11/09/2025
The European Union’s updated cybersecurity directive, NIS2, officially came into force in October 2024. Its aim is simple in principle but far-reaching in practice: raise the baseline for cyber resilience across critical sectors, expand the number of companies covered, and enforce it with teeth.
But in Germany, the actual implementation into national law is still pending. Political transitions and legislative backlogs have left businesses in limbo. As of September 2025, there’s still no final law in place, no registry of “essential” or “important” entities, and no published enforcement timelines.
This has led to a state of confusion among companies. Many decision makers simply don’t know what they need to do in response to NIS2, when they need to do it by, and, critically, whether NIS2 even applies to them at all.
A 2024 study by Bitkom found that 66% of German companies say they feel unprepared for NIS2. And while it might be tempting to wait for clarity from Berlin, that’s a risky strategy: once Germany catches up (and it must), compliance will be mandatory, and penalties will be significant.
Now is the time to act. The foundations of NIS2 are known. Your competitors in other countries are already adapting. There’s no benefit in delay, but there is a real and credible risk in standing still.
What NIS2 Requires, and Who It Applies To
The original NIS Directive (2016) was focused on critical infrastructure and the companies behind it, such as large players in energy, transport, banking, and health. But NIS2 broadens the scope dramatically.
This time, it’s not just large companies that need to step up. It’s any organization that delivers services essential to the economy or society, and that includes many small-to-medium-sized enterprises.
Ultimately, NIS2 applies to two tiers of companies:
- Essential entities, such as large firms in critical sectors like energy, health, transport, and digital infrastructure. These firms will generally have 250+ employees or more than €50 million in turnover.
- Important entities, such as mid-sized companies in sectors like the manufacturing of critical products, food production, postal services, chemicals, and digital services. These firms will generally have 50+ employees or more than €10 million in turnover.
It’s important to note that the above thresholds are general guides. Specific thresholds can vary by sector and must be determined based on the organization’s size and the sector it operates in. In specific cases, an entity may still be considered “essential” or “important” even if it does not meet the size criteria, for example when it is the only provider of a critical service for societal or economic activity.
So, What Are the Expectations?
NIS2 requires covered companies to implement risk-based security practices across their entire operations. That includes:
- Risk management: You must conduct regular assessments and implement security controls accordingly.
- Incident handling: Including 24-hour notification of significant incidents to regulators, and full reporting within 72 hours.
- Business continuity and crisis response: Resilience planning, disaster recovery, backups, and crisis communication processes.
- Supply chain security: You’re responsible not only for your own defences, but also for managing cyber risk across your vendors and service providers.
- Governance and accountability: NIS2 introduces top-down accountability. Senior management must approve cyber strategies and may be held personally responsible for failures.
Non-compliance comes with teeth: up to €10 million or 2% of global turnover, whichever is higher. Unlike previous regimes, NIS2 also makes it possible to sanction executives personally. For many German companies, especially in the Mittelstand, this is the first time they’re being pulled into EU-wide cyber regulation.
The Current Situation in Germany
Despite NIS2 being in force across the EU, Germany has yet to pass its national implementation law.
The original plan was to transpose NIS2 into national law via the “NIS2 Implementation and Cybersecurity Strengthening Act” by early 2025. A draft bill had been approved by the previous government. But the dissolution of the Bundestag in late 2024, followed by new elections, put the legislative process on hold.
Now, under the new coalition, the entire process must start again. The German NIS2 Implementation Act was passed by the Cabinet on July 30, but, under parliamentary procedure, the draft law has to be resubmitted, reviewed, and debated anew. The best-case scenario is a new national law by late 2025, but it could be 2026 before it takes effect.
This delay has been widely criticised, with the European Commission even issuing formal warnings to Germany and others for missing the implementation deadline. What’s more concerning is that there are no signs of a grace period. Once the law is passed, companies will be expected to comply immediately. There’ll be no soft start or phasing in, as was the case in other EU member states.
In practice, this means German companies must act now, before the law arrives: once it does, the countdown on compliance and fines will already be ticking.
What Other Countries Are Doing, and Why Germany Should Take Note
While Germany lags, several EU neighbours have already published NIS2 implementation plans and started working with industry to prepare. Their progress provides a helpful window into what’s coming and illustrates why German companies shouldn’t wait.
Austria: Delays, But Transparency
Austria also experienced a legislative stall due to political reshuffles. But the new Austrian government has already prioritised NIS2 implementation and published a new draft law for public consultation. Authorities estimate around 30,000 companies in Austria will be affected, and have begun issuing sector-specific guidance and FAQs to support compliance.
Netherlands: Clear Timelines and an Early Start
The Dutch approach is widely seen as a model. The Dutch Cybersecurity Act, which transposes NIS2, was released for consultation in mid-2024. A final version was submitted to Parliament in early 2025, with a clear target date for enforcement by the end of the year.
Crucially, Dutch regulators have published early guidance, helping companies assess their risk, align their governance, and test incident response protocols well before the law takes effect.
France: Going Further, Faster
France chose a broader, more ambitious approach by bundling NIS2 into a comprehensive “national resilience law” that also includes the CER directive (on critical entities) and DORA for the financial sector.
By spring 2025, the law was already being finalised in Parliament. The French model puts particular emphasis on critical infrastructure, continuity planning, and national coordination. Importantly, France is also extending NIS2-style obligations beyond the EU minimum, including some municipalities and research institutions.
How German Companies Can Act Now
While Germany’s national law is late, the EU directive is live, and waiting for final legislation to come through leaves you open to potential fines. Here’s what German companies (especially those operating in regulated sectors) should do now:
1. Assess Whether You’re In Scope
Start with the basics: If you have more than 50 employees and operate in a sector listed in NIS2 (Annexes I and II), the answer is probably yes. Even if you’re a supplier to an in-scope entity, you may be indirectly impacted. Start mapping your business functions, dependencies, and sector classifications now. Regulators in Austria and the Netherlands are working with companies based on drafts. You can too.
2. Conduct a Gap Analysis
NIS2 requires a documented, risk-based approach to cyber defence. That means incident response plans, security policies, vulnerability management, access controls, third-party oversight, and more. Perform a structured gap analysis by comparing your current posture against the known NIS2 requirements. Identify what’s missing and prioritise the most urgent risks and legal obligations.
3. Strengthen Staff Awareness
NIS2 makes cybersecurity a top-down responsibility. Leadership must understand their obligations and take ownership of cyber strategy. Now’s the time to brief boards, train department heads, and run awareness workshops across the business. Training should be tailored because different roles are exposed to different risks. Incident reporting, phishing identification, and secure handling of sensitive data are everyone’s job.
4. Bring in External Support if Needed
Not every company has the in-house resources to meet NIS2’s demands. That’s where external partners can help. Whether it’s a Managed Security Service Provider (MSSP) to monitor threats and respond to incidents, or a consultancy to guide compliance preparation, there’s no need to reinvent the wheel.
Tools like the NIS2 Navigator – developed by Deutschland sicher im Netz e.V. and funded by the German Ministry for Economic Affairs – can help companies determine if they are affected by the directive, assess their current status, and identify next steps.
In addition to this, regional chambers of commerce (IHKs), sector-specific associations, and the BSI (Federal Office for Information Security) are increasingly offering guidance, templates, and checklists to help SMEs in particular navigate NIS2.
At Getronics, our role is to help translate those frameworks into action. We support companies in building compliant processes, strengthening resilience, and integrating cybersecurity into everyday operations – step by step.
Act Now to Avoid Fines
NIS2 is a major piece of legislation recognising that in our high-risk digital world, resilience is essential (and if you’re in scope, mandatory).
Yes, Germany is late to implement, but that doesn’t mean you can afford to delay preparations. The EU Directive is binding. Other countries are moving. And crucially, threat actors aren’t waiting, nor are your competitors.
Getronics supports businesses across Germany with the tools and guidance they need to move forward confidently. With our managed services and strategic advisory, we’re helping enterprises turn uncertainty into clarity.
We also invite you to join our upcoming webinar: “NIS2 für KMU – Warum ein MSP jetzt Gold wert ist.” In it, our experts will break down what NIS2 means, how to respond, and what steps to prioritise.
Register today and take the first step towards a stronger, safer, and fully NIS2-ready organisation.
Webinar: NIS2 for SMEs – Why an MSP is Worth its Weight in Gold Now
17/10/2025 14:00 CET | German