Volker Schwaberow
NIS2 in Germany: Overregulation and Systemic Challenges

December 3, 2024
The NIS2 Directive (Directive (EU) 2022/2555 on network and information security), which aims to raise the resilience and incident-response capabilities of providers of essential and important services, is set to have a significant impact on Germany. According to OpenKRITIS[^1], the German transposition of NIS2, which extends the existing IT-Sicherheitsgesetz framework, brings stricter controls and increased regulatory oversight, with significant consequences for companies now treated as part of critical infrastructure. The Bundesamt für Sicherheit in der Informationstechnik (BSI) notes that NIS2 seeks to establish a uniform level of cybersecurity across the EU by extending obligations to a wider range of sectors and tightening the requirements for those already covered under the original NIS1[^2].

At first glance, this effort raises cybersecurity standards by covering a broader range of industries. However, there is a growing perception that we may be heading towards overregulation, a situation that raises more questions than it answers. The multi-stage incident reporting process is one specific aspect of NIS2 that is perceived as overregulation. Under Article 23 of the directive, a significant incident triggers an early warning within 24 hours of the entity becoming aware of it, an incident notification within 72 hours, intermediate updates on request of the authority, and a final report no later than one month after the notification. For many, this feels redundant and overly burdensome, particularly for smaller enterprises that lack the resources to keep up with such demands. Additionally, the requirement for extensive supply chain assessments, which obliges companies to evaluate the cybersecurity posture of each of their vendors, further illustrates the challenge. While intended to enhance security, these measures often become more about generating paperwork than about fostering meaningful improvements in cybersecurity.

Background and Scope

The groundwork for NIS2 has been laid over several years, building on the original NIS Directive (NIS1), adopted in 2016 and transposed by the member states in 2018 to regulate critical infrastructure across Europe. Germany and the other EU member states have been working to improve their cybersecurity frameworks ever since. OpenKRITIS points out that NIS2 emphasizes the resilience of essential services and the accountability of the entities that manage them, increasing the governance and compliance requirements placed on those entities[^1]. NIS2 significantly broadens this scope, adding substantial new requirements around incident handling, risk assessments, and security governance. Member states were required to transpose it into national law by 17 October 2024, a deadline that had already passed without a final German implementing act at the time of writing. OpenKRITIS further highlights that these expanded requirements demand a considerable increase in technical and administrative resources for compliance, which is particularly challenging for smaller enterprises[^1].

New sectors such as postal services, food production, waste management, public administration, the chemical sector, and space now fall within the directive's scope as essential or important entities, a status often loosely described as “critical infrastructure.” This poses enormous challenges for businesses that may lack the resources or expertise to meet the requirements. The broad inclusion increases the strain on companies, especially smaller entities, which must now meet heightened cybersecurity governance and risk management obligations.

Challenges with NIS2 Implementation

Expanding the scope of NIS2 might seem like a proactive move, but it inevitably invites criticism. A recent survey highlighted in a G DATA report indicates that many employees in Germany significantly underestimate the impact of the NIS2 Directive[^2]. The report's tone is almost alarmist, emphasizing the lack of awareness and the supposed dangers that such ignorance could pose. It is worth critically examining whether this framing genuinely improves awareness or simply incites unnecessary fear. Many of the requirements are disconnected from the practical realities that companies face. The compliance deadlines are ambitious, and the regulatory framework is not equipped to provide the support entities need to meet these expectations. Specifically, the missing support includes financial assistance to help companies implement the required cybersecurity measures, technical guidance for interpreting the broad requirements of NIS2, and training programs for staff. Without these resources, companies, particularly SMEs, struggle to meet the stringent requirements. For example, businesses must report security incidents within tight deadlines, regardless of their size or capabilities. Yet it remains unclear what happens with all of these reports. How is this information processed, and what tangible actions are taken? This lack of transparency is unsettling and needs to be addressed so that companies feel informed and involved in the process.

Moreover, companies face the additional burden of detailed, multi-stage reporting: an initial report, updates, and a final report following each incident. The GDPR rollout offers a precedent. Numerous small businesses struggled with its detailed reporting requirements, which overwhelmed their already limited resources. This led to compliance fatigue and, in some cases, incomplete or delayed reporting, which ultimately undermined the effectiveness of the regulation. Businesses are also expected to assess their supply chains, which not only adds legal pressure but also requires assessments that become outdated quickly because supplier relationships and the threat landscape change constantly. These reporting requirements are more about generating paperwork than about fostering meaningful improvements. Without clear information on how the reports drive actual security progress, an important security initiative risks turning into little more than a bureaucratic exercise.

Imbalance of Responsibility

A glaring issue with NIS2 is the imbalance of responsibility between businesses and the state. The directive imposes heavy obligations on organizations, yet the state seems unwilling to meet similar standards. While private companies are expected to ensure prompt incident reporting and compliance with stringent cybersecurity measures, government institutions frequently lag behind in updating their systems or adhering to the same requirements. A notable case is the repeated criticism of public sector IT infrastructure, which has fallen significantly behind in security updates and risk assessments, as highlighted in several reports by the Federal Audit Office (Bundesrechnungshof). This disparity is concerning, as it suggests that the state is not holding itself to the standards it demands of private enterprises.

graph TD
    A[State Responsibilities] --> B[Cybersecurity Governance]
    A[State Responsibilities] --> C[Incident Reporting]
    A[State Responsibilities] --> D[Compliance Enforcement]
    A[State Responsibilities] --> E[Support & Resources]

    I[Company Responsibilities] --> J[Cybersecurity Governance]
    I[Company Responsibilities] --> K[Incident Reporting]
    I[Company Responsibilities] --> L[Risk Management]
    I[Company Responsibilities] --> M[Compliance & Documentation]

    A --> I

The disparity between expectations for the private and public sectors undermines trust: trust in the state, trust in the regulatory process, and trust in the overall cybersecurity framework. It raises questions about the state's commitment to the level of cybersecurity it prescribes. By demanding stringent compliance from private enterprises while failing to demonstrate the same commitment at the governmental level, the state merely shifts accountability without setting a positive example. This double standard undermines the credibility of the entire initiative. Why should companies comply if the government does not adhere to the standards it sets for the private sector?

Impact on Small and Medium-Sized Enterprises (SMEs)

The costs of increased security requirements are more than merely financial. The administrative burden is immense, especially for small and medium-sized enterprises (SMEs). These smaller businesses, now categorized as “critical infrastructure” due to vague definitions of “essential services,” face significant challenges. SMEs rarely have the dedicated cybersecurity teams and resources that larger corporations have, which makes compliance daunting. It is doubtful that the added paperwork will translate into real security improvements. Instead, there is a risk that valuable resources will be diverted from practical protective measures to satisfying arbitrary regulatory demands.

Broader Societal Impact

The broader societal impact of these regulations must also be considered. NIS2 is part of a trend in which the state increasingly intervenes in private business operations under the banner of cybersecurity. This raises concerns about the extent of control over critical infrastructure and about the privacy implications. Furthermore, it is difficult to trust that the state can adequately secure the vast amount of sensitive data it collects. Breaches of government systems are not uncommon, and the risk of misuse or negligence is real. Adding more sectors to the list of entities required to submit incident reports only increases these risks and demands better oversight and management. According to OpenKRITIS, it remains to be seen how the government plans to handle the influx of incident reports effectively without significant improvements to the current infrastructure[^1]. The G DATA report further emphasizes the supposed urgency of compliance, which, while important, leans towards creating a sense of crisis rather than offering balanced, actionable guidance for businesses. Such an approach can alienate the very stakeholders who need support, particularly smaller enterprises that lack the resources to respond to sudden and expansive compliance requirements.

Enforcement Challenges

The practicality of enforcing these regulations also remains a major concern. Ensuring consistent compliance across so many sectors is a Herculean task. Regulatory bodies are already stretched thin monitoring the existing critical sectors, and expanding the scope will only dilute their effectiveness. The expansion has pros and cons. On the positive side, a broader scope could enhance overall security across more sectors, theoretically making Europe more resilient against cyber threats, and increased standardization could ensure that best practices are adopted widely, raising the security baseline for a larger group of industries. The downsides are significant, however. Enforcement will likely become inconsistent, so that companies that genuinely strive for compliance are treated the same as those that ignore the rules. The additional burden on regulatory bodies may mean less efficient oversight, creating gaps that adversaries could exploit. A similar situation arose during the rollout of the GDPR, when supervisory authorities were overwhelmed by the sheer volume of compliance questions and complaints, leading to inconsistent enforcement. This inconsistency allowed some organizations to fall through the cracks, effectively reducing the intended impact of the regulation. Inconsistent enforcement also undermines trust in the regulatory process and disincentivizes companies from making earnest efforts if they perceive a lack of fairness or accountability. If enforcement is inconsistent, what is truly being achieved? Regulation then becomes an exercise in bureaucracy rather than a meaningful effort to bolster cybersecurity.

Complexity of Supply Chains

The problem becomes even more pronounced when we consider the complexity of modern supply chains. Organizations are asked not only to secure their own operations but also to assess the cybersecurity posture of their entire supply chain, including third-party vendors. Existing standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework offer guidance on managing supplier risk. However, applying these frameworks consistently across a dynamic supply chain is laborious: evaluating suppliers involves extensive documentation and regular audits, and those audits are resource-intensive, requiring time and personnel to assess compliance accurately. Supply chains are inherently fluid, and conditions change rapidly.

Expecting businesses to maintain up-to-date assessments under these conditions is unrealistic and diverts crucial resources from direct security measures. SMEs in particular are rarely equipped to undertake such extensive evaluations, which leaves them especially exposed to regulatory penalties without corresponding gains in actual security. In Germany, SMEs are further burdened by rising costs and a lack of support. The constant rise in compliance obligations, coupled with minimal governmental assistance, places an unfair strain on them: they face the full weight of regulatory expectations without adequate resources to manage these demands efficiently.

Lack of Standardization

The challenges are further compounded by a lack of standardization in how cybersecurity measures are to be implemented. The directive offers broad guidelines, but in the absence of clear, standardized methods, organizations are left to interpret the requirements as best they can. This results in significant disparities in how different sectors and organizations approach compliance, further complicating enforcement. The lack of uniformity not only hampers the efficacy of the NIS2 Directive but also leaves companies in constant uncertainty about whether they are actually meeting the expected standards.

To address these concerns, the European Union Agency for Cybersecurity (ENISA) has developed the “Implementation guidance on NIS 2 security measures.” This technical guidance aims to support entities in implementing the technical and methodological requirements of the cybersecurity risk-management measures referred to in Article 21(2) of Directive (EU) 2022/2555. At the time of writing, the draft of this guidance is available for industry consultation.

Additionally, ENISA has published the “Guideline on Security Measures under the EECC,” which provides detailed guidance on implementing Articles 40 and 41 of the European Electronic Communications Code (EECC). This guideline lists 29 high-level security objectives grouped into eight security domains, offering specific security measures and evidence for compliance assessment.

These resources aim to provide clearer, standardized methods for implementing cybersecurity measures and reducing disparities in compliance approaches across different sectors and organizations.

The Work of “Experts” at the Political Level

Further complicating the issue is the perspective of some cybersecurity experts, who at times seem more aligned with the state or their own business interests than with the welfare of the general public. For example, statements supporting the introduction of a centralized European digital identity often highlight the benefits of efficiency and ease of control for state agencies, yet frequently fail to address the significant privacy concerns of individuals. While these experts emphasize the necessity of tighter state control for security reasons, it is crucial that such measures are balanced against the protection of citizens' privacy rights. It is simply unacceptable that the whole topic is being treated as something that affects only the corporate part of the German economy.

Compliance Timeline and Human Factor

The compliance timeline set by NIS2, with a transposition deadline of October 2024 and obligations that apply to entities as soon as the national law takes effect, is particularly challenging for companies that are still struggling with the requirements of NIS1. OpenKRITIS highlights that many organizations lack the expertise to manage these new obligations effectively, pointing to a systemic shortage of skilled cybersecurity personnel[^1]. Too little room is left to address the underlying issues: the lack of effective enforcement mechanisms, and the disconnect between regulatory goals and the resources available for real improvements.

The human factor is often ignored—the fact that more regulation and compliance demands lead to fatigue, confusion, and often non-compliance simply due to the overwhelming nature of the obligations.

For instance, employees and managers are asked to operate increasingly complex security processes, such as multi-stage incident reporting or the rollout of modern encryption standards, often with minimal training. This raises the risk of critical errors. The effect is visible during audits, where staff overwhelmed by the technical requirements frequently struggle to understand what is expected of them. Without adequate support, such as practical workshops on incident response, data encryption techniques, and supply chain risk management, or clear, simplified guidelines, these individuals are far more likely to make mistakes or bypass important security measures entirely. Tailored training programs focusing on these critical areas would significantly improve employees' ability to comply with the complex requirements of NIS2.

The lack of structured guidance ultimately increases the likelihood of errors and oversights, leading to an ineffective compliance effort that only adds more bureaucracy rather than enhancing security.

Need for Practical and Transparent Solutions

What is truly needed is a practical and transparent approach—one that benefits both regulatory authorities and the businesses affected by these mandates. Rather than overloading companies with reporting obligations and bureaucratic exercises, the government should demonstrate how it uses the collected information to improve overall cybersecurity. Are authorities learning from incidents and using this knowledge to make centralized recommendations? Or are the reports simply being archived with no follow-up? Transparent communication regarding the use of reported data would help build trust and make reporting obligations more meaningful.

The state should also establish a feedback loop where companies receive timely and actionable guidance based on their submissions. This would make the reporting process more reciprocal, providing value to the organizations involved. If the government cannot commit to utilizing this information to genuinely enhance cybersecurity, the entire reporting exercise becomes highly questionable. Without clear answers and practical follow-through, NIS2 risks becoming yet another layer of bureaucratic overreach—an effort that appears effective on paper but ultimately adds complexity without delivering real improvements.

Shifting Perspectives on Cybersecurity

Cybersecurity should be integrated into business processes strategically and operationally. While this approach might sound new, it is actually something that has been practiced for some time, especially at the compliance level. However, the state lacks an overview of these ongoing practices and instead makes decisions at a bureaucratic level, often relying on consultants who are clearly driven by their own interests. Instead of merely meeting compliance checklists, businesses should be empowered to view cybersecurity as an ongoing, integral part of their operations. This shift in perspective requires education, resources, and support—elements currently lacking in the NIS2 framework. A proactive, rather than reactive, approach to cybersecurity would yield far greater dividends in terms of security posture and resilience.

Final Thoughts and Critical Evaluation

There is no realistic expectation that NIS2 will deliver genuinely positive outcomes without confronting core issues that extend beyond regulatory frameworks. One glaring issue is ineffective law enforcement against cybercriminals. The masterminds behind significant cyberattacks often operate with impunity, with law enforcement unable or unwilling to bring them to justice, and the rate at which these criminals are identified and prosecuted is frustratingly low. Imposing additional compliance requirements on organizations without addressing these root causes is a superficial fix. Piling on bureaucracy will likely leave the security landscape exactly as it is.

Moreover, the current implementation plan fails to provide meaningful support to organizations. According to OpenKRITIS, meaningful results can only be achieved if the government offers tangible assistance, such as financial resources, skilled personnel, and clear guidelines. Yet such support is conspicuously absent from the current strategy. Without these crucial elements, the entire directive risks becoming an illusion of progress: lots of paperwork and reporting, but very little actual enhancement of security.

For NIS2 to deliver substantive improvement, there must be a transparent and practical commitment to action. We need to see a concerted effort to bolster the detection and prosecution of cybercriminals and a genuine initiative to simplify the regulatory landscape; otherwise NIS2 will remain a burdensome bureaucratic exercise. The current focus on compliance, as highlighted in the G DATA report, serves bureaucratic interests more than any meaningful improvement in cybersecurity. As it stands, the directive is a checklist exercise that prioritizes regulatory formalities over tangible outcomes.

Ultimately, NIS2's success will hinge on its capacity to transcend bureaucratic hurdles and deliver measurable security improvements. Such improvements could be tracked with specific metrics: a reduction in the number of successful cyberattacks on critical infrastructure, faster incident response times, and increased resilience against disruptions. Another key outcome would be the effective implementation of security best practices across all covered sectors, leading to measurable decreases in vulnerabilities and more robust data protection. Consistent and timely reporting, followed by actionable guidance from the authorities, would be a clear indicator that cybersecurity efforts are becoming more efficient and impactful.

However, an overly tight collaboration between the state and private enterprises raises significant concerns about risks to democratic values. When the state begins to dominate and assert its influence through regulatory overreach, it risks undermining the autonomy of businesses and citizens alike. If the government's role shifts from facilitator to enforcer, privacy rights and individual freedoms can be compromised. This dynamic not only puts enterprises' independence at risk but also paves the way for an intrusive, overbearing state presence that erodes public trust. The involvement of consultants whose motivations may align more with political or personal interests than with the public good exacerbates this problem. Without a clear separation of roles and limits on state power, NIS2 could easily evolve into a tool for excessive control rather than a mechanism for enhancing security. Effective collaboration between the state, private enterprises, and genuine cybersecurity experts, motivated by more than political alignment, is essential. Without this careful balance, NIS2 will never fulfill its potential to genuinely strengthen Europe's cybersecurity framework while safeguarding democratic freedoms. Should we place bets on that?

The directive's goals are ambitious, but more than ambition is required. To make a meaningful difference, accountability must extend to all stakeholders, businesses and government bodies alike; the latter must provide adequate support, enforce the rules effectively, and simplify compliance, particularly for SMEs. Without this balanced responsibility, the directive risks overburdening private enterprises while failing to achieve its intended security improvements.


Footnotes

  1. OpenKRITIS - NIS2 Implementation and its Implications

  2. Bundesamt für Sicherheit in der Informationstechnik (BSI) - NIS2 and IT Security Law