Cybersecurity Reform Faces Scrutiny as NIS2 Implementation Lags
Berlin, October 16, 2025 – Concerns are mounting over the pace of implementing the EU’s Network and Information Systems Directive 2 (NIS2), with industry groups calling for swift clarity and legal certainty as deadlines approach. While acknowledging ongoing political discussion, the German association for IT companies, eco, is calling for a finalized legal framework to ensure businesses can adequately prepare for the directive’s cybersecurity requirements.
The NIS2 Directive aims to establish a new baseline for cybersecurity across the European Union, significantly expanding the scope of organizations considered “essential” and subject to stricter security obligations. Delayed implementation threatens to leave critical infrastructure and essential services vulnerable, potentially impacting both economic stability and citizen safety. The directive’s focus on proactive cyber resilience, coupled with harmonized reporting requirements, is intended to strengthen the EU’s collective cybersecurity posture.
Recent developments highlight the ongoing process. On July 30, 2025, the German government presented a draft law to implement NIS2, a move lauded by Claudia Plattner as a meaningful step towards modernizing German IT security law. At the same time, discussions are underway regarding the interplay between NIS2 and existing data protection regulations like GDPR, with experts noting that GDPR compliance can ease the transition to NIS2’s cyber resilience requirements.
Upcoming events, such as a DsiN talk on October 27, 2025, are designed to address the opportunities and challenges NIS2 presents for small and medium-sized enterprises (SMEs). Further guidance from the European Union Agency for Cybersecurity (ENISA), published on June 26, 2025, provides technical implementation details for the directive. However, eco emphasizes that these resources are insufficient without a firm legal foundation.