In Scope, Out of Sight: Why NIS-2 Isn’t Landing in German SMEs

Description

This talk explores why the NIS-2 Directive is not gaining traction in German SMEs, even though many of them are now in scope. Based on a bachelor thesis, the presentation covers a self-developed NIS-2 self-assessment tool, mappings to common standards (ISO 27001, TISAX, IT-Grundschutz), and outreach to 1800 SMEs across Germany.

The talk includes insights from 17 interviews with CEOs, CISOs, and IT managers, covering how companies perceive the regulation, why many have not started implementing it, and what they expect from lawmakers. It also highlights the impact of Germany’s delayed transposition into national law. Attendees will leave with a grounded view of the current state of NIS-2 implementation in the German Mittelstand and ideas for how to bridge the gap between regulation and reality.

Younes Ahmadzei

Younes Ahmadzei is an information systems bachelor’s student at the Technical University of Munich (TUM) and a trainee information security consultant at HvS-Consulting. His research centers on the EU’s NIS-2 Directive and its real-world implications for mid-sized German companies. As part of his thesis, he created a NIS-2 self-assessment tool, mapped the directive's requirements to ISO 27001, TISAX, BSI IT-Grundschutz and other standards, conducted an empirical outreach to 1800 SMEs, and carried out 17 expert interviews with key decision-makers.