In the current comply. (1/2026), Dirk Libuda and Dr. Thomas Altenbach explain why Art. 14 NIS2UmsuCG fundamentally changes the role of the internal reporting office.
Breaches of IT security regulations now explicitly fall under the Whistleblower Protection Act. This effectively makes the reporting office the critical sensor in a company's cyber early warning system, and the "second line of defence" for IT security.
The crucial point is the attribution of knowledge:
If a notification concerning a significant IT security incident is received by the reporting office, this knowledge is immediately attributed to senior management, regardless of whether the report has already been processed operationally. At the same time, the 24-hour reporting obligation under § 32 BSIG is triggered.
If the process is not aligned, this creates a liability risk: if the deadline passes without an early warning being reported to the BSI, the administrative offence has already been committed, even before a substantive review has taken place.
Many organisations have set up HinSchG processes cleanly. What is often missing is integration into the incident response framework. That is precisely where the gap lies.
Companies affected by NIS2 need:
clear escalation paths between the reporting office and the CISO
binding triage times, measured in hours
documented interface regulations
robust, minute-by-minute documentation
The question is not whether HinSchG and NIS2 are each complied with.
The question is whether both regimes are designed to operate together as one organised process.
Anyone who approaches this in a structured way significantly reduces liability risks. Anyone who lets it slide shifts the risk onto the management.
For all with a comply. subscription: the post goes into detail on the practical implementation.