NIS2 Directive: New obligations and opportunities for companies in Germany
Introduction: Cybersecurity under scrutiny
The NIS2 Directive is giving cybersecurity a new weight for companies and public institutions. While the threat from targeted cyberattacks keeps growing, the new EU-wide regulation establishes a uniform framework to better protect critical infrastructure, companies and public authorities. But what does this mean in practice in Germany, what challenges will arise, and what does it mean for the organisations affected?
The path to greater security: the aim and scope of NIS2
The NIS2 Directive replaces the previous EU NIS Directive (NIS1) and significantly expands its scope. It no longer applies only to critical infrastructure such as energy, water or digital services, but covers a total of 18 sectors, including health, transport, wastewater, public administration and even space. Companies above a certain size or with significant economic importance are specifically addressed: the so-called size-cap rule brings medium-sized and large enterprises into scope, i.e. from 50 employees or 10 million euros annual turnover upwards; entities at or above 250 employees or 50 million euros turnover in the most critical sectors are generally classed as essential entities with the strictest supervision. This means that an estimated 42,000 companies in Germany are subject to the new requirements – many times more than those previously regulated.
New legal framework and operational implementation of NIS2 in Germany
Key points and provisions of the current draft law
In June 2025, the updated draft for the German implementation of NIS2 was presented. In addition to, for example, extended audit and enforcement powers for the Federal Office for Information Security (BSI), the catalogue includes a wide range of obligations: companies must establish robust information security management, report security incidents quickly and carry out comprehensive risk analyses. State-of-the-art measures are required not only for IT in the narrow sense, but also for organisational, operational and external factors such as suppliers. Particularly noteworthy: federal authorities and other government agencies are granted some far-reaching exemptions and simplifications.
Obligations for companies: From risk analysis to reporting
For affected companies, NIS2 means that their entire business processes will come under scrutiny. Not only the IT area, but also supply chains, emergency management and operational continuity must be examined. Some of the risk analysis requirements go beyond what an existing ISO/IEC 27001 implementation typically covers, so existing management systems will need to be extended. In addition, significant security incidents must be reported to the BSI in stages: an early warning within 24 hours, often with only preliminary details, followed by a fuller incident notification within 72 hours and a final report within one month. Responsibility for overseeing compliance rests with the management body, which in practice delegates day-to-day monitoring to a CISO or a designated information security officer. Violations can result in fines of up to 10 million euros or 2 per cent of worldwide annual turnover for essential entities, and up to 7 million euros or 1.4 per cent for important entities.
Critical voices, challenges and new tasks
Controversy: exceptions and lack of uniformity
The discussion among politicians and experts is lively. Many stakeholders criticise the large number of exemptions, especially for government agencies: while federal authorities are formally within scope, they actually enjoy numerous exemptions. There is also a lack of comprehensive standardisation: different standards and supervisory structures between the federal and state governments lead to inconsistencies. This makes planning difficult, especially for companies in sectors with complex regulation, such as healthcare or energy. Similarly, the municipal level is often insufficiently involved, even though cyberattacks repeatedly have serious consequences there.
New perspectives for conformity assessment and audits
With stricter documentation requirements, the demands on external consultants, auditors and conformity assessment bodies are increasing. NIS2 does not explicitly require formal certification according to ISO/IEC 27001, but it does require proof of appropriate and effective security measures. Companies increasingly need professional support with risk analyses, maturity assessments and strategic implementation. The established certification processes are supplemented by sector-specific audits, new reporting requirements and the need to document both legal and technical compliance.
NIS2: Opportunity for greater security or new bureaucracy?
Outlook: Potential and areas for improvement
The desired harmonisation of cybersecurity requirements offers companies the opportunity to adopt standards that are recognised throughout Europe and thus strengthen their own resilience.
Nevertheless, there is room for improvement: too many exceptions could undermine confidence in the German model, while late or contradictory guidelines could promote uncertainty. The role of auditors is strengthened by the growing pressure to provide evidence, but this requires new skills and a deep understanding of regulatory diversity and industry-specific requirements.
Your path to NIS2 compliance: take advantage of our expertise
The implementation of the NIS2 Directive is no simple matter and affects far more organisations than previously thought – from SMEs to large corporations, from energy suppliers to healthcare providers. Whatever your starting point, clear processes, structured risk analyses and professional support are the keys to success in an increasingly digital and connected world.
Do you need support or have questions about NIS2 implementation and the requirements for your company? Don't hesitate to contact us. We offer expert advice, tailor-made audit solutions and accompany you step by step until you achieve full compliance. Take the opportunity to make your security management future-proof now – contact us for a personal consultation!