Why Another Contribution to the NIS2 Directive?
Do we really need a separate blog post on the NIS2 Directive in 2025? The short answer is yes. Although general cybersecurity tightening for 2025 has been covered, the NIS2 Directive is a specific and impactful regulatory topic. It demands an in-depth look, especially from the perspective of small and medium-sized tech providers.
NIS2 (Network and Information Security Directive 2) marks a turning point in EU cybersecurity law. This directive, which came into force in 2023, replaces the first NIS Directive from 2016. It significantly expands the group of affected companies and the requirements for their IT security. While my previous article outlined the general tightening of cybersecurity in 2025 (such as new product requirements for hardware/software), this article focuses specifically on NIS2 compliance. The focus here is on SaaS start-ups, digital content providers, and media platforms. These players, in particular, face new obligations that could easily be overlooked in the general cybersecurity discourse.
So, why a separate article just about NIS2? Because NIS2 is more than "just another security buzzword." It is an EU-wide binding set of rules that mandates cybersecurity measures, reporting obligations, and even personal liability for management. Many companies, such as cloud services, SaaS platforms, or operators of online communities, previously did not see themselves as "critical infrastructure." Now, they are coming under regulatory scrutiny for the first time.
Furthermore, its implementation in Germany in 2025 is highly topical. The national NIS2 implementation law is facing political delays, but the EU is pushing for swift compliance. This mixed situation is causing uncertainty in the start-up scene. This article aims to address this uncertainty with facts, lessons learned, and practical tips.
In the following sections, I share my current observations and experiences regarding the NIS2 Directive in 2025. I discuss which companies are affected, which new obligations specifically apply, and which challenges arise during implementation. My insights draw on official sources (including BSI, ENISA, EU Commission) and initial empirical values. My goal is for start-ups and medium-sized tech companies to understand what NIS2 compliance means for them, beyond general cybersecurity trends, and how they can best prepare for it.
NIS2: Scope and Key Changes for Compliance
NIS2 stands for the EU Directive 2022/2555 "on measures for a high common level of cybersecurity." It came into force in January 2023 and member states must transpose it into national law by October 2024. Its purpose is to strengthen cybersecurity in significantly more sectors than before to meet the current threat landscape. In contrast to the first NIS Directive (2016), NIS2 massively expands the scope of application and tightens both obligations and sanctions.
Which Industries Does NIS2 Cover?
The directive distinguishes between "essential" and "important" sectors, totaling 15 sectors. The essential sector includes traditional critical infrastructure like energy, health, transportation, finance, water, and public administration. Crucially, it also covers digital infrastructure, such as telecommunications, internet nodes, DNS, cloud computing services, data centers, and trust services. It is important to note that cloud service providers are explicitly considered critical infrastructure. This is a novelty that affects many SaaS providers and platform operators, provided they qualify as a cloud service.
The important sectors encompass other industries that, while not directly vital, are of considerable importance. These include manufacturers of critical goods (e.g., chemicals, mechanical engineering), postal and logistics services, waste management, food production, and research institutions. Particularly relevant for this discussion are "digital service providers." NIS2 defines these primarily as online marketplaces, online search engines, and social networks—categories already recognized under the old NIS1. A media or content platform can fall into this category if, for example, it functions as a social network or marketplace. A video platform with community functions, for instance, could be classified as a social network. While purely traditional streaming services are not explicitly mentioned, they are likely to be at least indirectly affected. They rely on cloud and network infrastructure subject to NIS2, and a failure would have far-reaching consequences—a long-term concern for authorities.
Size Thresholds for NIS2 Compliance
An important aspect, especially for start-ups, is the question of company size. NIS2 primarily targets medium-sized and large companies. Micro and small companies (fewer than 50 employees and less than €10 million turnover) are generally excluded, unless they operate critical infrastructure in special cases. Medium-sized companies (50-249 employees, 10-50 million turnover) and large companies (≥250 employees, >50 million turnover) in the aforementioned sectors fall within the scope.
This means a SaaS startup with 20 employees does not yet formally have to comply with NIS2 obligations, even if it is a cloud service. However, if this startup grows beyond the threshold or serves critical customers, compliance requirements quickly approach. Furthermore, member states can include certain smaller "high-risk" companies if they are of particular importance. In Germany, for example, around 29,000 companies are expected to be newly regulated, primarily by covering medium-sized and large companies in the relevant sectors. SaaS providers and digital platforms should therefore assume that there is no way around NIS2 once they reach a certain size. Even if a company is still small, the directive can have an indirect effect, for instance, through security requirements imposed by larger business partners in the supply chain.
Summary of NIS2 Scope
NIS2 is moving many tech companies out of their "comfort zone." What used to apply only to electricity grid operators or banks will soon also apply to cloud start-ups, online marketplaces, or specialized IT service providers. For the SaaS and digital media target group in particular, this means cybersecurity will go from being a nice-to-have to a legal obligation as soon as certain thresholds are exceeded. It is therefore crucial to follow current developments, as 2025 is a pivotal year for the implementation of the NIS2 Directive.
Current Status 2025: Implementation, Delays, and Dynamic Developments
Where are we in April/May 2025 with the implementation of NIS2? The situation is in flux and quite complicated at the EU level. Officially, the implementation deadline was October 17, 2024. However, many countries did not meet this deadline. At the end of November 2024, the EU Commission initiated infringement proceedings against 23 member states for failing to transpose the directive into national law on time. The reality is that NIS2 should already be law everywhere, but by 2025, the panorama remains very fragmented.
Some countries are pioneers, while others are lagging behind. For example, Belgium, Italy, Croatia, Latvia, and Lithuania largely had their NIS2 laws ready on time. France, Denmark, and the Netherlands announced delays, aiming for early 2025. Germany, our focus country, presented its draft law in July 2024, but it became stalled in parliament. In mid-2024, there was optimism that NIS2 would be implemented in Germany by March 2025. However, political turbulence delayed this process.
As of spring 2025, the German implementation of NIS2 is still on hold. The original draft bill, the so-called NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG), was first discussed in the Bundestag in October 2024 but was not passed due to coalition disputes. There has even been talk of postponing it until after the federal elections at the end of 2025. Nevertheless, signs suggest that the Ministry of the Interior is devising a "100-day plan" to accelerate NIS2 implementation once the political situation allows. In short, it is currently unclear in Germany when NIS2 obligations will be activated. It could be late in 2025 or, with luck, earlier if the legislator steps up efforts.
What does this delay mean in practical terms? One might be tempted to think, "As long as there is no German law, we don't have to do anything." This attitude is risky. The EU Commission shows little patience with defaulting states, and there is high pressure to quickly catch up on implementation. Companies in Germany therefore know that the obligations are coming; the only question is when. Some neighboring countries (e.g., Italy or Poland/Netherlands from 2025) already have their rules in place. For internationally active providers, NIS2 already applies de facto, meaning they may need to prove compliance in other countries. Furthermore, a German delay cannot conceal the fact that the directive's content is fixed. Smart companies will use this grace period to prepare proactively, as discussed later.
A second current trend is that implementation varies from country to country. While NIS2 aims to harmonize rules, a patchwork is currently emerging. For example, France even includes local authorities in its scope, whereas Germany probably excludes them. Such differences compel pan-European organizations to manage several compliance regimes in parallel. For a SaaS company with customers in multiple EU countries, this adds complexity to implementation. ENISA recently emphasized the importance of cross-border coordination. The ENISA NIS360 Report 2024 (published in March 2025) explicitly calls for uniform interpretation of requirements across all regions and cross-sector cooperation among supervisory authorities. We are still some way from this, but EU-wide cooperation is gaining momentum.
Thirdly, initial experiences and sentiments reveal where challenges lie. A June 2024 survey found that while 80% of companies believed they could comply with NIS2 on time, only 14% were actually compliant. Many were overly optimistic, partly because they expected national delays to grant them a reprieve. Now, in early 2025, reality is dawning. Over 53% of organizations admitted they did not yet fully understand NIS2 requirements, and almost half complained of a lack of support from senior management. In short, preparation was bumpy.
This aligns with lessons learned in my consulting practice: companies should have started earlier instead of waiting for the final law. Many IT teams are technically capable, but without management backing, projects were left unfinished. NIS2 directly addresses this by establishing accountability at management level. Managers can no longer claim cybersecurity is "an IT matter." More on this in a moment.
In summary, NIS2 is at an exciting threshold in spring 2025. Most companies need to seriously consider it now, even if some countries, like Germany, have yet to make the final formal push. There are initial pioneering experiences, but also considerable uncertainty. For SaaS start-ups and media companies, this means now is the time for orientation. They should seize this opportunity to learn from existing experiences and strategically position themselves for upcoming audits and compliance requirements, rather than making hasty improvements later.
Specific NIS2 Obligations: What Do SaaS and Media Providers Need to Comply With?
Now, let's examine the specifics: What requirements does NIS2 place on companies? The directive defines a catalog of cybersecurity measures that all covered essential and important entities must implement. These obligations are much more precise and comprehensive than previous requirements, such as those from NIS1 or the German IT Security Act. It is important to note that this extends beyond technology to include organizational processes and governance. Here is an overview of the most important compliance building blocks, tailored to the typical situation of SaaS start-ups and digital platforms:
Risk Management and Security Strategy
- Companies must conduct risk analyses and establish a policy for information security. This means regularly assessing threats to their systems and planning and documenting appropriate protective measures. For a SaaS startup, this involves identifying critical data and services and planning for potential failures. NIS2 requires a systematic approach, not just intuition.
- Measures should be proportionate to the risk, taking into account the state of the art and company size. In other words, security should be proportional but mandatorily documented. Many small providers have catching up to do here, as formal risk management is often new territory for them.
Incident Response and Business Continuity
- Incident detection and handling are mandatory, as are provisions for business continuity and disaster recovery. Specifically, NIS2 requires every affected company to have an emergency plan: How to respond to cyberattacks? Who informs whom? Are backup systems in place and tested?
- This is crucial for SaaS services that host customer workflows, as a cloud outage can paralyze hundreds of customers. I recommend clients have an incident response team or at least a plan in place. This is similar to managing a data leak in startup practice.
- The directive stipulates reporting times: Serious security incidents must be initially reported within 24 hours (early warning), and a final report must be submitted within 72 hours. In complex cases, a final report may also be required after approximately one month. These tight deadlines necessitate prepared reporting processes and contact points to avoid pressure during an emergency.
Supply Chain Security
- NIS2 emphasizes the supply chain perspective for the first time. Companies must consider security aspects with their service providers and suppliers. For a SaaS company, this means evaluating the security of cloud infrastructure (e.g., AWS, Azure) and third-party modules or libraries.
- Contracts with IT service providers should contain security clauses. The directive requires assessing the quality and security practices of suppliers. In practice, this can be challenging for many start-ups, as few check the ISO certifications of their software suppliers.
- Nevertheless, major customers will likely demand such proof, as compliance tends to flow downward. A media startup purchasing streaming servers from a third-party provider, for example, must ensure that provider is sufficiently secure. This creates new audit obligations in the supply chain. Initial indications show that larger companies are increasingly asking smaller partners for security checks or self-assessments to meet their own NIS2 obligations. Start-ups should be prepared for this.
Secure System Development and Maintenance
- The directive requires security by design, meaning security must be inherent in the development, purchase, and maintenance of IT systems. This includes managing vulnerabilities and reporting security gaps. For software providers, this means establishing a process for vulnerability management.
- Examples include regular penetration tests, bug bounty programs, or rapid patch cycles for known vulnerabilities. Policies for coordinated vulnerability disclosure (CVD) are also part of the requirements. A SaaS provider, for instance, should define how external security researchers can report gaps and how patches are prioritized. This level of professionalism is now mandatory.
- The BSI will likely set industry-specific minimum standards in Germany. The financial sector, for example, may have stricter requirements for code integrity than the media sector. Regardless, regular updates, patches, and code checks are no longer voluntary luxuries but mandatory under NIS2.
Review of Measures & Audits
- NIS2 requires companies to regularly evaluate the effectiveness of their cybersecurity measures. It is not enough to create a concept once and then neglect it. There must be a process for monitoring and improvement. This can involve internal or external audits.
- Germany, for example, plans to require some companies to provide proof of their IT security, similar to current KRITIS operator audits (which submit an audit to the BSI every two years). Less stringent proof obligations might exist for important institutions, but random checks are still to be expected. The BSI will have significantly more companies under its supervision and will conduct checks accordingly.
- For SaaS start-ups, this means planning resources to maintain compliance documentation, write reports, and serve auditors. The aspect of continuous monitoring and establishing compliance monitoring systems is new for many. However, implementing an information security management system (ISMS) in accordance with ISO 27001 can cover many NIS2 points and serve as an organizational backbone. Some of my clients have already adopted this approach to be virtually NIS2-ready before authorities demand it.
Basic Measures: Hygiene, Access Control, Personnel
- NIS2 mandates "basic cyber hygiene" and security training. This sounds fundamental but is essential. Every covered company must instruct its employees in cybersecurity and implement simple protective measures, such as regular password changes, software updates, and phishing training.
- Regulations on access control and asset management are also mandatory. Who can access what? Are authorizations restrictive and role-based? All of this should be documented. For small companies, this is sometimes new territory, as they might rely on personal knowledge and informal processes. However, NIS2 demands professional structures, comparable to what GDPR requires in data protection (privacy by design, etc., transferred to security by design).
- Employee training is a decisive factor, as human error remains a primary cause of many incidents. The directive explicitly calls for continuous awareness-raising.
Cryptography and Secure Communication
- Another building block involves policies on the use of cryptography and encryption. Companies should have guidelines on where and how encryption is used to protect data, both during storage and transmission. Practically, this means using TLS 1.3 for all data transfers, encrypting sensitive databases, and potentially end-to-end encryption for certain services.
- Secure internal communication channels are also addressed. Internal communication should take place via secure channels wherever possible, and emergency communication systems must also be secure. For media companies, securing live transmission channels or editorial communication could be relevant. For SaaS providers, without strong encryption to protect data, there is no trust, and NIS2 now reinforces this regulatory aspect.
Multi-Factor Authentication (MFA)
- Finally, NIS2 requires the use of multi-factor authentication (MFA) or continuous authentication for appropriate access. MFA should become standard for web services, admin access, and all critical logins. A SaaS service should offer MFA to its customers and enforce it internally.
- Fortunately, MFA is already widely used in practice in 2025, but NIS2 makes it mandatory. Single-factor logins (password only) are considered insufficient, except in special cases. ENISA has emphasized this again in its guidance: MFA is a "must-have" for account security.
This list illustrates that NIS2 compliance is comprehensive. Essentially, a company must implement a complete cybersecurity program covering everything from governance (policies, responsibilities) to technical measures (network security, MFA, encryption) and incident response. For many start-ups, this sounds like a significant undertaking. However, these are not exotic requirements; they are best practices that large companies often already implement voluntarily (or in accordance with ISO 27001). What is new is that they are required and monitored by law. SaaS and cloud providers, in particular, are held accountable here, as much of other digital traffic relies on them.
Media start-ups and digital content platforms should also take this seriously. Even if they don't formally fall under NIS2 yet, addressing these points early makes sense to reduce risk and scale their business. The expectations of customers, investors, and authorities are clearly moving toward demonstrable cybersecurity.
Practical Implementation Hurdles: What Smaller Providers Need to Be Prepared For?
The theory sounds clear, but how is NIS2 implementation experienced in practice? There are several typical challenges, especially for small to medium-sized enterprises (SMEs).
1. Identification: Am I Affected?
Many companies are initially unaware that they fall (or will soon fall) under NIS2. Classification by sector and thresholds is not trivial, especially for innovative business models. The BSI has developed an online tool ("NIS2 Affectedness Check") specifically for this purpose, offering initial orientation via a decision tree. This necessity alone demonstrates the complexity of demarcation. A SaaS company must ask: Do we offer a cloud computing service within the meaning of the directive? Do we have more than 50 employees? A digital media start-up: Are we considered a social network or an online platform? These questions sometimes require legal examination. My tip is to have a legal classification carried out early to ensure planning security. The BSI tool and FAQ can help you get started. In my consulting work, I often see "aha moments" when, for example, a medium-sized SaaS provider realizes it is considered an "important institution" and thus has legal obligations. Do not underestimate this; ignorance is no defense against penalties.
2. Resources & Expertise
Implementing the aforementioned measures requires manpower and expertise. However, many startups lack a dedicated security department. For the first time, management may have to explicitly assign someone to IT security. NIS2 will make a security officer necessary for more companies. The BSI, for example, recommends appointing and training at least two people in the company responsible for information security. Ideally, these individuals should develop skills, undergo basic protection or ISO training, etc. This involves effort and costs. External consulting can help, but it is not cheap. There is also a shortage of specialists in the security sector, complicating the search. Nevertheless, support is available: in Germany, the Cybersecurity Transfer Office offers free help for SMEs to prepare for NIS2. The "Deutschland sicher im Netz" association is also launching the FitNIS2 Navigator, a tool to guide SMEs step by step. Lesson learned: it is wise to seek help and not attempt everything alone. Both internal training and external resources should be planned to ensure implementation does not fail due to a lack of personnel.
3. Technical Implementation and Legacy Problems
Young start-ups often have more modern tech stacks and can integrate security functions relatively quickly. It is more challenging with mature systems (keyword: legacy code). NIS2, for instance, requires up-to-date encryption throughout, meaning old services without TLS will need migration. API security, a topic in the general cyber article, is also a sticking point: open interfaces must be secured, rate limiting introduced, and logging improved. This consumes development time. For app developers in the media sector, the requirement for data protection and integrity protection may mean building additional encryption layers. Some of my clients have had to adapt their product backlog to prioritize compliance features, such as audit logs, incorporating 2FA, or developing a system for security updates for customer instances. The challenge is to advance security updates parallel to normal feature development without slowing down the core business. Prioritization and communication are important here: NIS2 compliance is not "nice to have next year" but possibly a prerequisite for serving certain customers (e.g., public sector, large corporations) at all. This insight often helps free up necessary internal resources.
4. Reporting Obligations and Communication
Many smaller companies have never communicated with an authority regarding a cyber incident. NIS2 will change this, as security incidents must be reported to the responsible authority or the national CERT. In Germany, this will likely be the BSI. What to report? For example, a successful ransomware attack affecting the service or a major data theft. The threshold is "significant" incidents; the law defines precise criteria. The hurdle: internal processes are needed to recognize such incidents and compile key information within 24 hours. This includes an initial assessment of the incident type, affected systems, and suspected cause. Detailed reports must be submitted later (including severity, impact, countermeasures taken). This is new territory for many; until now, security incidents were often concealed rather than disclosed. Cultural change: NIS2 aims for transparency so that others are warned and the state has an overview. Companies must learn to handle such situations openly and quickly. I advise clients to create emergency communication plans, not only for the government but also for customers and the public. It is better to be prepared than to act mindlessly in a crisis. Initial difficulties are inevitable; for example, who to reach at the BSI on a Friday evening? What happens with a false alarm? These practical questions will certainly arise in the first cases in 2025, and authorities and companies will have to learn from each other. This is closely related to data leak reporting in startup practice.
5. Regulatory Pressure and Liability Risks
A major issue significantly increasing pressure on companies is the threat of penalties and personal liability consequences. NIS2 sets the framework for severe fines: up to €10 million or 2% of global annual turnover for breaches by essential companies, and up to €7 million or 1.4% of turnover for important companies, whichever is higher. These figures are reminiscent of GDPR and serve as a deterrent. Germany will likely exhaust these maximums (the draft bill mentions similar sums). Even much smaller penalties can threaten the existence of start-ups. In addition to fines, there is the threat of reputational damage if security requirements are breached. This can also lead to broader liability risks.
Furthermore, and particularly tricky, managers are held accountable. NIS2 requires management boards to demonstrate their commitment to cybersecurity. In Germany, discussions have focused on tightening the personal liability of management boards while precise liability rules are nationally defined. Managing directors can be held personally liable if they neglect their NIS2 obligations (up to and including "directors and officers" liability or temporary professional bans). The BSI emphasizes: Take responsibility as a manager. Top management should actively participate in risk management and fostering a security culture. This is a wake-up call for some founders and managing directors in the tech scene who may have been more focused on products or sales. In consultations, I clarify: cybersecurity belongs at the executive level. It's not enough for an admin to "do something." Board members should receive training (e.g., the Alliance for Cyber Security provides manuals and toolkits for decision-makers) and demand regular status reports on IT security. While this cultural change is a challenge, it also offers an opportunity: CEOs who prioritize the topic send a strong signal to customers and investors that their company acts maturely and responsibly, potentially becoming a competitive advantage.
6. Industry-Specific Subtleties
Every segment has its own special cases. SaaS start-ups, for example, often operate entirely in the cloud, making cloud security paramount. Concepts such as zero trust, container security, and client separation may need expansion. If a SaaS hosts customers' critical business data, it must offer appropriate availability guarantees and contingency plans (keyword: redundant data centers, backup policies).
Media platforms, on the other hand, may have special requirements in youth protection or data protection that run in parallel. NIS2 adds to this. They may need to combine two regulations: managing content legally (Interstate Media Treaty, GDPR) and technical security (NIS2). For example, a streaming service offering personalized streams must both protect personal data (GDPR) and ensure service continuity (NIS2 – failure prevention). These overlaps can tie up resources and require prioritization. Additionally, media companies are often targets of hacktivists or DDoS attacks for political reasons. Robust incident response is vital here, for instance, to continue disseminating news during an attack on the platform.
In short, every industry has its "crown jewels" that need protection. NIS2 provides the framework, but actual implementation must be industry-specific. ENISA has therefore recommended developing sector-specific implementation guidelines during the current transposition period. In Germany, separate guidelines are expected for the digital services sector (including SaaS) and digital infrastructure (cloud, etc.). Some chambers of commerce and industry associations are already working on such guidelines. I've noted that the Bitkom and eco associations are organizing NIS2 webinars for their members, indicating industries are focusing on their specific needs.
7. Synergies with Other Compliance Issues
Some companies will feel overwhelmed by parallel waves of regulation in 2025. In addition to NIS2, issues like the EU Cyber Resilience Act (product cybersecurity), the Digital Operational Resilience Act (DORA) for financial IT, and the DSA/DMA in the online platform sector also exist. There is a risk that each topic will be viewed in isolation, leading to duplicated efforts. My advice is to use synergies where possible: a basic security concept and ISMS not only help with NIS2 but also with many other regulations. Processes such as incident response, supplier evaluation, or employee training can be structured to meet multiple requirements. Thus, the challenge of NIS2 may become the impetus to increase professionalism in IT security generally, which will only bring long-term benefits. In other words, NIS2 compliance should not be an annoying compulsory program but part of the corporate strategy, simultaneously enhancing general resilience. Some progressive start-ups already market this aggressively: "We meet the highest security standards (NIS2, ISO 27001 etc.)," which builds customer confidence. Communicating this positive view is also a task for a legal advisor.
Conclusion and Outlook: NIS2 Compliance as an Opportunity for the Startup Scene
Even if it sounds paradoxical, a dedicated blog post on NIS2 compliance 2025 is not only relevant but overdue. Why? Because the topic is so specialized and complex that it can be overlooked in general cybersecurity articles. SaaS and media start-ups, in particular, risk initially ignoring NIS2 ("it doesn't affect us, we're not KRITIS"), only to be suddenly surprised by obligations and audits when they grow or when a major customer demands compliance. My aim with this article was to illustrate the current situation: NIS2 is ushering in a new security culture across the EU's digital economy. It is no longer sufficient to simply let security run its course; it is becoming a matter for the boss and a compliance discipline, with laws, reports, audits, and severe consequences for negligence.
For Germany specifically, the delay in legal implementation does not mean a sigh of relief, but rather the calm before the storm. BSI supervision will expand massively, from a few hundred KRITIS operators to tens of thousands of companies across all sectors. The BSI itself signals its willingness to support companies but must, of course, also take action if requirements are ignored. I expect that the first fines or at least warnings under NIS2 will be issued by 2025/26 at the latest, similar to what we know from GDPR violations. No startup wants to be the first negative example exposed for poor security.
Positively, those who set the right course now can be at the forefront. This is not about blindly building new bureaucracy but about strengthening one's resilience against cyberattacks and being able to prove this to authorities and customers. NIS2 forces lawyers and techies to collaborate: legally compliant IT security is the keyword. For me as a consulting lawyer, this means helping clients translate legal requirements into practicable measures (e.g., identifying necessary policies, redrafting service provider contracts, determining useful training). Experience shows that with a pragmatic, risk-based approach, NIS2 can be managed, even in an SME environment. It is crucial for management to be supportive and ask the right questions: Have we identified and protected our crown jewels? What do we do in an emergency? Do we fulfill all reporting obligations? If these questions are asked and answered regularly, a company is on the right track.
Finally, I emphasize that NIS2 compliance is not an end in itself. Yes, it involves regulation and compliance. But at its core, it is about protecting our increasingly digital business world from real threats. Whether it's a SaaS tool or a media platform, a serious cyberattack can threaten livelihoods, destroy user trust, and crash entire business models. NIS2 provides a framework to prevent this and is now bringing the start-up scene onboard in terms of responsibility. I personally welcome this development because it promotes professionalism and trust in the tech sector in the long term. While implementation may be challenging in detail, it is worth it. To put it pragmatically: it is better to invest in security and compliance now than to repair damage later or pay penalties. With this in mind, let's seize the opportunity to see 2025 as a year of learning and development for NIS2 standards. I am happy to support my clients in this and will closely monitor further developments (both nationally and EU-wide); there is plenty of material for future blog posts.
NIS2 is here to stay. Let's make the most of it and ensure that our agile SaaS and media start-ups, in particular, position themselves not as laggards but as pioneers of a secure digital future. The relevance of this topic is beyond question for me, in 2025 and beyond.