On 13 November 2025, the German Parliament ("Bundestag") passed the German NIS2 Implementation Act, taking a key step toward strengthening cyber and information security. The decision comes at a time when companies and public authorities are increasingly exposed to complex digital threats and cyber resilience has become a decisive factor in competitiveness and stability. Although it comes more than a year late, the new law transposes the European requirements of the NIS2 Directive into national law.
For many companies, this means a significant tightening of their existing compliance obligations in cybersecurity. For the first time, large parts of the SME sector are subject to supervision by the Federal Office for Information Security (“BSI”).
Companies should promptly check whether (i) they fall within the scope of the new NIS2 rules and (ii) their existing IT security structures comply with the updated legal requirements. In particular, reporting channels, emergency processes, supply chain dependencies, and the maturity of information security management are coming into focus.
The NIS2 Implementation Act fundamentally revises the BSI Act (“new BSIG"). At the same time, sector-specific laws, such as the Energy Industry Act (“EnWG”) and the Telecommunications Act (“TKG”), are also being amended.
Expanded target audience
The scope of the new NIS2 cybersecurity obligations is very broad. While the previous rules primarily imposed obligations on operators of critical infrastructures, the NIS2 rules now also apply to large parts of medium-sized industry. The legislator's aim is to increase the resilience of digital processes, regardless of whether a company provides physical utilities or not.
Companies fall within the scope of application if their activities fall within the sectors defined by the new BSIG and they are classified as at least “medium-sized.”
However, certain companies are covered regardless of size, particularly in the digital and telecommunications sectors.
Registration requirements
Companies must register with a reporting office to be set up by the BSI and the Federal Office for Civil Protection and Disaster Assistance (“BBK”) within three months of falling within the scope of the NIS2 obligations.
This registration should be carefully considered: by registering, a company declares that, based on its own assessment, it is subject to NIS2.
Risk management obligations
The new BSIG specifies a minimum catalog of risk management measures for obligated companies (Section 30 (2) sentence 2 of the new BSIG).
This catalog sets out the fundamentals of cybersecurity, i.e., basic requirements that apply across all industries such as risk analyses, procedures for handling security incidents, requirements for business continuity (including backups and recovery processes), requirements for secure software development, structured vulnerability management, strong authentication procedures, cryptographic protection, supply chain security measures, and regular effectiveness tests.
How these abstract requirements are implemented in practice depends on the individual risk profile of the company concerned. The greater the risk, the more comprehensive the cybersecurity measures must be. Companies must therefore assess their specific cybersecurity risks preventively (an “inventory”) and then determine, on this basis, which protective measures they need to implement.
Obligations for management
The new BSIG is not only a “boardroom issue” because of its impending fines (see below). In the future, company management will be obliged to implement risk management measures and monitor their execution. Any violation of this obligation may result in liability for the managing director. In addition, members of management must regularly participate in cybersecurity training.
Reporting obligations
The current single-step reporting scheme is replaced by a three-tier reporting regime for significant security incidents: an initial report within 24 hours, a detailed report within 72 hours, and a final report no later than one month after the incident.
Extended supervisory powers
The supervisory authorities, particularly the BSI, are granted far-reaching powers of control and enforcement. These include issuing orders, conducting audits, requesting evidence, and initiating fine proceedings.
The fine system is based on global group turnover.
In addition to financial penalties, the BSI may issue orders and hold management personally liable. As with the GDPR, typical triggers include late or incomplete reports and insufficient security measures.
Companies need to assess whether they fall under the expanded scope of the new BSIG as an “important” or “essential” entity. If already subject to the old regime, organisations should review and upgrade their cybersecurity framework to meet the new requirements.
First step: Analyse whether your company falls within the scope of the new BSIG, taking into account industry-specific characteristics. If affected, prepare for registration with the joint registration office of the BSI and BBK and designate a contact point.
Second step: Perform a gap analysis by comparing existing security measures with the legal requirements, particularly in the areas of risk management, incident response, business continuity, patch and vulnerability management, authorisation management, secure development, cryptography, supply chain security, training, and control mechanisms.
Companies should then begin implementing measures that are not yet in place, in particular:
Expand IT security organisation
It is recommended to establish or further develop a formal information security management system, e.g., in accordance with ISO/IEC 27001 or BSI basic protection.
Operationalise reporting and communication channels
In addition, resilient reporting chains must be established. This includes 24/7 availability, the provision of reporting templates, and clear responsibilities. NIS2 and GDPR reports must be coordinated.
Strengthen emergency management and crisis organisation
Companies should update and strengthen emergency plans, conduct regular exercises and penetration tests, improve communication channels, and define crisis response units.
Professionalise supply chain security
Contractual requirements regarding security, audit rights, evidence, and subcontractors must be established. In addition, third-party risk management should be introduced, and a systematic supplier register maintained.
Management involvement and training
Management bears explicit responsibility. Training concepts, reporting lines, and effectiveness controls must be established. For “essential entities”, stricter, regular reporting obligations to the BSI apply.
After the German NIS2 Implementation Act was passed by the Bundestag on 13 November 2025, the next step is for the German Federal Council (“Bundesrat”) to review the legislation (changes are not expected). The Act will come into force immediately upon publication in the Federal Law Gazette – no transition periods are planned. The law is expected to take effect by early 2026 at the latest.
The new German NIS2 Implementation Act significantly broadens cybersecurity obligations. The new NIS2 rules cover a much wider range of entities than the previous regime, including medium and large companies in critical sectors, based on size and turnover thresholds. The law applies not only to German businesses but also to companies from other countries that operate in Germany or provide services to the German market.
Companies should immediately: (i) assess applicability under the expanded scope; (ii) update existing frameworks (even if they were already subject to the previous regime); and (iii) establish governance and reporting structures to meet stricter timelines and oversight requirements.
Compliance with the new rules is crucial. The new NIS2 rules elevate cybersecurity to a strategic management responsibility and signal a trend toward tighter EU-wide harmonisation and stronger enforcement. Organisations that act early can reduce compliance risk and strengthen resilience against growing cyber threats. Suppliers contracting with German businesses must support their customers in complying with recognised IT security standards and contractual provisions. They must also prepare the necessary documentation and anticipate stricter obligations.