Eighty-two percent of German security leaders call the EU’s NIS2 cybersecurity directive useful or necessary. Yet more than half have not confirmed whether their own organization is legally obliged to register for it — a gap that a new study by Everpure says leaves executives personally exposed.

The findings come from “NIS2 Reality Check 2026,” a survey of 202 chief information security officers and IT security managers across NIS2-relevant sectors in Germany, fielded by Cint on behalf of Everpure in May 2026. The study’s authors call the pattern an “acceptance paradox”: strong strategic buy-in coupled with unfinished technical and organizational groundwork.

Registration status unresolved for half of respondents

NIS2 requires organizations that provide critical services to register with Germany’s Federal Office for Information Security (BSI). The federal deadline for registration has been extended to July 31, 2026; as of May, roughly 18,500 of an estimated 29,000 affected organizations had completed the process, according to the study.

Among participants, 72.3 percent said their organization provides critical services to users in the EU — a core criterion for falling under NIS2. Yet only 47.0 percent had formally verified their registration obligation. Just under 30 percent said the check was still outstanding, and 23.8 percent could not answer the question at all, pointing to the legal complexity of NIS2 scoping across sectors and supply chains.

Governance gaps, personal liability

NIS2 shifts accountability for cybersecurity risk management explicitly to the executive level. Under Article 20 of the directive, management bodies must approve and actively oversee risk management measures. German company law adds teeth: under Section 43 of the GmbH Act, managing directors can be held personally liable with their private assets for breaches of duty of care, and delegating responsibility to a CISO does not by itself discharge that obligation.

Despite this, 50.5 percent of surveyed organizations reported operating without clearly defined internal responsibilities for NIS2 implementation. The study attributes part of this to a structural disconnect: security teams often drive technical work while formal board-level accountability lags behind.

Detection and the 24-hour reporting clock

NIS2’s reporting regime, set out in Article 23 of the directive and Section 32 of the German BSI Act, requires an early warning within 24 hours of a significant incident, a follow-up report with compromise indicators within 72 hours, and a final report with root-cause analysis within one month.

Meeting that timeline depends on infrastructure visibility. According to the study, 53.5 percent of organizations have not defined a Security Information and Event Management (SIEM) system. Among the 94 that do operate one, log retention often falls short of what incident reconstruction requires: 35.1 percent delete log data within 14 days and a further 28.7 percent within 30 — meaning close to two-thirds discard logs before the one-month mark. Germany’s BSI recommends retaining security-relevant logs for at least 90 days; fewer than one in five SIEM operators meet that standard, the study found, or under 5 percent of all respondents.

Backup resilience: progress, with gaps

On business continuity, results were more mixed. A majority, 66.8 percent, said they protect critical systems with immutable backups that cannot be altered or deleted after the fact — a defense against ransomware that targets production data and backups simultaneously. But 33.2 percent reported no such protection, and 37.6 percent had not yet formally classified which applications are business-critical.

On recovery testing, 61.4 percent said they had run a disaster-recovery exercise for critical applications in the past 12 months, and of those, 88.7 percent documented the results — data volume, recovery time and recovery throughput. Combined, however, only about 54.5 percent of all respondents can show both a completed test and its documentation, the metric auditors most often request.

Cost is a factor, not a blocker

Nearly half of respondents, 48.5 percent, called NIS2 implementation expensive, and 33.2 percent called it time-consuming. Only 12.4 percent expect negative effects on ongoing business operations. Separately, 49.0 percent said they invest in cyber resilience independent of regulatory obligations, suggesting NIS2 is accelerating modernization plans already under way rather than triggering them outright. IT budget was the most cited barrier (44.1 percent), followed by legal uncertainty (43.6 percent) and a shortage of in-house expertise (23.8 percent).

“As responsibility for cyber resilience shifts to company leadership, there is a growing need for genuine resilience rather than treating compliance as a formal checkbox exercise,” said Markus Grau, Enterprise Architect EMEA at Everpure. “Our survey shows that German companies recognize the need to act, but cost, complexity and a lack of clarity are slowing implementation.”

A note on the source

The study was commissioned and published by Everpure, a data storage and backup technology vendor whose offerings include the immutable-backup and log-retention capabilities the survey identifies as gaps. Its recommendations — including a vendor-run “NIS2 Recoverability Check” workshop — should be read with that commercial interest in mind. Data collection was conducted by the independent research firm Cint among 202 respondents; results are not broken down by industry or company size due to sample size, and rounding may cause percentages not to total exactly 100.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Cookie Notice by Real Cookie Banner