New Study Reveals Alarming Discrepancy Between Compliance Belief and Actual Readiness
Leipzig, Saxony, Nov. 28, 2025 — Following the implementation of Germany’s NIS-2 Implementation and Cybersecurity Strengthening Act, approximately 30,000 German companies are now subject to more stringent security mandates. The updated regulations necessitate, among other things, verifiable business continuity frameworks, effective disaster recovery processes, and clearly defined responsibilities. A recent study conducted by DATA REVERSE Data Recovery indicates that a significant number of companies are failing to meet these essential requirements.

The study’s findings are based on surveys conducted with 245 IT decision-makers, managing directors, and technical specialists at the IT security trade fair IT-SA in October 2025. The results present a clear picture: many organizations lack both a realistic self-assessment of their capabilities and fundamental technical and organizational safeguards.
1. Affected Status: Over Half Have Never Verified NIS-2 Applicability
Despite the law becoming binding in 2024, 53 percent of survey participants admitted they had not checked whether NIS-2 applies to their organization. Only 22 percent confirmed with certainty that they fall under the regulation. Another 25 percent suspected its relevance but remained unsure.
This indicates that a substantial proportion of companies are overlooking a mandatory legal prerequisite, thereby risking financial penalties and potential liability issues related to documentation.
2. Self-Assessment: 71 Percent Believe They Are Prepared — Despite Clear Deficiencies
Among companies that identified themselves as clearly or likely affected by NIS-2, 71 percent stated they were prepared. However, the study reveals that this self-assessment frequently diverges considerably from the actual state of readiness.
Crucial mandatory components, such as documented recovery processes, defined reporting channels, or routine recovery tests, are often not implemented.
3. Disaster Recovery Tests: Only One-Third Test Regularly — Half of Companies Test Infrequently or Never
A key discovery relates to the recoverability of systems and data:
- 33 percent of companies conduct recovery process tests at least quarterly.
- 45 percent test only every one to two years, or not at all.
- 22 percent are unaware if recovery tests are conducted.
Article 21 of NIS-2 explicitly mandates demonstrable and tested business continuity and recovery processes. Without regular testing, this proof is considered insufficient.
4. Emergency Planning: Only About 30 Percent Possess a Comprehensive Concept
Only 30.6 percent of respondents confirmed having a functional, complete IT emergency plan. An additional 34.7 percent are currently in the process of developing such a concept.
More than 30 percent either have no IT emergency plan or are unsure if one exists — a critical shortfall given the legal requirements for organization, reporting procedures, and coordination during emergencies.
5. External Data Recovery: 96 Percent Lack an Emergency Partner on File
Only 4 percent of the surveyed NIS-2-relevant companies have a designated data recovery contact for worst-case scenarios.
This means that in 96 percent of cases, a vital element is missing: an external partner capable of intervening when internal backups fail — whether due to ransomware attacks, hardware malfunctions, or misconfigured backup systems. Many organizations, however, underestimate the critical importance of professional data recovery in an emergency, often basing their assumptions on widespread misconceptions rather than validated procedures.
Company Insights
Jan Bindig, Managing Director of DATA REVERSE®, comments:
“The fact that 71 percent consider themselves NIS-2-ready while two-thirds do not regularly test their recovery processes highlights a dangerous disparity. NIS-2 demands demonstrable business continuity — and without tests, there is no demonstration.”
He further elaborates:
“The most significant gap is in external data recovery. 96 percent of companies have not integrated an emergency partner. In reality, backups frequently fail. NIS-2 requires functional emergency concepts precisely for these situations.”
Recommendations for Businesses
DATA REVERSE advises four immediate actions for affected organizations:
- Clearly ascertain affected status — based on criteria like company size, revenue, and sector.
- Test recoverability — perform complete restores and document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Establish or update an IT emergency plan — including defined escalation levels.
- Integrate external data recovery — to ensure a robust backup strategy for the worst-case scenario.
About DATA REVERSE®
For over 20 years, DATA REVERSE® has been a premier provider of professional data recovery services, setting industry benchmarks with guaranteed quality and a success rate exceeding 95%. With TÜV-certified customer service, the company ensures top-tier transparency, confidentiality, and personalized support – even during urgent emergencies with 24/7 availability. DATA REVERSE® distinguishes itself through its expertise in reverse engineering and a dedicated research and development (R&D) team, enabling innovative solutions for the most intricate data loss situations. Equipped with cutting-edge technology and a highly experienced team, the company successfully retrieves data from rare or severely damaged storage media. Furthermore, DATA REVERSE® leverages an extensive network of over 200 partners, fostering mutual support across all IT domains. This allows the company to deliver not only superior data recovery but also assist clients with IT emergency planning and infrastructure security. The company’s profile is further enhanced by strong social commitment, exemplified by its collaboration with Labdoo, where used laptops are securely refurbished and donated to underprivileged children globally. This unique fusion of technical excellence, innovation, and social responsibility positions DATA REVERSE® as a trusted partner for both businesses and individuals.
Press inquiries
DATA REVERSE®
Christine Schröder
presse@datareverse.de
+49 341 392 817 89
DATA REVERSE® Datenrettung
Nonnenstr. 17
04229 Leipzig
Germany
