Germany Braces for Cybersecurity Overhaul: NIS2 and the Cyber Resilience Act
Thousands of German companies are facing a significant shift in cybersecurity regulations as the EU’s NIS2 Directive and the forthcoming Cyber Resilience Act (CRA) demand stricter IT security measures. This marks a departure from voluntary standards, ushering in an era of mandatory compliance and heightened responsibility.
NIS2: Registration Deadline Looms for 29,000 Organizations
March 6, 2026, is a critical date for approximately 29,000 German organizations in sectors such as energy, healthcare and digital infrastructure. By then they must register with the Federal Office for Information Security (BSI); the deadline follows from the German NIS2 implementation act, which took effect on December 6, 2025 and gives affected entities three months to register. The size thresholds are at least 50 employees, or an annual turnover and balance-sheet total each exceeding €10 million. Size alone does not trigger the obligation: the organization must also operate in one of the sectors listed in the law, and some entities, such as operators of critical infrastructure, are covered regardless of size.
However, registration is just the first step. NIS2 requires comprehensive risk management measures, clear processes for handling security incidents, and strict reporting obligations: a significant incident must be reported to the BSI with an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month. Experts warn that many companies underestimate the ongoing effort required for compliance; in one survey, 17 percent admitted they had barely begun implementation.
BSI Outlines Path to Cyber Resilience Act Compliance
Alongside NIS2 implementation, the BSI is preparing for the next wave of EU regulation. On Monday, the authority published a draft of the technical guideline TR-03183-H, describing a path to compliance with the Cyber Resilience Act (CRA). The CRA's requirements become fully mandatory for manufacturers of products with digital elements on December 11, 2027; its reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from September 11, 2026.
The draft covers "Module H," the CRA's conformity assessment procedure based on full quality assurance, in which a notified body evaluates the manufacturer's quality management system rather than examining each product individually. Manufacturers can build on an existing ISO/IEC 27001-certified management system as the foundation for that assessment. Manufacturers and industry associations have until March 31, 2026, to submit feedback on the draft.
AI: A Double-Edged Sword in the Threat Landscape
The increased regulatory pressure is a direct response to a rapidly evolving threat landscape, where artificial intelligence plays a dual role. It’s both a weapon for attackers and a tool for defenders.
AI-generated disinformation campaigns are a growing concern. A CISO from BASF recently warned of a new extortion method involving the creation of fake datasets and alleged victim lists to pressure companies. These deceptions complicate the verification of security incidents.
Simultaneously, attackers are using AI to personalize phishing campaigns and CEO fraud attempts, making the “human firewall” a critical security factor. Defenders are countering with AI-powered systems that detect anomalies and proactively hunt for threats. The speed of modern attacks necessitates automated defense mechanisms that react in seconds.
The End of Voluntary Cybersecurity
NIS2 and the CRA signal the end of an era in which cybersecurity was optional. It is becoming a legal obligation with standards that must be demonstrably met, and under NIS2 management is personally responsible for approving and overseeing the risk management measures. Companies must integrate security into their core business strategy rather than treating it solely as an IT issue.
The focus is shifting from pure prevention to comprehensive cyber-resilience across the entire lifecycle, from secure product development (CRA) to the secure operation of internal infrastructure (NIS2). Integrated security platforms and holistic approaches such as Zero Trust are gaining prominence.
A Marathon Begins
With the NIS2 deadline approaching, affected companies are embarking on a long-term effort. Implementing and continuously improving security measures will be an ongoing task. Simultaneously, the CRA requirements will grow clearer in the coming months.
The planned shortening of the maximum validity period for publicly trusted TLS certificates, which begins in March 2026, will further accelerate the trend toward automation: renewal cycles that are too short to handle manually drive demand for automated certificate management and for intelligent, compliance-focused platforms.
Companies that fail to invest strategically risk more than just penalties; they jeopardize their competitiveness in an increasingly connected – and threatened – digital world.
Frequently Asked Questions
What is NIS2? NIS2 is the second EU directive on network and information security, aiming to harmonize cybersecurity levels across the EU.
What is the Cyber Resilience Act? The CRA will mandate cybersecurity requirements for manufacturers of digital products.
Who needs to comply with NIS2 in Germany? Organizations in the regulated sectors with at least 50 employees or with annual turnover and balance-sheet total each above €10 million, plus certain entities (such as critical infrastructure operators) regardless of size.
What is the deadline for NIS2 registration? March 6, 2026.
What is Zero Trust? A security framework based on the principle of “never trust, always verify.”
Did you know? The number of regulated entities in Germany is expected to rise from approximately 4,500 to around 29,000 as a result of NIS2.
