04/16/2026

“Implementing NIS-2 is an organizational stress test”

SMB Security

Which companies are actually required to register?

Dr. Matthias Zuchowski: These requirements have long been known, and little has fundamentally changed during the legislative process. However, in the IT sector, I recommend taking a closer look, as many companies are indirectly affected—for example, as service providers for critical infrastructure or as part of complex supply chains. It is important to note that indirectly affected companies must comply with certain requirements but are not subject to registration.

A common stumbling block lies in assessing corporate structures. Group affiliations, shareholdings, or outsourced IT services can result in companies being affected even if they do not appear to fall under the regulation at first glance. A superficial assessment is often insufficient.

As an initial guideline, the German Federal Office for Information Security (BSI) offers an impact assessment that provides a well-founded first evaluation. In more complex cases, however, a legal assessment is advisable to avoid misjudgments.

My recommendation is therefore: Any company providing business-critical digital services or forming part of critical value chains should carefully assess its exposure.

What did affected companies have to implement by March 6, 2026?

Dr. Matthias Zuchowski: By this deadline, registration with the BSI should have been fully completed. This is not a single step but a structured process.

First, responsible parties had to set up a company account via the ELSTER infrastructure, which serves as the entry point for official procedures. A common pitfall here is that registration-related mail often ends up in the finance department due to the association with “ELSTER.” The actual NIS-2 registration then takes place via the BSI portal.

During registration, companies must provide various details, including company master data (legal form, register entry, registry court, or contact address), classification by sector and activity, company size based on defined categories, and the designation of contact points and responsible persons.

Particularly important is the so-called NIS-2 contact point. It acts as the central interface to the BSI and must be reachable at all times—even outside normal business hours.

Formally, the deadline was clear: March 6, 2026 marked the end of the three-month transition period following the law’s entry into force. Late registration is not permitted under the legal framework.

What should companies do if they missed the March 6 deadline?

Dr. Matthias Zuchowski: Formally, the deadline has passed. Companies are therefore in default, and fines are generally possible. The good news is that authorities are currently still showing restraint when it comes to sanctions. Companies should use this window—not as an excuse to delay further, but as a final opportunity to catch up. From mid-2026 onwards, I expect stricter supervision, particularly regarding registration.

Registration should be completed without further delay. Every additional day increases risk—not only from a regulatory perspective but also organizationally.

If there is still uncertainty about whether a company falls under NIS-2, this should be clarified in parallel. “We are still assessing” is not a viable long-term strategy. Companies should reach a reliable decision quickly.

Even though registration is currently the focus, it is only the first step. At the same time, companies should define responsibilities, establish contact points, and set up initial reporting processes. This reduces risks in the event of a short-notice audit or a security incident.

Those who act now can still catch up in a controlled manner. Those who continue to wait increase the likelihood of having to react under pressure—which typically makes implementation significantly more difficult.

What training requirements apply to management?

Dr. Matthias Zuchowski: NIS-2 directly addresses executive management, as they are responsible for implementing and overseeing cybersecurity measures. They must therefore possess the necessary knowledge. Under NIS-2, management assumes the role of a governing body for cyber risks. Without a basic understanding, this role cannot be fulfilled effectively.

Training requirements cover various aspects, ranging from a fundamental understanding of cyber risks and risk management to knowledge of risk management measures under the BSI Act. This enables responsible parties to assess and monitor implementation within the company.

Training should take place regularly and cover both strategic and operational aspects. A one-time training session is clearly insufficient, as the cybersecurity landscape and regulatory requirements continue to evolve.

What risks arise if companies remain inactive?

Dr. Matthias Zuchowski: Inaction does not lead to a single risk but to a cascade of problems. On an organizational level, there is a lack of clear responsibilities and communication channels. If no one addresses where business-critical IT risks lie, it is highly unlikely that appropriate security measures will be implemented by chance. More likely is a patchwork of expensive and relatively ineffective measures, combined with significant security gaps in critical areas. This makes it difficult to handle security incidents in a structured way.

Operationally, the risk increases that incidents are detected too late or misjudged. There is also the issue of reputational damage: if companies react in an uncoordinated manner during a crisis, it quickly appears as a lack of control—both to customers and partners.

From a legal perspective, fines may be imposed if deadlines are not met. Currently, supervisory authorities are taking a cooperative approach, which companies can use to their advantage, as the BSI offers extensive support.

In short: the greatest risk is not the regulation itself, but the lack of ability to respond to it in a structured manner.

What should companies consider regarding reporting processes?

Dr. Matthias Zuchowski: Reporting processes are at the core of operational implementation. They connect internal security measures with external requirements. Initially, the focus is not on reporting to authorities, but on internal reporting to the relevant departments that may still be able to prevent the worst outcomes.

An effective reporting process includes clear criteria for classifying security incidents, structured documentation of causes, impacts, and measures, defined escalation paths within the company, and prompt, comprehensive communication with the BSI—including the ability to respond to its feedback.

How should companies approach the next steps in a structured way?

Dr. Matthias Zuchowski: A structured approach reduces complexity and provides guidance. In practice, I recommend a six-step model.

First, companies should systematically assess whether and why they fall under NIS-2. Next, they should complete registration and ensure all required data is properly recorded. The third step is to establish a governance structure within the organization, clearly defining roles, responsibilities, and decision-making processes. This should be followed by implementing processes, including reporting channels, escalation mechanisms, and communication structures. Based on these structures, a clear risk analysis should be conducted to identify gaps. Management should be involved in all these steps. Finally, all measures should be regularly reviewed and adjusted.

It is also important not to view NIS-2 in isolation. Many requirements can be effectively integrated with existing frameworks such as ISO 27001 or internal compliance structures. This not only facilitates implementation but also ensures that security measures are sustainably embedded in the organization.

Can you provide a brief conclusion?

Dr. Matthias Zuchowski: Registration is the first visible step—but not the decisive one. The real value lies in a systematic view of IT risks, functioning processes, clear responsibilities, and a shared understanding of cyber risks.

Or put differently: NIS-2 does not require perfection—but it does require structure, and that structure must hold up in day-to-day operations.


Stefan Karpenstein

Public Relations Manager
