1. Introduction: Scaremongering about NIS2
If you have opened your inbox or LinkedIn feed in the last few months, you have come across one buzzword above all: NIS2. Consultancies are outdoing each other with advertising campaigns that look professional at first glance but, on closer inspection, convey one thing above all: fear.
The emails often begin with alarming statements such as “Your company risks millions in fines if you do not act immediately” or “Managing directors are personally liable with immediate effect”. Webinars promise “the last chance to avoid falling into the liability trap”. Some advertising texts even go so far as to claim across the board that every company in Germany is already legally obliged to implement specific measures.
This picture is not only distorted, but simply wrong. There is no question that the NIS2 directive is an important step for European cybersecurity and that companies should be concerned with it. But the reality in Germany is different: The directive has not yet been transposed into national law, there are no binding deadlines and no sanctions that would take effect today.
The result is an artificial urgency that has more to do with marketing interests than with serious advice. Many companies feel pressured and begin to react in a hectic and uncoordinated manner. This is exactly where ISX comes in: we deliberately swim against this current. Our aim is to provide clarity, put the facts in context and show companies how they can prepare sensibly without falling for empty threats.
2. Background: What is NIS2 really?
To understand the current discussion, it is worth looking at the basics. NIS2 is short for “Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union”. It was adopted at European level in December 2022 and entered into force on January 16, 2023. Its aim is a comparable, higher level of information and cyber security in all member states.
Differences to the original NIS Directive
The EU adopted the first NIS Directive (Directive (EU) 2016/1148) back in 2016. It focused on operators of essential services in sectors such as energy, transport and healthcare, plus a small group of digital service providers. Experience in recent years has shown that this scope was not enough. Attacks on supply chains, digital services and SMEs have made it clear that security breaches no longer affect only the traditional sectors.
The NIS2 Directive therefore extends the scope considerably. It now also covers many companies from sectors such as manufacturing, logistics, waste management, postal services, public administration and digital services. This raises the number of potentially affected entities across Europe from a few hundred to several tens of thousands.
Key objectives of the NIS2 Directive
The directive pursues three core objectives:
- Greater cyber security across the board: Not only critical infrastructures should be protected, but also important economic sectors whose failure would have significant consequences.
- Uniform standards in all EU member states: Until now, the implementation of NIS has varied greatly in the member states. NIS2 is intended to ensure a comparable level.
- Clearer responsibilities and duties: Companies should not only introduce technical protection measures, but also assume management responsibility, document risks and report security incidents promptly.
Typical requirements provided by NIS2
The directive itself does not contain a detailed to-do list for companies; it sets out a framework of minimum measures (Article 21) that each member state fleshes out in national law. Typical points are:
- Introduction of risk management processes
- Technical and organizational security measures (e.g. access control, encryption, patch management, multi-factor authentication)
- Supply chain security, including the security of relationships with suppliers and service providers
- Emergency and business continuity management
- Reporting obligations for significant security incidents within tight deadlines (the directive sets an early warning within 24 hours, an incident notification within 72 hours and a final report within one month)
- Responsibility at management level
These points sound familiar because they closely follow established standards such as ISO 27001 and, in Germany, the IT Security Act (IT-Sicherheitsgesetz). Companies that already implement such standards today have therefore already fulfilled a large part of the expected requirements.
3. Status quo in Germany
The European NIS2 Directive has been in force since January 16, 2023. In order for it to take effect, it must be transposed into national law by each member state. The EU set a deadline of October 17, 2024 for this implementation, but Germany has not met this deadline, which has already led to criticism in Brussels.
The current status
On July 30, 2025, the German federal cabinet approved the government draft of the so-called NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). This law is intended to transpose the requirements of the directive into national law. Although this is an important step, the law has not yet been passed. It still has to go through the parliamentary process, in which the committees, the Bundestag and the Bundesrat are involved.
Schedule and outlook
It is realistic to assume that it will not be adopted until the end of 2025 or early 2026 at the earliest. Only then will the new obligations and sanctions actually come into force. Until then, there are no specific deadlines or valid fines that companies will have to adjust to.
Political discussion
The political debate also reveals differing interests. While some stakeholders are calling for rapid and strict implementation, others point to the burdens on small and medium-sized enterprises. The question of which sectors and company sizes should actually be included also remains controversial.
Implications for companies today
For companies, this status quo means
- There are currently no legally binding obligations from NIS2 in Germany.
- Threats of “missed deadlines” or “immediate penalties” are inappropriate.
- However, it makes sense to prepare for what the NIS2UmsuCG will bring. Companies that already work with standards such as ISO 27001 or BSI IT-Grundschutz today will find it easier to adapt later.
Conclusion on the status quo
Germany is late in implementing NIS2. Nothing is set in stone yet. Anyone who claims that the obligations already apply is not acting seriously. Companies therefore have time to plan in a structured manner instead of lapsing into frantic, uncoordinated action.
4. What NIS2 is not
Precisely because NIS2 is currently being advertised so heavily and presented as an acute threat, it is important to clarify what the directive is not. Many of the claims circulating sound dramatic, but are simply wrong or grossly exaggerated.
No immediate fines
It is true that NIS2 provides for a stricter sanctions regime than the previous legal situation. The directive sets maximum fines modelled on the GDPR: up to EUR 10 million or 2 % of global annual turnover for essential entities, and up to EUR 7 million or 1.4 % for important entities. However, as long as the NIS2UmsuCG has not been adopted in Germany, there is no legal basis for these penalties. No company can be fined under NIS2 in Germany today.
No retroactive deadlines
A popular panic scenario is that companies have long since missed deadlines. In fact, there are no valid deadlines in Germany as the national law is not yet in force. Retroactive obligations would also be highly problematic in legal terms and therefore almost impossible to enforce.
Not mandatory for every company
It is often suggested that all companies in Germany are affected. The fact is: NIS2 distinguishes between essential entities and important entities. Only organizations that meet certain criteria, in particular a listed sector combined with a minimum company size in terms of employees, turnover and balance sheet total, fall within the scope of application. Small businesses and craft enterprises are generally not affected.
No obligation to report every IT problem
Another myth is that in future every minor incident must be reported immediately to an authority. In reality, the planned reporting obligations relate to significant incidents: those that cause or could cause severe operational disruption or financial loss, or that cause or could cause considerable damage to other persons or organizations. Routine disruptions and minor outages are not covered.
No complete lack of clarity
Even if the national law does not yet apply, NIS2 is not a blank slate. The directive defines a clear framework that companies can use as a guide. Those who already rely on established standards are moving in the right direction. The assertion that you know “nothing at all” and can therefore only blindly purchase expensive consulting services is also incorrect.
5. The fear industry: How marketing creates panic
A veritable fear industry has formed around NIS2. Numerous consulting and IT service providers have discovered the directive as a sales argument and are focusing on marketing that aims less to educate and more to unsettle. The pattern is always the same: scenarios are outlined which, in the worst case, end with fines in the millions, personal liability or immediate audits by the authorities. These scenarios are not reality but deliberately exaggerated horror stories.
Advertisements, newsletters and webinars often contain phrases such as “Failure to comply with the NIS2 directive could result in heavy fines” or “Those who wait risk personal liability and loss of reputation”. Some providers even go so far as to claim that NIS2 applies to every company regardless of industry and size. Others give the impression that there are already specific deadlines that have long since expired and that companies are already the focus of the authorities.
At first glance, these statements appear dramatic and thus generate the desired reaction: decision-makers should get the feeling that they have to act immediately, whatever the cost. However, their content is incomplete and misleading. It is true that NIS2 provides for fines and liability regulations, but as long as the directive has not been transposed into national law in Germany, there is no legal basis. The question of which companies will be specifically affected has also not yet been conclusively clarified. The reality is therefore much more differentiated than these advertising slogans suggest.
The reason for this scaremongering is obvious. In a highly competitive market in which consulting services seem interchangeable, fear creates a competitive advantage. Anyone who succeeds in creating uncertainty in a company increases the likelihood that this company will purchase an external service in the short term. This is not about sustainable partnerships or professional depth, but about quick deals that come about through artificially created pressure to act.
This is dangerous for the companies concerned. Those who set the wrong priorities out of fear often invest in measures that have little effect or have to be corrected later. Instead of a well thought-out strategy, the result is frantic, uncoordinated action. This is precisely why it is important not to be driven by such messages and to focus on the actual facts.
6. Practice: Uncertainty in the economy
The uncertainty surrounding NIS2 is not theoretical; it is documented by numerous associations, specialist media and institutions. Companies are faced with a directive whose content is clearly outlined but whose national implementation in Germany is a long time coming. This tension leads to misunderstandings and creates an atmosphere in which marketing messages easily gain traction.
Although the German government passed the draft for the so-called NIS2 Implementation and Cybersecurity Strengthening Act on July 30, 2025, it is still in the parliamentary process. For companies, this means that there are no legally binding obligations that already apply today. Nevertheless, many companies feel under pressure because the public discourse and advisory services suggest that they should have acted long ago.
In an information paper, the Cologne Chamber of Industry and Commerce expressly points out that companies should currently check whether they could potentially be affected, but at the same time emphasizes that implementation into national law is not expected until the end of 2025. This classification shows that preparation makes sense, but panic is out of place.
The IHK Nord Westfalen also makes it clear that there is currently no valid German regulation that makes the EU requirements binding. Companies are in a legal transition phase in which guidance is possible, but there are no obligations.
Trade press such as heise online regularly report on the delays and the political discussions. According to these reports, the EU’s infringement proceedings against Germany in particular are contributing to the impression in the business community that there is acute pressure to act. In reality, however, the proceedings are aimed at the German government, not individual companies.
The industry association Bitkom has also criticized the current draft law and is calling for improvements. The public position makes it clear that many questions regarding the design are still unanswered. For companies, it is therefore clear that there is still no fixed template that they have to comply with immediately.
Taken together, a clear picture emerges. Companies are unsettled because they are receiving contradictory signals. On the one hand, authorities and associations are stating that there are no specific obligations as yet. On the other hand, consultancy providers are using the situation to build up pressure with terms such as fines, liability or immediate reporting obligations. However, as long as the German law has not been passed, the reality remains: preparation makes sense, panic does not.
7. What companies should really do now
Even though NIS2 is not yet legally binding in Germany, this does not mean that companies should remain inactive. There is a constructive middle way between blind panic and complete ignorance. Those who choose this path are prepared without wasting unnecessary resources.
7.1 Check whether you are affected
The NIS2 Directive distinguishes between essential entities and important entities. Sectors affected include energy, transportation, healthcare, manufacturing, digital services and public administration. The criteria are usually the sector and the company size: an entity is in scope if it is at least a medium-sized enterprise as defined in EU Recommendation 2003/361/EC, i.e. 50 or more employees, or more than EUR 10 million in both annual turnover and annual balance sheet total. A company with 30 employees and EUR 12 million turnover but a balance sheet total below EUR 10 million is therefore still a small enterprise and, apart from a few sector-specific special cases, not in scope.
Companies should therefore carry out a self-assessment at an early stage to determine whether they could potentially fall under the directive according to these standards. For many small businesses, there is no risk of being affected.
One helpful tool is the NIS 2 impact assessment (NIS-2-Betroffenheitsprüfung) from the German Federal Office for Information Security (BSI). With a short questionnaire, the tool provides an initial assessment of whether your company could be affected by the directive. It can be used anonymously; the result is not legally binding but is very useful for orientation.
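The size test that underlies this self-assessment is easy to get wrong, because the financial ceilings in EU Recommendation 2003/361/EC are joined by “and”, not “or”. The following self-check is an added example written for this article; it is not the BSI tool and not code from any official source. It encodes the medium/large thresholds from the Recommendation and the essential/important split from Article 3 of the directive. The sector sets are an illustrative subset of Annex I and Annex II, the size-independent special cases of Article 2(2) (DNS providers, TLD registries, trust service providers, sole providers in a member state, and similar) are deliberately not modelled, and the sample entities are constructed, not real companies. The German NIS2UmsuCG may define its own sector list, so treat the result as orientation only.

```python
"""Simplified NIS2 scope self-check (added example, not an official tool).

Size test: Recommendation 2003/361/EC, Annex, Article 2.
Category:  Directive (EU) 2022/2555, Article 3 (simplified; the
           size-independent special cases of Article 2(2) are NOT modelled).
"""
from dataclasses import dataclass

# Illustrative subsets of the sectors named in the directive's annexes.
ANNEX_I_SECTORS = {  # "sectors of high criticality"
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
ANNEX_II_SECTORS = {  # "other critical sectors"
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}

# Thresholds from Recommendation 2003/361/EC (headcount, EUR, EUR).
MEDIUM_STAFF, MEDIUM_TURNOVER, MEDIUM_BALANCE = 50, 10_000_000, 10_000_000
LARGE_STAFF, LARGE_TURNOVER, LARGE_BALANCE = 250, 50_000_000, 43_000_000


@dataclass(frozen=True)
class Entity:
    name: str
    sector: str
    staff: int         # annual work units (headcount)
    turnover_eur: int  # annual turnover
    balance_eur: int   # annual balance sheet total


def size_class(e: Entity) -> str:
    """Return "small", "medium" or "large" per 2003/361/EC.

    An enterprise exceeds a ceiling if headcount reaches the staff limit
    OR if BOTH financial figures exceed their limits. Hence 30 staff with
    EUR 12m turnover but an EUR 8m balance sheet is still "small"; the
    common reading "50 staff or 10m turnover" is wrong.
    """
    if e.staff >= LARGE_STAFF or (
        e.turnover_eur > LARGE_TURNOVER and e.balance_eur > LARGE_BALANCE
    ):
        return "large"
    if e.staff >= MEDIUM_STAFF or (
        e.turnover_eur > MEDIUM_TURNOVER and e.balance_eur > MEDIUM_BALANCE
    ):
        return "medium"
    return "small"


def nis2_category(e: Entity) -> str:
    """Return "essential", "important" or "out of scope" (simplified).

    Article 3: large enterprises in an Annex I sector are essential;
    medium-sized Annex I entities and medium or large Annex II entities
    are important; small and micro enterprises are out of scope unless a
    special case applies (not modelled here).
    """
    sector = e.sector.lower()
    if sector not in ANNEX_I_SECTORS | ANNEX_II_SECTORS:
        return "out of scope"
    size = size_class(e)
    if size == "small":
        return "out of scope"
    if sector in ANNEX_I_SECTORS and size == "large":
        return "essential"
    return "important"


if __name__ == "__main__":
    # Constructed sample entities, not real companies.
    samples = [
        Entity("Regional power utility", "energy", 400, 120_000_000, 90_000_000),
        Entity("Hospital group", "health", 1200, 300_000_000, 250_000_000),
        Entity("Logistics SME", "transport", 80, 15_000_000, 9_000_000),
        Entity("Machine shop", "manufacturing", 30, 12_000_000, 8_000_000),
        Entity("Craft bakery", "food", 12, 1_500_000, 900_000),
        Entity("Advertising agency", "marketing", 300, 60_000_000, 50_000_000),
    ]
    for s in samples:
        print(f"{s.name:22} {s.sector:14} {size_class(s):6} -> {nis2_category(s)}")
```

The machine shop in the sample list is the instructive case: its turnover is above EUR 10 million, yet it stays a small enterprise because its balance sheet total is not, so a headline “more than 10 million turnover means NIS2” would have put it in scope wrongly. The advertising agency shows the other half of the test: size alone never brings an entity in; the sector must be listed.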
7.2 Evaluate existing measures
In terms of content, NIS2 builds heavily on existing standards such as ISO 27001 or BSI IT-Grundschutz. Companies that are already certified or have established corresponding management systems have a clear head start. An inventory helps to identify which requirements have already been met and where there are gaps.
7.3 Establishing risk management
The directive attaches great importance to systematic risk management. Those who document threats, vulnerabilities and potential impacts in a structured manner can prioritize them in a targeted manner. This approach is not only a regulatory must, but also a good basis for operational resilience.
7.4 Prepare reporting and response processes
Even if the reporting obligations are not yet legally binding, it makes sense to develop processes for recognizing, classifying and handling security incidents today. A functioning incident response concept not only prevents damage, but also makes it easier to fulfill legal obligations later on.
7.5 Clearly regulate responsibilities
A frequent weak point in companies is unclear responsibility. NIS2 expressly emphasizes the role of management. Tasks, responsibilities and escalation paths should already be clearly defined so that there are no gaps in authority in the event of an emergency.
7.6 Promoting internal communication
Information security is not just an IT task. Management, compliance, IT and specialist departments must have the same level of information. Transparent communication prevents panic and ensures that decisions are based on facts.
7.7 Choose reputable partners
The current situation is attracting many providers who work with pressure. Companies should check very carefully who they work with. Reputable partners provide fact-based information, point out the current legal status and work with established standards. Those who instead only operate with scare tactics rarely deliver sustainable solutions.
7.8 Documentation as a safety net
Documenting your own measures at an early stage shows that a company has done its homework in the event of an emergency. Even if no specific legal obligations apply yet, it is advantageous to record progress, decisions and analyses in a comprehensible manner.
Interim conclusion
Today, companies do not have to meet deadlines or fear sanctions. But they can use the time to build structures that will benefit them in the future. Those who are prepared will save costs and effort later on. The right approach is not to panic and rush through projects, but to proceed calmly and according to plan.
8. Extended checklist for companies
The following checklist offers companies practical guidance on how they can make sensible preparations. It is not a substitute for legal advice, but shows the key areas of action that are likely to remain relevant after the implementation of the German NIS2 Act.
Clarify whether you are affected
- Check whether your company falls within the scope of application in terms of sector, size and turnover.
- Use the BSI’s NIS 2 impact assessment (NIS-2-Betroffenheitsprüfung) to obtain an initial assessment.
Evaluate security architecture
- Analyze existing protective measures in IT and OT.
- Check whether basic topics such as access control, network security, patch management and encryption are covered.
Establish risk management
- Systematically document risks, threats and vulnerabilities.
- Establish procedures for risk assessment and prioritization.
Prepare emergency and reporting processes
- Develop processes for recognizing, evaluating and reporting security incidents.
- Regularly test the incident response processes in exercises.
Anchoring responsibility
- Clarify who has overall responsibility in the management.
- Define clear responsibilities in IT, compliance and specialist departments.
Internal sensitization
- Train employees regularly on cyber risks and reporting channels.
- Ensure that information is understood not only in IT, but also at management level.
Select external partners carefully
- Make sure that advisors provide fact-based information and do not work with panic.
- Look for partners who work with established standards such as ISO 27001 or BSI IT-Grundschutz.
Document progress
- Record measures, responsibilities and decisions in a comprehensible manner.
- Proper documentation shows that your company acted early in the event of an emergency.
9. Vision and attitude of ISX
The discussion about NIS2 shows very clearly how the market works. Many providers are spreading panic in order to generate short-term orders. ISX deliberately takes a different approach. Our aim is to build information security in such a way that it rests not on fear but on clarity, substance and reliability.
We see information security as a house. This house needs a foundation, stable walls, a roof and well thought-out architecture. Individual measures or isolated projects are like loose bricks. They do not create security, but at best an illusion of it. Our approach is to build, configure and maintain the entire architecture for our customers.
This clearly sets us apart from those who work with threatening backdrops. Instead of threatening with supposedly immediate fines or advertising supposedly last chances, we create an environment in which companies can plan for the long term. Security must not be a panic product. Security is a continuous process that we take on so that our clients can focus on their core business.
Another key point of our stance is the responsibility of management. NIS2 emphasizes the role of management, and rightly so. Information security is a management issue because it determines resilience and future viability. At the same time, it is unrealistic to expect every management team to keep an eye on regulatory details, standards and technical measures themselves. This is exactly where we come in. We take on the role of external CISO, providing guidance, managing operational measures and ensuring strategic foresight.
Our vision is to make information security in companies as commonplace as electricity or water. It remains invisible in everyday life, but is indispensable when it counts. We rely on established standards, clear processes and continuous improvement. We reject scaremongering.
At a time when many consulting firms are flooding the market with fear, ISX stands for a different approach. Information security is not a sword of Damocles, but an opportunity for stability, trust and future security.
10. Conclusion: Clarity instead of panic
NIS2 is an important European directive that is intended to raise cyber security to a new level throughout the EU. It will also be relevant for many German companies. However, one thing is crucial: there is still no adopted law in Germany that makes the requirements legally binding. This means that there are no deadlines, no fines and no reporting obligations that would already apply today.
The current scaremongering by many consulting firms is therefore misplaced. Companies that allow themselves to be led by fear rhetoric risk unnecessary costs and wrong decisions. Instead, it makes sense to use the time until implementation constructively. Those who assess their impact, evaluate existing security measures and clearly define responsibilities will be well prepared when the law comes into force.
In this environment, ISX stands for an approach that focuses on substance and clarity. We support companies with a structured model that turns information security into a stable foundation. Planning, not panic, determines our approach. For us, information security is not a short-term project, but a continuous process that makes companies future-proof.
The message is simple: prepare yourself, but don’t panic. NIS2 is coming, but there is no need to rush into action. Companies that take calm and planned action now will not only ensure compliance with future requirements, but also gain a real competitive advantage.