The NIS-2 Implementation Act in Germany: A Regulatory Turning Point for Cybersecurity
German cybersecurity law is undergoing a fundamental modernisation through the NIS-2 Implementation Act, passed by the Bundestag on 13 November 2025, which expands the scope from around 4,500 to approximately 29,500 entities. The law transposes the European NIS-2 Directive into national law and enshrines cybersecurity as a leadership responsibility with direct personal liability for managing directors. Without significant transition periods, affected companies must implement comprehensive technical and organisational risk management measures from the date of entry into force, comply with binding reporting deadlines for security incidents, and establish a structured information security management system.
Legislative Background
The NIS-2 Implementation Act is the outcome of a multi-year legislative process. The European NIS-2 Directive (Directive (EU) 2022/2555) was supposed to be transposed into national law by member states by 17 October 2024. Germany clearly missed this deadline. The collapse of the coalition government in November 2024 and the new election in February 2025 led to a complete reassessment of the legislative process. In the summer of 2025, the new federal government presented a revised draft. That draft was approved on 30 July 2025, the Bundestag passed the law on 13 November 2025, and the Bundesrat approved it on 21 November 2025. The law enters into force on publication in the Federal Law Gazette and is expected to take effect in late 2025 or early 2026.
The Expanded Scope
The most dramatic impact is the massive expansion of coverage. Until now, the BSI Act covered around 4,500 entities. When the NIS-2 Act enters into force, this group expands through the categories of "important entities" and "particularly important entities", so that the BSI will oversee around 29,500 entities in future.
An entity is classified as a particularly important entity if it employs at least 250 staff, or has annual turnover exceeding 50 million euros and a balance sheet total of more than 43 million euros, and operates in one of the eleven sectors of high criticality. In addition, certain entities fall into this class regardless of their size, such as trust service providers and DNS services.
Important entities are defined as organisations with at least 50 employees or annual turnover exceeding 10 million euros and a balance sheet total of more than 10 million euros, operating in the 18 defined NIS-2 sectors. Covered sectors include energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, production and trade in chemical substances, food production, manufacturing, digital service providers, and research institutions.
Mid-sized companies from logistics, mechanical engineering, food production, and other sectors suddenly become regulated entities with corresponding reporting obligations and supervisory requirements.
Core Technical and Organisational Requirements
The law specifies cybersecurity requirements in a risk management measures catalogue with at least ten concrete measures. These are intended to prevent disruptions to the availability, integrity, and confidentiality of IT systems and to minimise the impact of security incidents.
Affected entities must establish, document, and continuously develop concepts for risk analysis and security. Procedures for detecting, responding to, and managing security incidents must be implemented, encompassing clear escalation processes and technical capabilities for analysis and remediation.
Business continuity and emergency management are required, including backup management, disaster recovery, and systematic crisis management. The law requires documented emergency and recovery plans that are regularly tested, automated and encrypted backups in isolated environments, and redundancies for critical systems.
Supply chain security is mandatory, including security-related aspects of relationships with immediate suppliers or service providers. Companies must assess their suppliers' cybersecurity posture and set out higher security requirements in contracts.
Further core measures include security in the procurement, development, and maintenance of IT systems, including systematic vulnerability management. Organisations must enforce security requirements across the entire lifecycle of IT systems and implement a patch management procedure.
Effectiveness testing of risk management measures is required. Entities must carry out regular tests such as penetration tests and emergency exercises, and conduct audits and reviews.
Training and awareness measures are explicitly mandatory. All employees must be trained regularly, and management must complete specific training on cyber risk management.
Cryptographic procedures must be implemented. The law requires concepts and processes for the use of encryption in data transmission, storage, and archiving.
Personnel security, access control, and IT system management must be embedded conceptually. The law requires access controls, centralised management of access rights, logging of administrative activities, and regular review of these accesses.
Multi-factor authentication (MFA) is required. In addition, secure communication channels for voice, video, and text communication must be established, as well as, where required, secured emergency communication systems.
These requirements must be considered in a proportionality assessment. The law requires that measures be "suitable, proportionate, and effective", with proportionality determined by risk exposure, the size of the entity, costs and likelihood of occurrence, and the severity of security incidents.
Reporting Obligations: A Three-Tier Regime with Critical Deadlines
The law establishes a rigorous three-tier reporting regime for security incidents that is significantly more stringent than previous KRITIS regulations.
Initial notification within 24 hours: Companies must notify the Federal Office for Information Security (BSI) without delay, at the latest within 24 hours of becoming aware of a significant security incident. This initial notification must include a preliminary assessment of the incident and indicate whether there is suspicion of unlawful or malicious action.
Follow-up notification within 72 hours: A detailed interim report must follow within 72 hours of becoming aware of the incident, containing a full assessment of the incident. This assessment covers the severity, estimated impact, indicators of compromise, and an updated account of the situation.
Final report within one month: A comprehensive final report must be submitted no later than one month after becoming aware of the incident, containing a full description of the incident, root cause analysis, measures taken, and any cross-border impacts.
These deadlines are operationally extremely challenging. A company that discovers a cyberattack at 11:30 pm must already have the initial notification ready by 11:30 pm the following day. This requires a constant readiness to report, clear escalation processes that function 24/7, and immediate notification of the competent authority.
The law does not yet bindingly define what exactly constitutes a "significant security incident". The BSI will specify applicable thresholds by regulation. This creates temporary legal uncertainty that companies must take into account, and in cases of doubt, a conservative interpretation (reporting even on suspicion) is recommended.
Governance and Personal Liability
Under the law, cybersecurity is no longer just a task for the IT department but a direct responsibility of management. Executives must ensure the implementation of risk management measures, monitor their effectiveness, and undergo training on cybersecurity matters themselves.
The BSI's supervisory powers are significantly expanded. The BSI receives authority to inspect regulated entities, require evidence of the implementation of risk management measures, issue orders, and if necessary impose fines.
Affected entities must register with the BSI within three months of the law entering into force. This registration is not optional; failure to do so can result in fines. Changes to registered data must be communicated to the BSI without delay, that is within two weeks at the latest.
Evidence Obligations and Audit Deadlines
For operators of critical installations, evidence of the implementation of risk management measures must be provided at the earliest three years after the law enters into force, and then again every three years. The BSI will communicate individual deadlines and proceed in a risk-based manner.
This three-year period signals to companies that they have time to build up and document their security measures thoughtfully. At the same time, the deadline creates a clear point at which the authority will conduct checks.
The federal administration must meet minimum information security requirements derived in part from the BSI's IT-Grundschutz Compendium. Evidence of compliance must be provided no later than three years after the law enters into force.
Sanctions and Fines
The sanctions framework creates significant financial incentives for compliance. For particularly important entities, fines of up to 10 million euros or 2 percent of worldwide annual turnover (whichever is higher) can be imposed. For important entities, fines of up to 7 million euros or 1.4 percent of worldwide annual turnover are provided for.
These penalties are comparable to those under the General Data Protection Regulation (GDPR). The amounts are therefore not symbolic but substantial, and they can threaten the economic viability of a company.
In addition to fines, the BSI can also issue official orders to address deficiencies. Public disclosure of violations by the authorities is possible, which can cause reputational damage. In extreme cases, operators of critical installations can lose their operating licences.
Implementation Deadlines and Operational Roadmap
The law was passed by the Bundestag on 13 November 2025 and approved by the Bundesrat on 21 November 2025. The law enters into force on publication in the Federal Law Gazette, expected in late 2025 or early 2026.
Immediately upon entry into force: Registration obligation. Affected entities must register with the BSI. This deadline is fixed at three months after classification as affected. Companies that register late risk fines and regulatory sanctions.
Immediately upon entry into force: Implementation of risk management measures. The law provides for no significant transition period for the implementation of technical and organisational measures.
After three years: Evidence obligation. Operators of critical installations must provide evidence of their implementation no later than three years after entry into force.
The operational implementation period for companies is estimated at 12 to 18 months, depending on size, complexity, and current security posture. The BSI will provide support resources: a starter package with clear information on the NIS-2 Directive, virtual kick-off seminars with step-by-step guidance, and interactive tools for checking whether entities are affected.
Critical Challenges
The industry association Bitkom has repeatedly pointed out that the government draft lacks clarity and consistency in key areas. In particular, criticism focuses on the fact that the delineation of affected companies and coordination with the KRITIS umbrella law create significant uncertainty.
An operationally critical issue is the definition of "significant security incidents". Until the BSI provides further specification, there is legal uncertainty about which incidents are actually subject to reporting.
A further structural issue is distributed supervisory responsibility. The BSI is responsible for most entities, but specific rules also apply to certain sectors: the Federal Network Agency (BNetzA) for telecommunications and energy, the Federal Financial Supervisory Authority (BaFin) for the financial sector, and others. This fragmentation can lead to inconsistencies when companies operate in multiple regulated sectors.
The supply chain security requirement creates major challenges for IT service providers and software manufacturers, who are suddenly bombarded with NIS-2 compliance enquiries from hundreds or thousands of customer companies.
An organisational issue is the lack of preparedness of SMEs. While large companies have dedicated CISO and compliance teams, smaller mid-sized companies often have to engage external consultants, leading to considerable costs.
Conclusion
The NIS-2 Implementation Act passed by the Bundestag on 13 November 2025 marks a fundamental turning point in German cybersecurity policy. Expanding the scope from 4,500 to approximately 29,500 entities is not an incremental change: it is a transformation that turns cybersecurity from a niche topic into a broad-based economic obligation.
The three-tier reporting regime with 24-hour, 72-hour, and 30-day deadlines creates a new operational standard for incident response in Germany. The personal liability of managing directors is a significant cultural shift that moves cybersecurity from an IT budget item to a board-level concern.
The sanctions framework with fines of up to 10 million euros or 2 percent of worldwide turnover creates financial incentives to take the regulations seriously.
Germany is behind on implementing NIS-2, the regulatory clock is running from December 2025/January 2026, and companies that do not act now will face massive time pressure. Companies that act proactively will strengthen their cyber resilience while achieving regulatory compliance. Companies that wait risk fines, regulatory interventions, and potential reputational damage.
Summarised with the help of AI.