Germany moves closer to full NIS2 implementation: what companies need to know
Ivett Dobay
2025.11.27
Germany has taken a major step toward implementing the NIS2 Directive: on 13 November 2025, the Bundestag adopted the NIS2-UmsuCG, pushing the country into the final phase of alignment with EU cybersecurity rules. Although some regulatory details are still pending, it is now clear that companies must begin preparing immediately.
What the Bundestag’s Approval Means in Practice
- The Bundestag has approved the national NIS2 law, but this is not yet the final parliamentary step.
- The overall regulatory framework is still being finalized.
- The law is expected to enter into force between late 2025 and early 2026.
- No transitional grace period — meaning obligations become active immediately.
What Happens Next?
Several steps remain before NIS2 becomes legally binding in Germany:
- Bundesrat review and approval, which may take weeks or months.
- Development of BSI implementation rules, including detailed requirements for incident reporting, risk management, supply-chain security, and audit processes.
- Possible sector-specific regulations for industries such as energy, healthcare, transport, and telecommunications.
- A formal entry-into-force announcement, expected in early 2026.
What Companies Must Do Now
Even with details still emerging, the overall expectations for compliance are clear. Organizations should immediately begin:
1. Applicability Assessment
Determine whether the organization qualifies as an essential or important entity and identify which activities and suppliers fall under NIS2.
2. Gap Analysis & Risk Assessment
Identify missing controls, such as risk management processes, incident response procedures, supply-chain requirements, and required documentation (ISMS, IRP, DRP, supplier policies).
3. Launching Priority Projects
Key focus areas include:
- Creating or updating an ISMS (ISO 27001 / IT-Grundschutz)
- Strengthening governance and management accountability
- Implementing 24h/72h incident reporting capabilities
- Establishing supply-chain security and contractual requirements
- Enhancing logging, monitoring, and detection capabilities
- Organization-wide cyber security awareness training
Important Considerations for Companies
- Many more organizations are included than under previous KRITIS rules — especially mid-sized firms in manufacturing, logistics, healthcare, and digital services.
- Executives have personal responsibility for cybersecurity compliance.
- Supplier compliance is mandatory, including ongoing monitoring of risks.
- No soft transition period is expected once the law becomes active.
How to Prepare
- Plan budgets and resources for a 6–18-month implementation timeline.
- Prepare for audits or build audit-ready control structures.
- Improve the maturity and completeness of security documentation, often a major weakness among German companies.
- Modernize cybersecurity tools such as SIEM, log management, EDR/XDR, network monitoring, segmentation, and incident management.
EURO ONE – years of experience in supporting NIS2 compliance
EURO ONE is one of Hungary’s leading cyber security and NIS2 consulting companies and has supported numerous medium-sized and large domestic companies in preparing for NIS2 in recent years. Drawing on that experience, the company:
- Supports organizations in performing comprehensive gap analysis.
- Assists in the development or updating of ISMS systems (based on ISO 27001).
- Develops complex risk management, incident management, and supplier security frameworks.
- Provides technological support in the implementation of log management, EDR/XDR, network monitoring, and SIEM systems.
- Provides professional NIS2 audit preparation, focusing on increasing documentation maturity and management compliance.
- Has extensive experience in sectors affecting critical infrastructure, as well as in companies that are now coming under the scope of the regulation for the first time.