With the transposition of the NIS2 directive into German law, the cybersecurity responsibilities of many companies have fundamentally changed. Since December 6, 2025, significantly stricter requirements for information security, risk management and documentation have applied. However, many organizations still lack a realistic overview of their actual security status.
What makes matters worse: the statutory registration deadline with the responsible authorities expired on March 6, 2026. Since then, many affected companies have been struggling with the question of whether their existing security measures even meet the regulatory requirements.
Between isolated measures and the lack of an overall strategy
Many companies already have technical protection mechanisms in place, such as firewalls, access controls or backup concepts. What is often missing, however, is a comprehensive assessment of the security architecture as a whole. Processes, responsibilities and risk assessments are frequently only partially documented or not systematically coordinated with one another.
This is exactly where so-called GAP analyses come into play. They are intended to make visible the gaps between the current security level and the requirements of the NIS2 directive. The aim is not to implement measures in isolation, but to prioritize them and embed them in a traceable way into an overall strategy.
“Cybersecurity is increasingly developing into a company-wide management task,” say security consulting professionals. In the future, companies would not only have to implement security measures, but also be able to demonstrate “how systems are operated, risks are assessed and security processes are documented”.
Self-assessments are intended to make it easier to get started
To make it easier to get started with the regulatory requirements, providers such as AirIT-Systems now offer structured self-assessments. The company’s “NIS2 GAP Analysis Self Assessment” is based on the requirements of ISO 27001 and is intended to help companies systematically classify their current level of maturity.
The various subject areas of information security are rated against defined maturity levels. This gives companies an initial picture of which requirements are already being met and where specific action is needed.
The main advantage of such analyses is transparency. Those responsible for security can identify risks at an early stage and prioritize investments more precisely. Medium-sized companies in particular benefit from this, because they often do not have fully developed compliance and security departments.
NIS2 increases the pressure on management
The practical implementation of NIS2 now clearly shows that cybersecurity is no longer the exclusive responsibility of the IT department. Executive management and leadership are increasingly accountable for actively controlling security risks and demonstrably complying with regulatory requirements.
The experience of the past few months also shows that many organizations continue to misjudge whether they themselves fall within the scope of NIS2. This creates dangerous delays in the implementation of necessary security measures.
