Germany’s NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is expected to come into force in spring 2025. This new regulation will have significant implications for service provider contracts and cybersecurity. Companies should not wait passively but actively prepare to comply with the legal requirements. This article outlines how NIS2 will affect future service provider contracts for regulated entities and what actions must be taken.
Urgency of NIS2 Implementation
In practice, the delay in Germany’s NIS2 law does not exempt regulated companies from preparing. Although penalties cannot be imposed before the law takes effect, cyber insurers may refuse coverage for incidents occurring after October 17, 2024, if NIS2 requirements are ignored. This deadline marked the end of the EU’s transposition period. For companies operating across borders, legal uncertainty arises: who is liable if an incident occurs in an EU country that has implemented NIS2, but the responsible company is based in unregulated Germany?
Who Needs to Prepare?
A simple rule applies: any company regulated under NIS2 must begin preparations immediately. In Germany, this affects up to 29,500 companies. However, due to NIS2’s supply chain security requirements, it is unclear how many service providers and suppliers will also be impacted.
Supply Chain Security
NIS2 requires regulated companies to contractually ensure that all external partners comply with cybersecurity standards—whenever outsourcing, third-party services, or hardware/software products affect business-critical processes. In such cases, contractors must commit to meeting the same requirements as the regulated company itself.
This is not entirely new for many providers. Companies pursuing ISO 27001 or BSI IT-Grundschutz certifications already face supplier audits and contractual requirements for resilience, integrity, and confidentiality. Data center operators, for example, are used to regular checks by clients with sensitive data needs.
Impacts on Service Providers
What’s new with NIS2 is that compliance is enforced indirectly—through contractual obligations from regulated clients. Paradoxically, suppliers may face compliance demands before their clients do. While regulated companies benefit from transition periods (up to three years for critical infrastructure operators), service providers do not. Many contracts are renewed every 2–4 years, and upcoming negotiations will require NIS2-compliant clauses.
If a contract’s term overlaps with the law’s effective period, regulated companies must ensure their suppliers are compliant. Procurement teams will demand proof of cybersecurity measures during contract renewals. Risk management will only allow partnerships that meet legal standards.
Recommended Actions for Service Providers
Service providers should begin implementing the minimum security requirements listed in Article 21 of NIS2, such as security concepts and encryption. Most of these are not new, especially for platform operators, data centers, or software developers working with regulated clients.
A useful benchmark is the questionnaires used by cyber insurers, which assess crisis management, network security, and user privileges. Clients will expect readiness for audits, penetration tests, and exercises. Additional cybersecurity clauses may be added to SLAs. Written declarations of compliance with IT-Grundschutz may become mandatory—already a requirement in public tenders.
Conclusion: NIS2 and the Supply Chain
Ignoring rising cybersecurity expectations is no longer an option—especially for service providers working with NIS2-regulated companies. Future contracts will only be awarded to those who can demonstrate an appropriate level of cybersecurity. NIS2 dramatically expands the scope of cybersecurity obligations. Thousands of companies must now meet their clients’ elevated expectations. Compliance may even become a competitive advantage, especially if high resilience and security are emphasized in marketing.