NIS-2 Implementation Act: New compliance obligations for numerous companies
After the German Bundestag passed the NIS-2 Implementation and Cybersecurity Strengthening Act (“NIS2UmsuCG”) in November 2025 and the Bundesrat approved the act, it was published in the German Federal Law Gazette on 5 December 2025 and came into force the following day. The NIS2UmsuCG transposes the NIS2 Directive (EU) 2022/2555, which was adopted at EU level, into national law after some delay. It provides for comprehensive amendments, in particular to the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – “BSIG”).
By way of the NIS2UmsuCG, further companies will now have to fulfill the cybersecurity obligations laid down in the amended BSIG in addition to the already previously regulated operators of critical facilities (“KRITIS”). The scope of the BSIG will thus be extended to approximately 30,000 additional companies in many economic sectors.
Affected companies
Companies must assess themselves whether they are classified as a “particularly important entity” (besonders wichtige Einrichtung) or an “important entity” (wichtige Einrichtung) and are therefore affected by the NIS2UmsuCG. The assessment is generally based on the sector and size of the company.
Regardless of company size, “particularly important entity” includes KRITIS operators, qualified trust service providers, top-level domain name registries, and domain name system service providers. Telecommunications service providers and operators of telecommunications networks are also covered, provided they employ at least 50 persons or have an annual turnover and annual balance sheet total of more than EUR 10 million. Finally, certain companies from the energy, transport and traffic, finance, health, water, digital infrastructure, and space sectors are also covered, provided they employ at least 250 persons or have an annual turnover of more than EUR 50 million and an annual balance sheet total of more than EUR 43 million.
“Important entities” are all trust service providers. In addition, telecommunications service providers and telecommunications network operators that do not meet the thresholds for classification as particularly important entities are covered. Certain companies in the energy, transport and traffic, finance, health, water, waste management, chemical, food, manufacturing, digital infrastructure, digital services, and space sectors are also considered important entities, provided that they employ at least 50 persons or have an annual turnover and annual balance sheet total of more than EUR 10 million.
Affected companies’ obligations
Affected companies are required to implement certain cybersecurity measures, with the specific obligations depending on the company’s status (KRITIS operator; other particularly important entity; important entity).
The NIS2UmsuCG provides for an obligation to implement risk management measures. In particular, these measures include concepts for the continuous assessment of risks, mitigation measures in the event of a security incident and the documentation of measures taken. The implementation and monitoring of these measures is the responsibility of the company’s management. Importantly, the NIS2UmsuCG stipulates that management is liable to the company if it has failed to fulfill its obligations under the NIS2UmsuCG, the company suffers damage as a result, and the relevant corporate law provisions do not contain any liability provisions.
Affected companies’ risk management measures must also consider any weaknesses in the supply chain. In this regard, the German Federal Office for Information Security (“BSI”) recommends contractually obliging suppliers to comply with IT security standards and to provide evidence of compliance. Suppliers who do not themselves fall within the scope of the NIS2UmsuCG are therefore likely to be indirectly affected through contractual obligations to their customers and may need to strengthen their IT security.
In addition, affected companies must register with the BSI. This involves submitting certain company data, sector classification, location information, and the names of contacts for cybersecurity issues. Registration must be completed within three months of the NIS2UmsuCG coming into force or of the affected company falling within the scope of the NIS2UmsuCG. The BSI portal through which registration is to take place is expected to go live in early January 2026.
Affected companies are also required to report significant security incidents to the authorities in a three-step process. In such cases, an initial warning must be sent to the BSI within 24 hours, followed by a detailed report with an assessment of the incident within 72 hours and a final report within one month. KRITIS operators are required to provide further details in their reports.
The management of the affected company is also required to participate in regular training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity, as well as to be able to assess the impact of risks and risk management practices on the services provided by the entity.
Failure to comply with these obligations constitutes an administrative offense and can generally be punished with a fine of up to EUR 10 million or, for companies with a total turnover of more than EUR 500 million, up to 2 percent of total turnover.
What companies should do now
Companies should promptly assess whether they fall within the scope of the NIS2UmsuCG. The assessment and its results should be documented. If the company concludes that it is a “particularly important entity” or an “important entity” within the meaning of the BSIG, the company must register with the BSI and fulfill all applicable obligations. Where possible, existing internal systems may serve as a basis for this purpose.