
NIS2 compliance 2025: relevance for SaaS and media start-ups

2 May 2025
in Other
Reading Time: 21 mins read
Key Facts
  • NIS2 is a crucial set of regulations for cybersecurity in the EU that significantly expands the requirements for companies.
  • New obligations affect cloud services, SaaS platforms and operators of online communities - they now fall under the regulatory requirements.
  • Implementation in Germany is expected in 2025, but there are political delays that lead to uncertainties.
  • Companies must develop comprehensive risk management strategies and implement security measures in accordance with NIS2.
  • The NIS2 directive demands personal liability from managers and a stronger commitment to cybersecurity.
  • Compliance is crucial for startups and media companies to meet legal and customer requirements.
  • A proactive approach to implementing NIS2 can serve as an opportunity for professionalization and confidence building in the tech industry.

Why another contribution to the NIS2 Directive?


Do we really need a separate blog post on the NIS2 Directive in 2025? The short answer is yes. Although I’ve already covered general cybersecurity tightening for 2025, the NIS2 Directive is such a specific and impactful regulatory topic that it requires an in-depth look from the perspective of small and medium-sized tech providers.

NIS2 (Network and Information Security Directive 2) marks a turning point in EU cybersecurity law. The directive, which came into force in 2023, replaces the first NIS Directive from 2016 and significantly expands both the group of affected companies and the requirements for their IT security. While my previous article outlined the general tightening of cybersecurity in 2025 (such as new product requirements for hardware/software), I would like to focus here specifically on NIS2 compliance – from the perspective of SaaS start-ups, digital content providers and media platforms. These players in particular are facing new obligations that could easily get lost in the general cybersecurity discourse.

So why a separate article just about NIS2? Because NIS2 is more than “just another security buzzword”. It is an EU-wide binding set of rules that provides for mandatory cybersecurity measures, reporting obligations and even personal liability for management. Many companies that previously did not see themselves as “critical infrastructure” – such as cloud services, SaaS platforms or operators of online communities – are now coming under regulatory scrutiny for the first time. In addition, implementation in Germany in 2025 is highly topical: the national NIS2 implementation law is being delayed politically, but the EU is pushing for swift compliance. This mixed picture is causing uncertainty in the start-up scene – and this is exactly where I would like to start with facts, lessons learned and practical tips.

In the following, I share my current observations and experiences regarding the NIS2 Directive in 2025. I discuss which companies are affected, which new obligations specifically apply and which challenges arise during implementation. I draw on official sources (including BSI, ENISA, EU Commission) and initial empirical values. My aim is for start-ups and medium-sized tech companies to understand what NIS2 means for them – beyond general cyber security trends – and how they can best prepare for it.

NIS2 in brief: What’s new and who is affected?

NIS2 stands for the EU Directive 2022/2555 “on measures for a high common level of cybersecurity”. It came into force in January 2023 and must be transposed into national law by the EU member states by October 2024. Its purpose: to strengthen cybersecurity in far more sectors than before in order to meet the current threat situation. In contrast to the first NIS Directive (2016), NIS2 massively expands the scope of application and tightens the obligations and sanctions.

Which industries does NIS2 cover? The directive distinguishes between “essential” and “important” sectors. There are now 15 sectors in total. The essential sectors include traditional critical infrastructure such as energy, health, transportation, finance, water and public administration – but also digital infrastructure. Digital infrastructure includes, for example, telecommunications, internet exchange points, DNS, cloud computing services, data centers and trust services. It is important to note that cloud service providers are explicitly considered critical infrastructure – a novelty that affects many SaaS providers and platform operators, provided they qualify as a cloud service.

The important sectors include other industries that are not directly vital, but are nevertheless of considerable importance. These include, for example, manufacturers of critical goods (e.g. chemicals, mechanical engineering), postal and logistics services, waste management, food production, research institutions and – particularly relevant for us – “digital service providers”. NIS2 defines digital service providers primarily as online marketplaces, online search engines and social networks – basically the categories that were already considered “digital service providers” under the old NIS1. A media or content platform can fall into this category if, for example, it functions as a social network or marketplace. For example, a video platform with community functions could be classified as a social network. Although purely traditional streaming services are not explicitly mentioned, they are likely to be at least indirectly affected: they use cloud and network infrastructure that is subject to NIS2, and a failure would have far-reaching consequences – something the authorities are keeping an eye on in the long term.

Size thresholds: An important aspect – especially for start-ups – is the question of company size. NIS2 is primarily aimed at medium-sized and large companies. Micro and small companies (fewer than 50 employees and less than €10 million turnover) are generally excluded, unless they operate critical infrastructure in special cases. Medium-sized companies (50-249 employees, €10-50 million turnover) and large companies (≥250 employees, >€50 million turnover) in the aforementioned sectors, on the other hand, fall within the scope of application. This means that a SaaS startup with 20 employees does not yet have to formally comply with NIS2 obligations, even if it is a cloud service. But beware: if this startup grows beyond the threshold or serves critical customers, the compliance requirement quickly approaches. In addition, member states can still include certain smaller “high-risk” companies if they are of particular importance. In Germany, for example, it is expected that around 29,000 companies will be newly regulated, primarily by covering medium-sized and large companies in the relevant sectors. SaaS providers and digital platforms should therefore assume that there is no way around NIS2 once they reach a certain size. And even if you are (still) small, the directive can have an indirect effect – e.g. through security requirements imposed by larger business partners in the supply chain.

Conclusion of this brief overview: NIS2 is taking many tech companies out of their “comfort zone”. What used to only apply to electricity grid operators or banks will soon also apply to cloud start-ups, online marketplaces or specialized IT service providers. For the SaaS and digital media target group in particular, this means that cyber security will go from being a nice-to-have to a legal obligation (as soon as certain thresholds are exceeded). It is therefore important to follow current developments – because 2025 is a crucial year for the implementation of the NIS2 Directive.

Current status 2025: implementation, delays and dynamic developments

Where do we stand in April/May 2025 with the implementation of NIS2? Well, the situation is in flux – and quite complicated at EU level. Officially, the implementation deadline was October 17, 2024. However, many countries did not make the deadline. At the end of November 2024, the EU Commission initiated infringement proceedings against 23 member states for failing to transpose the directive into national law on time. The reality is: NIS2 should already be law everywhere, but in 2025 the picture across Europe is very fragmented.

Some countries are pioneers, others are lagging behind. For example, Belgium, Italy, Croatia, Latvia, Lithuania and a few others had their NIS2 laws largely ready on time. France, Denmark and the Netherlands have announced delays and are aiming for early 2025. Germany – our focus country – presented its draft law in July 2024, but it was stuck in parliament. In mid-2024, there was still optimism that NIS2 would be implemented in Germany by March 2025. However, political turbulence has delayed this. As things stand (spring 2025), the German implementation of NIS2 is still on hold. The original draft bill – the so-called NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) – was first discussed in the Bundestag in October 2024, but was not passed due to coalition disputes. In the meantime, there has even been talk of postponing it until after the federal elections at the end of 2025. However, there are signs that the Ministry of the Interior is forging a “100-day plan” to implement NIS2 more quickly as soon as the political situation allows. In short, it is currently unclear in Germany when exactly the NIS2 obligations will be activated – it could be late in 2025 or, with luck, earlier if the legislator steps it up a gear.

What does this delay mean in practical terms? On the one hand, one might be tempted to think: “As long as there is no German law, we don’t have to do anything.” This attitude is risky. The EU Commission shows little patience with defaulting states; the pressure is high to catch up on implementation quickly. Companies in Germany therefore know that the obligations are coming – the only question is when. Some countries around us (e.g. Italy or our neighbors in Poland/Netherlands from 2025) already have their rules in place. For internationally active providers, NIS2 already applies de facto – they may have to prove compliance in other countries. Furthermore, a German delay cannot hide the fact that the contents of the directive are fixed. Those who are smart will use the grace period and prepare proactively. More on this later.

A second current trend is that implementation varies from country to country. Although NIS2 is intended to harmonize the rules, a patchwork is currently emerging. For example: France even includes local authorities in the scope of application, while Germany probably excludes local authorities. Such differences force pan-European organizations to manage several compliance regimes in parallel. For a SaaS company with customers in several EU countries, this means additional complexity in implementation. ENISA has therefore recently emphasized how important cross-border coordination remains. The ENISA NIS360 Report 2024 (published in March 2025) explicitly calls for the requirements to be interpreted as uniformly as possible everywhere and for supervisory authorities to work together across sectors. We are still some way from this, but EU-wide cooperation is picking up speed.

Third point: initial experiences and mood. Even if some of the laws are still fresh or in the making, it is becoming clear where the shoe pinches. A June 2024 survey found that while 80% of companies believed they would be able to comply with NIS2 on time, only 14% were actually compliant. So many were overly optimistic – partly because they thought national delays would give them a reprieve. Now, in early 2025, the reality is dawning: over 53% of organizations admitted to not yet fully understanding the NIS2 requirements, and almost half complained of a lack of support from senior management. In short, preparation was bumpy. This is exactly where I see lessons learned in my consulting practice: companies should have started earlier instead of waiting for the final law. Many IT teams are technically quite capable, but without the backing of management, projects were left unfinished. NIS2 now addresses this problem directly – by establishing accountability at management level. Managers can no longer talk their way out of cyber security by calling it a “matter for IT”. More on this in a moment.

In summary, NIS2 is at an exciting threshold in spring 2025: most companies need to take a serious look at it now, even if some countries (such as Germany) have yet to make the final formal push. There are initial pioneering experiences, but also a lot of uncertainty. For SaaS start-ups and media companies, this means that the time for orientation is now. They should take the opportunity now to learn from what they have learned so far and strategically position themselves for the upcoming audit and compliance requirements – instead of making hasty improvements later.

Specific NIS2 obligations: What do SaaS and media providers need to comply with?

Now let’s take a look at the nitty-gritty: What requirements does NIS2 actually place on companies? The directive defines a catalog of cybersecurity measures that all covered essential and important entities must implement. These obligations are much more precise and comprehensive than previous requirements (e.g. from NIS1 or the German IT Security Act). It is important to note that it is not just about technology, but also about organizational processes and governance. Here is an overview of the most important compliance building blocks, tailored to the typical situation of SaaS start-ups and digital platforms:

  • Risk management and security strategy: Companies must carry out risk analyses and establish a policy for information security. This means regularly assessing the threats to their own systems and planning and documenting appropriate protective measures. For a SaaS startup, for example, this means asking: Which data and services are most critical? What happens in the event of a failure? NIS2 requires a systematic approach, not a gut feeling. The measures should be “proportionate to the risk”, taking into account the state of the art and the size of the company – in other words, proportional security, but documented in a mandatory manner. Many small providers have some catching up to do here, as formal risk management is often uncharted territory for them.
  • Incident response and business continuity: Incident detection and handling are mandatory, as are provisions for business continuity and disaster recovery. Specifically, NIS2 requires every affected company to have an emergency plan: How do we respond to cyber attacks? Who informs whom? Are backup systems in place and have they been tested? This is crucial for SaaS services that host customer workflows – a cloud outage can paralyze hundreds of customers. I recommend that clients have an incident response team or at least a plan in place. The directive even stipulates reporting times: Serious security incidents must initially be reported within 24 hours (early warning) and a final report must be submitted within 72 hours. In complex cases, a final report may also be required after approximately one month. These tight deadlines mean that reporting processes and contact points must be prepared, otherwise you will be under pressure in an emergency.
  • Supply chain security: NIS2 emphasizes the supply chain perspective for the first time. Companies must consider security aspects with their service providers and suppliers. For a SaaS company, this means, for example: Which cloud infrastructure do we use (e.g. AWS, Azure)? How do we secure third-party modules or libraries on which our service is based? Contracts with IT service providers should contain security clauses. The directive requires the quality and security practices of suppliers to be assessed. In practice, this will be too much for many start-ups, as very few of them check the ISO certifications of their software suppliers, for example. Nevertheless, it is to be expected that major customers will demand such proof – compliance requirements are passed down the supply chain. A media startup that purchases streaming servers from a third-party provider, for example, must ensure that this provider is sufficiently secure. This creates new audit obligations in the supply chain. Initial indications from practice show: Larger companies are increasingly asking their smaller partners for security checks or self-assessments in order to meet their own NIS2 obligations. Start-ups should be prepared for this.
  • Secure system development and maintenance: The directive requires security by design – security in the development, purchase and maintenance of IT systems, including dealing with vulnerabilities and reporting security gaps. For software providers, this means: Establish a process for vulnerability management. E.g. regular penetration tests, bug bounty programs or at least fast patch cycles when gaps become known. Policies for dealing with the disclosure of vulnerabilities (CVD – Coordinated Vulnerability Disclosure) are also part of the requirements. For example, a SaaS provider should define: How can external security researchers report gaps to us? How do we prioritize patches? – This professionalism is now required. The BSI will probably set industry-specific minimum standards in this country. The financial sector, for example, may have stricter requirements for code integrity than the media sector. Nevertheless, the general rule is that regular updates, patches and code checks are no longer a voluntary luxury, but a mandatory program under NIS2.
  • Review of measures and audits: NIS2 requires companies to regularly evaluate the effectiveness of their cybersecurity measures. In other words, it is not enough to create a concept once and then put it aside. There must be a process for monitoring and improvement. This can mean internal audits or external audits. Germany, for example, is planning to require some companies to provide proof of their IT security – presumably similar to today’s KRITIS operator audits (KRITIS operators have to submit an audit to the BSI every two years). There could be less stringent obligations to provide proof for important institutions, but they will also have to expect random checks. The BSI will have significantly more companies under its supervision and will carry out checks accordingly. For SaaS start-ups and the like, this means planning resources to maintain compliance documentation, write reports and, if necessary, serve auditors. The aspect of “continuous monitoring” and setting up compliance monitoring systems in particular is new for many. But in my view, it is worth introducing an information security management system (ISMS) in accordance with ISO 27001, for example – this covers many NIS2 points and can serve as an organizational backbone. Some of my clients have already gone down this route in order to be virtually NIS2-ready before the authorities demand it.
  • Basic measures: Hygiene, access control, personnel: NIS2 requires “basic cyber hygiene” and security training. This sounds banal, but it is essential. Every covered company must instruct its employees in cyber security and implement simple protective measures (e.g. regular password changes, software updates, phishing training). Also mandatory: regulations on access control and asset management. Who can access what? Are authorizations restrictive and role-based? All of this should be documented. For small companies, this is sometimes uncharted territory – you know every employee personally and have informal processes. But NIS2 wants to see professional structures here, comparable to what the GDPR requires in data protection (privacy by design, etc., transferred to security by design). Employee training is a decisive factor here: according to surveys, human error is still the main cause of many incidents, which is why the directive explicitly calls for continuous awareness-raising.
  • Cryptography and secure communication: Another building block is policies on the use of cryptography and encryption. Companies should have guidelines on where and how encryption is used to protect data – be it during storage or transmission. In practical terms, this means, for example, the use of TLS 1.3 for all data transfers, encryption of sensitive databases and, if necessary, end-to-end encryption for certain services. Secure internal communication channels are also addressed – for example, internal communication should take place via secure channels wherever possible, and emergency communication systems must also be secure. For media companies, for example, securing live transmission channels or editorial communication could be relevant. For SaaS providers, one thing is clear: without strong encryption, there is no trust, and NIS2 now underpins this in regulatory terms.
  • Multi-factor authentication (MFA): Finally, NIS2 requires the use of multi-factor authentication or continuous authentication for access where appropriate. MFA should therefore become standard for web services, admin access and all critical logins in general. A SaaS service should offer MFA to its customers and enforce MFA internally anyway. Fortunately, MFA is already widely used in practice in 2025, but NIS2 makes it mandatory: single-factor logins (password only) are considered insufficient, except in special cases. ENISA has emphasized this again in the guidance – MFA is a “must-have” for account security.

This list shows: NIS2 compliance is comprehensive. Basically, a company must implement a complete cybersecurity program that covers everything from governance (policies, responsibilities) to technical measures (network security, MFA, encryption) and incident response. For many start-ups, this sounds like a great deal to take on. However, these are not exotic requirements – they are best practices that large companies often already implement voluntarily (or in accordance with ISO 27001). What is new is that they are required and monitored by law. SaaS and cloud providers in particular are being held accountable here, as a lot of other digital traffic is based on them. Media start-ups and digital content platforms should also take this seriously: Even if they don’t formally fall within the scope (yet), it makes sense to address these points early on to reduce risk and scale their business. The expectations of customers, investors and authorities are clearly moving in the direction of demonstrable cyber security.

Practical implementation hurdles: What do smaller providers need to be prepared for?

The theory sounds clear – but how do you experience NIS2 implementation in practice? There are a few typical challenges, especially for small to medium-sized enterprises (SMEs):

1. Identification: Am I affected? Many companies are initially unaware that they fall (or will soon fall) under NIS2. Classification by sector and thresholds is not trivial, especially for innovative business models. The BSI has developed an online tool (“NIS2 Affectedness Check”) specifically for this purpose, which provides companies with an initial orientation using a decision tree. This necessity alone shows: The demarcation is complex. A SaaS company must ask itself: Do we offer a cloud computing service within the meaning of the directive? Do we have more than 50 employees? A digital media start-up: Are we considered a social network or an online platform? – These questions sometimes require legal examination. Tip: Have a legal classification carried out at an early stage in order to have planning security. The BSI tool and the FAQ can help you get started. In my consulting work, I often experience aha moments when, for example, a medium-sized SaaS provider realizes that it is actually considered an “important institution” and therefore has legal obligations. Don’t underestimate this – ignorance is no defense against punishment.

2. Resources and expertise: Implementing the above measures requires manpower and expertise. However, many startups do not have a dedicated security department. For the first time, management may have to explicitly assign someone to IT security. NIS2 will make a security officer necessary for more companies. The BSI, for example, recommends appointing and training at least two people in the company who are responsible for information security. Ideally, these people should build up skills, undergo basic protection (IT-Grundschutz) or ISO training, etc. This involves effort and costs. External consulting can help, but it is not cheap. There is also a shortage of specialists in the security sector, which makes the search more difficult. Nevertheless, support is available: in Germany, for example, the Cybersecurity Transfer Office offers free help for SMEs to make them fit for NIS2. The “Deutschland sicher im Netz” association is also launching the FitNIS2 Navigator, a tool to guide SMEs step by step. Lesson learned: It is wise to get help and not try to do everything on your own. Both internal training and external resources should be planned so that implementation does not fail due to a lack of personnel.

3. Technical implementation and legacy problems: Young start-ups often have more modern tech stacks and can integrate security functions relatively quickly. It is more difficult with mature systems (keyword: legacy code). NIS2, for example, requires up-to-date encryption throughout – but anyone running old services without TLS will have to migrate them. API security, which was already a topic in the general cyber article, is also a sticking point: open interfaces must be secured, rate limiting introduced and logging improved. This costs development time. For app developers in the media sector, for example, the requirement for data protection and integrity protection can mean that additional encryption layers have to be built in. Some of my clients have had to adapt their product backlog to prioritize compliance features – such as audit logs, incorporating 2FA, or developing a system for security updates for customer instances. The challenge is to push ahead with security updates in parallel with normal feature development without slowing down the core business. Prioritization and communication are important here: NIS2 compliance is not “nice to have next year”, but possibly a prerequisite for being allowed to serve certain customers (such as the public sector or large corporations) at all. This insight often helps to free up the necessary resources internally.

4. Reporting obligations and communication: Many smaller companies have never communicated with an authority regarding a cyber incident. NIS2 will change this, as security incidents must be reported to the responsible authority or the national CERT. In Germany, this will probably be the BSI. What do you report? – For example, a successful ransomware attack that affects the service or a major data theft. The threshold is “significant” incidents; the law defines precise criteria. The hurdle: internal processes are needed to recognize such incidents and compile the most important information within 24 hours. This includes an initial assessment of the incident type, affected systems and suspected cause. Detailed reports must be submitted later (including severity, impact and countermeasures taken). This is new territory for many – until now, security incidents were covered up rather than disclosed. Cultural change: NIS2 wants transparency so that others are warned and the state has an overview of the situation. Companies must learn to deal with such situations openly and quickly. I advise clients to create emergency communication plans, not only for the government, but also for customers and the public. It is better to be prepared than to act mindlessly in a crisis. Initial difficulties are inevitable – for example: Who do you reach at the BSI on a Friday evening? What happens if you report a false alarm? These practical questions will certainly arise in the first cases in 2025, and authorities and companies will have to learn from each other.

5. Regulatory pressure and liability risks: A major issue that increases the pressure on companies enormously is the threat of penalties and personal liability consequences. NIS2 sets the framework for severe fines: up to €10 million or 2% of global annual turnover for breaches by essential companies, and up to €7 million or 1.4% of turnover for important companies – whichever is higher. These figures are reminiscent of the GDPR and are intended to act as a deterrent. Germany will probably exhaust these maximums (the draft bill mentions similar sums). Even much smaller penalties can threaten the existence of start-ups. In addition to fines, there is the threat of reputational damage if it becomes known that security requirements have been breached. In addition – and this is particularly tricky – managers are held accountable. NIS2 requires management boards to provide evidence of their commitment to cybersecurity. In Germany, there have been discussions about tightening the personal liability of management boards while precise liability rules are being defined nationally: managing directors can be held personally liable if they neglect their NIS2 obligations (up to and including directors’ and officers’ (D&O) liability or temporary professional bans). The BSI therefore emphasizes: take responsibility as a manager – in other words, top management should actively participate in risk management and security culture. This is a wake-up call for some founders and managing directors in the tech scene who may have been more focused on products or sales. I make it clear in consultations: cyber security belongs at the executive level. It’s not enough to have an admin “do something”. Board members should receive training (e.g. the Alliance for Cyber Security provides manuals and toolkits specifically for decision-makers) and demand regular status reports on IT security. Although this cultural change is a challenge, it also offers an opportunity: CEOs who make the topic a top priority send a strong signal to customers and investors that their company is acting maturely and responsibly. This can even become a competitive advantage.

6. Industry-specific subtleties: Every segment has its own special cases. SaaS start-ups, for example, often operate entirely in the cloud – cloud security is the be-all and end-all here. Concepts such as zero trust, container security, tenant separation, etc. may need to be expanded. If a SaaS provider hosts its customers’ critical business data, it must offer appropriate availability guarantees and contingency plans (keyword: redundant data centers, backup policies). Media platforms, on the other hand, may have special requirements in the area of youth protection or data protection that run in parallel – NIS2 comes on top. They may have to combine two sets of rules: on the one hand, legally managing content (Interstate Media Treaty, GDPR) and, on the other, technical security (NIS2). For example, a streaming service that offers personalized streams must both protect personal data (GDPR) and ensure service continuity (NIS2 – failure prevention). These overlaps can tie up resources and require prioritization. In addition, media companies are often the target of hacktivists or DDoS attacks for political reasons. This is where robust incident response pays off, e.g. in order to still be able to disseminate news in the event of an attack on the platform. In short, every industry has its own “crown jewels” that need to be protected – NIS2 provides the framework, but the actual implementation must be designed on an industry-specific basis. ENISA has therefore recommended that sector-specific implementation guidelines be developed during the current transposition period. In Germany, it is expected that separate guidelines will be published for the digital services sector (which includes SaaS) and for digital infrastructure (cloud, etc.), for example. Some chambers of commerce and industry associations are already working on such guidelines. I have noticed, for example, that the Bitkom and eco associations are organizing webinars on NIS2 for their respective members – a sign that the industries are focusing on their specifics.

7. Synergies with other compliance issues: Last but not least, some companies will feel overwhelmed by parallel waves of regulation in 2025. In addition to NIS2, there are also issues such as the EU Cyber Resilience Act (product cyber security), the Digital Operational Resilience Act (DORA) for financial IT, the DSA/DMA in the online platform sector, etc. There is a risk that each of these topics will be viewed in isolation, leading to duplicate efforts. My advice is to use synergies where possible: a basic security concept and ISMS not only helps with NIS2, but also with many other regulations. Processes such as incident response, supplier evaluation or employee training can be set up in such a way that they meet several requirements at once. In this way, the challenge of NIS2 may become the impetus to increase professionalism in IT security in general – which will only bring benefits in the long term. In other words: NIS2 compliance should not be an annoying compulsory program, but should become part of the corporate strategy, which at the same time increases general resilience. Some progressive start-ups already advertise this aggressively: “We meet the highest security standards (NIS2, ISO 27001 etc.)” – which creates customer confidence. Communicating this positive view is also one of the tasks of a legal advisor.

Conclusion and outlook: NIS2 compliance as an opportunity for the startup scene

Even if it sounds paradoxical, a dedicated blog post on NIS2 compliance in 2025 is not only relevant, but overdue. Why? Because the topic is so specialized and complex that it gets lost in general cybersecurity articles. SaaS and media start-ups in particular run the risk of initially ignoring NIS2 (“it doesn’t affect us, we’re not KRITIS”) – only to be suddenly surprised by obligations and audits when they grow or when a major customer demands compliance. My aim with this article was to show what is happening now: NIS2 is bringing a new security culture to the digital economy across the EU (NIS2UmsuCG: Everything you need to know about the directive). It is no longer enough to simply let security run its course; it is becoming a matter for the boss and a compliance discipline – with laws, reports, audits and severe consequences for negligence.

For Germany in particular, the delay in legal implementation does not mean a sigh of relief, but rather the calm before the storm. BSI supervision will expand massively – from a few hundred KRITIS operators to tens of thousands of companies across all sectors. The BSI itself is signaling that it wants to support companies, but must of course also take action if requirements are ignored. I expect that the first fines or at least warnings under NIS2 will be published by 2025/26 at the latest, similar to what we know from GDPR violations. No startup wants to be the first negative example to be shown up for poor security.

Put positively: Those who set the right course now can be at the forefront. It’s not about blindly building up new bureaucracy, but about strengthening your own resilience against cyber attacks – and being able to prove this to authorities and customers. NIS2 forces us lawyers and techies to pull together: Legally compliant IT security is the keyword. For me as a consultant lawyer, this means that I help clients to translate the legal requirements into practicable measures (e.g. which policies are needed, how to redraft contracts with service providers, which training courses make sense). Experience shows: With a pragmatic, risk-based approach, NIS2 can also be managed – even in an SME environment. It is important that the management is behind it and asks the right questions: Have we identified and protected our crown jewels? What do we do in an emergency? Do we fulfill all reporting obligations? – If these questions are asked and answered regularly, you are on the right track.

Finally, I would like to emphasize that NIS2 compliance is not an end in itself. Yes, it is about regulation and compliance. But at its core, it’s about protecting our increasingly digital business world from real threats. Whether it’s a SaaS tool or a media platform, a serious cyber attack can threaten livelihoods, destroy user trust and crash entire business models. NIS2 provides a framework to prevent this and is now also bringing the start-up scene on board in terms of responsibility. I personally welcome this development because it promotes professionalism and trust in the tech sector in the long term. The implementation may be challenging in detail, but it is worth it. Or to put it pragmatically: it is better to invest in security and compliance now than to repair the damage later – or pay penalties. With this in mind, let’s take the opportunity to see 2025 as a year of learning and development for NIS2 standards. I am happy to support my clients in this and will be keeping a close eye on further developments (both nationally and EU-wide) – there is plenty of material for future blog posts.

NIS2 is here to stay. Let’s make the most of it and ensure that our agile SaaS and media start-ups in particular position themselves not as laggards, but as pioneers of a secure digital future. The relevance of this topic is beyond question for me – in 2025 and beyond.


Author: Marian Härtel

Marian Härtel is a lawyer and specialist attorney for IT law with more than 25 years of experience as an entrepreneur and consultant in the fields of games, esports, blockchain, SaaS and artificial intelligence. In addition to IT law, his advisory focus includes copyright law, media law and competition law. He primarily advises start-ups, agencies and influencers, supporting them on strategic questions, complex contractual matters and investment projects. His advice is characterized by an interdisciplinary approach that combines legal expertise with long-standing entrepreneurial experience. The goal of his work is always to offer clients practice-oriented solutions and legally sound support in implementing innovative business models.
