At the 21st German IT Security Congress of the Federal Office for Information Security (BSI) on Wednesday, a whole block of lectures once again focused on NIS-2. The EU directive on securing corporate software and networks came into force in October 2024 and continues to concern the BSI and its partners. This is mainly because far fewer companies have so far complied with the directive’s requirements than would actually be expected with such a law.
Registration with the BSI is going slowly
As Manuel Bach from the BSI Cybersecurity in Business Department noted in his introduction, it is very difficult to collect concrete figures on NIS-2 implementation in the German economy. In the BSI portal, the number of registrations from companies that the law classifies as “important” or “particularly important” entities continues to fall short of expectations. The affected companies should have registered with the BSI by March 6th.
The BSI knows of several companies subject to the registration obligation that, after management consulted legal counsel, deliberately decided not to register, Bach continued. A recent report from Schwarz Digits suggests that these are not isolated cases – business leaders prefer to let sleeping dogs lie.
In this context, Bach pointed out that management should take the issue seriously – and not just because of the personal liability of management stipulated in the law. Being of the opinion that your company is not required to register does not mean that this matches reality. Bach compared this to tax liability, which you also cannot decide for yourself whether it applies.
Almost half of the companies have never heard of NIS-2
The fact that many companies have not yet registered with the BSI, even though they should have, is probably also due to many companies still lacking awareness of what NIS-2 actually is. Worse still, a large number of companies in Germany probably do not even know that NIS-2 exists. According to Manuel Bach, a BSI study at the end of last year found that almost half of German companies had not heard of the term “NIS-2” at that time.
Younes Ahmadzei, who dealt with the implementation of NIS-2 in small and medium-sized companies in Germany as part of his bachelor’s thesis at the Technical University of Munich, painted a similar picture in his lecture. Many of the companies he surveyed said they had only been dealing with NIS-2 since the beginning of 2026. According to Ahmadzei, many company representatives see the implementation of the law as a purely compulsory task and doubt that the associated processes would improve IT security in their company.
At the end of the lecture block on this topic, Manuel Bach from the BSI also stated that the federal government – but also his own agency – still had a lot of work to do on the subject of NIS-2. The lack of knowledge about this topic in large parts of the economy clearly indicates that there is still a lot of educational work to be done here. And above all, it looks as if a not insignificant part of the German IT landscape also needs to be convinced that the implementation of this EU law is more than just a job creation measure by the EU Commission and BSI.
Anyone who recognizes their own company in this report will find a compact and practical introduction to the legal requirements and their implementation in the iX workshop “NIS-2 – Requirements and Specifications”.
(cku)
