Germany Launches Major NIS2 and DORA Offensive: The Strictest Era of Cyber Compliance Begins for Companies
At the end of November 2025, Germany initiated the most far-reaching cybersecurity reform of the past decade, following the Bundesrat’s adoption of the NIS2 implementation law. As a result, regulatory obligations effectively entered into force immediately, without any transitional periods — a development legal experts are calling a “compliance shock” for the business sector. At the same time, European supervisory authorities activated a key mechanism of the DORA regulation and published the first list of critical IT third-party providers, who now fall under direct EU oversight.
The Federal Network Agency (BNetzA) has already presented a draft of a new security catalogue, introducing stricter requirements for safeguarding the telecommunications supply chain. The law firm Dentons points out that all obligations apply from the moment the law takes effect, including mandatory registration with the BSI and the implementation of comprehensive cyber risk-management measures. The scope of regulated entities is expanding dramatically, from around 4,500 to almost 30,000 companies, and now includes logistics, food supply, and digital service providers.
DORA further tightens supervision over cloud providers, analytics companies, and software vendors serving the financial sector, introducing mandatory on-site inspections and new channels for reporting IT incidents. The common priority of both regulations is strengthened third-party risk management, meaning that suppliers can no longer rely on simple declarations of conformity but must provide evidence of their security reliability.
Regulators stress that the era of postponements is over, and companies that were counting on extended deadlines now face severe penalties and increased personal liability for management. All indicators suggest that the period leading into early 2026 will be a race to close compliance gaps across all sectors.