Security

NIS2 Law 2025: Why Companies with Public QR Codes Must Act Now


The new NIS2 Implementation Act of December 2, 2025 massively tightens cybersecurity requirements. Quishing attacks are reportable, executives are personally liable. Fines up to €10 million.

On December 5, 2025, the NIS2 Implementation Act came into force – a milestone for cybersecurity in Germany. For companies using QR codes in public spaces, this means: Act now, or risk massive fines and personal liability of management.

What is the NIS2 Law?

The NIS2 Implementation Act (Federal Law Gazette 2025 I No. 301) transposes EU Directive 2022/2555 into German law. It massively expands the circle of affected companies and tightens requirements for IT security, incident reporting, and executive liability.

The law distinguishes between 'essential entities' and 'important entities' – both categories are subject to strict obligations.

Who is Affected?

The law affects far more companies than previously thought:

Essential Entities

  • Threshold: from 250 employees OR more than €50 million in annual revenue
  • Sectors: Energy, Transport, Finance, Health, Water, Digital Infrastructure, Space

Important Entities

  • Threshold: from 50 employees OR more than €10 million in annual revenue
  • Sectors: Postal/Courier, Waste Management, Chemicals, Food, Manufacturing, Digital Services, Research

Typical QR code applications in affected sectors:

  • EV charging station operators (Energy sector)
  • Parking meter providers (Transport)
  • Banks with QR codes in letters (Finance)
  • Hospitals with patient wristbands (Health)
  • Restaurant chains with digital menus (Food)

Key Obligations under § 30 BSI Act

The law mandates comprehensive risk management measures:

  1. Risk Analysis: QR codes must be considered as attack vectors in the risk analysis.
  2. Incident Response: Processes for handling quishing incidents must be established.
  3. Supply Chain Security: QR code printing service providers and the transport routes of printed material must be verified.
  4. Training: Employees and customers must be informed about the dangers of quishing.
  5. Multi-Factor Authentication: Required for access to QR code management systems.

Reporting Requirements: 24 Hours

Strict reporting deadlines apply for quishing attacks under § 32:

  • 24 hours, initial report: immediate notification to the BSI with first suspicions
  • 72 hours, detailed report: severity, impact, and indicators of compromise
  • 1 month, final report: complete description, causes, and measures taken

Example Dortmund 2025: The 90+ manipulated parking meters would have had to be reported within 24 hours under NIS2 – with all consequences for the operator.

Personal Liability of Management

§ 38 of the new law makes board members and CEOs personally responsible:

Management is required to implement and oversee risk management measures. In case of breach of duty, they are liable to their organization for culpably caused damages.

This means: Anyone who ignores quishing risks as CEO or board member is personally liable – not just the company.

Additionally, management must regularly participate in training to be able to identify and assess risks.

Fines: Up to 10 Million Euros

The sanctions under § 65 are drastic:

  • Essential Entities: up to €10 million or 2% of worldwide annual revenue
  • Important Entities: up to €7 million or 1.4% of worldwide annual revenue

Example calculation for a utility company with €800 million in revenue: the maximum fine for an unreported quishing incident is €16 million.

QRTrust: The Technical Solution for NIS2 Compliance

QRTrust is the only German QR code security platform specifically developed for NIS2 requirements:

  • Risk Analysis Fulfilled: Threat Intelligence Dashboard with a real-time threat overview for your QR codes
  • Automated Incident Response: Immediate detection of and alerting on quishing attempts
  • Reporting Requirements Supported: Pre-formatted reports for BSI notifications and a complete audit trail
  • Evidence Preservation: Chain of evidence for prosecution (screenshots, timestamps, hash values)
  • GDPR Compliant: German servers, no data transfer to third countries

Recommended Action: Start Now

Companies with public QR codes should act immediately:

  • Immediately (this week): Check your NIS2 applicability based on the size criteria and sector classification
  • Short-term (1-3 months): Create an inventory of all public QR codes and their target URLs
  • Medium-term (3-6 months): Implement QRTrust Enterprise for continuous monitoring
  • Long-term: Establish processes for regular audits and documentation
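The inventory and audit steps above can be turned into a repeatable check. The following Python script is an added example and is not code from the original post or from the QRTrust product: it assumes a register of every public QR code (code ID and its intended target URL) and a field audit in which someone scans each deployed code on site and records the decoded payload. Payloads that no longer match the register (for example a look-alike host after a sticker swap) are flagged so they can enter the incident process and the 24-hour initial report. All code IDs, domains and scan results below are constructed for illustration.

```python
"""Audit deployed public QR codes against a registered inventory.

Added example, not part of the original post or the QRTrust product.
All inventory entries, domains and scan results are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed register: code ID -> target URL the organisation printed (hypothetical domains).
INVENTORY = {
    "CHG-0001": "https://charge.example-energy.de/start?station=0001",
    "PKM-0421": "https://pay.example-parking.de/meter/421",
    "PKM-0422": "https://pay.example-parking.de/meter/422",
}

# Constructed field-audit results: code ID -> payload decoded from the code on site.
FIELD_SCANS = {
    "CHG-0001": "https://charge.example-energy.de/start?station=0001",  # unchanged
    "PKM-0421": "HTTPS://Pay.Example-Parking.de:443/meter/421#top",     # same target, different spelling
    "PKM-0422": "https://pay.example-parking-de.top/meter/422",         # look-alike host: suspected sticker swap
    "PKM-0999": "http://bit.example/x9q",                               # code found on site but never registered
}


def normalize(url):
    """Canonical form for comparison: lowercase scheme and host, drop fragment and default port."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


@dataclass
class Finding:
    code_id: str
    severity: str  # "info" | "suspect" | "critical"
    reason: str
    observed: str


def audit(inventory, scans):
    """Compare every scanned payload with the register and return one finding per code."""
    findings = []
    for code_id, payload in scans.items():
        expected = inventory.get(code_id)
        if expected is None:
            # A code that was never registered is either an inventory gap or foreign material.
            findings.append(Finding(code_id, "suspect", "code not in inventory", payload))
            continue
        if normalize(payload) == normalize(expected):
            findings.append(Finding(code_id, "info", "payload matches register", payload))
            continue
        exp_host = urlsplit(expected).hostname
        obs_host = urlsplit(payload).hostname
        if obs_host != exp_host:
            # Different host than printed: the code now sends users somewhere the operator does not control.
            findings.append(Finding(code_id, "critical",
                                    f"host changed from {exp_host} to {obs_host}", payload))
        else:
            findings.append(Finding(code_id, "suspect", "same host, different path or query", payload))
    # Registered codes that the audit did not see at all (removed, covered, or missed).
    for code_id in inventory:
        if code_id not in scans:
            findings.append(Finding(code_id, "suspect", "registered code not found during audit", ""))
    return findings


def reportable(findings):
    """Findings that should open an incident record for the 24-hour initial report."""
    return [f for f in findings if f.severity == "critical"]


if __name__ == "__main__":
    for f in audit(INVENTORY, FIELD_SCANS):
        print(f"{f.severity:8} {f.code_id}: {f.reason}  [{f.observed}]")
```

The comparison is done on a normalised URL so that harmless spelling differences (upper-case host, explicit default port, a fragment) do not produce false alarms, while a changed host is always treated as critical. The audit output, together with the scan timestamp and a photo of the code, is the kind of evidence the later 72-hour and one-month reports ask for.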

Conclusion: NIS2 Makes QR Code Security Mandatory

With the NIS2 Implementation Act, public QR codes are part of the IT infrastructure that must be protected. Quishing attacks are reportable security incidents, and management is personally liable.

The good news: With QRTrust, you can meet all requirements – before the first incident occurs. Invest in prevention rather than fines.


Legal Sources

  • Federal Law Gazette 2025 I No. 301: NIS2 Implementation Act
  • BSI Act 2025 (BSIG) §§ 28-65
  • EU Directive 2022/2555 (NIS2 Directive)

Free NIS2 Initial Consultation

Let's check together how QRTrust can support your NIS2 compliance.


*About QRTrust: QRTrust is Germany's first QR code security platform, developed in Dortmund. With AI-powered real-time detection, local threat database, and 6-layer security check, QRTrust protects citizens, authorities, and businesses from quishing attacks. GDPR compliant, hosted in Germany. Participant in start2grow, the startup competition of Dortmund Economic Development.*
