Three Months In: What German Companies Are Actually Learning From NIS2 Compliance
- Varghese Jackson

- 4 days ago
- 4 min read
It has been three months since Germany’s NIS2 implementation went live on 6 December 2025 with no grace period and no soft launch, just “go.” Now that the dust is settling, some honest lessons are starting to emerge.
Some organisations were ready. A few weren’t. But even the well-prepared ones have learned things they didn’t expect. Here’s what is really happening on the ground across incident response, governance, supply chains, and operational resilience.
The Operational Impact of the 24-Hour Reporting Rule
Ask any security team what has changed most under NIS2, and the 24-hour incident reporting window comes up almost immediately. It sounds straightforward on paper: detect a significant incident, submit an early warning within 24 hours, follow up with a fuller notification at 72 hours, and file a final report within a month. The 24-hour deadline asks for an early warning, not a completed analysis, but it still has to be produced while the incident is live.
In practice, it has been a stress test for processes that many organisations had never actually put under pressure. The uncomfortable discovery? A lot of those processes looked fine in a playbook but fell apart once the clock was running: detection gaps, unclear escalation paths, and nobody sure who signs off on the external report.
That is not necessarily a bad thing. Knowing where the gaps are is the first step to fixing them. But it does mean that “we have an incident response plan” and “our incident response actually works” are two very different things.
Cybersecurity Has Finally Made It Into the Boardroom
Security professionals have been trying to get leadership attention on cyber risk for years. NIS2 has done in three months what internal campaigns couldn’t do in a decade: it put cybersecurity on the agenda as a leadership responsibility.
Under the law, management is expected to understand the risks, participate in training, and be accountable for outcomes.
The reason this matters is that cyber decisions are not purely technical. They touch budgets, operations, supplier contracts, legal exposure, and business continuity. Having a CISO fight for resources in isolation was never a sustainable model. Now, at least in theory, leadership has to be part of the conversation.
Whether boards are genuinely engaged or just ticking boxes is a separate question, but the pressure is real, and that’s a start.
ISO 27001 and NIST Help Organisations Adapt Faster
One of the clearest patterns from the first three months is that companies that had already adopted ISO 27001 or the NIST frameworks are adapting to NIS2 significantly faster than those starting from scratch.
It makes sense. These frameworks give you a head start on nearly everything NIS2 demands:
• Governance structures and defined ownership
• Risk management processes that are already documented
• Incident response plans
• Some degree of supplier oversight
• Business continuity frameworks
That said, having a framework and being NIS2 compliant are not the same thing. The requirements are specific, and gaps still need to be addressed. But there is a real difference between refining what you have and building everything from the ground up.
Supply Chain Security: Everyone Knows They’re Behind
If there’s one area where organisations are most candidly acknowledging they have work to do, it’s supply chain security. NIS2 expects you to manage cyber risk across your suppliers and service providers, not just inside your own perimeter.
For large organisations, that is a significant undertaking. You might have hundreds of suppliers, operating on different contract cycles, assessed by different teams under different standards. Getting that under control requires coordination between security, procurement, legal, and business owners.
The honest assessment from most organisations is that they know where they stand, and they know it is not good enough yet. Supply chain maturity has become something of a benchmark for how seriously a company is taking its security programme as a whole.
The Gap Between Policy and Practice Is Showing
Another recurring theme is the distance between what companies have documented and what they can actually demonstrate. Most organisations have security policies. Most have patching standards. Most have some form of business continuity framework.
Proving that those policies translate into operational reality is the challenge. Are asset inventories actually accurate and up to date? Are exceptions being tracked and resolved, or just logged and forgotten? Are recovery plans tested, or just written? Are lessons from incidents actually feeding back into improvements?
Vulnerability management and business continuity testing are the two areas where this gap is most visible. NIS2 is pushing organisations to move from “we have a policy” to “we can show it works.”
What NIS2 Compliance Actually Means
None of this is a surprise if you have watched how regulations tend to land. Attention comes first; operational improvement takes longer. That is why the high-visibility areas, such as incident reporting timelines and board accountability, are further along than the harder, slower work of supplier remediation and day-to-day vulnerability management.
The organisations getting the most out of NIS2 right now are not treating it as a compliance exercise to be finished and filed away. They are using it as a reason to fix things they always knew needed fixing, with leadership buy-in they didn’t have before.
That is ultimately what good regulation should do. Not just impose requirements, but raise the floor on how seriously organisations take the underlying risks. On that measure, at least in these early months, NIS2 is doing its job.