One year of NIS2 legislation - and no end in sight

The actual goal - more cybersecurity for companies and digital infrastructure - is now in danger of finally being lost sight of. The current draft bill (as of 23 June 2025) leaves key questions unanswered, overburdens SMEs with detailed specifications and at the same time practically removes government agencies from responsibility.

"Cybersecurity cannot be conjured up by filling out forms," says Sebastian von Bomhard, founder and CEO of SpaceNet AG. "The draft law attempts to counter structural problems with checklists. We see neither properly defined responsibilities nor fixed reporting channels or clear conditions for technical requirements - which is exactly what would have been needed."

No transition periods despite unclear rules

Another key point of criticism from SpaceNet AG is that companies are being forced into compliance as soon as the law comes into force, even though the practical feasibility has not yet been sufficiently clarified. Many companies lack a consistent framework - for example, when it comes to defining security incidents, reporting deadlines or dealing with third-party providers.

"We have been taking responsibility for our IT infrastructure and that of our customers for over 30 years. We certainly have no problem with obligations - but if the government does not grant transition periods on the one hand and does not provide clear guidelines on the other, then chaos is inevitable and there is no protection," says von Bomhard.

Warning signal of a lack of responsibility among authorities

According to SpaceNet, the fact that central players on the government side, such as federal authorities, are to be largely excluded from the requirements is another critical development. While overburdened SMEs have to report a security incident within 24 hours, authorities are subject to different rules or no rules at all.

"It is an obvious mistake to set lower requirements for the public sector than for private companies," warns von Bomhard. "Public authorities often operate highly sensitive infrastructure and manage a lot of sensitive data - if they are exempt from the rules, this not only weakens our defence capabilities, but also trust in the state."

Cybersecurity needs substance, not just a façade

SpaceNet is calling for the NIS2 directive to be implemented in a practical and consistent manner - with clear terms, binding technical standards and a standardised level of security for all operators of digital infrastructure, whether private or public.

"Security in the digital space is not a bureaucratic process in the administrative apparatus - it is an ongoing organisational and technical process. Political symbolism does not help entrepreneurs affected by cyberattacks. What we need is a robust set of rules and government support for implementation," summarises Sebastian von Bomhard. "It is simply disappointing and incomprehensible that we have been waiting months for progress on the implementation of NIS2 and are now confronted with such an immature draft bill."