
Secure by Design: From Compliance to Cyber Resilience

Bottom line: The EU NIS2 Directive triples the number of regulated organizations in Germany from 4,500 to 29,500. Cybersecurity must be understood as a holistic approach – not merely as a compliance checkbox, but as effective integration of processes, responsibilities, and architecture.

The new EU NIS2 Directive significantly tightens cybersecurity requirements. No longer only classic critical infrastructure operators, but also IT service providers, cloud providers, and many small and medium-sized enterprises now fall within its scope. The German Federal Office for Information Security (BSI) expects an increase from around 4,500 to approximately 29,500 affected organizations in Germany.

The NIS2 Directive establishes, for the first time, a binding minimum standard for cybersecurity. Importantly, security is far more than just the implementation of technical measures – it represents a holistic combination of processes, responsibilities, and architecture. What matters is not merely the existence of security controls, but their actual effectiveness in daily operations.

The impact is substantial: while previously around 4,500 organizations in Germany were regulated as critical infrastructure operators, NIS2 raises this number to approximately 29,500 enterprises across 18 different sectors. Even group-internal IT service providers can fall within the regulatory scope if they provide operational services for the network and information systems of other group companies and hold administrative access to those systems.

A common mistake is reducing security to a mere compliance checklist. Organizations that treat security primarily as a regulatory checkbox often overlook critical vulnerabilities – until a security incident exposes them, bringing costly delays and significant damage. The changing threat landscape makes a proactive rethinking necessary.
