2025-11-17 –, Westin - Partenkirchen
Everyone has heard of NIS-2, but almost no one is following it, especially those who are new under its scope: small and medium-sized companies. In this talk, I will present insights from my thesis and the empirical research that I have done. I reached out to 1800 companies and sent 3600 e-mails, but only got 17 interviews. I share why many companies are not reacting, why the transposition delay matters, and what support they want from lawmakers.
This is not about theory; it is about what happens when regulation hits a sector that is not ready.
This talk explores why the NIS-2 Directive is not gaining traction in German SMEs, even though many of them are now in scope. Based on a bachelor thesis, the presentation covers a self-developed NIS-2 self-assessment tool, mappings to common standards (ISO 27001, TISAX, IT-Grundschutz), and outreach to 1800 SMEs across Germany.
The talk includes insights from 17 interviews with CEOs, CISOs, and IT managers, covering how companies perceive the regulation, why many have not started implementing it, and what they expect from lawmakers. It also highlights the impact of Germany's delayed transposition into national law. Attendees will leave with a grounded view of the current state of NIS-2 implementation in the German Mittelstand and ideas for how to bridge the gap between regulation and reality.
NIS-2, Germany, SMEs, Interviews
Younes Ahmadzei is an information systems bachelor's student at the Technical University of Munich (TUM) and a trainee information security consultant at HvS-Consulting. His research centers on the EU's NIS-2 Directive and its real-world implications for mid-sized German companies. As part of his thesis, he created a NIS-2 self-assessment tool, mapped the directive's requirements to ISO 27001, TISAX, BSI IT-Grundschutz and other standards, conducted an empirical outreach to 1800 SMEs, and did 17 expert interviews with key decision-makers.