German Bundestag passes NIS2 Implementation Act – Take the NIS2 Readiness Check now!


On 13 November 2025, the German Bundestag passed the final ‘NIS 2 Implementation and Cybersecurity Strengthening Act’ (NIS2UmsuCG). This ends the uncertainty: the EU’s NIS 2 Directive is now binding German law.

The 3 most important game changers in today’s decision:

1. Expanded scope of applicability:

The focus is no longer solely on the traditional 2,000 or so ‘KRITIS’ operators. With the new categories of ‘important’ (e.g. mechanical engineering, food production, chemicals) and ‘particularly important’ (e.g. energy, banking, health) facilities, the probability that your company is now affected (as one of a total of around 40,000) has increased massively.

2. Personal liability of management:

The management boards (managing directors, board members) are now personally responsible for the implementation of (and non-compliance with!) cybersecurity measures. They must accept the measures and monitor their implementation. Violations are subject to heavy fines that can no longer simply be passed on to the company.

3. Stricter requirements & deadlines:

It is no longer just a matter of having a firewall. NIS2 requires comprehensive risk management that covers the entire supply chain. In addition, the reporting deadlines for security incidents are drastically shortened (often to 24 hours for an initial report).

What you should do now:

Those who have only been analysing the situation so far must now take action. NIS2 is not purely an IT issue; it is a strategic management issue that determines the resilience and future viability of companies.

Clarify whether you are affected: Does your company fall under the new regulations? If so, you will also have to meet the requirements of your customers/supply chains.

Perform a gap analysis: Where do you stand? Which of the required measures are missing?

Involve management: Top management must understand the new personal liability risks and release the necessary resources.

Create a roadmap: Develop a clear, prioritised plan to close security gaps and implement management processes.

Still not quite sure what exactly to do? Then we recommend our NIS2 Readiness Check:
