Secure by Design: From Compliance to Cyber Resilience

To the point: NIS2 expands the circle of regulated organizations in Germany from 4,500 to 29,500. The new directive demands more than technical controls – it requires integrated processes, clearly defined responsibilities, and effective security architecture in daily operations.

The new EU directive NIS2 significantly tightens cybersecurity requirements. Whereas approximately 4,500 CRITIS operators were previously regulated in Germany, NIS2 now encompasses around 29,500 organizations from 18 sectors – including IT service providers, cloud providers, and many SMEs.

NIS2, the updated EU directive on cybersecurity, marks a turning point in the regulatory landscape. The Federal Office for Information Security (BSI) assumes that IT service providers may fall within the scope of NIS2 if they provide operational services for the network and information systems of other group companies and possess administrative access.

For the first time, the directive establishes a binding minimum standard for cybersecurity. However, this standard encompasses far more than isolated technical measures. Security is rather a holistic combination of structured processes, clearly defined responsibilities, and thoughtful architecture. The crucial point is not merely the existence of individual controls, but their practical effectiveness in daily operations.

Many organizations have so far treated security merely as a compliance checklist – a regulatory control box to be checked off. This perspective leads to critical blind spots: vulnerabilities remain undiscovered until an actual crisis occurs and valuable time is lost. The changing threat landscape, however, demands a rethink: security must be embedded in the DNA of organizations.