Overview
Executive summary
Germany’s Network and Information Systems 2 (NIS2) Implementation Act is entering the final stage of the legislative process. The act is awaiting formal signatures and publication in the Federal Law Gazette, expected in December 2025 or early 2026. Importantly, no transition period will apply: compliance obligations will take effect immediately.
The law significantly broadens the scope of the covered entities and introduces enhanced governance, risk management, and reporting requirements under the amended Federal Office for Information Security Act (new BSI Act). Approximately 29,850 entities in Germany are expected to fall within scope, including organizations in energy, transport, health, research, manufacturing, and digital (infrastructure) services.
With immediate applicability and broad sectoral coverage, organizations operating in or offering services in Germany should urgently:
- Assess whether the company falls within the broadened scope of the new BSI Act;
- Ensure they are ready to register with the authority in time;
- Align internal risk management and incident reporting frameworks with the German NIS2 implementation ahead of enforcement.
Introduction
The German NIS2 Implementation Act transposes the requirements of the EU NIS2 Directive (Directive (EU) 2022/2555) into German law, primarily through amendments to the main national cybersecurity framework – the BSI Act – and, inter alia, to laws regulating the energy and telecommunications sectors.
With this step, Germany is poised to join the growing list of European Economic Area (EEA) countries that have already transposed the NIS2 Directive, including Belgium, Croatia, Cyprus, the Czech Republic, Denmark, Finland, Greece, Hungary, Italy, Latvia, Liechtenstein, Lithuania, Romania, Slovakia, and Slovenia. Malta’s NIS2 transposition is expected before the year’s end, and Portugal’s implementation will become effective 120 days after publication (see the McDermott Will & Schulte NIS2 Monitoring Tracker showing the progress of the NIS2 implementation).
This article outlines who will be affected by the new BSI Act, key cybersecurity and governance obligations, and practical steps companies should take now to prepare.
Who is affected by the new BSI Act?
The new BSI Act distinguishes between “particularly important” (equivalent to “essential” under the NIS2 Directive) and “important” entities, imposing different levels of cybersecurity obligations on both categories.
The law will apply to a wide range of entities operating across critical and key sectors, including energy, space, transport, health, research, digital infrastructure, and manufacturing (e.g., chemicals, medical devices, and electrical equipment).
A company should take action to assess its compliance with the new BSI Act in particular if it:
- Is established in Germany and carries out activities falling within Annex 1 or Annex 2 of the new BSI Act (e.g., manufacturing of chemicals, manufacturing of medical devices, manufacturing of electrical equipment, machinery and equipment, manufacturing of motor vehicles, postal and courier services, waste management, production, processing and distribution of food, healthcare providers, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, etc.);
- Acts as a provider of public electronic communications networks or publicly available electronic communications services in Germany; or
- Has its main establishment in the EEA in Germany (i.e., its headquarters or, otherwise, its main economic or decision-making center) and provides digital (infrastructure) services, including cloud computing providers, data center operators, managed (security) service providers, and digital providers such as online marketplaces, search engines, and social networking platforms.
Certain entities, such as trust service providers, will be covered regardless of size. “Operators of critical facilities” within the category of “particularly important” entities will be identified based on specific thresholds to be defined in secondary legislation (not yet available).
What are the key obligations?
The scope and key obligations largely align with the NIS2 Directive, though – as with many other countries that implemented NIS2 – Germany introduces specific national provisions that companies must consider when implementing the requirements of the new BSI Act.
Registration
Entities in scope must register with the BSI within three months of becoming subject to the law. Details on how to register will be determined by the BSI in cooperation with the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, or BBK). The registration should take place through a dedicated registration platform set up jointly by the BSI and BBK.
Operators of critical facilities will have to provide additional information such as facility locations, contact points, and details on critical components used, as well as report any relevant changes.
Cybersecurity risk-management measures
Covered entities must implement appropriate, proportionate, and effective technical and organizational measures to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes they use to provide their services, and to minimize the impact of security incidents. These measures must be documented.
The minimum list of cybersecurity risk-management measures mirrors the NIS2 Directive and includes:
- Policies on risk analysis and information system security;
- Incident handling;
- Business continuity;
- Supply chain security;
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- Basic cyber hygiene practices and cybersecurity training;
- Policies and procedures regarding the use of cryptography;
- Human resources security, access control policies, and asset management;
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Notable German-specific aspects include the following:
- Provisions may be specified or extended by ordinance where the EU Implementing Regulation 2024/2690 (IR) does not provide exhaustive requirements;
- Secondary legislation may mandate cybersecurity certification for specific ICT products, services, or processes;
- Telecommunications providers must appoint a security officer, designate an EU-based contact person, and prepare a security concept describing key threats and measures implemented.
In this context, the German telecommunications regulator (Federal Network Agency, Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, “BNetzA”) published a draft of the revised Security Catalogue in November 2025, under consultation until 19 December 2025. Once finalized, the new requirements will take effect upon publication, with a one-year transition period. This means obligations will apply no earlier than the end of 2026.
Incident reporting
Both particularly important and important entities must report significant incidents, providing certain information to a joint reporting office set up by the BSI and the BBK. Reporting follows a multi-stage timeline consistent with the NIS2 Directive:
- Early warning: Within 24 hours of becoming aware of a significant incident;
- Incident notification: Within 72 hours of becoming aware of a significant incident;
- Intermediate report: Upon request from the BSI;
- Final report: Within one month after the submission of an incident notification (or progress report if ongoing).
In the context of notification to the authorities, organizations should closely monitor the European Commission’s proposed regulation introduced as part of its Digital Package on Simplification — the “Digital Omnibus.” This legislative proposal would establish a Single-Entry Point (SEP) — a secure, EU-wide reporting platform to be developed and operated by the European Union Agency for Cybersecurity (ENISA). The SEP is intended to serve as a centralized channel for notifying competent authorities of cyber and data incidents under multiple frameworks, including: the NIS2 Directive, GDPR, the Digital Operational Resilience Act, the Electronic Identification and Trust Services Regulation, and the Directive on the Resilience of Critical Entities (see ‘EU proposes sweeping reforms to the GDPR, cookie rules, Data Act, and breach reporting’ for more details).
In some cases, affected entities must also notify service recipients. For example, the BSI may require that an entity immediately inform the recipients of the entity’s services about a significant security incident, which could affect the provision of the respective service.
Management duties and training
Management bodies of covered entities
- must implement and oversee the implementation of cybersecurity measures and
- will be personally liable for breaches of these duties under applicable corporate law.
Importantly, management bodies must regularly participate in training courses to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in information technology security, and to be able to assess the impact of those risks and practices on the services provided by the entity. The BSI has published a 20-page preliminary guidance on management training obligations, recommending that such training be conducted at least every three years (in line with the reasoning of the new BSI Act). The guidance further suggests that each session should last around four hours and advises extending the training requirement to other individuals within the company who hold comparable responsibilities or support the management in their duties.
Sanctions
The act establishes a tiered fine system tied to company size and gravity of non-compliance:
- Highest level, particularly important entities: Up to 2% of the total turnover, if the entity’s total turnover exceeds EUR 500 million
- Highest level, important entities: Up to 1.4% of the total turnover, if the entity’s total turnover exceeds EUR 500 million
- Second level, particularly important entities: Up to EUR 10 million
- Second level, important entities: Up to EUR 7 million
- Third level: Up to EUR 5 million
- Fourth level: Up to EUR 2 million
- Fifth level: Up to EUR 1 million
- Sixth level: Up to EUR 500,000
- Seventh level: Up to EUR 100,000
The highest fines apply inter alia to violations of cybersecurity risk-management and incident reporting obligations. ‘Total turnover’ is defined as the sum of all revenue generated worldwide by the company to which the particularly important or important entity belongs in the financial year preceding the authority’s decision. Total turnover can be estimated.
Practical steps for companies
To prepare for the German and broader EEA NIS2 landscape, organizations should:
- Assess whether NIS2 applies to your company – Determine whether your company qualifies as a “particularly important” or “important” entity and is thus subject to the new BSI Act. Note that it often remains challenging to determine precisely which entities are covered, as in the case of the category of “cloud computing services”. In practice, the question arises whether any service that relies on cloud infrastructure falls under this definition or whether the law should apply only to entities that provide cloud services as such.
If your company is within the scope, take the following steps:
- Prepare for mandatory registration – Gather all the details required for BSI registration within three months of the new BSI Act becoming applicable to your company, and establish internal processes for keeping them up to date. For companies active in several EU jurisdictions, registration in multiple countries might be required. It is therefore strongly recommended to maintain a registration tracker identifying not only the relevant registration deadlines in each Member State, but also the specific modalities for registering (e.g., via email or platform, and whether a power of attorney is required).
- Identify gaps in your cybersecurity risk-management measures – Undertake or finalize a gap analysis and develop any missing internal policies to manage cyber risks and implement any missing technical and organizational measures. In this regard, consider, as far as applicable, the IR, laying down the technical and the methodological requirements with regard to certain types of NIS2-covered entities, including cloud computing and data centre service providers, the Technical Implementation Guidance published by ENISA and accompanying the IR, and if applicable, relevant secondary legislation specifying cybersecurity requirements.
- Update your incident reporting procedures and playbooks – Update the internal incident reporting processes to reflect the 24-hour, 72-hour, and one-month timelines, and monitor developments regarding the introduction of the SEP.
- Revise and roll out necessary contractual provisions with your suppliers – Consider the best format for deploying supply chain contractual terms in your everyday supplier contracting practices, whether as an integral part of your master services agreements or as standalone addenda. The BSI Act and the IR require that covered entities put in place measures ensuring supply chain security, including mandatory supply chain contractual terms to be concluded with their direct suppliers. The terms include detailed obligations regarding cybersecurity risk-management measures, training and personnel, reporting, audit, and other key supply chain security requirements.
- Be ready to provide evidence of your compliance – Consider that the BSI may order individual particularly important entities to have audits, inspections, or certifications carried out by independent bodies to verify compliance with the obligations. For operators of critical facilities, there are specific evidence requirements.
- Conduct tabletop incident response exercises and cybersecurity training – Conduct exercises to be prepared for incidents, and implement regular, documented training for management and IT/security personnel.
- Monitor European and local developments – Follow and analyze BSI and ENISA guidance, issuance of any relevant secondary European and national legislation, and progress on the Digital Omnibus Proposal introducing the SEP.
Outlook
Once promulgated, the German NIS2 law will mark the formal completion of NIS2 transposition in one of the EEA’s largest economies. Given the absence of transitional periods and the broad reach of the new rules, companies should concentrate their efforts on their compliance programs now, focusing on risk management, incident reporting, registration readiness, and governance alignment across all relevant EEA jurisdictions.