NIS2 in Germany: What the Delay in National Implementation Means for Companies & Why Preparation Is Key

The European Union’s revised cybersecurity directive, NIS2, entered into force in October 2024. Its objective is clear: strengthen cyber resilience across critical and economically significant sectors, expand the scope of covered entities, and introduce stricter enforcement and accountability mechanisms.

In Germany, however, national transposition into law remains incomplete. Political transitions and legislative delays have created uncertainty for organisations that may fall within scope. While enforcement timelines are not yet finalised at national level, the obligations defined at EU level are already known.

For German companies, the strategic question is not whether NIS2 will apply, but how prepared they will be when national implementation becomes binding. Waiting for full legislative clarity may appear convenient, but preparation based on the directive’s core requirements can and should begin now.

What NIS2 Requires, and Who It Applies To 

The original NIS Directive (2016) was focused on critical infrastructure and the companies behind it, such as large players in energy, transport, banking, and health. But NIS2 broadens the scope dramatically.  

This time, it’s not just large companies that need to step up. It’s any organization that delivers services essential to the economy or society, and that includes many small-to-medium-sized enterprises. 

Ultimately, NIS2 applies to two tiers of companies: 

  • Essential entities, such as large firms in critical sectors like energy, health, transport, and digital infrastructure. These firms will generally have 250+ employees or more than €50 million in turnover.  
  • Important entities, such as mid-sized companies in sectors like the manufacturing of critical products, food production, postal services, chemicals, and digital services. These firms will generally have 50+ employees or more than €10 million in turnover.  

The size thresholds above provide general orientation only. Specific thresholds can vary by sector, and final classification depends on sector-specific criteria, organisational structure, and in certain cases strategic relevance. An entity may therefore be designated as essential or important even if it does not meet the size criteria, for example when it is the only provider of a service that is critical for societal or economic activity.  


So, What Are the Expectations? 

NIS2 requires covered companies to implement risk-based security practices across their entire operations. That includes: 

  • Risk management: You must conduct regular assessments and implement security controls accordingly. 
  • Incident handling: You must notify regulators of significant incidents within 24 hours and submit a full report within 72 hours. 
  • Business continuity and crisis response: Resilience planning, disaster recovery, backups, and crisis communication processes. 
  • Supply chain security: You’re responsible not only for your own defences, but also for managing cyber risk across your vendors and service providers. 
  • Governance and accountability: NIS2 introduces top-down accountability. Senior management must approve cyber strategies and may be held personally responsible for failures. 

Administrative fines may reach up to €10 million or 2% of global annual turnover, whichever is higher. Unlike previous regimes, NIS2 also makes it possible to sanction executives personally. For many German companies, especially in the Mittelstand, this is the first time they’re being pulled into EU-wide cyber regulation. 

The Current Situation in Germany 

Despite NIS2 being in force across the EU, Germany has yet to pass its national implementation law. 

The original plan was to transpose NIS2 into national law via the “NIS2 Implementation and Cybersecurity Strengthening Act” by early 2025. A draft bill had been approved by the previous government. But the dissolution of the Bundestag in late 2024, followed by new elections, put the legislative process on hold. 

Now, under the new coalition, the entire process must start again. The German NIS2 Implementation Act was passed by the Cabinet on July 30, but, according to parliamentary procedure, the draft law has to be resubmitted, reviewed, and debated anew. The best-case scenario would be a new national law by late 2025, but it could be 2026 before it takes effect.  

The delay has prompted formal reminders from the European Commission to Member States that have not yet completed transposition. Enforcement timelines will ultimately depend on the final German implementation act, but, more concerning for companies, there are no signs of a grace period. Once the law is passed, companies will be expected to comply immediately. There will be no soft start or phase-in of the kind seen in other EU member states.  

In practice, this means German companies must act now, before the law arrives, because once it does, the countdown clock on compliance and fines will already be ticking. 

What Other Countries Are Doing, and Why Germany Should Take Note 

While Germany lags, several EU neighbours have already published NIS2 implementation plans and started working with industry to prepare. Their progress provides a helpful window into what’s coming and illustrates why German companies shouldn’t wait.  

Austria: Delays, But Transparency 

Austria has published a revised draft law and initiated consultation processes following political delays. Authorities have provided preliminary sector guidance to help organisations begin preparatory assessments. 

Netherlands: Clear Timelines and an Early Start 

The Netherlands progressed early with consultation drafts and defined target enforcement timelines, offering companies regulatory guidance in advance of formal implementation. 

Crucially, Dutch regulators have published early guidance, helping companies assess their risk, align their governance, and test incident response protocols well before the law takes effect. 

France: Going Further, Faster 

France integrated NIS2 into a broader national resilience framework alongside related EU directives. By spring 2025, the law was already being finalised in Parliament. The French model puts particular emphasis on critical infrastructure protection, continuity planning, and national coordination. Importantly, France is also extending NIS2-style obligations beyond the EU minimum, including to some municipalities and research institutions. 


How German Companies Can Act Now 

While Germany’s national law is late, the EU directive is live, and waiting for final legislation to come through leaves you open to potential fines. Here’s what German companies (especially those operating in regulated sectors) should do now: 

1. Assess Whether You’re In Scope 

Start with the basics. As an initial screening criterion, organisations with 50 or more employees operating in sectors listed under Annex I or II of NIS2 should assume potential applicability. Even if you are only a supplier to an in-scope entity, you may be indirectly affected through its supply chain obligations. Start mapping your business functions, dependencies, and sector classifications now. Regulators in Austria and the Netherlands are already working with companies on the basis of draft legislation; you can do the same. 

2. Conduct a Gap Analysis 

NIS2 requires a documented, risk-based cybersecurity management approach. Organisations should systematically compare existing controls against directive requirements, including incident reporting procedures, supply chain security, governance structures, and business continuity planning. 

3. Strengthen Staff Awareness 

NIS2 makes cybersecurity a top-down responsibility. Leadership must understand their obligations and take ownership of cyber strategy. Now’s the time to brief boards, train department heads, and run awareness workshops across the business. Training should be tailored because different roles are exposed to different risks. Incident reporting, phishing identification, and secure handling of sensitive data are everyone’s job. 

4. Bring in External Support if Needed 

Not every company has the in-house resources to meet NIS2’s demands. External advisory or managed security partners may provide structured support in conducting assessments, strengthening monitoring capabilities, and aligning documentation with regulatory expectations. Whether it’s a Managed Security Service Provider (MSSP) to monitor threats and respond to incidents, or a consultancy to guide compliance preparation, there’s no need to reinvent the wheel. 

Tools like the NIS2 Navigator – developed by Deutschland sicher im Netz e.V. and funded by the German Ministry for Economic Affairs – can help companies determine if they are affected by the directive, assess their current status, and identify next steps. 

In addition to this, regional chambers of commerce (IHKs), sector-specific associations, and the BSI (Federal Office for Information Security) are increasingly offering guidance, templates, and checklists to help SMEs in particular navigate NIS2. 

Preparation for NIS2 should be approached as a structured resilience initiative rather than a compliance checklist. Organisations that act early can align cybersecurity governance, risk management, and operational continuity well before formal enforcement begins.

The current legislative delay does not reduce exposure to cyber threats — nor does it eliminate future regulatory obligations. Companies that treat this period as preparation time will be better positioned when national enforcement becomes active. 

Act Now to Avoid Fines 

NIS2 is a major piece of legislation recognising that in our high-risk digital world, resilience is essential (and if you’re in scope, mandatory).  

Yes, Germany is late to implement, but that doesn’t mean you can afford to delay preparations. The EU Directive is binding. Other countries are moving. And crucially, threat actors aren’t waiting, nor are your competitors. 

Getronics supports businesses across Germany with the tools and guidance they need to move forward confidently. With our managed services and strategic advisory, we’re helping enterprises turn uncertainty into clarity. Request a callback to start a conversation with us and learn how we can help you.


Frank Roidl

Graduate Engineer and Sales Key Account Manager in Getronics Germany
