
NIS2 Directive poses problems for German companies


    A recent survey by the Eco Association shows alarming gaps in the preparation of many German companies for the new requirements of the NIS2 Directive. This European cybersecurity directive, which is to be transposed into German law by October 2024, places high demands on IT security that companies have not yet adequately addressed. Specifically, the NIS2 Directive requires companies that are considered operators of critical infrastructure to comply with strict IT security standards. Companies that fall within the scope of the NIS2 Directive must review their cybersecurity strategies and adapt them where necessary. This may require significant investment in new technologies and training to meet the new requirements. Overall, the NIS2 Directive aims to strengthen the EU's resilience to cyber threats and to ensure the security and reliability of network and information systems in Europe.

    A survey of 250 IT decision-makers, conducted by the market research institute Civey on behalf of the Eco Association, has now revealed that many companies have not yet implemented the necessary measures. Alarmingly, 32.8 percent of those surveyed have not yet taken any measures to meet the requirements. A further 40 percent state that they are not sufficiently informed about the new legal regulations, and only 13.2 percent of the companies surveyed have already improved their IT risk management accordingly at this point in time.

    High requirements and lack of implementation

    The new NIS2 Directive expands the number of affected companies from 2,000 to over 30,000, meaning that tens of thousands of companies in Germany will be subject to EU-wide cybersecurity regulation for the first time. The directive provides for ten specific risk management measures that companies must implement. These include raising employee awareness, compliance with security requirements and the introduction of emergency and crisis management systems. At present, only 14.6 percent of companies have raised their employees' awareness accordingly, 14.5 percent comply with security requirements and only 12.1 percent have implemented an emergency and crisis management system. Even more alarming is the fact that only 7.1 percent of companies have introduced industry standards such as ISO 27001 or BSI IT baseline protection.

    Urgent need for action

    Ulrich Plate, head of the Eco KRITIS competence group, is concerned about the reluctance of companies to prepare for the new requirements. He emphasizes that NIS2 is coming in any case, and compliance with legal requirements is not an "opt-in procedure." In view of the greatly increased fines and the personal liability of management bodies in the event of breaches, IT managers should be aware of their responsibility and act accordingly.

    The Eco Association advises IT managers to take a close look at the new requirements now and take appropriate measures. Among other things, it recommends implementing business continuity management (BCM), managing cybersecurity risks on a professional and transparent basis and reviewing supply chain security. In addition, companies should install comprehensive IT baseline protection and prepare their staff and management bodies for the new challenges through training and awareness-raising measures.

    Another important point is the establishment of holistic IT baseline protection. In addition to technical aspects, infrastructural, organizational and personnel issues should also be taken into account. This includes procedures for the use of cryptography and measures that reduce the IT security risks arising from the human factor. Companies should use multi-factor authentication and secure communication systems, including for emergencies.

    Finally, the Eco Association emphasizes the importance of training, education and awareness-raising. Companies should empower their employees and management bodies and raise awareness of security risks. Particularly vulnerable target groups should be familiarized with social engineering and other threats in order to effectively counter possible attacks.

    Author
    Stefan Schasche
    As an experienced IT editor, Stefan Schasche writes about everything that has microchips or Li-ion batteries under the hood. He also reports on campaigns, programmatic advertising and international business topics.