
NIS2 shortly before implementation – update June 2025
What managers need to know now
What's new? The BMI draft bill of June 23, 2025 is now the official basis for participation by associations and specialist groups. The 206-page document replaces the draft from June 2, 2025 (209 pages).
The focus is on the private sector:
With the recent exceptions for large parts of the federal administration, it is clear: full regulatory attention is now focused on the private sector.
Wider scope?
In the new draft, the vague wording in Section 28 Paragraph 3 NIS2UmsuCG ("negligible activities") was retained, which is causing discussion and criticism because it could massively expand the circle of affected companies without providing a clear definition. All company activities must now be taken into account when assessing whether a company falls within scope; only those that can be classified as "negligible" are left out. Many companies could unexpectedly come into focus.
On the other hand, since there is no legal definition of “negligible” (yet), companies could try to evade responsibility by broadly interpreting their own activities and excluding relevant business activities from the scope. This could lead to the actually intended scope of protection of the regulation being undermined.
This creates both uncertainty about the scope and risks in applying the regulation: excessive inclusion on the one hand, and a possible gap through the targeted self-exclusion of companies on the other.
Personal liability is real:
The NIS2 implementation is aimed directly at management: neither ignorance nor delegation protects against fines and personal responsibility. Therefore, review your governance and control structures immediately and anchor regular review and approval processes directly at management level. Transferring responsibility to the IT department or to external service providers does not relieve management of its duties. Personal responsibility and active oversight remain essential.
Compliance is a competitive advantage:
Companies that act proactively now not only protect themselves legally, but also build digital resilience, which becomes a decisive advantage in the market.
An underestimated factor for your strategic planning
The deadline for the implementation of the NIS2 Directive is getting closer, and with the latest draft of the German implementation law (NIS2UmsuCG) from June 23, 2025, the situation for around 30,000 companies in Germany has become more serious. It is no longer just another IT compliance issue. It is about strategic risk management, operational continuity and the personal liability of company management.
Deep Dive: The key insights from the bill
The “negligibility” trap
The draft bill states in Section 28 Paragraph 3 NIS2UmsuCG:
"When assigning the facility to one of the types of facility in accordance with Annexes 1 and 2, business activities that are negligible in relation to the facility's overall business activities may not be taken into account."
What this really means:

Conclusion for practice
The "negligibility" clause is legally shaky, operationally unclear and strategically risky. Instead of spending time on threshold gymnastics, companies should now build robust information security and risk management structures. Anyone who proactively invests in cyber resilience is protected regardless of whether the exception ultimately stands or not:
- Assume a broad scope – base the assessment on criticality rather than on sales figures.
- Immediately invest in a resilient ISMS (ISO 27001/BSI IT-Grundschutz), incident playbooks and resilient supply chain controls.
- Put resources into security maturity instead of threshold gymnastics; this way your company is protected no matter how the clause ends up politically.
More than just IT: Why NIS2 is an issue for the entire management
Many executives mistakenly delegate cybersecurity exclusively to the IT department. This is a strategic mistake under NIS2 that can lead directly to personal liability.
The business impact in focus:
- ROI: Investing in a robust information security management system (ISMS) according to ISO 27001 is not just a cost factor. It is your insurance against fines and against operational failures that threaten your existence. The return on investment is the assurance of your business continuity.
- Risk minimization: The law explicitly obliges management to monitor cybersecurity measures. Anyone who violates this obligation is personally liable. This includes the entire supply chain: a weak link at a supplier reflects back on you.
- Operational efficiency: An ISMS built according to NIS2 standards forces you to optimize your processes. You identify weak points, create clear responsibilities and improve your ability to respond. The result is a leaner, safer and more resilient organization.
Your Roadmap to NIS2 Compliance: A Strategic 5-Step Plan
Instead of just ticking off checklists, you should see the implementation as a strategic project.
Step 1: Scope analysis
Start immediately with a new, honest analysis of your business activities under the premise of "non-negligibility". Which services that you currently regard as fringe activities might fall within scope?
Step 2: Implement ISMS as a strategic asset
Don't see the introduction of an ISMS (e.g. according to ISO 27001 or BSI IT-Grundschutz) as a bureaucratic hurdle, but rather as the central nervous system of your digital defense.
Step 3: Make supply chain security a top priority
Audit the cybersecurity of your critical suppliers and service providers. Anchor clear security requirements in the contract. Your resilience is only as strong as that of your weakest partner.
Step 4: Understand incident response as brand protection
A security incident is likely to occur at some point. What matters is how you react. A tried and tested, fast reporting and response process (initial report to the BSI within 24 hours) not only protects against penalties, but also against massive reputational damage.
Step 5: Understand documentation as liability protection
Careful documentation is your most important evidence to the authorities. It shows that you took your duties seriously and acted to the best of your knowledge. This is your crucial shield in the event of an audit.
Strategic implications for decision makers
From fulfiller of duties to designer: NIS2 is no longer purely a compliance issue. It is a catalyst for digital transformation. Companies that set the right course now will be more agile, secure and trustworthy than their competitors.
Risk awareness as a new currency: The ability to assess and manage cyber risks not only technically but also commercially is becoming a core competency of successful managers. The unclear legal situation requires a conservative, risk-conscious attitude.
The supply chain as a strategic battlefield: The security of your supply chain becomes a key differentiator. Anyone who can prove that their entire value chain is secure will win the trust of customers and partners.
Conclusion: Your next logical step
The recent changes to the NIS2 Implementation Act are a clear signal: waiting is no longer an option. The implementation is currently being pushed forward at full speed.
Your job as a manager is to turn this regulatory challenge into a strategic opportunity. Instead of looking for loopholes, start building a robust digital fortress.
The logical next step is an immediate and comprehensive gap analysis. Seeking external expertise to navigate this legal uncertainty is not a sign of weakness, but rather an act of strategic foresight.
Next step: Free initial consultation
Do you want to complete your NIS2 registration? Our experts will be happy to advise you, without obligation and in a practical manner. Arrange an initial consultation now.