21st BSI Security Congress: NIS-2 implementation far behind expectations

The directive is still too unknown and companies are ignoring the registration requirement, states the BSI at its annual congress.

By Fabian A. Scherschel

At the 21st German IT Security Congress of the Federal Office for Information Security (BSI), a whole block of presentations on Wednesday once again dealt with NIS-2. The EU directive on securing corporate software and networks came into force in October 2024 and continues to keep the BSI and its partners busy, mainly because far fewer companies are currently complying with its requirements than would normally be expected of such a law.

As Manuel Bach from the BSI's “Cybersecurity in Business” department noted in his introduction, it is very difficult to obtain concrete figures on NIS-2 implementation in the German economy. The number of companies that have registered on the BSI portal as “important” or “particularly important” entities under the law remains below expectations. By March 6th, all affected companies should actually have registered with the BSI.

The BSI is aware of several companies subject to the registration requirement that, after consulting top management and legal counsel, have deliberately decided not to register their own company, Bach continued. A recently published report by Schwarz Digits suggests that these are not isolated cases: company leaders apparently do not want to draw attention to themselves.


In this context, Bach stressed that management should take the topic seriously, and not only because of the personal liability of managers stipulated in the law. Believing that one's own company is not required to register does not mean that this is actually the case. Bach compared the situation to tax liability, which one cannot simply decide for oneself does not apply.

The fact that many companies have not yet registered with the BSI, even though they should, is probably also due to a lack of awareness of what NIS-2 actually is. Worse still, there is likely a large number of companies in Germany that do not even know NIS-2 exists. According to Manuel Bach, a BSI study at the end of last year found that almost half of German companies had not even heard the term “NIS-2” by then.

Younes Ahmadzei, who dealt with the implementation of NIS-2 in small and medium-sized enterprises in Germany as part of his bachelor thesis at the Technical University of Munich, painted a similar picture in his presentation. Many of the companies he surveyed stated that they had only started dealing with NIS-2 in early 2026. According to Ahmadzei, many company representatives see the implementation of the law as a mere compliance task and doubt that the associated processes would improve IT security in their company.

At the end of the presentation block on this topic, Manuel Bach from the BSI also stated that the federal government, and his own agency as well, still has a lot of work to do on NIS-2. The low awareness of the topic in large parts of the economy clearly shows that much educational work remains to be done. Above all, it looks as if a significant portion of the German IT landscape will still have to be convinced that implementing this EU law is more than just a job creation measure by the EU Commission and the BSI.

If you feel addressed while reading this report, the iX workshop “NIS-2 - Requirements and Specifications” offers a compact and practical introduction to the legal requirements and their implementation.

(mki)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.