Our Perspective: Waiting for NIS2 – risk or opportunity?

7 min read  •  June 26, 2025

The EU NIS2 Directive is intended to strengthen cybersecurity across Europe – but in Germany, national implementation is still pending. The corresponding law was supposed to take effect last year. Instead, Germany now faces infringement proceedings, as the European Commission is increasingly pushing for swift adoption.

What this delay means, what experiences Stackfield has already had with NIS-2, and why it’s not too late for organizations to engage with the topic is explained by Torsten Zinke, Information Security Expert and Compliance Manager at Stackfield. He knows: "Nobody is condemned to inaction."

Note: The revised Network and Information Security Directive (NIS2) affects numerous organizations – many of them for the first time. What exactly NIS2 is, what changes it brings, who is affected, and what matters now can be found in our blog post: "The new NIS2 Directive: What you need to consider now".


Torsten, the implementation of NIS2 in Germany is delayed, despite cybersecurity becoming an increasingly important political issue. Still, it can seem like the topic isn’t being prioritized under the new government. In your view, how realistic is it that Germany will now move quickly to implement the EU’s requirements?

ZINKE: The deadline for transposing the NIS2 Directive into national law passed on October 17, 2024 – and has already been missed. Unfortunately, that puts Germany among the stragglers at the European level. In my opinion, the project hasn’t received the political prioritization it needs and hasn’t been driven forward with the necessary determination.


Torsten Zinke – Information Security & Compliance Manager at Stackfield

The change in government has further contributed to delays, as various processes need to be restarted. That said, several months ago the Federal Ministry of the Interior of Germany announced that it intends to speed up the implementation process. Not least because the EU has already initiated a second-stage infringement procedure.

On a more positive note, a new draft bill was published at the end of May. So it seems at least realistic that the legislative process for implementing NIS2 could be completed by the end of 2025.


What does this slow implementation of NIS2 mean for citizens – particularly when it comes to cyberattacks on critical infrastructure like hospitals, utility providers, or public authorities?

ZINKE: The sluggish implementation of the NIS2 Directive in Germany is far from just a bureaucratic issue. It has direct consequences for the security of our critical infrastructure and, by extension, for the daily lives of all citizens. The directive establishes binding security standards for operators of critical entities, like the ones you mentioned. Without the adoption of these standards, the risk of successful cyberattacks on such organizations increases.

The impact of cyberattacks can be severe, potentially disrupting energy supply, compromising water management, or halting local government services. To put it plainly: citizens may not be able to apply for ID documents, register changes of address, or, in the worst case, receive urgent medical care.

And we’re not talking about hypothetical scenarios. These are real incidents: in 2020, the emergency room at Düsseldorf University Hospital had to close temporarily following a ransomware attack. In early 2024, the state government of Mecklenburg-Vorpommern was hit by a massive cyberattack. And as recently as March 2025, the headquarters of the Federal Employment Agency was affected.


Stackfield began preparing for NIS2 early on. What steps did you take, and what proved to be especially important during the process?

ZINKE: We recognized the significance of the NIS2 Directive early and took action accordingly. One of the first steps was to assess our potential exposure using the BSI (German Federal Office for Information Security) portal. Even though we are not currently directly covered by the directive, we’re closely monitoring developments. Why? Because if a regulated company outsources critical IT services to us, we as a service provider must guarantee an appropriate level of security. We could also be affected by contractual requirements or in our role as a subcontractor, especially if our services are essential to system-relevant institutions.

In discussion with Torsten Zinke

Overall, I believe we’re in an excellent position. Our existing certifications – such as BSI C5, ISO 27001, 27017, and 27018 – demonstrate that we already meet many of the relevant requirements. We also plan to add ISO 27701, which addresses data privacy specifically, later this year. Many NIS2 requirements already align with ISO 27001 principles, including risk management, incident response planning, access controls, and data encryption.

Two points are especially important to me:

First, practical implementation. There’s no point in drafting policies and requirements that end up gathering dust on a shelf, only to be pulled out for audits or compliance checks.

Second, continuous improvement in information security. Simply maintaining the status quo over several years is one approach, but in the medium term, it makes you vulnerable. I believe it’s much more effective to continuously adapt and improve security measures over time.


Is it still possible for companies that have done little so far to react in time to NIS2? Do you have any advice for affected organizations?

ZINKE: Since the national implementation is still pending, companies certainly still have time to act, especially those that aren’t starting entirely from scratch. Organizations that have already implemented measures based on established standards like ISO 27001 or the BSI’s IT baseline protection can build on that foundation.

It’s also helpful to follow a structured process when tackling the issue. That’s exactly how we approached it at Stackfield. Generally, the following steps can be addressed in sequence:

  1. First, clarify responsibilities
  2. Then conduct a risk analysis
  3. Define and implement minimum security measures
  4. Prepare incident reporting processes
  5. Involve the supply chain and relevant service providers
  6. Raise awareness and provide regular employee training
  7. And most importantly: don’t forget documentation. These records are essential for any organization that may be subject to audits by regulatory authorities.

Many companies see NIS2 as an additional burden, even though the threat of cyberattacks in Germany is greater than ever. So far, however, there hasn’t been a strong political push. Are Chancellor Friedrich Merz and his cabinet losing public trust, or is the extra time needed to ensure a thoughtful and effective implementation?

ZINKE: As I said at the beginning, I think too much time has already been wasted. I understand companies that haven’t yet taken steps toward information security and now view NIS2 as an added burden. Which, in fact, it is. We're talking about additional investments, the development and maintenance of documentation and processes, clear reporting lines, technical and organizational measures, and much more. The to-do list is long, and understandably intimidating for many.

At the same time, the facts speak for themselves: the BSI’s annual situation report and studies such as the one from the digital association Bitkom show that in 2023, every second company in Germany was affected by cyberattacks. According to the latest TÜV cybersecurity study, that hasn’t changed significantly in the past year. Attackers are acting with increasing professionalism, coordination, and criminal intent. Small and mid-sized businesses, municipal institutions, the healthcare sector, and energy providers are particularly at risk.

So the key question is: how much longer can we afford to crawl forward at a snail's pace on digital security?


Let’s be honest: data protection isn’t exactly a thrilling topic. Everyone agrees it’s important, but bring it up, and the reaction is often eye-rolling or stifled yawns, despite the very real dangers. What do you think can be done to raise public awareness of cybersecurity?

ZINKE: There are plenty of ways. Public awareness and education campaigns led by state institutions like the BSI or the Ministry of the Interior, for example. I think the BSI has taken a solid approach with its "BSI for Citizens" portal, which explains often complex topics in a very accessible way.

Another helpful measure could be mandatory transparency following security incidents. Only if organizations openly report attacks – respecting proportionality and data protection, and ideally without finger-pointing – can others learn from them and improve their own systems.

And last but not least: cybersecurity should become a mandatory subject in schools. In the long run, cyber hygiene must become as natural a habit as brushing your teeth: regular software updates, strong passwords, two-factor authentication, and so on. For that, we need trained and motivated teachers, easy-to-use tools, and continuous education.

Embedding the principles of data protection early in life would really make "security by design" more than just a slogan. But is Germany even ready for that approach, or is the right mindset still missing?

ZINKE: (laughs) It’s true that the concept demands that security be built into products, services, and processes from the start – not added on later. And yes, I do think that education is one such process.

"Security by design" is a proactive and systematic approach. Technically speaking, it’s often feasible, but it still gets overlooked. In many companies, speed to market still trumps security concerns. Security is seen as a brake on innovation. That has to change. Especially startups and SMEs often shy away from the higher upfront effort, even though the long-term cost of damage control is usually far greater.

On the other hand, customers themselves are not always willing to pay more for secure products. However, regulations such as the Cyber Resilience Act are putting increasing pressure on organizations to implement "security by design".

Germany has the technological foundation to support this approach, but the right mindset is still lacking in many areas. We need a cultural shift, more political visibility for the issue, and ultimately also legal incentives. Only when cybersecurity is seen as a value rather than a burden will it be viewed as a real competitive advantage.


What do you think needs to happen to ensure that NIS2 doesn’t become just another box-ticking exercise for governments and businesses with no real or lasting impact?

ZINKE: We need consistent implementation of the NIS2 Directive across the EU, with clear accountability mechanisms. It’s not enough to pass laws – they need to be enforced and monitored through audits, penalties, and transparency requirements for companies. Only then will we know who takes cybersecurity seriously.

At the same time, we have to anchor the topic within corporate culture. Cybersecurity must not remain an annoying obligation, but instead become second nature through training, visible leadership commitment, and strategic objectives.

Public dialogue is equally important. If we view cybersecurity as part of our collective resilience, the political and economic pressure to drive real change will grow. Research institutions, NGOs, and the professional community all play a key role here.

And finally, we need innovation – from state-funded security technologies to open and transparent software solutions. Only with skilled professionals and early education can we make lasting progress.

About the Author: Christopher Diesing is the COO of Stackfield. He loves all kinds of marketing, product design as well as photography.