Cybervize – Cybersecurity Beratung

NIS-2 is Coming: Roadmap & 10-Minute Check for Companies

Alexander Busse·July 7, 2025

NIS-2 is Coming: Act Now and Avoid Penalties

The NIS-2 Directive is approaching rapidly, and many medium-sized companies in Germany face a critical question: Are we affected? Companies that fail to answer this question in time face not only significant fines of up to 2% of annual revenue, but also operational risk and reputational damage. The good news: With a structured approach and a 10-minute self-check, you can quickly gain clarity.

In this article, you'll learn everything you need to know about the current NIS-2 implementation roadmap in Germany, how to check in just a few minutes whether your company is affected, and what concrete steps you should take right now.

The Official Roadmap: From Consultation to Entry into Force

According to the NIS-2 consultation by the German Federal Ministry of the Interior (BMI) dated July 4, 2025, the timeline looks as follows:

  • July 2025: Cabinet decision on national implementation
  • September 2025: Federal Council approval
  • October 2025: Adoption by the Bundestag
  • December 2025: Planned entry into force of NIS-2 implementation legislation

This tight timeline means that by the end of 2025, affected companies must meet the requirements of the NIS-2 Directive. Companies that don't act now will face time pressure and risk not being compliant in time.

Important: The Reporting Portal is Coming Earlier

Particularly noteworthy: The official reporting portal is scheduled to go live at it-sa 2025 (one of Europe's leading cybersecurity trade fairs). This means companies may be able to register, and should do so, even before the legislation officially enters into force. Those who act proactively here demonstrate transparency and are optimally prepared.

The Central Problem: Uncertainty About Scope

The biggest challenge for many companies is determining whether they are affected. NIS-2 targets:

  • Critical infrastructures (KRITIS) such as energy suppliers, healthcare, transportation, and financial services
  • Important entities in sectors like digital services, waste management, chemicals, and food production
  • Companies with more than 50 employees and annual revenue exceeding 10 million euros in relevant sectors

However, the exact classification is complex. Are you a supplier to critical infrastructures? Do you operate digital services? The boundaries are often fluid, and a wrong self-assessment can be costly.

The Solution: The BSI 10-Minute Self-Check

The German Federal Office for Information Security (BSI) offers a free NIS-2 applicability assessment. This self-check takes about 10 minutes and helps companies systematically determine whether they fall under the NIS-2 Directive.

Here's How to Proceed:

  1. Conduct the self-check: Use the BSI tool for NIS-2 applicability assessment (available on the BSI website)
  2. Secure the results: Document the results in writing and archive them
  3. Assign roles: Create synergy between IT, legal, and management by defining clear responsibilities
  4. Create an action plan: Develop a detailed plan with milestones through the end of 2025
  5. Allocate budget: Plan the necessary resources for technical and organizational measures

Why Early Transparency is Crucial

My tip: Clarify the scope as early as possible, carefully document the results, and register early in the reporting portal if necessary. Companies that act transparently today and proactively clarify their status will save themselves enormous stress, legal disputes, and potential sanctions tomorrow.

The Benefits of Early Action:

  • Avoiding penalties: Fines of up to 2% of annual revenue can be imposed for non-compliance
  • Better planning: Time for structured implementation instead of last-minute panic
  • Competitive advantage: Customers and partners value demonstrable cybersecurity standards
  • Reduced liability risks: Managing directors and board members bear personal responsibility

Concrete Action Steps for Your Company

Phase 1: Analysis (Immediately)

  • Conduct the BSI self-check
  • Assess company size, sector affiliation, and criticality
  • Document the results

Phase 2: Organization (Q2/Q3 2025)

  • Establish a NIS-2 project team with representatives from IT, legal, compliance, and management
  • Appoint a cybersecurity officer
  • Define responsibilities and escalation paths

Phase 3: Measures (Q3/Q4 2025)

  • Technical measures: Incident response, multi-factor authentication, encryption, backup strategies
  • Organizational measures: Risk management processes, security awareness training, supply chain management
  • Documentation: Creation of all required evidence and policies

Phase 4: Compliance (By End of 2025)

  • Registration in the official reporting portal
  • Implementation of reporting processes for security incidents
  • Establishment of continuous monitoring and improvement

The Role of IT, Legal, and Management

A key to success is interdisciplinary collaboration:

  • IT department: Implements technical measures, manages incidents, deploys security tools
  • Legal department: Reviews contractual aspects, assesses liability risks, ensures compliance
  • Management: Provides resources, bears strategic responsibility, communicates with stakeholders

Only when all three areas work closely together does the necessary synergy emerge for successful NIS-2 implementation.

Avoiding Common Mistakes

When implementing NIS-2, you should avoid the following typical pitfalls:

  • Underestimating the effort: NIS-2 is not just an IT project, but a strategic transformation
  • Lack of documentation: Everything must be demonstrable, including the applicability assessment
  • Isolated IT solutions: Without management commitment and legal review, failure is likely
  • Budget planning too late: Many measures cost time and money

Conclusion: Start Now, Benefit Later

The NIS-2 Directive is not an abstract EU requirement but will have concrete legal and financial consequences for thousands of German companies starting at the end of 2025. The combination of a 10-minute self-check, a clear roadmap, and a structured action plan gives you the confidence to be compliant in time.

Act now: Conduct the BSI self-check, document your status, assign responsibilities, and allocate budget and resources. Those who are transparent today and act proactively not only save penalties but also gain trust from customers, partners, and regulatory authorities.

it-sa 2025 will demonstrate how the reporting portal works. Be there when the new era of cybersecurity compliance begins.

---

Do you need support with NIS-2 implementation? Talk to experts who can help you professionally manage scope, measures, and compliance. Time is running out, but with the right strategy, you'll be well prepared.