Data Protection · June 22, 2026 · 6 min read

NIS2 Directive: Cybersecurity Obligations for Patent Firms

The NIS2 directive tightens cybersecurity requirements across Europe. Which obligations apply to patent firms and their software vendors?

Steffen Müller · Patent Technology Specialist

NIS2 and Patent Firms: Why Cybersecurity Is Now a Leadership Issue

The NIS2 Directive (Directive (EU) 2022/2555) has fundamentally reshaped Europe's cybersecurity landscape. Since October 2024, it has been transposed into national law across EU member states - in Germany through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Enforcement is intensifying throughout 2026, and patent firms face a direct question: are we affected, and if so, what must we do?

The answer is more nuanced than most expect.

Who Falls Under NIS2?

NIS2 substantially expands the scope compared to its predecessor. It covers "essential" and "important" entities across 18 sectors. Legal services are not explicitly listed as a standalone sector - but that does not mean patent firms are automatically exempt.

Two paths lead into scope:

Direct path: Firms serving as service providers to companies in regulated sectors - pharma, automotive, energy, telecommunications - can be captured as part of the supply chain. Art. 21(2)(d) NIS2 requires regulated entities to secure the cybersecurity of their supply chain. In practice, this means: clients from regulated industries will increasingly demand cybersecurity evidence from their law firms.

Indirect path: Firms operating digital infrastructure or using cloud services that fall under NIS2 must ensure their providers are compliant. As users of NIS2-regulated services, they bear a duty of care.

Additionally, Germany's NIS2UmsuCG has expanded scope beyond EU minimum requirements. Companies with more than 50 employees or more than EUR 10 million annual turnover in covered sectors fall directly under the regulation. Larger firms and firm networks should verify whether they exceed these thresholds.

Overlap with GDPR

NIS2 and GDPR pursue different objectives - NIS2 protects network and information systems, GDPR protects personal data - but in practice, the overlap is substantial.

Both require risk management measures. Both demand incident reporting. Both impose significant penalties. And both require technical and organisational measures (TOMs).

For patent firms already GDPR-compliant, NIS2 is not a complete restart. Existing TOMs provide a solid foundation. But NIS2 goes further in several areas: the incident reporting obligation is significantly stricter at 24 hours for the initial notification, compared to GDPR's 72 hours. And NIS2 explicitly requires business continuity and crisis management measures that go beyond the GDPR framework.

Registration Requirements

A concrete milestone: registration with the competent authority. In Germany, this is the Federal Office for Information Security (BSI). Affected entities had a registration deadline in April 2026. Those who missed it should register immediately, as non-registration itself carries penalties.

Registration is more than a formality. It signals to the BSI that the entity recognises its status and acknowledges its obligations. It also serves as a contact point for security notifications and information about cyber threats.

Practical Cybersecurity Measures

What NIS2 specifically requires from affected entities is set out in Art. 21. For patent firms, this means:

Incident reporting: Security incidents must be initially reported to the competent authority within 24 hours of detection, followed by a detailed notification within 72 hours and a final report within one month. A "security incident" under NIS2 is any event compromising the availability, authenticity, integrity, or confidentiality of data or services.

For patent firms, this is particularly critical: a data breach affecting unpublished patent applications may not only trigger NIS2 reporting obligations but also jeopardise the novelty protection of the affected inventions.

Supply chain security: Supply chain security is explicitly regulated. Firms must assess and document the cybersecurity risks of their software vendors, cloud providers, and IT service providers. This specifically covers patent management software, dictation and transcription services, e-filing systems, and AI tools.

Risk management: NIS2 requires a risk-based approach. This means: not working through a checklist, but identifying and addressing the specific risks of your own organisation. For a patent firm, the primary risks are typically: unauthorised access to client files, ransomware attacks on IT infrastructure, compromise of e-filing credentials, and social engineering attacks targeting employees.

Business continuity: Plans for maintaining operations during a crisis. How does the firm continue working if IT systems are compromised? Are there offline backup procedures for time-sensitive patent filings? Are deadline calendars redundantly secured?

Training and awareness: All employees - not just the IT department - must be regularly trained. This covers phishing recognition, secure handling of client data, and the reporting channels for security incidents. NIS2 requires that management itself participates in cybersecurity training (Art. 20(2)).

What to Demand from Patent Software Vendors

NIS2 affects not only firms but also their software suppliers. Providers of patent software operated as a cloud service potentially fall directly under NIS2 as providers of digital services.

What firms should require from their software vendors:

  • Evidence of NIS2 compliance (certifications, audit reports)
  • Transparency about server locations and data processing
  • Contractual commitments on incident reporting timelines
  • Documentation of technical security measures
  • Regular penetration tests and their results

Vendors offering EU server locations and optional on-premise deployment give firms greater control over data security and substantially simplify NIS2 compliance.

Penalties and Personal Liability

NIS2 penalties are substantial:

  • For "essential entities": up to EUR 10 million or 2% of global annual turnover
  • For "important entities": up to EUR 7 million or 1.4% of global annual turnover

Particularly notable: Art. 32(6) NIS2 provides for personal liability of management. Management bodies that neglect their supervisory duties regarding cybersecurity can be held personally liable. For managing partners of patent firms, this means: cybersecurity cannot be delegated - it is a leadership responsibility.

Conclusion

NIS2 is not an IT topic to delegate to the system administrator. For patent firms that process highly sensitive client data and operate as part of the supply chain of regulated companies, the cybersecurity obligations are real and enforceable.

The pragmatic approach: determine whether your firm is directly or indirectly affected. Use existing GDPR measures as a starting point and supplement them with NIS2-specific requirements. Hold your software vendors accountable. And above all: involve management before the supervisory authority comes knocking.


WunderIP runs its patent AI on EU servers with optional on-premise deployment - NIS2 compliant and GDPR secure. Learn more.

Tags: NIS2 · Cybersecurity · Data Protection · Patent Firms · IT Security