Cyber Resilience Needs More Than Checkboxes, Says German Business Chamber

Key Takeaways
  • DIHK urges practical NIS2 implementation: Germany’s business chamber supports the EU directive but warns that vague terms and legal uncertainty risk overwhelming SMEs.
  • Exempting public administration raises concerns: The Chamber criticizes the government’s decision to exclude municipalities and much of the federal sector from comparable cybersecurity obligations.
  • Supply chain burden is mounting: Without clear recognition of certifications like ISO 27001 and TISAX, certified suppliers face redundant compliance checks and rising costs.
  • National deviations could undermine EU alignment: Unique German definitions, such as “negligible activities,” may clash with NIS2 and create regulatory inconsistency across the bloc.
  • DIHK calls for clear, proportional rules: The Chamber stresses that cybersecurity can’t be built on bureaucracy alone; it needs clarity, consistency, and a sense of proportion.
Deep Dive

As Germany scrambles to catch up on implementing the EU’s updated cybersecurity directive, the country’s leading business group is warning lawmakers not to let good intentions get lost in bad bureaucracy.

The German Chamber of Industry and Commerce (DIHK) is throwing its weight behind the goals of the EU’s NIS2 Directive, which aims to raise the cybersecurity bar across member states. But in its latest statement, the Chamber is urging Berlin to avoid turning that bar into a bureaucratic hurdle, especially for small and midsized companies already stretched thin.

“Economic resilience cannot be enacted by law,” DIHK’s Digital Economy Director Dirk Binding said. “Companies need clear guidelines and practical support—not more red tape.”

While the legislation is intended to align Germany with NIS2, which required national strategies by late 2022, the process has been anything but timely. A missed EU deadline in October 2024 and a federal election earlier this year pushed the timeline back further. Now, as the draft law finally moves forward, DIHK wants to make sure it does more good than harm.

A Legal Maze No One Asked For

At the heart of DIHK’s criticism is a familiar but thorny issue: legal uncertainty. Businesses, especially SMEs, are left deciphering vague definitions like “important facilities” and “critical installations” just to figure out whether the law even applies to them. That means hours with lawyers and consultants before any actual cybersecurity improvements can begin, and that’s before they start implementing risk management frameworks, documenting controls, or responding to audits.

Even the impact assessment, DIHK says, is riddled with ambiguity.

“We’re seeing companies spend enormous amounts of time just trying to determine their obligations,” said Binding. “This isn’t productive. It’s paralyzing.”

One of the Chamber’s biggest concerns is that Germany’s draft law introduces terms and thresholds that don’t exist in the EU directive, like the concept of “negligible activities” to exclude certain business lines from compliance. While well-meaning, this could backfire. DIHK warns that such national deviations may not hold up under EU law, exposing companies to even more legal risk.

And while the draft expands the scope of who must comply, it carves out a notable exception for the public sector.

“It’s hard to explain why municipalities and large parts of the federal administration are exempt,” said Binding. “If they’re part of the digital value chain, they should also be part of the security architecture.”

The Supply Chain Squeeze

Another point of contention is the ripple effect on supply chains. Companies with recognized cybersecurity certifications like ISO 27001 or TISAX are still having to respond to endless client inquiries and audits, because it’s not clear if those certifications will be recognized under the new rules. In DIHK’s words, “Certified suppliers shouldn’t have to answer hundreds of individual inquiries.”

This uncertainty is especially punishing for SMEs, which often lack the capacity to handle such demands. DIHK is calling on the government to formally accept recognized standards and cut through the noise.

DNS Confusion and Energy Sector Ambiguity

The Chamber also flagged worries about data access under the new rules. Germany’s implementation, as drafted, limits WHOIS domain data access to only a handful of domestic authorities, which DIHK says runs counter to the EU’s broader vision. That could make it harder for cybersecurity teams and rights holders to get the information they need in time to stop a threat or enforce a claim.

Meanwhile, in the energy sector, the inclusion of so-called “digital energy services” has sparked more questions than answers. What exactly counts? Does every IT-enabled energy platform fall under these rules? DIHK wants clear thresholds and definitions—otherwise, the country risks over-regulating small cooperatives and stalling the energy transition.

Across the board, DIHK’s message is that cybersecurity matters, but implementation must be measured, not manic.

“Cybersecurity needs clear rules, but also a sense of proportion,” said Binding. “We can’t afford to drown businesses in complexity while claiming to make them more resilient.”

The Chamber isn’t rejecting NIS2. On the contrary, it welcomes a stronger cybersecurity framework. But it wants lawmakers to remember that digital resilience isn’t built with legislative volume; it’s built with clarity, coordination, and trust.

And for companies navigating a sea of uncertainty, trust begins with knowing exactly where they stand.
