EU Commission Reacts to Lack of Implementation
As of June 2025, 20 EU member states, including Germany, had still not transposed the NIS2 directive into national law. The deadline for transposition expired on October 17, 2024. The European Commission is now taking decisive action: EU-wide infringement proceedings before the European Court of Justice are being prepared.
Germany: Draft bill available, but no law yet
In Germany, the Federal Ministry of the Interior (Bundesinnenministerium, BMI for short) is responsible for implementing the NIS2 directive. In May 2025, the BMI published the draft bill for the NIS2 Implementation Act (NIS2UmsuCG). This is an important milestone, but the legislative process is still in its early stages.
The statements from the federal states and associations are still pending. Only after these statements are received can the cabinet consider the proposal, which is not expected before late summer 2025. Final approval by the Bundestag and Bundesrat is expected to take until November 2025.
EU Commission increases pressure, Interior Minister reacts
Faced with the threat of fines, the new Federal Interior Minister Alexander Dobrindt is determined: He wants to avoid a lawsuit against Germany at all costs and publicly emphasizes the priority of the legislative proposal. In June 2025, Dobrindt elaborates on the timeline and ultimately sets the goal of passing the law by the end of 2025.
Why companies should take action now
Regardless of the final wording of the legislation, one thing is clear: the requirements of the NIS2 directive are extensive, technically and organizationally demanding – and they will be implemented. Operators of critical and essential facilities will be particularly affected, including companies in the energy, transport, financial, healthcare, digital services, and many other sectors.
The time until national implementation must not be wasted. Companies starting to review and digitalize their governance, risk & compliance (GRC) processes gain a clear advantage and minimize the risk of sanctions, reputational damage, and security incidents.
Athereon GRC: software-supported NIS2 readiness
The modular GRC software Athereon GRC enables efficient and audit-proof implementation of regulatory requirements such as NIS2. The solution supports companies in documenting information security processes, conducting risk assessments, clarifying responsibilities, and preparing for audits—all within a single, centralized system.
Now is the ideal time to strengthen your cyber resilience and prepare sustainably for upcoming legal requirements. Because one thing is certain: the NIS2 directive is coming, and with it, new obligations.
