Total Experience  | 5 Aug 2025

Strengthening Cybersecurity in Germany

Cabinet Approves NIS 2 Implementation Act

Dorothee Haensch

Germany is taking major steps to become more digitally secure: On June 30, 2025, the Federal Cabinet adopted the draft law by Interior Minister Alexander Dobrindt to implement the EU Directive NIS 2. This marks a comprehensive modernization of existing IT security legislation, adapting it to today’s cybersecurity challenges. Going forward, significantly more companies across industries will be required to actively protect their digital systems.


The Federal Office for Information Security (BSI) will be granted broader powers to provide targeted guidance to companies, monitor the implementation of protective measures, and ensure compliance with new digital security standards.

What Does The NIS 2 Act Include?

Reporting obligations & risk management

Affected organizations must register, report cyber incidents within 24 hours (with updates after 72 hours and a final report within one month), conduct risk analyses, and implement measures such as multi-factor authentication, employee training, and application security.


Responsibility at the executive level

Executives are required to implement risk management measures, monitor implementation via a Security Operations Center (SOC), and undergo appropriate training themselves – a key step toward governance-driven digital security.


New supervisory powers for the BSI

The BSI will gain extended authority to conduct audits and impose sanctions. Fines may be calculated as a percentage of a company’s annual revenue, similar to GDPR penalties.


Focus on federal administration

Federal authorities will also be subject to binding IT security standards based on the BSI’s IT-Grundschutz Compendium and additional federal requirements.

“With this new law, we are creating a much higher level of security for our economy and public administration. Companies and government agencies will become more resilient to cyberattacks. We're relying on clear rules without unnecessary bureaucracy.”

Minister Alexander Dobrindt

What Does NIS 2 Mean for Online Shop Operators and IT Managers?

Our step-by-step recommendations:

  • Check whether your organization is affected by NIS 2. Use the official online tool.

  • If affected, perform threat modeling to assess your specific risks.

  • Prioritize your tasks – start with internet-facing applications.

  • Create an implementation roadmap for the reporting obligations as part of your response planning.

  • Talk to us – we offer cost-effective 24/7 SOC teams to support you.

Why Are These Cybersecurity Requirements More Relevant Than Ever?

Cybercrime today is more professionally organized than ever before. Attackers are increasingly turning to the "Cybercrime-as-a-Service" model, where they don’t have to build their own malware, but can simply rent or buy ransomware, phishing kits, or hacking tools like standard software.


This easy access drastically lowers the entry barrier for cyberattacks, allowing even less technically skilled individuals to launch targeted attacks. At the same time, the growing use of cloud technologies introduces new IT security challenges. While modern cloud platforms offer strong protection, attackers are also well-versed in them. They exploit misconfigurations, insecure APIs, or weak access controls.


Organizations can no longer rely solely on the security measures of their cloud providers. They must proactively integrate available cloud security tools into their own strategies. This is exactly where the new legal requirements come in: they compel organizations to structurally strengthen their cybersecurity and digital security through clear processes, risk assessments, and technical defenses, so that they can respond effectively to the growing threat landscape.



Benefits for Business and Government

At first glance, the implementation of the NIS 2 Directive may seem like pressure to comply quickly. But in the long term, it offers clear benefits for businesses, public institutions, and Germany’s entire digital infrastructure. Cybersecurity, IT security, and digital security are all strengthened through mandatory, transparent guidelines:

  • Unified framework: Harmonized security requirements provide a consistent foundation across sectors. This creates clarity and legal certainty for digital security compliance.

  • Higher security levels: Mandatory risk analyses, employee training, incident response planning, and measures such as multi-factor authentication significantly raise the bar for IT security.

  • Improved national cyber resilience: Enhanced BSI oversight, mandatory reporting, and structured response processes increase Germany’s ability to detect, report, and counter cyberattacks more quickly.

  • Legal certainty for companies: Clearly defined criteria, such as the BSI’s self-assessment tool, help companies determine if they are affected and streamline compliance efforts.


What happens next?

  • The draft law will now enter the legislative process in the Bundestag and Bundesrat.

  • If everything proceeds as planned, the implementation should be completed by spring 2026 – even though the NIS 2 compliance deadline was originally set for October 2024.

  • Affected organizations should start preparing now – using the BSI’s assessment tool or through expert consultation.

Conclusion

With the adoption of the NIS 2 Implementation Act, Germany is setting a clear course for a modernized cybersecurity strategy. By combining regulatory obligations with practical IT security measures, both companies and public authorities will enhance their resilience. It’s a critical step toward long-term digital security in an increasingly connected Europe.


Want to align your IT security strategy with the new legal requirements? Our experts are here to help!

Dorothee Haensch

Dorothee Haensch has been a Senior Marketing Manager at diva-e since 2023. As an expert for content in the software sector, she gets to the bottom of the requirements of different industries and creates content that helps companies solve current problems and master future challenges.
