NIS2 and CER Rippling the Waves in 2025
Ulrich Plate, Senior Information Security Consultant at nGENn GmbH and Head of the eco KRITIS Competence Group, outlines how NIS2 and CER Directives will reshape Europe’s critical industries with expanded scope and stricter compliance.
There is no doubt that Europe’s new cybersecurity legislation – namely the NIS2 Directive on network and information security and the Critical Entities Resilience Directive (CER) – will have an exceptional impact on the robustness and governance of critical industries, and of the information and communication technology sector in particular, throughout Europe. Sooner or later they will be enforced, even though their transposition into national law has been postponed in many member states and nobody can say when it will finally be completed.
A significant expansion of regulated entities
Once the pending transposition of the NIS2 Directive into German law is concluded, the number of companies in its scope is estimated to reach at least 30,000 in Germany alone. This is a huge increase from the roughly 1,150 providers of critical infrastructure services currently registered with the German Federal Office for Information Security (BSI), the supervisory authority for these so-called “KRITIS” operators – the very same operators that will be regulated under the CER and its German transposition, the “KRITIS-Dachgesetz,” with very few changes in scope compared to the original Critical Infrastructure Act of 2015. Even counting the further 3,500 “digital service providers” that have had to comply with statutory cybersecurity obligations for years, the introduction of NIS2 and its cybersecurity requirements will expand the number of directly regulated entities to more than six times the previous figure. Moreover, companies in the supply chain of those directly regulated entities could multiply the figures to an extent that is very difficult to estimate, but that will certainly affect practically every provider in the ICT services sector: all suppliers of products and services that contribute to critically relevant business processes will have to comply with most of the same rule set as their directly NIS2-affected clients, typically via contractual obligations imposed by those clients.
Delayed implementation and missed deadlines
Things remain somewhat unclear regarding when NIS2 and CER will come into full effect across the European Union. The deadline set in both directives, 17 October 2024, has already passed for most member states: by that date, national legislators were expected to have transposed NIS2 and CER into their domestic legal frameworks. Both directives have been in force at EU level since January 2023 and are intended to ensure that facilities classified as critical in one way or another can maintain a stable supply of vital goods and services to the population of the member states.
While the CER sets the rules for physical protection against sabotage and other attacks, cybersecurity – i.e. the security of information and communication technology – is regulated in NIS2. NIS2 covers a total of eighteen sectors in its two annexes, eleven of which are also within the scope of the CER; for these sectors the directives define comprehensive requirements on risk management and on the application of physical and cybersecurity measures.
By missing the deadline – along with more than twenty other EU member states – Germany has become subject to the infringement procedures that the European Commission opened at the end of November 2024 against all countries that had failed to fully transpose the directives. With the dissolution of the German Bundestag, all pending bills, including the draft NIS2 implementation act, lapsed and must be reintroduced after the elections and the formation of a new federal government, so Germany will probably have to face the full force of the Commission’s infringement procedures.
Widespread uncertainty for organizations
Among the organizations potentially affected by the regulatory reform on cybersecurity and the resilience of critical entities, what is known so far about the technical and operational requirements has triggered unrest similar to that witnessed between 2016 and 2018 during the implementation phase of the General Data Protection Regulation (GDPR). One key difference, however, is that it is far harder to determine who will be affected. With the GDPR, it was virtually every entity that ever processed personal data, whereas NIS2 uses a more elaborate system of sector annexes and size thresholds to identify who falls under its rules. Business associations and consultants are helping companies determine whether their sector affiliation and service portfolio suggest that they will be directly in scope or indirectly affected as a link in the supply chain. The responsibility for this self-assessment of NIS2 applicability lies entirely with the companies themselves: supervisory authorities like the BSI are in no position to make the assessment, as they lack not only the staff but also the data on headcount and financial figures of companies across critical sectors needed to determine whether they exceed NIS2’s size-cap thresholds (in general, 50 or more employees or an annual turnover and balance sheet total above EUR 10 million, with a number of size-independent exceptions for particular services).
Supply chain complexity and compliance challenges
Although the directive’s reach over individual “essential” and “important” entities can be predicted quite reliably, the expanded scope is so vast that many of the companies that will be affected have no idea what awaits them. Supply chain security requirements are particularly difficult to assess: companies under NIS2 rules have to define cybersecurity obligations contractually with all external partners – covering all outsourced or other third-party ICT services, and even hardware and software suppliers, wherever their services or products affect business-relevant processes of the regulated entity.
Key changes introduced by NIS2
In essence, NIS2 will bring three fundamental changes for affected organizations. Firstly, more than twice as many sectors will be classified as critical compared to what was previously within the scope of the regulation. Secondly, violations of the NIS2 requirements will be subject to a considerably stricter catalogue of fines than today’s: up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities, turnover-based caps modelled on those the GDPR introduced at the time. And thirdly, perhaps the most far-reaching change: NIS2 introduces top-level managerial responsibility on a level far beyond past legislation. In a blunt reading of Article 20 of NIS2, management bodies must “approve the cybersecurity risk-management measures (…), oversee its implementation and (…) be held liable for infringements,” which means that executives may personally have to answer claims for damages or pay fines out of their own pockets if they neglect their cybersecurity duties.
Preparedness and overlap with existing standards
For those already familiar with information security management of their company’s IT and network technology, the requirements to be met in future are hardly new or troublesome to achieve. Most of them are already standard under previous IT security laws or common practice. Many companies have voluntarily adopted an Information Security Management System (ISMS) and have even obtained certification in accordance with ISO 27001 or its German counterpart, the BSI’s “IT-Grundschutz,” mostly in order to avoid losing important customers who require proof of cybersecurity measures along their supply chain. IT-Grundschutz compliance is also frequently required of bidders in tendering procedures for projects in Germany’s public sector. Since approximately 72% of the NIS2 risk-management measures are already covered by controls in the ISO 27001 standard, organizations that are already certified will have fewer difficulties in fulfilling the requirements of the European regulation.
Changes under CER for critical service providers
As for the conditions applying to critical service providers under the CER (or the KRITIS-Dachgesetz), the most important change from previous regulations lies in the compulsory risk-management measures, which have yet to be specified in detail but will follow an all-hazards approach that encompasses physical security. During the law’s transition period, critical entities, their industry associations and the supervising authority – in this case Germany’s Federal Office of Civil Protection and Disaster Assistance (BBK) – will cooperate in developing a catalogue of standard procedures that covers both the existing KRITIS cybersecurity measures and the new demands set out in the articles of the CER Directive.
Conclusion
The NIS2 and CER Directives represent a pivotal step toward strengthening cybersecurity and resilience across Europe’s critical industries. While their implementation poses significant challenges – particularly because of widespread delays, expanded scope and complex supply chain requirements – organizations with existing ISO 27001 or IT-Grundschutz certifications are better positioned for compliance.
To ensure a smooth transition, effective collaboration between policymakers, industry associations, and supervisory authorities is essential. Clear guidance, realistic timelines, and practical frameworks for compliance will be crucial to mitigate uncertainty and ensure successful implementation. With proper execution, these transformative regulations can enhance not only the security of critical sectors but also the trust and stability of Europe’s digital infrastructure.
Ulrich Plate currently leads eco’s Competence Group for Critical Infrastructure Providers (KG KRITIS). Since 1995, he has held various management positions in ISPs and infrastructure/network consultancies. From 2005 to 2017, he worked as a Political Advisor to Members of the German Bundestag. He then served as the Chief Information Security Officer (CISO) at aconium GmbH (formerly known as atene KOM) from 2017 to 2022. In 2022, he returned to nGENn as CISO, continuing his contributions to cybersecurity and critical infrastructure protection.