flotte! industry event from March 25 to 26, 2026, in Düsseldorf, at the Rosenberger Telematics booth (5.C39).

 

The system:

  • Logs every key access with a timestamp and user ID
  • Enables digital documentation for BSI inspections and internal audits
  • Restricts access to authorized personnel, thereby ensuring the physical security of keys
  • Integrates with existing fleet management systems and enables the required digitization of the vehicle fleet
  • Generates audit-proof reports that serve as evidence of risk management measures
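To make concrete what "audit-proof" logging of key access means in practice, the following is an added example that is not code from TRAKA, Rosenberger Telematics or the original page. It models the kind of log the paragraph and list above describe: every event binds a key to an authenticated user identity and a timestamp, the entries are hash-chained so that a later edit, insertion or deletion is detectable, and two audit questions a fleet administrator or incident responder actually asks are answered from the log: who held a given key at a given time, and which keys are still out (and overdue). All user IDs, credentials, key IDs and timestamps are constructed for illustration.

```python
# Added example (not code from TRAKA, Rosenberger Telematics or the original
# page): a minimal tamper-evident key-access log of the kind a smart key cabinet
# produces. Each event binds a key to an authenticated user identity and a
# timestamp; events are hash-chained so later edits or deletions are detectable.
# All event data below is constructed for illustration; IDs are hypothetical.
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64      # chain anchor for the first entry
UTC = timezone.utc


def ts(year, month, day, hour, minute):
    """Timezone-aware timestamp helper (the cabinet should use a synced clock)."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def event_hash(prev_hash, event):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class KeyAccessLog:
    def __init__(self):
        self.entries = []    # list of {"event": {...}, "hash": "..."}

    def append(self, user_id, credential, key_id, action, when):
        """Record a checkout or return, chained to the previous entry."""
        if action not in ("checkout", "return"):
            raise ValueError("action must be 'checkout' or 'return'")
        event = {"user": user_id, "credential": credential, "key": key_id,
                 "action": action, "ts": when.isoformat()}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({"event": event, "hash": event_hash(prev, event)})

    def verify(self):
        """None if the chain is intact, else the index of the first entry whose
        hash no longer matches (a modified, inserted or removed predecessor)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if event_hash(prev, entry["event"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def holder_at(self, key_id, at):
        """Who held key_id at time `at` (None if it was in the cabinet)."""
        holder = None
        for entry in self.entries:
            e = entry["event"]
            if e["key"] != key_id or datetime.fromisoformat(e["ts"]) > at:
                continue
            holder = e["user"] if e["action"] == "checkout" else None
        return holder

    def outstanding(self, now, max_hours=24):
        """Keys not yet returned, as (key, user, overdue) tuples sorted by key."""
        held = {}
        for entry in self.entries:
            e = entry["event"]
            if e["action"] == "checkout":
                held[e["key"]] = e
            else:
                held.pop(e["key"], None)
        result = []
        for key, e in held.items():
            taken = datetime.fromisoformat(e["ts"])
            result.append((key, e["user"], now - taken > timedelta(hours=max_hours)))
        return sorted(result)


def build_sample_log():
    """Constructed sample: two days of activity at a hypothetical key cabinet."""
    log = KeyAccessLog()
    log.append("u-mueller", "rfid:3A1F", "VAN-03", "checkout", ts(2026, 3, 2, 6, 55))
    log.append("u-schmidt", "pin", "VAN-07", "checkout", ts(2026, 3, 2, 7, 10))
    log.append("u-mueller", "rfid:3A1F", "VAN-03", "return", ts(2026, 3, 2, 16, 40))
    log.append("u-kaya", "rfid:77C2", "TRUCK-12", "checkout", ts(2026, 3, 3, 8, 5))
    return log


def with_modified_event(log, index, field, value):
    """Copy of the log with one event field altered after the fact (simulated tampering)."""
    tampered = copy.deepcopy(log)
    tampered.entries[index]["event"][field] = value
    return tampered


def without_entry(log, index):
    """Copy of the log with one entry deleted (simulated tampering)."""
    tampered = copy.deepcopy(log)
    del tampered.entries[index]
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("outstanding at 09:00 on 3 March:", log.outstanding(ts(2026, 3, 3, 9, 0)))
    print("VAN-03 holder at noon on 2 March:", log.holder_at("VAN-03", ts(2026, 3, 2, 12, 0)))
    print("first bad entry after editing entry 1:", with_modified_event(log, 1, "user", "u-kaya").verify())
```

Two design points matter for an auditor. First, the chain makes any change to an earlier entry visible, because every later hash depends on it; deleting the middle entry in the sample is caught at index 2. Second, the chain alone cannot detect truncation: dropping the most recent entry leaves a perfectly valid shorter chain. A real cabinet therefore needs to anchor the latest hash outside the log at regular intervals (for example by exporting and signing it, or by forwarding entries to a central log server the cabinet cannot modify), and its clock must be trustworthy, since the overdue check and the "who held this key when" question are only as good as the timestamps.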
 

Key takeaways from the conversation with Friedel Hacker, TRAKA Germany

“NIS2 makes security a top priority—and a comprehensive one at that. Anyone who thinks a good antivirus solution is enough to ensure compliance is massively underestimating the scope of the law. Physical access controls, key management, and comprehensive logging are no longer just nice-to-haves, but legal requirements. The good news: With the right key cabinet, the fleet-related portion of NIS2 compliance can be checked off quickly and cost-effectively. The bad news: The registration deadline has already passed—anyone who hasn’t taken action yet must do so now.”

 

Recommendations for Action: What to Do Now

1) Check whether you are affected: Do you fall under NIS2? Check your number of employees, revenue, balance sheet total, and sector. If in doubt, assume you are affected and confirm it using the self-assessment the BSI offers on its portal.

2) Register immediately: If you haven’t already, register on the BSI portal without delay. The deadline has passed, and fines may be imposed for continued non-registration.

3) Conduct a risk inventory: Where are the physical access points in your company? Keys, access cards, vehicles, storage areas—document everything.

4) Digitize key management: Introduce electronic key cabinets, log vehicle fleet access, and define responsibilities. Even small fleets can achieve compliance.

5) Train management: NIS2 requires management to actively monitor compliance. Training is not a recommendation but a legal requirement.

 

 

This blog post is based on a conversation with Dipl.-Ing. Friedel Hacker of TRAKA Germany. The legal facts regarding NIS2 and the KRITIS Framework Act were verified using publicly available sources, including the BSI, OpenKRITIS, Wikipedia, and specialized sources such as docusnap.com. This post does not constitute legal advice.

Published in March 2026  ·  NIS2 & Physical security  ·  In conversation with TRAKA Germany

 
 

Author: Yvonne Weginger

Rosenberger Telematics, Marketing & PR 

Are you interested in press releases or would you like to write a success story with us? Contact me directly at yvonne.weginger@rosenberger.at. I look forward to hearing from you and to a possible collaboration.