The NIS2 Directive is intended to safeguard prosperity in Germany through economic, proportionate, and effective security measures. Cyberattacks already account for 70% of the total damage to the economy. However, only half of the affected companies had registered with the Federal Office for Information Security (BSI) by March. We will discuss the reasons for this reluctance, whether investing in compliance with the new legal obligations is worthwhile, and which NIS2 implementation strategy is most suitable for your company.
Is your business affected by NIS2?
Many small and medium-sized enterprises (SMEs) underestimate the scope of the NIS2 legislation. We therefore strongly recommend that you first carry out the BSI impact assessment to clarify whether your company is among those subject to the requirements. This requires you to specify the number of employees and the turnover of all legal organisational units. If you provide IT services to organisations affected by NIS2, you must obtain legal advice to analyse whether you are affected as well. As the BSI website does not provide legally binding information, you must document why your company is or is not affected.
Even if you are not directly affected, it is worth reading on to find out what benefits your company could gain from implementing the NIS2 requirements and whether these benefits are worthwhile. Based on our experience with NIS-1 and the importance of IT systems to our society, we assume that the EU will expand the scope of the regulation in the coming years.
Why are so many companies hesitating?
It is estimated that 29,500 companies in Germany are affected by the NIS2 Directive, yet by the final day of the registration period, only around 52% of companies had registered. What are the reasons for this behaviour?
The actual scope of the regulation is significantly underestimated by businesses. In particular, companies with 10 to 49 employees and a turnover of more than 10 million euros appear not to have recognised that they are affected, as shown in the Cyber Security Report 2026. The data suggests that a total of 48% of all companies surveyed may be affected without realising it.
Many companies are adopting a wait-and-see approach, as the BSI is taking a cooperative stance and the companies have already had experience with the KRITIS Act. After auditors had discovered shortcomings in the IT security of operators of critical infrastructure, the BSI gave them enough time to implement new measures rather than threatening them with fines. The BSI understands, for example, that network segmentation entails significant risks and that the process takes several months. Nevertheless, not all authorities agree: in March 2025, the Rechnungshof is reported to have called on the BSI to increase the pressure on KRITIS operators.
Staff shortages (58 per cent of companies) and limited budgets (43 per cent) are two of the challenges many businesses face when implementing NIS2. This is a sign that many business leaders view IT security as a cost rather than as a means of protecting jobs. The result is inadequate budgets that are approved only with great difficulty and are often insufficient for important measures such as testing the restoration of backups and servers. In my experience, the importance of IT systems is only recognised after a production outage.
It is about processes, not software
NIS2 is about establishing and optimising processes that protect the business, rather than purchasing new software. These processes should maintain operations, detect, respond to and report security incidents, and identify and mitigate risks at an early stage. Supply chain security, as well as the procurement, development, and maintenance of software, also play an important role in the NIS2 Directive. In all these areas, the first step is a risk assessment to determine which measures are economically viable and effective for the organisation. Without this, purchasing security products is not effective.
Finally, NIS2 also requires IT security training for senior management. When we drive a car or walk on the street, we want to avoid accidents and arrive safely at our destination. We are aware of the risks of road traffic. However, the risks posed by our business-critical IT systems are often not recognised by staff outside the compliance and IT departments. That is why we view the training requirements positively, provided they cover practical content.

Data protection and NIS2 compliance in the EU – Image by Tumisu from Pixabay
The most cost-effective strategy: Take action rather than wait and see!
The most cost-effective strategy is to register and analyse the greatest risks to your business processes. Doing nothing is expensive and risky. Whilst the penalties for non-compliance are a known quantity, the costs of a three-week production shutdown, a compromised supply chain, or a major data breach are incalculable unless you have assessed these risks.
The case of a Ford dealership that had to file for bankruptcy following a cyberattack serves as a strong warning of what can happen when IT infrastructure is paralysed. Simply waiting to see what happens could jeopardise the company’s very existence.
Organisations that focus their NIS2 programme solely on avoiding penalties are building on sand. They produce documents for auditors and draft policies that remain unread. They may comply with the letter of the law, but they miss its purpose, which is to protect jobs. Compliance alone does not stop cyberattacks or restore a paralysed production line. The minimum security measures described in Article 21 are not bureaucratic hurdles, but the foundation for operational resilience.
Positive effects of thorough implementation
A well-planned implementation of NIS2 offers the following benefits:
- Fewer operational disruptions
- A better understanding of critical processes, systems, networks, and dependencies with your suppliers
- Rapid recovery of business processes following an incident
- Reduced vulnerability to damage caused by configuration or programming errors, or ransomware
- Less harm to your company from disruptions affecting your suppliers
Once you have recognised that the NIS2 requirements apply to your business, you must identify your business-critical IT systems as well as secondary systems whose manipulation could indirectly lead to significant damage. One example is the domain controller through which you manage all permissions for all Windows machines. This identification defines the scope of your critical processes and increases the value of your investments in IT security, as you can focus on the most relevant areas.
You then assess the risks associated with these systems, including physical security. In this step, you save money by explicitly prioritising the risks and assessing whether current processes adequately minimise them. It is important here to consult with the relevant business department to calculate the potential loss to the company. As the risk is translated into business terms, it is easier to secure a budget for mitigation.
Once you have a budget and staff available, you begin to implement the most effective security measures. As you now know what needs to be protected, it is easier to implement a process, to improve an existing one, or to purchase a security solution. You can also demonstrate to external auditors and authorities that you are investing in improving the company’s IT security. You should regularly review whether the processes and security products are still cost-effective. For example, there are now resource-efficient ways to log access to personal data and to prevent the creation of unauthorised copies of sensitive data, which allows the requirements of the GDPR and NIS2 to be met more efficiently and effectively. It is therefore worth regularly reviewing the effectiveness and cost-efficiency of your current security procedures and, where necessary, implementing alternative processes or tools.
The security of the processes used by service providers, suppliers, and external IT partners must be taken into account in your risk assessment, as they are relevant to the continuity of your business. Suppliers must implement their own security measures, which will have a positive impact on multiple organisations and enhance IT security within your industry. When procuring or developing software, you will also document the most relevant security requirements to mitigate the key risks, rather than attempting to implement security without clear goals.
How do you get started?
The BSI provides affected companies with a starter pack and offers virtual kick-off seminars to help them get started. The first step is always to clarify whether you are affected.
Your experience
Implementing NIS2 requires the definition of a process through which you continuously improve your business. This is no different from other areas such as marketing and sales, where you constantly optimise your strategy and execution.
What experiences have you had with improving business processes through NIS2? We look forward to your comments.
