German Companies Largely Underestimate and Fail to Comply with NIS2 Cybersecurity Directive
Many German firms unaware of and failing to meet NIS2 cybersecurity directive requirements, risking heavy penalties and cybersecurity breaches.
- 48% of German companies underestimate their NIS2 obligations, with 92% of revenue-strong small businesses mistakenly believing they are exempt.
- NIS2 Directive expanded regulated firms from 4,500 to 30,000; mandates registration with BSI, risk management, and incident reporting with executive personal liability.
- Annual cyberattack costs exceed €202 billion in Germany, yet many companies neglect AI cyber risks and supply chain security, with 75% not conducting partner audits.
- Only 13% invest in reducing technological dependencies despite 80% of EU software spending going to US providers, raising digital sovereignty concerns.
Key details
Since December 6, 2025, the European NIS2 Directive has been in force in Germany, dramatically expanding the scope of cybersecurity regulation from about 4,500 to 30,000 companies, including all firms with over 50 employees or revenues exceeding €10 million. These companies must register with the Federal Office for Information Security (BSI) by March 6, 2026, implement rigorous risk management protocols such as multi-factor authentication, and promptly report significant cybersecurity incidents. Crucially, the directive holds company executives personally liable for breaches, imposing fines up to €10 million or 2% of global turnover.
Despite these strict requirements, German companies are seriously underestimating their obligations. According to the Cyber Security Report 2026 by Schwarz Digits, 48% of firms do not fully recognize their responsibilities under NIS2. Small businesses with strong revenues are especially unaware, with 92% wrongly believing they are exempt. This lack of awareness persists amid alarming cyber risks; cyberattacks cost the German economy over €202 billion annually, representing 70% of total economic damages.
Moreover, the report highlights substantial gaps in cybersecurity practices. While 73% of large companies have implemented clear AI usage guidelines, over half of all surveyed firms underestimate the cyber threats posed by AI, overlooking emerging risks like autonomous AI attacks that can manipulate physical processes. Supply chain vulnerabilities also remain unaddressed: half of companies report cyberattacks via suppliers, but 75% fail to conduct regular security audits of these partners.
Only 13% of organizations invest in reducing technological dependencies, despite 80% of EU software spending flowing to US providers, underscoring challenges to digital sovereignty. Many companies feel inadequately supported by government agencies, with 62% expressing dissatisfaction with official guidance. Christian Müller, co-CEO of Schwarz Digits, emphasized that cybersecurity is no longer merely an IT issue but a strategic management priority, warning of severe repercussions for businesses lagging in compliance.
Overall, this widespread underestimation of NIS2 responsibilities puts German companies at significant risk of penalties, operational disruptions, and strategic vulnerabilities as the registration deadline looms and cyber threats intensify.
This article was translated and synthesized from German sources, providing English-speaking readers with local perspectives.
Source articles (3)
Source comparison
Percentage of companies feeling inadequately supported by authorities
Sources report different percentages of companies feeling inadequately supported by authorities.
heise.de
"only 21% of companies believing that existing political measures provide adequate protection."
tweakpc.de
"62% of companies feel inadequately supported by authorities."
Why this matters: One source states that 21% of companies believe existing political measures provide adequate protection, while another claims 62% feel inadequately supported. This discrepancy affects understanding of how businesses perceive governmental support regarding NIS2 compliance.