With the NIS 2 regulation, the European Union has established binding requirements for cybersecurity. The IT experts at TÜVIT, a company within the TÜV NORD GROUP, conclude: many affected companies have so far not implemented the new requirements at all, or only to an insufficient extent.

With the NIS 2 regulation, the European Union has established binding requirements for cybersecurity. The aim is to oblige companies to better protect their IT systems and digital infrastructures against attacks. The directive represents a key building block for the stability of the economy and society. Since 6 December 2025, these requirements have also applied under German law. Six months later (6 June 2026), the IT experts at TÜVIT, a company within the TÜV NORD GROUP, conclude: many affected companies have so far not implemented the new requirements at all, or only to an insufficient extent.
“In practice, we often see that NIS 2 is still underestimated or reduced to individual technical measures,” says Tim Golly, Lead Expert Management Systems at TÜVIT. “Based on our experience, only around one in ten companies has fully implemented the requirements so far. This is also reflected in various studies, for example the study on IT security in companies by DIGITAL.SICHER.NRW, the competence centre for cybersecurity in the economy of North Rhine-Westphalia. And this is despite the fact that the economic damage caused by cyberattacks continues to rise year after year.”
Around 30,000 companies in Germany now fall under the NIS 2 regulations. TÜVIT considers the impact on critical supply chains to be particularly serious. In many cases, a single inadequately secured service provider or supplier is enough to bring entire value creation processes to a standstill, for example through production outages, disrupted IT services or delayed responses to security incidents.
“The greatest challenges often do not lie in the technology,” Golly explains. “What matters are clear leadership, decision-making and reporting structures – and this is precisely where we still see considerable room for improvement in many companies.”
From TÜVIT’s perspective, the solution is less complex than often assumed – but it does require a change in mindset. “The path to NIS 2 implementation begins at management level,” says Golly. According to him, companies that make good progress firmly embed cybersecurity in their corporate governance. They first clarify the extent of their exposure and create transparency regarding their current status. Building on this, they take a holistic view of risks, not only from an IT perspective but also with regard to supply chains, physical dependencies and organisational vulnerabilities. Equally important are clearly defined responsibilities and effective reporting and crisis processes that are regularly tested so that they function in an emergency. “Ultimately, proof is what counts: companies must be able to demonstrate that their measures actually work – self-assessments alone are no longer sufficient,” Golly adds. “NIS 2 is not an IT project, but a leadership issue. Those who clearly establish responsibilities, processes and evidence reduce liability risks, gain operational certainty and strengthen the trust of customers and partners.”
According to TÜVIT, demonstrable cyber resilience is therefore increasingly becoming a prerequisite for business relationships – particularly in regulated and safety-critical sectors.
