NIS-2 and no end in sight: implementation in Germany delayed further

Implementation, which should originally have been completed by October 2024, is still pending due to the break-up of the coalition and the formation of a new government. Implementation is currently not expected before fall 2025.

What is NIS-2 about?

NIS-2 (“Network Information Security-2”) is an EU Directive to strengthen and increase cybersecurity and safeguard digital factors of critical infrastructures in the EU. The Directive builds on NIS-1 from 2016 and now requires significantly more companies than before to take corresponding action – around 30,000 companies in Germany.

After the Directive came into force across the EU on January 16, 2023, the member states had 20 months to transpose it into national law. Italy, Belgium and Croatia, among others, successfully implemented the Directive on time. The NIS 2 Directive goes hand in hand with the CER Directive (“Critical Entities Resilience” Directive), which is implemented by the German KRITIS Umbrella Act and is equally late in its implementation.

What does the delay mean for affected companies?

According to the previously applicable schedule, the affected companies would have had to register with the German Federal Office for Information Security “BSI” by mid-January 2025. As adoption at national level is still pending, there are currently no obligations for the companies affected in the future.

However, it is not yet clear whether there will be a further implementation period for companies after the law has been passed and for how long. Due to the great uncertainties and the already known requirements, it is advisable to prepare as well as possible in order to ensure rapid implementation and avoid fines.

Baker Tilly’s cybersecurity team supports and advises you on the implementation: After analyzing the impact, we determine the maturity level and derive the necessary NIS 2 measures.