NIS-2 Implementation Act: New compliance obligations for numerous companies

Marian Niestedt, M.E.S.
Lawyer | Shareholder
Kahraman Altun, LL.M.
Lawyer | Senior Associate

After the German Bundestag passed the NIS2 Implementation and Cybersecurity Strengthening Act ("NIS2UmsuCG") in November 2025 and the Bundesrat approved it, the act was published in the Federal Law Gazette on December 5, 2025 and entered into force the following day. The NIS2UmsuCG transposes the EU NIS2 Directive (EU) 2022/2555 into German law, albeit with some delay. It introduces comprehensive amendments, in particular to the Act on the Federal Office for Information Security ("BSIG").

With the NIS2UmsuCG, not only the operators of critical infrastructure ("KRITIS") that were already regulated but also further entities must now comply with the cybersecurity obligations laid down in the amended BSIG. The scope of the BSIG is thereby extended to approximately 30,000 additional companies across many sectors of the economy.

Affected companies

Companies must assess for themselves whether they qualify as a "particularly important entity" or an "important entity" and are therefore subject to the NIS2UmsuCG. This assessment depends essentially on the company's sector and its size.

Regardless of company size, "particularly important entities" include not only KRITIS operators but also qualified trust service providers, top-level domain name registries and DNS service providers. Telecommunications service providers and operators of public telecommunications networks are also covered if they employ at least 50 people or have both an annual turnover and an annual balance sheet total exceeding EUR 10 million. Finally, certain companies from the energy, transport and traffic, finance, health, water, digital infrastructure and space sectors are included if they employ at least 250 people or have an annual turnover exceeding EUR 50 million and an annual balance sheet total exceeding EUR 43 million.

"Important entities" include, first of all, all trust service providers. They further include telecommunications service providers and telecommunications network operators that do not meet the thresholds for classification as particularly important entities. Finally, certain companies from the energy, transport and traffic, finance, health, water, waste management, chemicals, food, manufacturing, digital infrastructure, digital services and space sectors are important entities if they employ at least 50 people or have both an annual turnover and an annual balance sheet total exceeding EUR 10 million.

Obligations of affected companies

Affected companies must implement certain cybersecurity measures; the specific obligations depend on their classification (KRITIS operator; other particularly important entity; important entity). First of all, the NIS2UmsuCG requires risk management measures. These include in particular concepts for the continuous assessment of risks, response measures in the event of a security incident, and documentation of the measures taken. Implementing and monitoring these measures is the responsibility of management. The act also provides that management members who breach their obligations under the NIS2UmsuCG are liable to the company for the resulting damage, insofar as the corporate law applicable to the company does not already contain its own liability rule.

Affected companies must also take vulnerabilities in their supply chain into account when implementing risk management measures. The Federal Office for Information Security (BSI) recommends contractually obliging suppliers to comply with IT security standards and requiring proof of compliance. Suppliers that are not themselves subject to the act will therefore likely be affected indirectly by the NIS2UmsuCG, through contractual obligations towards their customers, and may need to strengthen their own IT security.

Affected companies must also register with the BSI. Registration requires the submission of certain company data, the sector classification, location information and contact details for cybersecurity matters. Registration must be completed within three months of the NIS2UmsuCG entering into force or, for entities that fall within scope later, within three months of first falling within the scope of the act. The BSI portal through which registration will take place is expected to go live at the beginning of January 2026.

Affected companies must further report significant security incidents to the authorities in a three-stage process: an initial notification to the BSI within 24 hours of becoming aware of the incident, a detailed report with an assessment of the incident within 72 hours, and a final report within one month. KRITIS operators must provide further information as part of their notification.

Management members of an affected company must also regularly attend training in order to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity, and to assess the impact of those risks and practices on the services provided by the entity.

Failure to comply with the cybersecurity obligations is an administrative offence and can generally be punished with a fine of up to EUR 10 million or, for companies with a total turnover exceeding EUR 500 million, up to 2% of total turnover.

What companies should do now

Companies should promptly review whether they fall within the scope of the NIS2UmsuCG, and both the review and its result should be carefully documented. If the review concludes that the company is a "particularly important entity" or an "important entity" within the meaning of the BSIG, the company must register with the BSI and implement the obligations that apply to it. Existing internal systems can be used as a basis for this.