
Germany implements NIS2 – What you need to know now

After a delay of more than two years, Germany has adopted its NIS2 Implementation Law, which transposes the requirements of the EU NIS2 Directive (NIS2) into national legislation and entered into force on 6 December 2025. The scope of the German Implementation Law (Implementation Law) is broad, mirroring the wide-ranging requirements of NIS2, and will result in a substantial increase in the number of regulated organisations in Germany, from approximately 4,500 to 30,000 entities.

The Implementation Law mainly amends the existing German IT Security Law (BSIG) as well as the corresponding German sector-specific regulation, such as the Energy Industry Act (EnWG) or the Telecommunications Act (TKG).

In this blog post, we’ll shed some light on the specifics of the Implementation Law as well as on some action points relevant to affected companies providing services or carrying out activities in Germany.

Companies in scope

The heightened cyber security requirements under NIS2 generally apply to ‘essential’ and ‘important’ entities from the following 18 sectors if they (i) employ at least 50 people or (ii) have an annual turnover and/or an annual balance sheet total of more than EUR 10 million (with certain exceptions where companies are covered independently of their size). While the concept has been adopted almost verbatim from NIS2, the German legislator changes the terminology for the types of entities in scope to ‘important’ and ‘particularly important’.

Sectors in scope:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Space
  • Public administration
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing industry/production of goods
  • Digital providers
  • Research

As regards the sectors, the German Implementation Law does not deviate materially from the NIS2 scope, with the exception that areas such as local government, educational institutions and long-term care in the healthcare sector have been excluded, an exclusion that NIS2 permits.

Cybersecurity requirements and management body obligations

Regulated entities must implement appropriate, proportionate and effective cybersecurity risk-management measures to prevent the impact of incidents on recipients of their services. 

  • The Implementation Law adopts a list of minimum measures which is nearly identical to the NIS2 list, including guidelines, processes, contingency planning, training and third-party due diligence for supply chain security and vulnerability management. The new law also includes the option of developing sector-specific security standards (so-called B3S), having them validated by the Federal Office for Information Security (BSI) and relying on them.
  • According to the German legislator’s explanatory memorandum, NIS2 significantly broadens the reach of the required cybersecurity measures, a change duly reflected in the Implementation Law. Whereas under the previous German IT Security Law cybersecurity measures had to be put in place to protect only those IT systems, components and processes essential to the provision of critical services, the new law extends these cyber security measures to all IT systems an affected entity operates, including, for example, office IT and other general IT systems.
  • Beyond NIS2, the Implementation Law introduces additional obligations for a specific subcategory of particularly important entities, namely those which qualify as ‘operators of critical facilities’. Those entities must ensure an even higher level of IT security, implement mandatory attack detection systems and provide evidence of compliance to the BSI every three years. The measures must be based on the state of the art and the criticality of the facility, and they take precedence over economic considerations as long as they are proportionate. Still, these increased requirements apply only to IT systems, components and processes that are critical to the functionality of the facility, not to the entire organisation or general corporate IT.

Furthermore, the management body of an affected entity must approve the cybersecurity risk management measures taken and oversee their implementation. Members of management bodies are required to complete regular cybersecurity risk training, according to the explanatory notes to the Implementation Law at least every three years, to ensure that they take their decisions on an informed basis (for more details, see the BSI’s provisional guidance recommending compulsory NIS2 training for management). If regulated entities do not comply, management bodies can be held liable for the corresponding infringements under the applicable German corporate law rules, which is for example the case for public companies. Where no corporate law liability rules exist for a specific type of entity, members of the management body are liable directly under the newly implemented German IT Security Law rules.

Registration obligation

In-scope entities must register with the BSI within three months of the Implementation Law entering into application, i.e. by 6 March 2026. Where an entity only qualifies as ‘particularly important’ or ‘important’ at a later date, the three-month period starts on the date it becomes aware of having fulfilled the qualifying criteria. The Implementation Law includes a detailed list of the information the entity must provide upon registration. The details of the registration procedure have been published on the BSI’s website.

Reporting obligations

The reporting obligations in case of incidents align very closely with the NIS2 wording: the Implementation Law establishes a three-phase reporting obligation for significant incidents (early warning within 24 hours; incident notification within 72 hours; final report within one month) and adds the possibility for the BSI to request an interim report before the final report is due. It also introduces the obligation to communicate significant cyber threats to potentially affected recipients of the services without undue delay, and adds that this is to be done only upon order of the BSI.

Enforcement and fines

Breaches of the obligations regarding cybersecurity requirements, the reporting of significant incidents or the communication of significant cyber threats are subject to severe, GDPR-style fines. The Implementation Law introduces a staggered system that specifies the offences subject to fines in detail and combines turnover-based and fixed-amount frameworks in a highly differentiated manner, while staying within NIS2’s predefined framework, with maximum fines of:

  • €10m or 2 % of the total worldwide annual turnover for particularly important entities.
  • €7m or 1.4 % of the total worldwide annual turnover for important entities.

Periodic payments may be imposed as a coercive measure to compel an entity to cease an infringement. 

Where infringements of the NIS2 Directive entail a personal data breach, the BSI must inform the competent Data Protection Authority (DPA) and may not impose a fine if the entity has already been fined by a DPA for the same conduct.

Critical components – gold-plating by the German legislature

The German legislation goes beyond the minimum requirements of NIS2 on supervision and enforcement regarding ‘critical components’. Here, the legislator retains an already existing national set of rules, but alters it to make the process less burdensome for the entities using critical components and to expand supervision with a focus on continuous monitoring.

A list of critical components will now be designated and published by statutory ordinance for each sector by the Federal Ministry of the Interior (BMI) on the proposal of the sectoral ministries. To qualify for the list, a component must be an ICT product used in a critical facility, performing a critical function, whose malfunction could significantly impair the functionality of the critical facility or public safety.

  • Under the previous German IT Security Law, the entity using a critical component had to notify a planned first-time use to the BMI in advance, and the BMI had two months to prohibit the use. Only after that deadline had passed was the use permitted, provided that the entity held a manufacturer’s guarantee statement.
  • Now, when registering under NIS2, entities operating critical facilities must notify the BSI of the types of critical components they use (including version numbers) – but without the usage-restricting notification procedure and the manufacturer’s guarantee statement.
  • The BMI is then empowered, in consultation with the relevant sector ministries and the Foreign Office, to prohibit operators of critical infrastructure from using certain critical components supplied by certain manufacturers, if such use is likely to pose risks to public order or security. The prohibition can be extended to other entities using the same type of critical component.

Key action points for companies

  • Conduct a scope assessment by checking your size, sector and entity type against the Implementation Law; the scope will determine your obligations and the enforcement risk you’ll face.
  • Prepare for BSI registration and for timely compliance with the cyber security risk management and reporting requirements.
  • Check your board/management training programmes: management liability is part of the Implementation Law.
  • For critical facility operators: inventory and track all critical components and prepare for regular scrutiny. For these components, the gold-plating in the Implementation Law leads to additional obligations, continuous supervision and even a potential prohibition of use.
  • Review supply chain contracts for the new due diligence and risk requirements.
