NIS-2 has been enforceable law in Germany since December 2025. No transition period, no grace period, no exceptions. Around 29,500 companies across 18 sectors are required to implement risk management, report security incidents, and register with the BSI. And yet: at the 21st German IT Security Congress of the Federal Office for Information Security, the BSI was forced to admit that implementation is falling far short of expectations. Registration numbers are disappointing, awareness of the directive is alarmingly low, and a significant number of affected companies have made a deliberate choice not to register at all.
What is driving this? And more importantly: how can companies finally clear the compliance hurdle without overstretching their operational resources? The answer lies, to a large degree, in modern GRC software solutions.
Key Takeaways
- According to the BSI, nearly half of all German companies had never heard of NIS-2 by the end of 2024.
- The NIS-2 Implementation Act has been in force since December 6, 2025, with no transition period. The BSI registration deadline expired on March 6, 2026.
- The main reasons for non-compliance: lack of awareness, perceived complexity, resource constraints, and a deliberate wait-and-see approach.
- Non-compliance can result in fines of up to 10 million euros or 2% of global annual turnover.
- Managing directors and executives face personal liability for meeting cybersecurity obligations.
- GRC software demonstrably reduces implementation effort by up to 40–50% and delivers structure, automation, and audit-readiness in a single tool.
The Wake-Up Call from the BSI Congress: Germany Is Asleep at the Wheel
At the 21st BSI Security Congress, Manuel Bach of the BSI’s Cybersecurity in Business division spoke plainly: registration numbers in the BSI’s reporting portal remain well below expectations. Worse still, the BSI is aware of companies that — after consulting their legal counsel — have made a conscious decision not to register, hoping to stay below the radar.
And then came perhaps the most alarming statistic: nearly half of all German companies had never heard the term “NIS-2” at the time of a BSI study conducted at the end of 2024. Not unfamiliar as an obligation — simply unknown as a concept.
Younes Ahmadzei, who examined NIS-2 implementation in German SMEs as part of his bachelor’s thesis at the Technical University of Munich, painted a similar picture: many of the companies he surveyed had only begun engaging seriously with the topic at the start of 2026 — after the law had already come into force without a transition period. And even those who are aware of the directive often doubt whether implementing it would actually improve their company’s IT security. NIS-2 is being perceived as a bureaucratic checkbox exercise, not as a strategic opportunity.
This finding is alarming — and, at the same time, entirely explainable.
Why So Many Companies Are Ignoring NIS-2: The Five Biggest Barriers
1. Lack of Awareness and Uncertainty About Being Affected
The first and most fundamental reason is simply a lack of awareness. Many companies do not know that NIS-2 applies to them. The directive has dramatically expanded the circle of organizations under obligation: from around 4,500 companies under the old NIS directive to more than 29,500 in Germany alone. Now covered are mid-sized companies across 18 sectors — including energy, transport, healthcare, manufacturing, digital services, financial services, and public administration.
As a general rule: companies with at least 50 employees or more than 10 million euros in annual revenue may fall within scope. Those who do not actively ask whether this applies to their organization risk overlooking their own legal obligations.
2. The Perceived Complexity of the Regulatory Framework
NIS-2 is complex. Germany attempted to address multiple regulatory challenges simultaneously within a single piece of legislation — the result is a layered rulebook that even experts find challenging. For many mid-sized businesses, the legal text feels abstract and difficult to translate into concrete operational measures.
According to the study “Cybersecurity & Digital Resilience 2026,” 47 percent of surveyed companies rate the implementation of NIS-2 as difficult or very difficult. The most commonly cited barriers — each named by around 39 percent of respondents — are the high effort required to adapt processes and policies, and the sheer complexity of the requirements themselves. A further third cite unclear regulatory guidance and integration challenges with existing IT systems.
Governance obligations, risk management, incident response, supplier assessments — many of these requirements feel as though they were written for large corporations with dedicated compliance teams. For a mechanical engineering firm with 80 employees in southern Germany, the reality looks very different.
3. Resource Constraints in SMEs
Large companies have dedicated IT departments, security teams, and in-house compliance expertise. Small and medium-sized enterprises — precisely the group that NIS-2 brings into scope for the first time — simply do not. In interviews with affected business representatives, the workload was estimated at a minimum of one person spending two to three days per week on this topic alone — a realistic assessment that many SMEs cannot absorb without significant additional cost.
There is another layer to this: many companies are technically reasonably well set up, but fall short when it comes to organizational structures and documentation. Missing process frameworks, no embedded security culture, barely any reporting structures in place — all of this makes compliance work laborious and draining.
4. The Wait-and-See Strategy
For as long as the national implementation law was not finalized, many companies chose to wait. This hesitation was a deliberate strategic calculation: investing too early might mean heading in a direction that the final legislation would correct. This posture led to a dangerous standstill — and when the law came into force in December 2025 without a transition period, many companies were completely unprepared.
That argument is now obsolete. The law is in effect. The registration deadline passed on March 6, 2026. Any company that has not yet registered is already risking a fine.
5. Underestimating Personal Liability
NIS-2 is the first German cybersecurity law to hold managing directors personally accountable. Section 38 of the new BSIG requires company management to, among other things, regularly undergo training in four core areas — at least every three years. And any executive who ignores their organization’s reporting obligations faces personal liability.
Manuel Bach of the BSI drew a sharp analogy at the congress: you cannot simply decide for yourself that you are not subject to tax obligations. The same logic applies here. Just because a company believes it falls outside the scope of NIS-2 does not make that belief legally valid.
The Cost of Inaction: What Companies Are Risking
The fine frameworks under NIS-2 are substantial. For particularly important entities, sanctions can reach up to 10 million euros or 2 percent of global annual turnover — whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent of global revenue.
On top of that comes the personal liability of senior management, the full weight of which many executive teams have yet to appreciate. Companies with inadequate security measures also face significant reputational damage if a security incident becomes public and it is clear that no appropriate steps had been taken.
And finally: companies that are part of a supply chain are increasingly being scrutinized by larger customers and partners for compliance status. NIS-2 compliance is becoming a competitive differentiator.
Why Manual Implementation Hits a Wall
The traditional approach — bringing in consultants, maintaining Excel spreadsheets, assembling documentation in Word files — works for large corporations with the necessary resources. For mid-sized businesses, it is simply too time-consuming, too error-prone, and too difficult to scale.
NIS-2 is not a one-time project you can tick off and forget. It demands continuous risk management, regular review of security measures, structured incident response within strict reporting deadlines — significant security incidents must be reported to the BSI within 24 hours — and ongoing documentation of supply chain security.
That is not a workload you can manage with a checklist in a drawer.
How GRC Software Closes the Compliance Gap
Governance, Risk & Compliance — or GRC — software was built precisely for this problem: translating complex regulatory requirements into structured, scalable, and traceable action. For NIS-2, GRC software is not a nice-to-have. It is a strategic tool.
A Structured Starting Point Instead of Disorientation
Modern GRC platforms deliver pre-configured NIS-2 frameworks that include all relevant control areas, compliance objectives, and documentation templates. Instead of starting from scratch, a company begins with a structured gap assessment: where does the organization stand today? Which requirements are already met? Where do gaps remain?
This gap analysis is the foundation for a prioritized action plan — and exactly what many companies have been missing: a clear picture of where to start.
Automated Risk Management
NIS-2 demands the continuous identification, assessment, and mitigation of risks. Handled manually, that means recurring workshops, spreadsheet maintenance, and internal coordination rounds. A GRC platform automates these processes: risks are captured, assessed, linked to specific measures, and documented in a living risk register — one that updates automatically as the threat landscape or organizational structure evolves.
Incident Management with Integrated Reporting Workflows
The 24-hour reporting deadline for significant security incidents is one of the toughest operational requirements in NIS-2. Without structured processes, it is nearly impossible to meet. GRC software provides integrated incident management modules: incidents are recorded in a structured way and automatically classified, the relevant stakeholders are notified, and reporting pathways to the BSI can be prepared in advance. Comprehensive documentation also protects management in the event of a liability claim.
Supply Chain Security and Third-Party Management
NIS-2 also requires companies to secure their supply chains. That means: suppliers and service providers must be assessed for their security practices. A GRC platform allows this third-party management to be mapped systematically — with automated questionnaires, structured assessment workflows, and a central overview of all relevant partners.
Audit-Readiness at the Push of a Button
Particularly important entities must demonstrate their measures to the BSI within three years. Organizations that map their NIS-2 compliance in a GRC platform are audit-ready at any time: all evidence, documents, risk assessments, and action logs are stored in one central location, versioned, and retrievable on demand.
Relieving the Burden on Management and IT
An often-underestimated benefit: GRC software takes pressure off executive leadership. Instead of being overwhelmed by compliance details, decision-makers get clear dashboards that show at a glance where the organization stands on NIS-2 conformity. IT teams are relieved because routine tasks are automated — by up to 40 percent, according to research data.
Multi-Framework Coverage: NIS-2 Does Not Stand Alone
Companies required to implement NIS-2 often carry other regulatory obligations as well: GDPR, ISO 27001, DORA (for financial entities), TISAX (for the automotive industry), or the forthcoming KRITIS Umbrella Act. Well-integrated GRC platforms can map these frameworks in parallel and leverage synergies — organizations that are already ISO 27001 certified have a significant head start on NIS-2 compliance.
Zazoon: GRC Software That Does Not Overwhelm
At Zazoon, we have observed the realities of the mid-market up close. Companies do not need another checklist or another consultant’s slide deck. They need a software solution that breaks NIS-2 down into manageable steps, guides the implementation, and does not demand more IT expertise than realistically exists within the organization.
Our GRC platform delivers exactly that: a structured NIS-2 onboarding experience, integrated risk management, automated documentation, and a central dashboard for both management and IT — without requiring a dedicated compliance team to be built from scratch.
Conclusion: The Cost of Waiting Is Too High
NIS-2 is not a bureaucratic construct you can wait out. It is enforceable law with substantial penalties and personal liability for management. The sobering figures from the BSI Congress show that a significant portion of German business has yet to grasp this reality — or is deliberately choosing to ignore it.
The good news: it is not too late to get started in a structured way. And GRC software makes it realistic for the first time to achieve NIS-2 compliance without a large compliance team and without six-figure consulting budgets. Companies that act now are not just protecting themselves from fines and liability risks. They are building the foundation for a more resilient IT infrastructure, strengthening the trust of their customers and partners, and positioning themselves as dependable links in a security-conscious supply chain.
The effort is real. But it is manageable — with the right tools.
Frequently Asked Questions (FAQ)
Does NIS-2 apply to my company if we are not a technology business?
Yes, in many cases. NIS-2 covers companies across 18 sectors, including energy, transport, healthcare, mechanical engineering, chemicals, food production, and public administration. As a general rule: organizations with at least 50 employees or more than 10 million euros in annual revenue should actively check whether they fall within scope. This assessment should be carried out as soon as possible.
What happens if my company missed the registration deadline?
The BSI registration deadline expired on March 6, 2026. Companies that have not yet registered are at risk of fines and should complete registration without delay. The BSI has indicated that it is actively monitoring compliance with the obligations.
How significant are the potential fines?
For particularly important entities, fines can reach up to 10 million euros or 2 percent of global annual turnover. For important entities, the framework allows for fines of up to 7 million euros or 1.4 percent of global revenue.
What is the difference between “important” and “particularly important” entities?
Particularly important entities are larger organizations in critical sectors such as energy, water, financial market infrastructure, and healthcare. Important entities include mid-sized companies and organizations from additional sectors such as manufacturing, food, and digital services. The precise classification depends on sector, company size, and market position.
Does ISO 27001 certification help with NIS-2 implementation?
Yes, significantly. ISO 27001 and NIS-2 overlap in many areas — particularly around the information security management system (ISMS), risk analysis, and the documentation of security measures. Organizations that are already ISO 27001 certified have a meaningful head start. Good GRC platforms map both frameworks in parallel and use existing work as the foundation for NIS-2 compliance.
How long does NIS-2 implementation take with GRC software?
It depends on the organization’s starting point. With a GRC platform that includes structured templates, gap analyses, and automated workflows, well-prepared companies can reduce the time to compliance by up to 50 percent compared to a purely manual approach. Realistic timelines for reaching an initial solid compliance baseline are three to six months.
What exactly do I need to do as a managing director or executive?
Under Section 38 of the new BSIG, company management must actively oversee and approve the implementation of risk management measures. Regular training in four core areas is also mandatory — at a minimum every three years. Those who neglect these obligations face personal liability. A GRC platform helps document and evidence these activities in a structured and verifiable way.
Can GRC software also cover supply chain security?
Yes. Modern GRC platforms offer third-party management modules that allow suppliers and service providers to be systematically assessed and documented. This is particularly important given that NIS-2 explicitly requires supply chain security as part of an organization’s overall risk management obligations.