On 13 November 2025, the German Bundestag passed the final ‘NIS 2 Implementation and Cybersecurity Strengthening Act’ (NIS2UmsuCG). This ends the uncertainty: the EU’s NIS 2 Directive is now binding German law.

The 3 most important game changers in today’s decision:

1. Expanded scope of applicability:

The focus is no longer solely on the traditional 2,000 or so ‘KRITIS’ operators. The categories ‘important’ (e.g. mechanical engineering, food production, chemicals) and ‘particularly important’ (e.g. energy, banking, health) facilities mean that the probability of your company (as one of a total of around 40,000) now being affected has increased massively.

2. Personal liability of management:

The management boards (managing directors, board members) are now personally responsible for the implementation (and non-compliance!) of cybersecurity measures. They must accept the measures and monitor their implementation. Violations are subject to heavy fines that can no longer simply be passed on to the company.

3. Stricter requirements & deadlines:

It is no longer just a matter of having a firewall. NIS2 requires comprehensive risk management that covers the entire supply chain. In addition, the reporting requirements for security incidents are drastically reduced (often to 24 hours for an initial report).

What you should do now:

Those who have only been analysing the situation so far must now take action. NIS2 is not purely an IT issue; it is a strategic management issue that determines the resilience and future viability of companies.

Clarify whether you are affected: Does your company fall under the new regulations? If so, you will also have to meet the requirements of your customers/supply chains.

Perform a gap analysis: Where do you stand? Which of the required measures are missing?

Involve management: Top management must understand the new personal liability risks and release the necessary resources.

Create a roadmap: Develop a clear, prioritised plan to close security gaps and implement management processes.

Still not quite sure what exactly to do? Then we recommend our NIS2 Readiness Check:

The offices of IT Kombinat were the location for an engaging seminar on the topic of the Network & Information Security Directive2 (NIS2) yesterday. Many thanks to Mr Herbert Schulte, Director of the Wirtschaftssenat for organising the event in partnership with IT Kombinat!

Expanding on the scope of NIS1, NIS2 aims to further strengthen critical infrastructure and essential services within the EU. This should be achieved by requiring companies providing these services to implement appropriate security measures and to rapidly reportany incidents to the appropriate authorities (in Germany the BSI).

Bernhard Borsch, our Information Security specialist and co-founder presented a high-level perspective of NIS2, its scope, and enforcement guidelines. He also outlined the benefits of a business-centric approach to information security and the utility of a general Information Security Management System (ISMS) which encompasses many of the NIS2 requirements.

An active and informative Q&A session followed, with the attendees sharing their experiences of navigating security regulations and discussing the difficulties of recruiting and retaining good information security professionals. SMEs rarely have the resources to launch large security initiatives as some larger companies do, and the challenge of monitoring systems, diagnosing issues, analysing logs, fixing issues and informing authorities can seem daunting. Through his years of IT and OT security experience, Bernhard Borsch was able to provide pragmatic and right-sized guidance

One significant area of discussion was Operation Technology security (OT security), which is a focus of NIS2. OT has traditionally not been within the remit of Information Security teams as these systems (e.g. production lines) operated only within their own networks. With the growth of Industry4.0 and other applications for operative system data, OT systems are increasingly connected to other networks and are thus vulnerable to attack.

We hope all attendees left the event well refreshed and well informed. We look forward to the next even with our Partner BVMW and thank all involved for their time and attention.


Check the teaser slide set below or contact us for additional information!