At a pivotal moment in Germany’s legislative timeline, ISC2 brought stakeholders together to examine how NIS2 can strengthen the country’s long-term cyber resilience.
As Germany moved towards final steps to transpose the EU NIS2 Directive into national law, ISC2 convened a timely policy roundtable in Berlin on November 10 to examine what meaningful cyber resilience will require in the years ahead. Held at a pivotal legislative moment, the discussion took place just days before the final vote that transposed NIS2 into national law on November 13. It also occurred one month before the new law entered into force on December 6.
The event brought together key parliamentary groups, policymakers, industry voices and cybersecurity practitioners. Their focus was one of Germany’s most pressing challenges: ensuring the country has the skills, workforce and governance structures needed to operationalize NIS2 effectively.
NIS2 is the European Union’s updated cybersecurity directive that significantly expands the number of regulated sectors, raises security requirements and introduces stricter incident-reporting obligations. Because it imposes more rigorous expectations for risk management, accountability and supply-chain security, NIS2 will reshape operational practices across organizations of all sizes, making Germany’s ability to build capacity and readiness a central concern for cybersecurity professionals.
Against this backdrop, the roundtable, attended by event sponsor Member of Parliament (MP) Jeanne Dillschneider, explored how Germany can shift from a narrow compliance mindset to a resilience-driven approach that strengthens national security, supports digital transformation and sustains long-term economic competitiveness.
Since December 6, affected companies have been required to register with the BSI as NIS2 entities. In addition, they must implement and document IT risk management measures and report significant security incidents to the BSI. With this law, the BSI is becoming the central reporting authority for cybersecurity in Germany.
NIS2: A Necessary Step Amid Rising Cyber Threats
Participants noted that Germany is experiencing cyber threats at an unprecedented scale, with attacks increasing dramatically over the past year. According to ISC2’s 2024 Workforce Study, 72% of cybersecurity professionals in the EU agree the threat landscape is the most challenging they have experienced in the last five years. In this context, attendees broadly viewed the overdue transposition of NIS2 as a welcome and necessary move to strengthen the country’s defensive posture.
Opening remarks from Dillschneider highlighted that the Directive’s expanded scope, heightened expectations for governance and new reporting requirements will place significant operational demands on organizations of all sizes. Stakeholders agreed that NIS2 represents an important opportunity, but only if organizations receive the clarity, support and workforce capacity they need to act.
Cyber Workforce as the Foundation of Resilience
A dominant theme across the discussion was the centrality of cybersecurity skills to successful NIS2 implementation. Participants stressed that while legislative momentum is essential, Germany’s ability to deliver operational resilience will depend on the availability of qualified cybersecurity professionals both in the public sector and across the private economy.
The roundtable discussion highlighted several challenges:
- A growing shortage of skilled cybersecurity professionals at all levels
- Lack of a coordinated national approach to workforce development
- Limited awareness across organizations of the skills needed to meet NIS2 obligations
- Fragmented roles and competencies that make hiring, training and retaining talent difficult
Participants pointed to the value of ENISA’s European Cybersecurity Skills Framework (ECSF), which summarizes cybersecurity-related roles into 12 profiles, as a practical tool for establishing consistent role profiles, clarifying competencies and supporting workforce planning. ISC2’s mapping of its certifications to the ECSF was recognized as contributing to harmonization efforts across Europe.
Attendees also highlighted the importance of diverse teams, renewed investment in public-sector skills and preparing the workforce for the accelerating impact of AI on both cyber defense and attack techniques.
Regulatory Fragmentation Risks Slowing Progress
Amid NIS2, the Cyber Resilience Act, the Critical Entities Resilience Act, the AI Act and other new frameworks, organizations are navigating an increasingly complex regulatory environment. Participants noted that the overlapping and sometimes fragmented requirements create uncertainty, leading some organizations to delay investments, especially in workforce development.
Stakeholders emphasized the need for clearer, more coordinated guidance at the national level, particularly for smaller organizations that often lack the capacity to interpret regulatory expectations on their own. Attendees viewed stronger alignment across ministries and agencies as critical to ensuring consistent implementation and avoiding duplicated effort.
In this context, stakeholders highlighted the central role of the Federal Office for Information Security (BSI). As Germany’s central specialist authority, the BSI is expected to offer practical, easy-to-apply guidance and standardized support services, leveraging formats such as the Alliance for Cyber Security, to reduce complexity and help organizations, particularly SMEs, navigate NIS2 requirements more confidently.
Measuring Progress: What Success Should Look Like
Roundtable participants reflected on how Germany should assess whether NIS2 implementation is delivering the intended outcomes. Suggested metrics included:
- Improved baseline cybersecurity maturity across essential sectors
- Increased availability of qualified cyber professionals
- Stronger incident response capabilities and reduced systemic vulnerabilities
- Clearer, more consistent regulatory interpretation across federal and state levels
There was broad agreement that success should be defined not simply by compliance rates but by tangible improvements in resilience across the economy.
ISC2’s Role: Supporting Germany’s Cyber Ambitions
Throughout the roundtable, stakeholders highlighted how ISC2 can help advance Germany’s cyber resilience goals by:
- Raising awareness of the need for a skilled, certified cybersecurity workforce
- Supporting organizations and public bodies through globally recognized certifications and skills development programs
- Contributing to policy discussions on competency frameworks and workforce planning
- Bringing international perspectives from other jurisdictions facing similar challenges
- Partnering across Germany’s cybersecurity ecosystem, including initiatives to reach underrepresented groups
ISC2 reaffirmed its commitment to supporting the transposition and implementation of NIS2, and to working with partners to strengthen Germany’s long-term cyber capability.
A Call for Coordinated Action
The roundtable concluded with a shared recognition that building cyber resilience requires more than legislative action. It demands sustained investment in people, coordinated policymaking, practical guidance for organizations and a unified vision for national cybersecurity.
ISC2 will continue convening dialogues and providing insights, informed by its global membership of more than 8,000 professionals in Germany and 265,000 worldwide, to help ensure that workforce needs and practitioner realities remain central to policy decisions.
As Germany prepares for the implementation of NIS2, expanding obligations across the federal administration and enhancing the BSI’s role, ISC2 urges policymakers, industry and cybersecurity professionals to work together to turn this milestone into practical capability. With many companies still uncertain about their readiness, coordinated support and clear guidance will be critical for effective implementation.

