IT Security
December 2, 2025

German Parliament Passes NIS-2: What Companies Must Do Now for Better Cybersecurity

Better Late Than Never: The NIS-2 Law on Cybersecurity Is Now Being Implemented in Germany.

Germany is among the 23 EU member states that have implemented the European Union's NIS-2 law on cybersecurity late.

On November 13, 2025, the German Bundestag passed the NIS-2 Implementation Act, more than a year later than required by the EU. The delay even led the EU to open an infringement procedure, which could result in significant fines.

Progress is now being made: the Bundesrat also approved the law on November 21, 2025. With this step, Germany officially implements the EU directive NIS-2 (Network and Information Security Directive 2, EU 2022/2555). Full implementation takes effect after publication in the Federal Law Gazette. Companies must now understand what the NIS-2 law means for their cybersecurity.

What does NIS-2 mean?

NIS‑2 (Network and Information Security Directive 2) is the EU directive designed to strengthen cybersecurity. It significantly raises the cybersecurity requirements for companies and critical infrastructures, introducing new legal requirements that organizations must fulfill to remain compliant.

Companies and actors in critical infrastructures must:

  • Systematically manage risks to improve overall cybersecurity
  • Implement cybersecurity measures
  • Report cyber incidents promptly

What does NIS-2 mean for German companies?

A series of changes will impact companies across Germany, and understanding the law is essential for compliance. Companies should focus on key areas such as risk management, incident response, and data protection to meet the new requirements.

Complying with NIS-2 offers significant benefits, including improved organizational resilience and a reduced risk of cyberattacks.

1. NIS-2: More entities are subject to strict cybersecurity rules

NIS-2 will affect significantly more companies than previous regulations: around 29,850 businesses in the energy, healthcare, transport, and digital services sectors. These changes apply across all EU countries implementing NIS-2, not just Germany. A rising number of businesses have experienced cyberattacks in the past year, highlighting the widespread risk and the importance of compliance. The affected companies are required to implement clear cybersecurity measures to make Germany more resilient against cyberattacks.

What is KRITIS? Criteria and definitions

KRITIS, or critical infrastructure (German: “kritische Infrastruktur”), refers to organizations, facilities, and institutions whose failure would lead to supply bottlenecks or major disruptions to public safety. Sectors such as energy, water, healthcare, information technology, and transport are affected. Operators of critical infrastructures must implement strict protective measures, which NIS-2 strengthens to address modern cyber threats.

2. Stricter minimum requirements

NIS-2 increases the pressure on companies to strategically improve their cybersecurity. Companies must:

  • Conduct risk analyses
  • Develop emergency plans
  • Implement backup and encryption solutions

3. Stricter reporting obligations for cybersecurity incidents

NIS-2 introduces a strict reporting process for companies, requiring cyber incidents to be reported within defined deadlines:

  • Initial report within 24 hours
  • Interim report after 72 hours
  • Final report after one month

4. Strengthened supervision by the BSI

  • Greater powers for the Federal Office for Information Security (BSI)
  • A central coordinator for information security (CISO Federal) will be established

Continuous monitoring: The new backbone of NIS-2 compliance

Continuous monitoring has become the cornerstone of NIS-2 compliance and represents a significant shift in how companies across the European Union must approach cybersecurity. Rather than simply reacting to incidents, entities are now required to proactively assess and manage security threats to their network and information systems on an ongoing basis. This approach is designed to strengthen cybersecurity capabilities and to ensure the integrity and safe functioning of essential services, from hospitals to energy providers.

The directive sets out clear criteria for compliance, requiring entities to conduct regular security audits, implement incident response plans, and ensure that any significant security incidents are reported to the relevant authorities within a specified timeframe (typically 72 hours). These requirements are backed by stricter enforcement mechanisms, including substantial fines for non-compliance, which makes accountability and transparency a top priority for management teams.

The European Union Agency for Cybersecurity (ENISA) plays a vital role in supporting the implementation of NIS-2. ENISA provides guidance, best practices, and fosters cooperation and mutual trust among EU member states, helping organizations learn from each other and develop effective cybersecurity strategies.

In summary, continuous monitoring is essential for companies aiming to achieve and maintain NIS-2 compliance. By adopting innovative technologies, strengthening their information security frameworks, and staying ahead of evolving cybersecurity threats, organizations can ensure the safety and integrity of their networks, protect critical infrastructure, and contribute to a more secure digital environment for people and businesses across Europe.

How to make your company NIS-2-ready in six steps

For companies, the law means binding cybersecurity standards, new reporting obligations, and stronger oversight of critical infrastructures. Platforms like Kevla help companies manage trust documents securely and ensure NIS-2 compliance evidence is always audit-ready.

  1. Check: Is your company subject to NIS-2?
    Clarify two essential questions: Does NIS-2 apply to my company? What cybersecurity measures are required?
    Tip: The BSI (link available only in German) offers mentoring, starter packages, and virtual kick-off seminars for affected companies.
  2. Develop your risk strategy
    Prepare risk analyses and emergency plans, outline scenarios, and define measures to limit damage, inform employees, and secure your company’s cybersecurity.
  3. Prepare trust documents
    Ensure all security-relevant certificates and evidence are complete, current, and stored in a revision-proof manner as required by NIS-2, ideally via platforms like Kevla.
  4. Strengthen ISMS & governance
    Establish or expand a management system for information security to meet NIS-2 requirements and enhance your company’s cybersecurity posture.
  5. Define reporting processes
    Implement clear procedures for cyber incidents, including responsible personnel, emergency contacts, and deputies.
  6. Stay compliant and audit-ready at all times
    Tools like Kevla TrustDocS ensure your company remains compliant and that cybersecurity evidence is always accessible.

Strengthen your cybersecurity capabilities with employee training & awareness

Cybersecurity is an ongoing priority. Employees are the first line of defense against cybercrime, but often the greatest vulnerability. Regular training increases awareness and helps prevent incidents in companies.

List of common cyberattacks: This is what your cybersecurity needs to be prepared for

The number of attacks on companies’ cybersecurity in Germany is steadily increasing. The main attack types include:

Why Kevla is especially valuable for your company now

NIS-2 makes reliable management of all security-related documents essential. Kevla provides a central, secure platform for companies to manage compliance evidence efficiently:

  • Central management: All certificates, audit reports, and evidence in one secure location
  • Automated evidence management: Documents updated regularly and revision-proof
  • Supply chain security: Supplier documents are verified and continuously monitored
  • Tailored access rights: Control who can read or share documents
  • Compliance & reporting: Simplified NIS-2-compliant reporting
  • Audit readiness: Proof that all technical and organizational measures are implemented

Conclusion

The adoption of the NIS-2 Implementation Act strengthens cybersecurity in Germany. Companies must document their security measures and systematically manage evidence. Kevla supports companies in implementing all NIS-2 requirements efficiently, securely, and in an audit-ready way, for a safe future.