
In Scope, Out Of Sight: Why NIS-2 Isn't Landing In German SMEs - Younes Ahmadzei

BSides Munich 2024, 3244 views, published 2026-02
Category: Policy
Style: Talk

Transcript [en]

So thank you for coming. I will talk about NIS 2: you're in scope, but out of sight. Why isn't NIS 2 landing in German SMEs? A short agenda: I will talk shortly about myself, about my bachelor thesis, which the topic I present today is based on, what NIS 2 is, why I chose SMEs, what the transposition status of NIS 2 itself is, and then about the self-assessment tool I developed and the companies I interviewed.

So who am I? As already told, I'm Younes. I'm a bachelor student, I work as a trainee information security consultant at HvS, and my bachelor thesis was "Practical implementation of NIS 2 in SMEs: comparison with other standards and development of an assessment model for compliance evaluation". So what did I do? I developed a self-assessment model for NIS 2 readiness and mapped the NIS 2 requirements to already existing standards, for example ISO 27001, which most of you know; if you are in the automotive sector you may know TISAX; and other standards. And I conducted 17 interviews with CISOs, IT and CEOs.

So what is NIS 2? Some of you maybe know it, some maybe don't. If you were here last year at the BSides 8-bit edition, there was a talk from Jennifer and Sneha about the Cyber Resilience Act and NIS 2. NIS 2 is a new EU directive, 2022/2555. It replaces the original NIS directive from 2016 and it sets a baseline for security and risk management. So the companies who are in scope have to implement these requirements. It applies to critical and important entities. Entities are companies which are in NIS 2, and it includes SMEs. That's new: before, it was just companies in the KRITIS sector, critical entities, critical companies. It was published in 2022 and it should have been transposed by October 2024. Today is November 2025, and I will talk about that in a minute. The new scope has more sectors and lower thresholds, so more companies are affected by it.

So why am I talking about SMEs? Because these are new in scope and many of those companies qualify as important entities. Around 30,000 SMEs are newly affected by NIS 2 in Germany alone, and around 99% of all companies in the EU are SMEs, so that's a huge sector of companies which are new in the scope. Also, most SMEs have no security baseline. They do security, but they have no baseline. They do not have an ISMS, for example based on ISO 27001. There's also a lack of people, budget and know-how, especially compared to KRITIS, because KRITIS already has these regulations and SMEs don't. And there's a big uncertainty: are we even affected? I will tell you later, many of the companies that I talked to, or which didn't answer me, didn't answer because they don't know if they are affected by NIS 2 or not. So it's a common reaction, and most of those companies are also first-timers; for many it's the first regulation they have to deal with.

So, transposition status: in 2022 NIS 2 was published, and it said that by October 2024 NIS 2 has to be transposed into national law. Germany had proposed a draft bill in November 2025, so one month after the deadline. Okay. But as some of you know, there was a sudden government change in February 2025. So everything has to be done again. And in July 2025 there was the first official draft of the new government. And just a little disclaimer: these slides were from July of this year. The goal was to get it done by December. But there was a big change: five days ago the parliament accepted the bill. So NIS 2 is in some days national law. And only four member states managed to transpose before the deadline, and the EU sent reasoned opinions to 19 member states, but we did it one year after the deadline.

So I developed a self-assessment tool. It's a questionnaire based on the NIS 2 controls, because NIS 2 is just a regulation, just some legal text; some of the companies need a lawyer to explain it to them. I tried to translate the legalese into German/English. So there's a category in which the controls are, and a question based on the control, and you can answer that. There's a question for implementation and a question for evidence, because many companies already do security. There's no company that doesn't do anything; they do at least something. So I tried to split it into implementation and evidence, because this evidence part is important in NIS 2, but most of the companies do not have it. So there's a split between the implementation and the evidence. And if you answer the questionnaire, you see in which category what kind of maturity level you have. So in governance maybe you have maturity level five, risk analysis too, but in threat analysis you're very low, and you also get suggestions and measures to improve your maturity level. Exactly. And I also tried to map all the NIS 2 requirements to already existing standards. Examples are ISO 27001, IT-Grundschutz, GDPR, CIS Controls and VdS 10000, because, like I told you, some companies may not have them but some companies have them. They already have an ISMS based on ISO 27001, so they do not have to do everything again. Many of the things are overlapping. So if you already have an existing ISMS based on a standard, there are just some things that you have to do extra, and then you should be compliant with NIS 2, and I tried to map these controls of the regulation to the standards.

So what I did in the interviews: I searched for companies that were newly under the scope. I targeted only SMEs and non-KRITIS sectors, because, as I told you, KRITIS was already in scope of the old NIS; SMEs not so. And what is an SME? The definition is 50 to 249 employees and 10 to 50 million turnover. So there are many companies who fall into this threshold, and it's mostly companies from the sectors of Annex 2, important entities. So if you ask what Annex 2 is: here you see, these are Annex 1. These are mostly critical infrastructure: energy, banking, health, drinking water. And there are also new ones here: postal and courier services, waste management, manufacturing. These are new in the scope of NIS 2, and many SMEs fall into that, and they need to be compliant maybe next week.

So I found around 3,000 companies that could be under NIS 2, but I tried to concentrate on companies who are definitely in scope according to NACE codes or the SME definition. There are NACE codes in the annex, so I could use those, and I filtered down to around 1,800 and I emailed them all. Around 200 emails couldn't be delivered; maybe they were old emails or the person didn't work in the company anymore. So I hope around 1,600 were delivered. In the first round 1,600 were sent, but around 1,500 didn't answer me, 50 declined and only four accepted that they want to be part of the interview and talk about NIS 2 and try my tool for NIS 2 readiness. The reasons for the 50 that declined were: we are not in scope, it's not a German law yet, it's not interesting for us, it's not relevant, and we just do not participate in studies. Okay, fair. So four was not enough for me, so I tried a second round. I sent around 1,200 emails again. Around 1,100 didn't answer me, 76 declined, 10 accepted. Same reasoning: we are not in scope, it's not a German law, we are waiting, it's not relevant. And okay, again, four plus 10, 14, still not enough; I wanted a bit more. So I tried again. I sent around 800 emails; 750 did not answer me, 26 declined and three accepted. Same reasoning as before. So in total I sent 3,600 emails; 3,400 people did not answer, 152 declined and 17 accepted.

So I asked myself, why didn't they answer? Maybe they thought it's spam. Maybe they were just not interested. Maybe because it was around summer, some of the people were on holiday, but I wrote to the info mail, so I don't know if the info mailbox was also on holiday. But you see just a small sliver of people or companies answered, and the bulk of them did not answer, which is kind of worrying if you ask me, because I was very sure that they are in scope, and still I'm sure that they are in scope.

So the companies that I asked, did they have certificates or not? Five had certificates. I'd single this one out: well, TISAX is not a certificate, it's a label, but you know what I mean. And two are working on it or did not have it. The average maturity level according to my readiness tool: the ones that had certificates were at maturity level five, that's good. Like I told you, ISO 27001 and NIS 2 are very comparable. And the ones with no certificate have a maturity level of two. Like I told you before, some companies are doing security but they don't have the evidence that they really do it, like there's someone in IT who is running a one-man show.

So what do these companies think about NIS 2? They thought it is good. Yeah, more security is good, but there's no transparency. Are we in scope? Are we not in scope? Because, like I told you, three, four, five months ago it was just an EU regulation. There were no defined thresholds or scope in German law, and the requirements were not easily understandable. That's why I tried to translate the legalese into German/English. And there was a big uncertainty: when does the German law come out? Because at the time when I did the interviews there was not even a draft bill. So it was just in the air: we are going to do NIS 2 some time. And what did they say about the implementation of NIS 2 inside the company? It's very expensive and time-consuming. Most of them told me we have to dedicate one person solely to this, because an ISMS is not just a project that you do one time and it's over; it's a continuous thing that you have to do all the time. And what did they wish for from lawmakers? Transparency, communication and also funding, because who is going to pay the people that are implementing this? You say to us we have to do security, but who's going to pay?

And some of them already worked on NIS 2 because they knew it; some of them didn't. So some of them didn't even start it, some have done it for a few months, and some have already been working on it since 2002 or 2003. So one year. And what did these companies think, when are they compliant? Some said end of this year: some companies said that which have been working on it for one year, and some that didn't even start it said yeah, end of this year we'll be compliant. Some said middle of next year, some said end of next year. And companies have to be compliant in a few days, when it's German law.

But were they happy with the tool that I provided them with? It was a very strong yes, because that was the first time some of the companies had anything to do with it. The tool translated these requirements of NIS 2 into something that they could work with, a checklist of some sort that they could work with and just implement the controls.

So what are the lessons learned that I got from the interviews? Many companies are not doing anything unless there is a really pressing need for it. They have to do it, because it costs money, it costs people and time; no one has it. And maybe there is no pressing need because it's not German law, or in a few days it will be German law and then they have to be compliant. There's no grace period; there's no transition period once it's German law. Every company who is in scope has to be compliant. And I thought the companies were not like "we're not doing NIS 2"; they want to do it, but it's very hard. Also, when there was the government change, there was again uncertainty: do we have to do it? Now that we've been through that, do we not have to do it? Are we in scope, are we not in scope? So the companies felt left alone; there's no support from the government. There's also no transparency, no clear communication. All in all, if we would scale up the interviews that I did, only around one out of 10 companies is taking it seriously. I showed you before, 1,500 companies did not answer me; maybe they thought it was spam, hopefully.

So how can we help? How can maybe I help? On our website we are trying to help SMEs to implement NIS 2. And why I did the tool: because no one has the money for a gap analysis. A gap analysis costs money, it costs time, but the tool is self-paced, it's for free. You can contact us, we can provide you with the tool, and you can answer it and see what the state of NIS 2 readiness in your company is. And you can also contact me on LinkedIn and ask me there. So that's all for me. If you have questions, feel free to ask.

>> Thank you very much, Younes. Perfect timing. Then we have enough time for the questions.
>> Yes.
>> Coming. You can throw the mic.
>> Yeah. A question to you: what was the most shocking reaction in the interviews, based on your questions, from the companies you talked to?
>> Some of the interviewees said, "I'm not really in NIS 2, but I just want to see how it is," and other people said, "I will just put it into ChatGPT and get some policies out and I will be compliant."
>> Okay. So that's... Yeah, let's see.
>> Okay, thank you. Yes, throw it. Any other questions? You can throw it from far away, it also works.
>> Yeah. Just another question: how experienced were the interviewees, in your view, regarding NIS 2?
>> Again? Sorry.
>> How experienced were the interviewees, in your view, regarding NIS 2?
>> Okay. So the companies that I talked to, it was mostly IT leads, some CEOs and some CISOs. The IT leads knew about NIS 2, but they didn't know what they have to do exactly. The CEOs themselves: there was one person who didn't know what NIS 2 was, so I had to explain in the interview what NIS 2 was, then explain what the tool does and what he then has to do. But there were also some people, for example the CISOs, who had already implemented an ISMS; they knew what NIS 2 was, and they were also working on it. So it was mixed, varying from absolutely no knowledge to experienced knowledge.
>> And what impact do you think the interview had on the interviewees?
>> Some of them were trying to help me just by doing the interviews for the bachelor thesis, but there were also many people who benefited from the tool itself. So they told me later on that they have used the tool as a checklist and are already working on it inside the company, with the tool, to implement the NIS 2 requirements.
>> Thank you very much. Hi, sorry, I have a question around what you think would drive compliance faster. So, you know, consequences of not being NIS 2 compliant can potentially be fines, financial loss for the company. But when we don't have physical examples of those yet, it makes the speed of compliance a little bit slow. So do you have any feelings on what would drive that a little bit further, especially for SMEs?
>> Yeah. So like you said, there are already some sanctions in NIS 2. So if the companies are not compliant and there's an incident and they were not NIS 2 compliant, then the CEO of the company has to pay a big fee. But like you just said, there's no real example of that yet. To try to push compliance further, there should be more communication from the government to the companies, like in some other member states, for example Italy, where the government is coming to the companies and saying, hey, you are in the scope of NIS 2, you have to be compliant, please do these, these, these and these things. And if maybe the German government does it also, going to companies and saying you are in the scope of NIS 2, you have to be compliant in these categories, please do that, that's maybe a point that would drive a company or a decision maker to get compliant in a suitable time.
>> Yes.
>> Just another question. Why do you think that the interviewees who were responsible for implementing NIS 2 were not familiar with NIS 2?
>> So again, lack of communication. There was a lack of communication. On the site of the BSI they had pages for NIS 2, what they have to do; there was a scope check of the BSI so you could see if you are in scope or not in scope. But the communication was just: it's on the website, you can see it. There was no direct communication to the companies that you have to be compliant with NIS 2. There was also a study by TÜV this year that many companies, I don't know the exact number, around 80% or 90%, didn't even know what NIS 2 was. Is there another question there, or...
>> Do you have examples from other countries that take a better approach?
>> Like I said, for example Italy and I think also Belgium. These are some member states who are practically going to the companies, and also maybe municipalities that are in scope, and they're talking to them: you're in scope of NIS 2, please be compliant.

>> One second. Microphone flying.
>> Have you talked to the Industrie- und Handelskammern? No, I haven't. This is a typical... Yeah.
>> Yeah. No, I have not talked to them, but they have...
>> As far as I know, they got out of NIS during the process.
>> Yeah.
>> So that they don't have to.
>> Yeah. So I have not talked to them. I have seen some posts from them. They are also talking about NIS 2 and that companies have to be compliant with that, but I have not talked to them in this regard. Other questions?
>> Then, if there are no other questions, I have one last one.
>> Sure.
>> And then I'll let you go. Regarding your self-assessment tool: is it Excel based, or just a table on a website where you can select these answers?
>> So it's an Excel tool. We will send it to you, you can download it, and then it's yours. So you can work with it, you can adjust it. It's not an online tool; it's an Excel tool.
>> No, no macros, nothing. So just a simple Excel tool that has a questionnaire and also the results after that.
>> Oh, thank you. Maybe I'll get it later.
>> Sure. Then thank you very much, Younes, for being with us today.
>> Thank you. And applause for Younes.