NIS-2 Impact Analysis Completed – What Now?

In our consulting practice, we are increasingly receiving inquiries from companies regarding the NIS-2 Directive and the German NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Many organizations have already assessed their status and identified themselves as “important” or “essential” entities under NIS-2. Now they are asking: what concrete steps should we take next?

Uncertainty among companies is growing, especially since the legislative process for the NIS2UmsuCG was delayed due to federal elections. Although a new government has formed, the law is still in parliamentary review. A final adoption is not expected before late 2025 or early 2026. [Aktueller…IS2UmsuCG)]

Currently, there is no legal obligation to implement NIS-2 requirements. However, there are several compelling reasons why companies should act now:

  • Immediate applicability: Once the NIS2UmsuCG is enacted, it will take effect immediately. Neither the directive nor the German drafts provide a grace period, and the Federal Ministry of the Interior (BMI) has confirmed that no transition period is planned. [Entwurf ei…nd zur …]
  • Stable requirements: The core cybersecurity requirements of NIS-2 are well known and have remained consistent across legislative drafts. This provides a solid foundation for preparation.
  • EU pressure: Germany is already facing infringement proceedings from the EU due to delays in implementing NIS-2. The new government is expected to prioritize the law’s adoption. [Aktueller…IS2UmsuCG)]

What Should Affected Entities Do?

The NIS-2 Directive outlines 10 minimum cybersecurity risk management measures that all affected entities must implement. These measures align closely with the structure of an Information Security Management System (ISMS). Official bodies have indicated that these requirements can only be effectively met through the establishment of an ISMS.

We therefore recommend that all companies identified as “important” or “essential” under NIS-2 begin implementing an ISMS as soon as possible. Depending on company size, such a project may take 12 to 18 months, although faster implementation is possible in exceptional cases.

While NIS-2 does not restrict its scope to specific departments, it is advisable to start with areas exposed to high cyber risk—such as IT or production facilities with legacy operational technology (OT).

Scope and Capacity Challenges

According to government estimates, around 29,000 companies in Germany are directly affected by NIS-2. Many more may be indirectly impacted through supply chain obligations. However, consulting capacities are limited and will not suffice for all affected entities. This is another reason why early action is strongly recommended. [BSI – NIS-…nternehmen]

Be Proactive: NIS-2 Readiness Check for Your Company

After identifying NIS-2 relevance, we conduct a comprehensive NIS-2 Status Check for many organizations. This process begins with a kickoff workshop to introduce the core project team to NIS-2 requirements. Before interviews and assessments begin, participants gain a solid understanding of the directive.

Next, we conduct structured interviews based on audit topics, using ISO 27001 or the EU Implementing Act for ICT, depending on the entity type. For OT systems, we apply IEC 62443 standards. Interviews typically start with IT and OT structure analysis and include asset management. A site inspection completes the assessment, usually within three days.

Finally, we present a detailed report to the project team and management, providing a clear picture of the company’s current maturity level regarding NIS-2 compliance. This forms the basis for planning next steps.

Prepare early to meet NIS-2 requirements effectively.
We support companies throughout the entire process—from impact analysis to ISMS implementation and execution of required security measures. With our experience and practical solutions, we ensure you are well-prepared.

February 4, 2025 – Axel Amelung & Philipp Richter, TÜV TRUST IT GmbH