Germany's NIS2 Compliance Stalls at 14% While Workplace Safety Rules Quietly Loosen
12.06.2026 - 01:11:40 | boerse-global.de
A fresh survey from TÜV Rheinland paints a stark picture: just 14.3 percent of German companies have fully implemented the NIS2 cybersecurity directive, with a mere 16.9 percent far along in their preparations. The findings, based on responses from 500 IT decision-makers, arrive as Berlin simultaneously rolls back workplace safety obligations for smaller firms—a move critics say undermines protection just as digital threats escalate.
The government’s reform, which took effect in May 2026, raises the threshold for appointing mandatory safety officers from 20 to 50 employees. The change primarily relieves micro and small businesses, though exceptions remain. If a special hazard situation exists, even smaller operations must still designate safety personnel. Trade associations (Berufsgenossenschaften) retain the authority to order such appointments if they deem it necessary.
Supporters of the relaxation argue it offers long-overdue relief for the Mittelstand. Critics, however, warn that companies with 20 to 49 employees now risk operating without a dedicated contact for occupational safety questions. The debate echoes a broader tension: while physical workplace protections are being eased, the digital front demands ever tighter controls.
Under the NIS2 directive, security and risk management become a boardroom responsibility. From June 30, 2026, German supervisory authorities plan to intensify inspections of required protective measures. The stakes are high elsewhere: Bulgaria has had personal liability for senior management in place since June, with fines reaching up to €10 million or two percent of global annual turnover. Luxembourg requires affected companies to register by July 10, 2026.
At the “State of Security” conference in Berlin on June 10, experts warned of growing dangers from AI-powered cyberattacks. The National Security Council responded the day before, on June 9, by ordering the creation of a national AI Security Institute. Initially, it will operate virtually, drawing on expertise from the Federal Network Agency (Bundesnetzagentur) and the Federal Office for Information Security (BSI).
Legislative activity is also intensifying around physical security. In Hesse and Lower Saxony, draft laws introduced in June tighten security vetting procedures. They demand expanded disclosures regarding any links to criminal or terrorist organisations, and will allow internet searches to play a greater role in assessing reliability.
Spring brought a new guidance note on alarm transmission for fire detection systems. When no municipal concessionaire exists, the system operator bears full responsibility for availability and liability—a rule that places additional legal weight on building owners already juggling compliance deadlines.
