Bundestag decides on NIS2 – what companies have to do now
The Bundestag has thatNIS2 Implementation Actfinally decided on November 13, 2025. After more than a year of delay, the German implementation of the EU Cyber Directive is now legally binding. For tens of thousands of companies – especially SMEs – this is a turning point. The reach of regulation is increasing sharply,and significantly more companies are now considered “important” or “particularly important” institutions.
Your immediate priorities
- Obligation to test:Every companyhave to check now, whether it falls under the new NIS2 rules. The responsibility lies solely with you.
- Extended scope of application:Tens of thousands of companies that previously had no contact with safety regulation are now affected.
- Strict requirements:Affected entities are now subject to stricter obligations regarding cyber governance, risk management, documentation and reporting channels.
- Risk of delay:Inaction leads to regulatory risks and can result in fines.
The crucial next step: clarify your concerns
The central and inevitable step is clear: the formal classification of your company. Without this check, it is not possible to determine whether and which of the new, strict obligations you have to fulfill.
Companies covered by NIS2 must act promptly:
- Clearly define management responsibilities.
- Carry out risk analyzes systematically.
- Completely document security processes.
- Establish reporting channels for security incidents.
These measures are not a recommendation, but alegal requirement.
Conclusion for decision-makers: From knowledge to action
NIS2 is now law. Waiting is no longer an option. Now only one thing counts:
- Carry out mandatory inspection.
- Identify gaps.
- Prioritize measures.
The first step is the most important foundation for your compliance and cyber resilience.
How ADVISORI supports you
We will help you answer the crucial question quickly and confidently: “Are we covered by NIS2?”ADVISORI offers a structured NIS2 quick check, clear roadmaps for implementation and C-level workshopsto enable managers to act immediately. We accompany you efficiently and practically. Talk to us! Further information:NIS Consulting: Your compass for cybersecurity according to NIS and NIS2
📖 Also read:NIS2 for suppliers: How you can turn the NIS2 requirement into an unfair competitive advantage
📖 Also read:NIS2 for suppliers: How you can turn the NIS2 requirement into an unfair competitive advantage
Related articles
Continue exploring with related insights from our experts.
Cyber Insurance: Requirements, Costs, and Selection Guide for Businesses 2026
Cyber insurance covers financial losses from cyberattacks, data breaches, and IT outages. This guide explains what insurers require in 2026, coverage types, costs by company size, and how to choose the right policy — including how ISO 27001 certification reduces premiums.
Vulnerability Management: The Complete Lifecycle for Finding, Prioritizing, and Remediating Weaknesses
Over 30,000 CVEs are published annually. Effective vulnerability management prioritizes what matters most to your organization and remediates before attackers exploit. This guide covers the full lifecycle: discovery, scanning, risk-based prioritization, remediation, and compliance.
Security Awareness Training: Building Effective Programs and Measuring Impact
The human layer remains the weakest link in cybersecurity. This guide covers how to build an effective security awareness program, run phishing simulations, design role-based training, and measure whether your program actually reduces risk — with benchmarks and KPIs.