Douglas Adams would love NIS2
The NIS2 registration deadline has passed, but many companies have not yet registered. This is why the implementation of the security directive is stalled.
- Ulrich Plate
From the science fiction author Douglas Adams, who died far too young, comes the quote: “I love deadlines. I love the whooshing noise they make as they go by.” Thousands of German companies apparently had noise cancellation switched on when the registration deadline for NIS2 facilities expired on March 6, 2026: By this date, three months after the underlying law came into force, all "important" and "particularly important" facilities should have registered with the joint portal of the Federal Office for Information Security (BSI) and the Federal Office for Civil Protection and Disaster Assistance (BBK). Around 11,500 authorities, companies, and other critical facilities are now registered – so complete fulfillment of the obligation by the approximately 30,000 companies required to register is still a long way off.
Is the procedure too complicated?
Why might so few have managed to register so far? Is the registration process perhaps too complicated? At least that is what you occasionally hear from those who have tried it but got stuck along the way. When setting up the company account required for using the BSI platform, proof of authorization to represent the company is required right at the start – logical. But first an ELSTER organizational certificate must be applied for, which is sent to the company by post. No problem, but certainly more time-consuming than many imagined. The authority has even made a special effort to pave the way for registration: A step-by-step guide provided by the BSI at the portal entrance leaves hardly any questions unanswered.
Once access to the portal has been set up, registration also requires information that may not be immediately at hand – for example, the public IP address space, which is part of the mandatory basic information for every registered company. The purpose is to enable the BSI to watch for unusual data traffic and port scans against those addresses, so that the company can receive warnings about potential incidents from the authority, independently of its own internal network monitoring. Providers of digital services must also report the IP addresses of their customer segment, not just the address space of their own facility.
Even if the registration itself is not entirely trivial, for many companies it is not the formal requirements that prevent them from registering on time. What is evidently lacking is rather the realization, or the acknowledgment, that they are affected at all. From countless conversations with managing directors, IT managers, and other decision-makers, it is clear that many are still uncertain which NIS2 relevance criteria apply to their specific business activities. And not only that: Even larger corporate groups underestimate that, for example, a separate group company that provides outsourced IT services to the other group companies can fall under the regulation when viewed on its own. Such a company is a managed services provider in the sense of the law, provided that the thresholds for employee numbers or turnover are exceeded.
In fact, there are borderline cases where the most important question is difficult to answer without a legal opinion: Are we as a company within the scope of the law or not? If, for example, a manufacturing company cannot tell whether the product and service categories listed in the EU's NIS2 Directive – and repeated word-for-word in the German BSI Act – accurately describe its own business, a certain helplessness is understandable. Even under these conditions, however, it is not advisable to forgo registration or to wait and see.
Conversely, there are also companies that have registered voluntarily and as a precaution – despite justified doubts about whether they are obliged to do so at all. In this way, they at least avoid potential fines, which can amount to up to half a million euros for failure to register. It is unlikely that the authorities will penalize numerous administrative offenses right at the start of the new regulation, but simply refusing to comply with applicable law until sanctions are actually imminent would be more than risky.
Ever-increasing investments
In principle, there is a willingness to implement measures to strengthen information security, even if they cost money. Since the beginning of Russia's war of aggression against Ukraine, investments in cybersecurity have also risen rapidly in Germany. According to survey results, such as those compiled by the Bitkom association or Schwarz Digit Research, the share of IT security spending is now twice as high as it was then. As a percentage of the total IT budget in the surveyed companies, it was still nine percent on average in 2022, and is now 18 percent. 41 percent of companies are even above the magical "cyber quota" that former BSI President Arne Schönbohm proclaimed years ago as a guideline for – in his words – "every digitalization project": Twenty percent of spending should thus be allocated to cybersecurity at a minimum.
If, despite this ample willingness to invest, many companies still state that they are not yet ready, the reluctance is difficult to justify. From the adoption of the European cybersecurity directive in December 2022 until the German implementation law came into force in December 2025, there was ample opportunity to deal with the implications for one's own company. Which sectors and company key figures determine whether an entity is subject to NIS2, what these obligations consist of in detail, and which specific measures count as minimum security requirements have all been known for more than three years.
In the area of the EU regulation for the financial sector, DORA, which came into force at the same time as NIS2 and the CER framework directive, it was already apparent at the beginning of 2025 that implementation proceeds much faster when regulated institutions are held strictly accountable by their supervisory authority. For over a year now, all relevant IT service providers for banks and other financial institutions have been reported to the Federal Financial Supervisory Authority (BaFin), together with information on the implementation of cyber risk measures. The fact that BaFin can extend its supervision to suppliers when needed, or when there is a justified suspicion that important measures have not been implemented, has certainly contributed to the now widespread compliance with this regulation. A visit from the supervisors can therefore also take place at the outsourced, independent IT operation, not just at the bank it works for.
Once the registration is finally completed, it will be high time for many of the 30,000 directly regulated entities, as well as the estimated 70,000 entities indirectly affected by the NIS2 provisions, to focus on implementing technical and organizational compliance. The well-known catalog of ten minimum security requirements in Section 30 (2) of the BSI Act contains no radical innovations and no unreasonable demands on the information security of companies. Most of it has been common practice in many IT departments and other organizational units for years and is already the norm. Apart from a few explicit additions such as multi-factor authentication and emergency communication, the ten-point list of prescribed risk management measures is overwhelmingly based on international standards, even though this is not stated explicitly in the directive or the law, since commercial standards cannot be written directly into legislation. In fact, three-quarters of the requirements summarized in the ten points are identical to the Information Security Management System of ISO 27001 – which is also the basis of the BSI IT-Grundschutz Kompendium, a different implementation of the same standard.
All those still hesitating to fulfill the registration and reporting obligations and to implement the cybersecurity measures can only be reminded that compliance with the law is at the core of any entrepreneurial activity. Those who ignore NIS2, or delay its implementation in their own company, risk serious legal and financial problems.
(mma)