Implementation of the NIS-2 Directive Has Been Postponed. What Is the Impact on the KRITIS Compliance Audit?

26. February 2025

What's next for NIS-2? Due to the early elections in Germany, the parliamentary procedure for the NIS-2 implementation law NIS2UmsuCG could not be completed. This means that, for now, there is no legal basis for many of the new cyber security requirements for companies.

But which legal framework applies now? For operators of critical infrastructures (KRITIS) in particular, the question arises as to whether the existing obligation to provide proof of compliance every two years will remain.

Our colleague Vinzent Ratermann, Managing Consultant and expert for IT security of critical infrastructures, explains:

Yes, the 2-year frequency will continue to apply for the present! As long as there is no legislation to implement the NIS-2 Directive in Germany, the BSI Act, which requires a two-year audit cycle, will continue to apply. Experience shows that the new government will also draw up a new law on NIS-2 implementation, which means that the times from the current draft of the NIS2UmsuCG may be changed again. The audit frequency may therefore remain unchanged, be increased to 3 or more years, or even be reduced to 1 year. This remains to be seen. The verification obligations for important and very important companies could also change, meaning that even very important companies will have to provide regular verification.

I stand by my recommendation: All KRITIS companies should also undergo an audit in accordance with the new NIS 2 requirements in the next audit cycle. This is only a minor additional effort in the audit process, but can be very useful for further planning.


If you need support with your KRITIS audit, get in touch. We are happy to help.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories