Germany one step closer to full implementation of NIS2: what does the Bundestag decision mean for companies?
On November 13, 2025, the German Bundestag passed the NIS2-UmsuCG (the NIS2 Implementation and Cybersecurity Strengthening Act), the law transposing the NIS2 Directive into German law. With this milestone, Germany has entered the final phase of NIS2 implementation, albeit with a significant delay against the EU transposition deadline. Although the implementing regulations and the BSI's technical guidance are still being drafted, one thing is now clear to companies: there is no further room for delay, and the mandatory preparation period has begun.
Below, we summarize what this means in practice, what steps need to be taken, and what the organizations concerned need to focus on.
What does the Bundestag's decision mean?
- The German transposition of the NIS2 Directive has now been adopted at parliamentary level.
- The detailed regulatory framework is still taking shape, however: approval by the Bundesrat, BSI guidance, implementing regulations and technical annexes are still pending.
- The law is expected to enter into force between the end of 2025 and the beginning of 2026, with some provisions taking effect in stages.
- Based on the indications so far, no lengthy transitional "preparation" period is expected in Germany: the obligations apply as soon as the law enters into force.
What steps will legislators take next?
Following the Bundestag's decision, the following processes are expected to start or be completed:
1. Approval by the Bundesrat
The Bundesrat, the chamber representing the federal states (Länder), is still reviewing the law. This may take several weeks or months.
2. Implementing rules of the BSI (Federal Office for Information Security)
The BSI is working on detailed technical requirements covering:
- incident reporting protocols,
- risk management controls,
- supply chain security requirements,
- audit and certification mechanisms.
3. Sector-specific regulations
Key sectors such as energy, healthcare, transport and telecommunications may be subject to additional sector-specific requirements.
4. Entry into force
Entry into force triggers the legal obligations for companies, which are expected to apply from early 2026.
What should companies do NOW?
Although some details remain to be worked out, the framework is already clearly visible. Companies need to take three major steps immediately:
1. Applicability check
Determine:
- how the organization is classified: "particularly important" or "important" entity,
- which of its activities and services fall within the scope of NIS2,
- which obligations arise from its supplier and customer relationships (customers in scope will pass requirements down their supply chain).
This step forms the basis for all further planning.
2. Gap analysis and risk assessment
Organizations should assess:
- which NIS2 controls are already in place,
- where the gaps are (e.g., risk management, incident management, supply chain),
- which documentation is missing (incident response plan, disaster recovery plan, ISMS, supplier security rules).
In our experience, most companies currently meet the NIS2 requirements only partially.
3. Setting priorities and launching projects
The following areas are the most critical:
- a new or updated ISMS (based on ISO 27001 or IT-Grundschutz),
- clearly assigned management responsibility and a governance structure,
- an incident management and reporting process that meets the NIS2 deadlines (early warning within 24 hours, incident notification within 72 hours, final report within one month),
- cybersecurity of the supply chain, including new contractual requirements for suppliers,
- stronger logging, monitoring and detection capabilities,
- security awareness training throughout the organization.
What should companies pay attention to?
1. Many organizations are newly subject to regulation
NIS2 is much broader in scope than the previous KRITIS regime.
Many medium-sized manufacturing, logistics, healthcare and digital service companies will be affected for the first time.
2. Management responsibility as a central element
Management bodies must approve and oversee the cybersecurity risk-management measures and can be held personally liable for breaches of these duties.
3. Supplier compliance cannot be avoided
Companies must assess, rate and continuously monitor supplier risks.
4. There is no time to delay; there will be no "soft" transition period
When the law enters into force, the obligations take effect with it.
How should organizations prepare?
1. Cost and resource planning
A NIS2 implementation project typically takes 6 to 18 months.
2. Regular audits and certifications
Mandatory audits, or at least an auditable control system, are expected to be required.
3. Improving documentation maturity
One of the most common shortcomings among German companies today is inadequate or incomplete information security documentation.
4. Updating IT security technologies
Log management, EDR/XDR, network monitoring, SIEM, incident management and network segmentation can all become part of the requirements.
Several years of experience in supporting NIS2 compliance
The EURO ONE Group is also present in the German-speaking countries: its subsidiary, SOCWISE, has been providing SOC-as-a-Service and other managed cybersecurity services on the German market for several years. The services operated by SOCWISE, including 24/7 monitoring, incident detection and handling, log management, and continuous monitoring of supplier and network risks, directly support the security controls required by NIS2.
Building on these, EURO ONE and SOCWISE offer comprehensive NIS2 preparation and cybersecurity support to organizations in the region, from applicability checks and gap analysis to ISMS development and ongoing SOC services.
This enables us to act as a reliable, professionally prepared partner for organizations in the DACH region in the effective and auditable implementation of their NIS2 obligations.