NIS-2 in force: TÜV NORD GROUP warns companies of cyber risks and calls for swift action

The threat of cyber attacks in Germany remains high. German companies, public authorities and private individuals are not adequately protected against cyber attacks, according to the latest IT security report from the Federal Office for Information Security (BSI). According to the report, small and medium-sized companies are particularly affected. TÜVIT, a subsidiary of the TÜV NORD GROUP, warns companies of the elementary and financial damage caused by a cyber attack, as well as the high penalties for failing to carry out IT security activities that are now in force. "Only by taking proactive measures can we ensure the security of our digital infrastructure and prevent economic damage," says Jacques Kruse Brandao, Global Head of Advocacy at TÜVIT. The European Union launched the NIS 2 Directive to increase resilience against cyber attacks. Yesterday (13 November 2025), the German Bundestag passed the law implementing the European NIS-2 Directive. The Bundesrat still has to give its approval.

The NIS 2 Directive significantly expands the scope of the previous NIS Directive. "While the previous directive focussed primarily on critical infrastructure such as energy suppliers or the financial sector, postal and courier services, vehicle and mechanical engineering companies, the food sector and digital services are now also included," explains Kruse Brandao. "The NIS-2 applies to companies with 50 or more employees and a turnover of ten million euros from 18 defined industries and sectors."

In Germany, an estimated 29,000 companies will be affected by NIS-2, and around 400,000 in Europe. The directive not only requires companies to carry out a comprehensive risk analysis and implement suitable security measures, but also to train their employees in cybersecurity. "Cybersecurity management is becoming mandatory for the companies concerned," emphasises Kruse Brandao. "In future, management will be responsible for implementing security measures and can no longer delegate this to third parties."

TÜVIT, an expert in IT security, supports companies in implementing the NIS-2 directive. "Companies affected by NIS-2 should take action now to implement the necessary measures," advises Kruse Brandao. "It is crucial to take a close look at the cybersecurity of the supply chain and seek external support if necessary."

The introduction of the NIS 2 Directive also introduces strict reporting obligations. The supervisory authorities must be informed of an incident within 24 hours and of the countermeasures taken within 72 hours. Violations can result in severe penalties of up to ten million euros or up to two per cent of annual global turnover.

TÜVIT offers comprehensive services to support companies in fulfilling the requirements of the NIS 2 Directive, for example with vulnerability analyses. "The enormous damage caused by cyber attacks makes it clear that companies should regard cyber security as a central task. This includes reducing attack surfaces, strengthening technical protection measures and setting up efficient emergency management," says Kruse Brandao.

Founded over 150 years ago, we stand for security and trust worldwide. As a knowledge company, we have our sights firmly set on the digital future. Whether engineers, IT security experts or specialists for the mobility of the future: in more than 100 countries, we ensure that our customers become even more successful in the networked world.