The most important thing in brief:

NIS 2 Implementation Germany: Introduction
The EU's NIS 2 Directive places new cybersecurity requirements on companies. Data leaks, ransomware attacks and targeted cyber attacks on companies and public institutions are becoming increasingly common and can result in enormous economic and reputational damage. In this context, the NIS 2 Directive (Network and Information Security Directive 2) is becoming increasingly relevant for many organizations. While the original NIS Directive was already committed to protecting critical infrastructures, NIS-2 goes one step further and imposes more extensive requirements on a wide range of industries and institutions. But what exactly does that mean for German companies? Who must implement NIS2 by when, and what can a structured implementation look like? We provide an overview of deadlines, obligations and the current legal situation in Germany.
Overview of the NIS 2 Directive
The NIS 2 Directive (EU) 2022/2555 is an evolution of the original NIS (Network and Information Security) Directive from 2016. The aim is to significantly increase the cyber resilience of critical and important infrastructures in Europe — with clear requirements for security measures, risk management and reporting requirements in the event of security incidents. You can find a general overview of the policy in our blog article NIS2: Requirements, penalties, and implementation.
The Directive was published in the EU Official Journal on December 27, 2022, and the member states were required to incorporate it into national law no later than October 17, 2024.
Current status of the NIS 2 Directive (implementation in Germany)
In Germany, the Federal Ministry of the Interior and Home Affairs (BMI), together with the Federal Office for Information Security (BSI), is responsible for implementation. With the NIS2 Implementation Act (NIS2UmsuCG), Germany is transposing the European NIS 2 Directive into national law. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is still in the legislative process. Although a government draft has been available since July 22, 2024, timely implementation is currently questionable. The reasons for this are the upcoming new elections, a faltering government formation and the so-called discontinuity principle: all pending legislative proposals must be introduced and discussed again after the election.
Germany, like 22 other EU member states, has already been officially admonished by the EU Commission because of delayed implementation. Since the first reading in the Bundestag in October 2024 and an expert hearing in November, the Federal Government has remained silent.
The draft provides for extensive adjustments to various laws, including the BSI Act and the Energy Industry Act (EnWG). Operators of critical infrastructures (KRITIS), large companies from defined industries and individual federal institutions are particularly affected.
Conclusion: It is currently unclear when the NIS2UmsuCG will be finally adopted. However, companies should not rely on political processes, but should already be strategically aligning their cybersecurity measures and proactively starting to implement them. The latest status of the legislative process is available on the official website of the Federal Ministry of the Interior and Home Affairs (only in German): BMI: legislative process for NIS2UmsuCG
Public hearing on the NIS2 Directive
As part of a public hearing of the Committee on Home Affairs in the Bundestag on November 6, 2024, the draft of the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was discussed intensively by experts from business, administration and science. The fundamental need for action to strengthen cybersecurity was widely recognized; at the same time, several experts made critical remarks on the draft law. In particular, the extensive scope of application, the practical feasibility for small and medium-sized enterprises (SMEs) and unclear definitions of terms were mentioned as potential challenges. The hearing showed that although there is broad consensus on the need for the Directive, there is still a need for improvement on important detailed issues.
Who needs to implement NIS2?
A key change to the NIS2 Directive is the significantly expanded scope of application. In addition to traditional KRITIS operators such as energy or healthcare providers, many other industries are now also affected — such as providers of digital services (e.g. cloud services, DNS, Internet nodes), suppliers of critical chains, parts of public administration and companies from sectors such as waste management, food, chemicals or automotive. Even smaller service providers and previous “suppliers” can now fall under the Directive. Whether a company is affected requires careful consideration on a case-by-case basis. You can find detailed information about this in our blog article NIS2 - Who is affected.
When do I have to implement NIS2?
The implementation of the EU Network and Information Security Directive (NIS2) is significantly delayed in Germany. Although the national implementation deadline ended on October 17, 2024, the corresponding law is expected to enter into force only in spring 2025. The Federal Government has already acknowledged that the timetable cannot be met.
Regardless of the delay, we strongly advise companies to deal intensively with the requirements of the NIS2 Directive now. The Directive sets uniform and ambitious minimum cybersecurity standards across Europe, with direct effects on internal processes, IT infrastructure and risk management. Those who act early not only strengthen their own cyber resilience, but also minimize the risk of having to make improvements later under time pressure. Address the following questions:
- Are we already meeting all requirements of the NIS2 Directive?
- Which systems, processes and information are particularly worthy of protection?
- Where are there still gaps in risk management or technical implementation?
In this phase in particular, a well-founded inventory is essential, because anyone who documents transparently and optimizes in a targeted way now reduces not only the risk of security incidents, but also the risk of possible sanctions from supervisory authorities.
How must companies implement the NIS 2 Directive?
The NIS 2 Directive requires, among other things, the implementation of technical and organizational measures to increase cyber resilience. According to the Directive, this includes in particular:
- Risk management processes for information security
- Crisis management and emergency plans
- Encryption, authentication, and access protection
- Supplier and supply chain controls
- Reporting security incidents within 24 hours
Practical example from everyday IT life:
A medium-sized German IT system house that provides services for hospitals is classified as an important service provider under the NIS2 Directive. Those responsible use an inventory tool such as Docusnap to seamlessly document all IT components, user rights and network connections. In this way, it is possible to systematically check which systems are critical, whether current security updates are missing or where unnecessary rights exist. Such transparency is the first step towards effective risk management in accordance with NIS2.
How Docusnap supports NIS2 implementation
The structured implementation of NIS2 requirements starts with a complete overview of your own IT landscape. This is where Docusnap comes in:
✅ Automated IT inventory — even agentless
✅ Documentation of all assets, user permissions, and dependencies
✅ Visualization of networks and responsibilities
✅ Assistance with identifying critical systems
✅ Basis for creating emergency plans and security concepts
Central, regularly updated documentation is a decisive success factor, especially in companies with complex IT structures or a large number of service providers.
Outlook and Conclusion: Act now instead of waiting
The NIS-2 Directive is a clear indication that Germany is demanding more binding and stringent IT security. The numerous mandatory aspects — from risk assessment to reporting security incidents to potential fines — show that the time of voluntary focus on best practices is over for many companies. Anyone who reacts too late risks not only financial losses and image losses, but also fines.
However, NIS-2 is not static: In the coming years, regulations and standards will continue to develop, new industries will come into focus and technical standards will be tightened. It is therefore all the more important to establish a coherent security concept that is tailored to the specific requirements of your company. This concept should:
- include technology investments in hardware and software,
- define clear processes and responsibilities,
- sensitize the workforce to the issue of cybersecurity,
- and firmly anchor sustainable, automated IT documentation.
Docusnap can help you complete this complex task over the longer term. With automated inventory, structured reports, compliance checks and efficient processes, you lay a solid basis that significantly relieves you of the burden of implementing the NIS 2 Directive.
We would be happy to assist you if you have any further questions about Docusnap or would like individual advice. To do this, please also visit our IT inventory division to get even more detailed information.
The next steps:
Start now with a structured inventory of your IT infrastructure — the basis for every successful NIS2 implementation. Docusnap supports you with automated IT inventory, network and authorization analysis, and clear documentation of all relevant systems. Try Docusnap without obligation with the free trial version and lay the foundation for more transparency and security in your IT.