DIHK on NIS2 Implementation: Greater Clarity, Less Bureaucracy, Strong Cybersecurity Frameworks

The NIS2 Implementation Act transposes the EU Directive into national law, expanding obligations for IT security, reporting requirements, and risk management for companies – including in supply chains. The German Chamber of Commerce and Industry (DIHK) evaluates opportunities and risks, highlighting areas for action.

The draft NIS2 Implementation Act aims to ensure a higher security level for critical infrastructures and companies in Germany. Companies face new reporting and evidence requirements, while the practicality and comprehensibility of the law are crucial for its effectiveness. It is particularly important for medium-sized enterprises that obligations are clearly defined, implementable, and EU-compliant. The DIHK analyzes the draft and provides recommendations for policymakers.

Key points in brief

  • Many more companies affected: The scope is being expanded massively, and the indirect effects on suppliers along the supply chain are growing as well.
  • High burden on SMEs: Unclear definitions and duties lead to high legal and verification effort.
  • Harmonisation urgently needed: Requirements must be synchronised with EU law, umbrella legislation for critical infrastructures and sectoral regulations.
  • Strengthening state structures: Clear processes, functioning cooperation between authorities, and a strong Federal Office for Information Security (BSI) are essential.
  • Cybersecurity as a collective task: Companies need comprehensible situational assessments, concrete support, and practical implementation aids.

Background

With the EU NIS2 Directive, the requirements for cybersecurity in Europe are significantly expanded. Germany is now implementing this through the NIS2 Implementation Act, bringing many more companies – including numerous medium-sized businesses – within its scope.

The government draft specifies reporting obligations, risk management, information exchange, and the new powers of the Federal Office for Information Security (BSI). In parallel, the KRITIS Framework Act is emerging as another key regulatory framework. For companies falling under both laws, complexity grows significantly.

What companies now need to consider

  • Examine impact early: Medium-sized businesses, in particular, should determine whether they are classified as "important" or "particularly important entities."
  • Focus on supply chain: Companies must take greater responsibility for the cyber resilience of their suppliers.
  • Prepare risk management: Documentation and security evidence requirements are becoming more extensive. Certifications can help.
  • Understand reporting paths: Cyber incidents will need to be reported faster and more comprehensively. Companies should adjust internal processes accordingly.
  • Utilize informational resources: The planned Information Sharing Portal of the BSI will be a key resource – companies should familiarize themselves with its functions once it becomes available in early 2026.

DIHK’s demands

  • Create legal and planning certainty: Clearly define terms, categories, and areas of application in an EU-compliant manner – especially in conjunction with the KRITIS Framework Act.
  • Reduce bureaucracy: Simplify, digitize, and tailor reporting, documentation, and evidence requirements to ensure proportionality, preventing overburdening companies – especially SMEs.
  • Relieve supply chains: Recognize certifications like ISO 27001, VdS, or TISAX as sufficient evidence and avoid redundant audits.
  • Enable efficient collaboration: Establish clearly defined processes between authorities and companies, a user-friendly Information Sharing Portal, and a well-equipped cybersecurity infrastructure.
  • Incorporate the public sector: Federal, state, and local governments must also adhere to binding high IT security standards to ensure reliable and secure administrative processes.

Frequently Asked Questions

Who does the law affect?

Significantly more companies than before, both directly as "important" or "particularly important entities" and indirectly through the supply chain.

What changes for medium-sized companies?

They must expect additional reporting, verification, and documentation obligations. Due diligence in the supply chain in particular adds substantially to the effort.

Why does the DIHK criticise national special regulations?

They create legal uncertainty, complicate EU-compliant implementation, and lead to more bureaucracy because companies have to comply with different requirements.

What role does the BSI play?

The BSI is to strengthen coordination, standardise reporting channels, and set up an Information Sharing Portal. This requires clear processes and adequate staffing and equipment.

Why is the public administration not comprehensively included?

The draft imposes obligations only on the federal administration. Companies, however, expect state and local authorities to ensure a reliably high level of security as well.

How can a company prepare?

By assessing the impact, setting up an adequate risk management system, establishing clear internal processes for cyber incidents, and engaging early with certifications and requirements.

Notice

The law for implementing the NIS-2 Directive has been in effect since December 5, 2025.

Download

DIHK Statement on the Implementation of the NIS-2 Directive and the Regulation of Fundamental Aspects of Information Security Management in the Federal Administration (PDF, 167 KB) (only available in German)


Key areas:
  • Cybersecurity
  • Digitalisation

Contact

Dr. Katrin Sobania

Director Department for Information and Communication Technology | E-Government | Postal Services | IT Security