No matter when: NIS-2 is coming

The EU NIS-2 Directive is one of the most comprehensive regulatory innovations in the field of cybersecurity and will be a major topic for businesses, authorities, and organisations in 2025. This is despite the current political tug-of-war regarding its implementation in Germany. At present, it appears that the German law will not be passed until autumn 2025 at the earliest – more than a year later than planned. The original EU deadline for implementation was October 2024, which has already passed.

Political parties continue to debate issues such as vulnerability management and corporate liability, while the threat landscape steadily worsens. Waiting means taking a risk, as cyberattacks are not deterred by political delays. For this reason, preparation for NIS-2 is no longer optional; it is mandatory – even if the law will not come into force until next autumn.

What is NIS-2?

The Network and Information Systems Directive (NIS 2) is the successor to the original 2016 NIS Directive. Its goal is to establish uniform cybersecurity standards across the EU, encompassing not only operators of critical infrastructure (known as KRITIS in Germany) but also a wide range of businesses in sectors such as energy, healthcare, transport, and finance. One significant change under NIS-2 is the lowering of the threshold for classification as an "important entity," meaning many organisations will fall under its scope for the first time.

Why take action now?

Despite the uncertainties surrounding NIS-2, businesses and authorities should not wait to begin preparing for its implementation.

1. Cybercrime doesn’t wait for deadlines
   Attacks on businesses are becoming more frequent and more intense. Compliance with the minimum standards outlined in NIS-2 is not only a regulatory requirement but also an essential defence against current threats such as ransomware and phishing.

2. Implementing measures takes time
   Meeting NIS-2 standards requires extensive actions: from upgrading technical infrastructure and implementing organisational processes to conducting employee training. These measures cannot be implemented overnight. Businesses that begin analysing and optimising their security standards early will avoid panic and costly last-minute fixes when the compliance deadline approaches.

3. Competitive advantage through compliance
   Security is increasingly becoming a competitive factor. Security-conscious businesses earn the trust of their customers and partners. By complying with NIS-2, companies demonstrate not only their adherence to legal requirements but also their proactive responsibility. Those who prepare today will gain a competitive advantage tomorrow.

Complying with NIS-2 – but how?

Meeting the requirements of NIS-2 might seem complex at first glance, but with a clear strategy and targeted measures, the directive can be implemented step by step. The key is to act proactively and set the right priorities.

1. Analyse the status quo: Identify weaknesses in IT security and set clear priorities to address them.

2. Optimise processes: Define responsibilities and thoroughly document security measures.

3. Implement technology: Deploy modern security solutions such as encryption, zero-trust models, and automated threat detection.

4. Train employees: Raise awareness of cyber risks among teams and provide practical training on handling security incidents.

5. Engage partners: Leverage the expertise of experienced service providers to strengthen your compliance strategy.

The right time is now

For those still wondering when NIS-2 will become relevant: NIS-2 is not a short-term obligation but a long-term opportunity to elevate your security architecture to the next level.

Even though the exact requirements of Germany’s NIS-2 implementation are still pending, the directive already provides a clear roadmap for improving cybersecurity. Organisations that act early will benefit from enhanced protection against threats and avoid unnecessary stress and high costs from last-minute adjustments.