NCP engineering: NIS-2 in force in Germany

January 22, 2026

NIS-2 comes into force in Germany: What companies need to consider now and how VPN solutions can help

After a lengthy delay, the NIS-2 Implementation Act came into force on 6 December 2025. This means that the requirements of the European NIS-2 Directive (Network and Information Security Directive 2) are now binding. According to the Federal Office for Information Security (BSI), this affects an estimated 29,500 companies in Germany.

NIS-2 – Who is affected?

The law distinguishes between particularly important entities and important entities, both of which are essential to the functioning of the economy and society.

Particularly important entities include operators of critical infrastructures (KRITIS). KRITIS are organisations and facilities that are essential to the state and society: their failure or impairment would lead to lasting supply shortages, significant disruptions to public safety or other serious consequences.

As of 30 September 2025, 1,177 KRITIS operators were registered with the BSI, across the sectors energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance, and municipal waste disposal. Until now, these operators have been subject to sector-specific obligations covering the physical protection and the IT security of their systems.

With the NIS-2 Implementation Act, significantly more companies fall within scope, including manufacturing, digital services and research, and the IT security obligations now apply across sectors. The BSI publishes an official list of the affected sectors.

Determining whether a company is affected by NIS-2

The law requires companies to assess for themselves whether they fall under NIS-2 and, if so, which category (particularly important or important entity) they belong to. Alongside the sector, size thresholds based on headcount and turnover decide the outcome. A company in one of the listed sectors is an important entity if it has at least 50 employees, or an annual turnover and an annual balance sheet total each exceeding 10 million euros; companies below both thresholds are generally out of scope unless a sector-specific rule applies regardless of size. Particularly important entities are, in addition to KRITIS operators, the large enterprises in the relevant sectors (at least 250 employees, or turnover above 50 million euros and balance sheet total above 43 million euros).

To support this self-assessment, the BSI has published a decision tree and an online tool that companies can use to determine whether they are affected.

The most important obligations for companies under NIS-2

The following obligations apply to both important and particularly important entities:

  • Registration with the BSI in a two-step process: first with the digital service ‘My Company Account’ (MUK, Mein Unternehmenskonto), then on the BSI registration portal. The BSI provides a comprehensive help page for this.
  • Incident reporting. Organisations must report significant security incidents, including serious operational disruptions, to the BSI. Reporting is staged: an initial report within 24 hours of becoming aware of the incident, an update within 72 hours and a final report within one month.
  • Risk management. Organisations must take appropriate, proportionate and effective technical and organisational measures. The catalogue of minimum measures covers:
    • Concepts for risk analysis and IT security
    • Incident response
    • Business continuity management, such as backup management and disaster recovery, and crisis management
    • Supply chain security, including security-related aspects of the relationships with direct suppliers and service providers
    • Security in the acquisition, development and maintenance of IT systems, components and processes, including vulnerability management and disclosure
    • Concepts and procedures for evaluating the effectiveness of the IT security risk management measures
    • Basic training and awareness-raising measures in IT security
    • Concepts and processes for the use of cryptographic procedures
    • Concepts for personnel security, access control and the management of ICT systems, products and processes (asset management)
    • Use of multi-factor authentication (MFA) or continuous authentication, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the entity
  • Responsibility for implementation and monitoring lies with senior management. Managers are personally liable for it and are legally required to undergo training; the BSI has published a guide with training recommendations.

For particularly important entities, the following also applies:

  • Proactive and in-depth supervision by the BSI
  • Mandatory audits
  • Faster and more intensive sanctions and supervisory measures

Risk management under NIS-2: How VPN solutions support companies

Several of the NIS-2 risk management requirements can be supported with NCP’s professional VPN and remote access solution:

  • Secure remote access. NIS-2 requires networks to be protected against unauthorised access. NCP offers granular access control (role-based policies, endpoint policies, centralised management) and multi-factor authentication (MFA) for access to networks and applications. These features directly contribute to strong authentication and access control.
  • Encryption of data in transit. NCP encrypts traffic along the tunnel between the VPN client and the VPN gateway using IPsec, which satisfies the requirement for adequate encryption and protects the confidentiality of sensitive data on untrusted networks. Note that the protection ends at the gateway; traffic between the gateway and the internal application is only covered if it is encrypted separately.
  • Centralised management and documentation. Business units can be administered centrally and separated logically with the NCP VPN solution, which limits lateral movement after a compromise. At the same time, policies, certificates and access events are logged in an auditable manner, which supports the documentation and effectiveness reviews NIS-2 calls for.
  • Supply chain and endpoint protection. MFA together with endpoint policy checks (for example antivirus status, OS version, domain membership) reduces the risk that insecure devices or external access by suppliers and service providers become an entry point for attacks. Such checks are a compliance gate, not a substitute for patching the endpoints themselves.
  • Business continuity support. VPN failover functions and centralised management contribute to availability and support business continuity in line with NIS-2 (BCM and redundancy).

Implementation of NIS-2: progress and remaining challenges

Implementation of NIS-2 is in full swing at companies, helped by the BSI’s extensive awareness and advisory work. According to a recent Statista survey commissioned by G DATA, 63% of companies in Germany have begun implementation, but one in four has not yet started.

With publication of the law in the Federal Law Gazette, NIS-2 applies without any further transition period. Violations can be punished with fines of up to 10 million euros or up to two per cent of annual turnover, whichever is higher (lower ceilings apply to important entities). According to media reports, however, companies currently only need to expect fines in extreme cases, as the BSI is pursuing a business-friendly approach and is focusing on advising and supporting companies during implementation. After all, the purpose of NIS-2 is to help companies protect themselves against cyber threats. BSI President Claudia Plattner expects the growing implementation of NIS-2 to bring a noticeable improvement in the IT security situation in Germany; the BSI’s next status reports will show whether this is the case.

Nevertheless, implementation remains a major challenge, especially for smaller companies with limited resources. Integrated security solutions such as those from NCP offer a practical advantage here: several NIS-2 requirements can be addressed at once and in a practicable way, an important step towards sustainable compliance and higher IT security.
