After a long delay, the NIS-2 Implementation Act took effect on December 6, 2025, making the European NIS-2 Directive (Network and Information Security Directive 2) legally binding in Germany. According to the Federal Office for Information Security (BSI), approximately 29,500 companies in Germany are impacted.
Who Does NIS 2 Affect?
The law differentiates between particularly important and important entities critical to the economy and society. Particularly important entities include operators of critical infrastructures (KRITIS), such as those in energy, IT and telecommunications, transport, health, water, food, finance, insurance, and waste management. These organizations are essential to public services, and any failure could lead to serious supply disruptions or threats to public safety. As of September 30, 2025, 1,177 KRITIS operators were registered with the BSI.
With the NIS-2 Implementation Act, many more companies are now included, extending to sectors like manufacturing, digital services, and research. These entities face cross-sector IT security obligations.
Assessing NIS-2 Applicability
Companies must evaluate whether NIS-2 applies to them and identify their category - particularly important or important entity - based on criteria such as employee count and revenue. For important entities, the thresholds are fewer than 50 employees, or annual revenue or total assets of up to 10 million euros.
Key Obligations Under NIS-2
Both important and particularly important entities must:
- Register with the BSI through a two-step digital process: first via "My Company Account" (MUK), then on the BSI portal. The BSI also provides detailed guidance for registration.
- Implement incident management requiring reporting of significant security incidents, such as serious operational disruptions. Entities must have effective processes to detect, assess, respond to, and track incidents.
- Establish and document risk management measures. Entities are required to take appropriate and proportional technical and organizational steps to prevent major security incidents. The BSI recommends measures including risk analysis, incident response, business continuity planning, supply chain security, secure IT system development, regular effectiveness assessments, IT security training, cryptographic methods, personnel security, and the use of multi-factor authentication (MFA) and secure communication solutions.
- Assign responsibility for implementation and oversight to management. The BSI offers training recommendations and guidance.
For particularly important entities, additional requirements apply:
- Increased proactive supervision by the BSI
- Mandatory audits
- Stricter sanctions and regulatory actions
How VPN Solutions Support NIS-2 Compliance
Many of the NIS-2 requirements in risk management can be addressed with NCP’s professional VPN and remote access solution:
- Secure remote access: NCP offers granular access controls, including role-based and endpoint policies, centralized management, and MFA to ensure secure network and application access.
- Data encryption: NCP provides end-to-end IPsec encryption to protect sensitive data confidentiality.
- Central management & documentation: Departments can be managed centrally with logical separation, limiting attack spread. Policies, certificates, and access are fully logged and auditable.
- Supply chain security: MFA and endpoint checks (e.g., antivirus status, OS version, domain membership) help prevent insecure devices from gaining access.
- Business continuity support: Features such as VPN failover and centralized management help ensure availability and operational resilience in alignment with NIS-2 requirements.
Implementation Progress and Ongoing Challenges
Thanks to intensive awareness campaigns and guidance from the BSI, NIS-2 implementation is well underway in many German companies. A recent Statista survey commissioned by G DATA found that 63% of companies have begun preparing, though 25% have yet to start.
With the law now officially in force, there is no further transition period. Violations can lead to fines up to 10 million euros or 2% of annual revenue. However, the BSI seeks a business-friendly approach and offers significant support, intervening with fines only in severe cases. The goal is to enhance cyber defense capabilities across companies. BSI President Claudia Plattner expects NIS-2 adoption will lead to noticeable improvements in Germany’s IT security landscape, which upcoming BSI reports will confirm.
Nonetheless, implementation remains challenging, especially for smaller organizations with limited resources. Integrated security solutions from providers like NCP offer a critical advantage by addressing multiple NIS-2 requirements efficiently and effectively - an important step toward lasting compliance and stronger cybersecurity.