Representative study reveals significant differences

NIS 2 is not yet officially in force, but more than 63 per cent of companies have already begun implementation or are currently in the process of doing so. This is one of the findings of the representative study ‘Cybersecurity in Numbers’ by G DATA CyberDefense, Statista and brand eins. Only one-eighth of companies have already fully implemented the directive. Companies that are just starting to plan or have not yet begun are falling behind schedule.

Germany, along with several other countries, is lagging behind in the implementation of the second Network and Information Security Directive (NIS-2). The original EU deadline of 17 October 2024 has already passed. It is currently assumed that NIS-2 will come into force at the beginning of 2026. Regardless of the legislative process, however, numerous companies have begun implementing the regulatory requirements early on. In the representative study ‘Cybersecurity in Numbers’ by G DATA CyberDefense, Statista and brand eins, almost two-thirds of IT and management executives report active implementation measures. Of these, more than 30 per cent are in the middle of the process. One in five respondents said their company is in the final implementation phase. Twelve percent of companies have already fully implemented the necessary measures. It is worrying that one in four companies is only just getting started or has not yet begun. The time pressure is increasing here, because NIS-2 is complex and cannot be implemented in a rush. In addition, NIS-2 applies without a transition period.

‘Many companies are currently still in the planning phase. This is an important step, but one that shows how crucial it is to take action now,’ says Andreas Lüning, co-founder and CEO of G DATA CyberDefense. “Smaller businesses in particular are faced with the task of making targeted use of their limited resources. Those who take action now are laying the foundation for a strong, resilient company – and demonstrating courage, responsibility and foresight in an ever-changing digital world.”

About NIS-2: Latecomers under time pressure

The NIS-2 Directive introduces risk-based cybersecurity management and sets clear governance requirements. IT managers must not only implement technical measures, but also demonstrate that the IT security strategy is anchored in corporate management. Essentially, it is about strengthening information security at the operational level. The new directive affects tens of thousands of companies in Germany and covers a total of 18 economic sectors, 11 of which are classified as ‘highly critical sectors’. These include energy, transport, banking, financial market infrastructures, healthcare, wastewater disposal and digital service providers.

Cybersecurity in figures for download

‘Cybersecurity in Figures’ has been published for the fifth time and is characterised by a high density of information and particular methodological depth: More than 5,000 employees in Germany were surveyed in a representative online study on cybersecurity in a professional and private context. The experts at Statista closely monitored the survey and, thanks to a sample size that far exceeds the industry standard, are able to present reliable and valid market research results in the magazine ‘Cybersecurity in Figures’. In addition, the market researchers have compiled figures, data and facts from more than 300 statistics into a comprehensive reference work on IT security.

Those interested can find further information on NIS-2 here.