The implementation of the EU NIS-2 Directive into German law: Why concerned companies must act now

[Image: a boardroom meeting on cybersecurity.] The NIS-2 implementation in Germany - a board-level topic. Image created with Dall E3.

When the EU adopted Directive (EU) 2022/2555 (“NIS-2 Directive”), it set itself an ambitious goal: to achieve a “high common level of cybersecurity in the Union” and to update the original NIS framework to a more demanding, more harmonized regime. This purpose is expressly referenced in the German implementation act, which states that the new law serves to implement Directive (EU) 2022/2555 on measures for a high common level of cybersecurity in the Union. This article provides an overview of the NIS-2 implementation in Germany.

NIS-2 is not merely a light refresh of existing obligations. It is a structural shift:

  • It expands the material and personal scope of regulation,
  • it tightens security and reporting obligations, and
  • it makes management bodies directly responsible for implementation and oversight of cybersecurity measures.

Because these changes have immediate impact in Germany, companies are now looking for clear guidance on how to navigate the NIS-2 implementation in Germany and its new compliance expectations.

Germany has now completed this shift at national level with the “Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung” (NIS-2 Implementation Act). The act was signed on 2 December 2025, promulgated in the Federal Law Gazette on 5 December 2025, and entered into force on 6 December 2025.

1. The NIS-2 Directive – raising the bar for cybersecurity in Europe

Directive (EU) 2022/2555 (“NIS-2”) aims to ensure a high common level of cybersecurity across the Union. Germany’s NIS-2 Implementation Act explicitly states that it serves to implement this Directive, thereby anchoring NIS-2’s objectives directly in German law.

Understanding these EU-level objectives is essential for interpreting the NIS-2 implementation in Germany, because the new BSI Act (BSIG-neu) mirrors the Directive’s structure closely.

NIS-2 brings, in particular:

  • Broader scope – more sectors and more entities than under the previous regime.
  • Stricter obligations – detailed catalogues of risk-management and incident reporting obligations in the new BSIG.
  • Explicit management responsibility – management bodies are required by law to implement and monitor cybersecurity measures and to train themselves.

2. Germany’s new act implementing NIS-2 – and what it means in practice

2.1. A reformed BSI Act at the core

Article 1 of the Implementation Act introduces a new BSI Act, the central legal framework for the NIS-2 implementation in Germany:

“Gesetz über das Bundesamt für Sicherheit in der Informationstechnik und über die Sicherheit in der Informationstechnik von Einrichtungen (BSI-Gesetz – BSIG)”

Key structural elements include:

  • The BSI as central IT-security authority (§ 1 BSIG-neu),
  • a comprehensive catalogue of BSI tasks (§ 3 BSIG-neu), and
  • extensive obligations for essential and important entities (Part 3 BSIG-neu).

Clarification: While this article focuses on operators of critical installations, digital service providers, and companies whose services are of particular public relevance, the BSIG-neu applies broadly to all entities classified as essential or important under § 28 and Annexes 1 and 2.

For operators of critical installations, digital service providers, and the many other entities that qualify as essential or important entities under § 28 BSIG-neu and Annexes 1 and 2, the practical question is: “Am I in scope, and if yes, what exactly must I do by when?”

This question sits at the heart of the NIS-2 implementation in Germany.


2.2. Who will be affected? – A significant broadening to around 29,000 entities

The most striking change is the dramatic expansion of the number of regulated entities in Germany.

Under § 28 BSIG-neu, the law distinguishes between:

  • “Besonders wichtige Einrichtungen” (essential entities), and
  • “Wichtige Einrichtungen” (important entities).

These categories include operators of critical installations, qualified trust service providers, TLD registries, DNS service providers, telecom providers meeting size/financial thresholds, and numerous entities offering goods or services falling under Annex 1 and Annex 2 – covering sectors such as energy, transport, digital infrastructure, finance, health, waste management, food, chemicals, manufacturing and research.

In addition, § 60 BSIG-neu clarifies that BSI is centrally responsible at EU level for a number of digital service types – such as cloud-computing services, data centre services, content delivery networks, online marketplaces, search engines and social network platforms – provided their main establishment is in Germany.

The BSI’s Management Blitzlicht NIS-2 summarises this expansion succinctly by stating that around 29,000 new “wichtige” and “besonders wichtige” entities will be subject to statutory obligations and BSI supervision.

This dramatic expansion underscores why the NIS-2 implementation in Germany affects far more companies than before.

The BSI’s NIS-2 Betroffenheitsprüfung (an online scope check) helps entities understand whether they fall within the scope based on sector, staffing levels and financial thresholds.


2.3. Core obligations under the new BSIG-neu

Once an entity falls into the category of “essential” or “important”, BSIG-neu imposes a tight package of obligations.

a) Risk-management and security measures (§ 30 BSIG-neu)

§ 30 (1) BSIG-neu requires essential and important entities to implement appropriate, proportionate and effective technical and organizational measures to avoid disruptions of availability, integrity and confidentiality of the IT systems, components and processes used to provide their services and to minimise the impact of security incidents.

When assessing proportionality, entities must consider risk exposure, their size, the implementation costs, likelihood and severity of security incidents and their societal and economic impact.

§ 30 (2) BSIG-neu then sets out a minimum catalogue of elements which these risk-management measures must at least cover, including in particular:

  • Concepts for risk analysis and IT security,
  • Incident handling,
  • Business continuity, including backup management, disaster recovery and crisis management,
  • Supply chain security, including security-related aspects of relationships with immediate suppliers and service providers,
  • Security in acquisition, development and maintenance of IT systems, components and processes, including vulnerability management and disclosure,
  • Procedures to assess the effectiveness of IT-security risk-management measures,
  • Basic training and awareness in IT security,
  • Use of cryptographic concepts and processes,
  • Personnel security, access control concepts and management of ICT systems, products and processes,
  • Use of multi-factor or continuous authentication, secure voice, video and text communication and, where appropriate, secure emergency communications within the entity.

For KRITIS operators, § 31 BSIG-neu adds stricter requirements: they must implement systems for attack detection on IT systems and processes critical to their installations. These systems must continuously and automatically collect and evaluate suitable parameters and characteristics and be able to continuously identify and prevent threats and provide suitable remediation measures – in line with the state of the art.

b) Incident reporting obligations (§ 32 BSIG-neu)

Under § 32 BSIG-neu, essential and important entities must report significant security incidents to a joint reporting body set up by the BSI and the Federal Office of Civil Protection and Disaster Assistance within strict deadlines:

  • Early initial notification – without delay, but no later than 24 hours after becoming aware of a significant security incident (“erheblicher Sicherheitsvorfall”), indicating whether there is suspicion of unlawful or malicious acts or cross-border impact.
  • Main notification – without delay, but no later than 72 hours after becoming aware of the incident, confirming or updating the initial information and providing a first assessment of severity and impact, including – where applicable – indicators of compromise.
  • Final report – at the latest one month after the 72-hour notification, with a detailed description of the incident, its severity and impact, root cause, remedial measures and cross-border effects; if the incident is still ongoing at that point, a progress report must be submitted instead, followed by the final report once the incident has been handled.

KRITIS operators must additionally provide information on the type of affected installation and critical service, and the impact on that service, where the incident affects or may affect a critical installation.

c) Registration obligations (§ 33 BSIG-neu)

§ 33 BSIG-neu obliges essential and important entities, as well as domain-name registry service providers, to register with BSI within three months after they first (or again) qualify as such an entity or start providing domain-name registry services.

The registration must include at least:

  • name of the entity, including legal form and (where applicable) commercial register number,
  • address and contact details (including e-mail, public IP address ranges and telephone numbers),
  • relevant sector or branch (as per Annex 1 or 2),
  • list of EU Member States in which services of the relevant facility types are provided,
  • the competent federal and state supervisory authorities.

If an entity fails to register, § 33 (3) allows BSI to register it on its own initiative in agreement with the competent authorities.

d) Management responsibility and training (§ 38 BSIG-neu)

Crucially, NIS-2 is not just an IT topic – it is a board-level topic.

Under § 38 BSIG-neu, the management bodies (“Geschäftsleitungen”) of essential and important entities are expressly obliged:

  • to implement the risk-management measures required under § 30, and
  • to monitor their implementation.

Management that breaches these duties is liable to the entity for culpably caused damage under the applicable company-law rules; where those rules contain no liability provision, § 38 BSIG-neu provides one.

Moreover, management must regularly attend training to acquire sufficient knowledge and skills to identify and assess risks and risk-management practices in IT security and to understand their impact on the services provided by the entity.

The BSI’s guidance “NIS-2 – Was tun?” translates this into plain language and addresses leadership directly, calling on management to accept responsibility and act.

Across all obligations – from risk management to reporting, registration and training – companies must align their governance and processes with the requirements of the NIS-2 implementation in Germany.

2.4. Deadlines: When must companies be compliant?

From a legal perspective, the timeline is clear:

  • The act entered into force the day after its promulgation, i.e. on 6 December 2025.
  • There is no general grace period in the act postponing the application of § 30, § 32, § 33 or § 38. These provisions apply from entry into force, subject only to the specific deadlines they themselves contain (e.g. the three-month registration period and reporting windows).

In practice, this means:

  • Registration must be completed within three months of first qualifying as an essential or important entity (§ 33 (1) BSIG-neu).
  • Incident reporting obligations apply immediately from the moment an entity is in scope, with the 24/72-hour and one-month deadlines triggered by awareness of a significant incident (§ 32 BSIG-neu).
  • Risk-management measures and management obligations are required from entry into force; however, the law itself recognises proportionality by allowing measures to be adapted to risk exposure, size, costs and potential impact (§ 30 (1) sentence 2).
  • For KRITIS operators, the first proof under § 39 BSIG-neu is due three years after they first (or again) qualify as operators of critical installations (or, for existing operators, timed relative to their last proof under the old regime), and then every three years.

These deadlines apply immediately after the act entered into force and are central to a timely and structured NIS-2 implementation in Germany.

Against this backdrop, the BSI explicitly encourages companies to start preparing now, e.g. by identifying in-scope entities, appointing responsible persons and setting up access to the federal digital portal “Mein Unternehmenskonto” (MUK), which will be used in the registration process.


3. Call to action – what KRITIS operators, DSPs and companies whose services are of particular public relevance should do now

The NIS-2 Implementation Act — and the new BSIG-neu — is already binding law for all entities that fall within the scope of § 28 BSIG-neu as essential or important entities, including operators of critical installations and many digital service providers.

This means that complying with the NIS-2 implementation in Germany is neither optional nor a matter for the future – it is a current legal obligation.

A structured, non-alarmist but firm action plan is crucial and may include the following steps.

Step 1: Determine whether your entity is in scope

  • Use BSI’s NIS-2 Betroffenheitsprüfung as an initial orientation tool. It guides you through questions on sector, services, employees and financials and visually shows where KRITIS/bwE (besonders wichtige Einrichtungen), telecom providers, trust service providers and Annex 1/2 sectors are likely to fall.
  • Keep in mind that the result is not legally binding; legal assessment must be based on § 28 BSIG-neu and, for certain DSPs, § 60 BSIG-neu.

For many entities that have never considered themselves “critical”, this will be the decisive wake-up moment.

Step 2: Put governance and leadership responsibility in place

BSIG-neu and BSI are very clear: NIS-2 is not a pure IT issue.

  • Management bodies must implement and monitor the required measures and attend regular training (§ 38 BSIG-neu).
  • The BSI explicitly recommends appointing responsible persons for NIS-2 implementation (“Benennen Sie zuständige Personen”) and urges leadership to actively take responsibility (“Übernehmen Sie als Leitung die Verantwortung”).

For many KRITIS operators, DSPs and companies whose services are of particular public relevance, a pragmatic first step is to:

  • designate at least one central contact for NIS-2 (and, in practice, a deputy),
  • define decision-making paths between IT/security, legal and management, and
  • plan targeted management training on BSIG-neu requirements and IT-security risk management.

Step 3: Map your current security posture against § 30 BSIG-neu (and § 31 for KRITIS)

Next, companies should systematically map their existing measures against the catalogue in § 30 (2) BSIG-neu:

  • Do you have documented risk analysis and IT-security concepts?
  • Is your incident response process robust and tested?
  • Do you have business continuity and disaster recovery plans that realistically cover your critical services?
  • How do you manage supply chain security – especially cloud providers, data centres and managed service providers?
  • Are there documented processes for secure acquisition, development and maintenance of IT systems, components and processes, including vulnerability management and disclosure?
  • How do you test and evaluate the effectiveness of your security measures?
  • Are staff trained and aware of security issues on a regular basis?
  • Do you use appropriate cryptographic methods and strong authentication, including multi-factor or continuous authentication where required?

For KRITIS operators, this assessment must also cover the special requirements of § 31 BSIG-neu, including systems for attack detection in the IT that is critical for the functioning of installations.

The outcome of this mapping should feed into a prioritised remediation roadmap that can be monitored at management level.

Step 4: Build incident reporting readiness

Given the tight 24-hour and 72-hour reporting deadlines under § 32 BSIG-neu, incident response is no longer just a technical discipline – it is also a compliance process.

Companies should ensure that:

  • responsibilities for detecting and classifying incidents are clearly defined,
  • there is a documented process for deciding whether an incident qualifies as “erheblicher Sicherheitsvorfall”,
  • legal, security and management functions can collaborate quickly to prepare the 24-hour and 72-hour notifications, and
  • templates and checklists exist to support complete and consistent reporting, including the final report within one month.

For KRITIS operators, the process should also capture the additional information required on critical installations and services.

Step 5: Prepare for registration and supervisory interaction

Registration (§ 33 BSIG-neu) must be completed within three months of an entity qualifying as essential or important. Companies should not wait until the last day.

  • Internal master data (legal name, legal form, commercial register number, contact details, public IP address ranges and the other items listed in § 33 BSIG-neu) should be prepared and validated early.

Finally, companies should also anticipate supervisory scrutiny:

  • § 59 BSIG-neu designates BSI as the supervisory authority for compliance with Part 3 of the act.
  • § 39 BSIG-neu provides for periodic proof of compliance by KRITIS operators (e.g. via audits, tests, certifications).

Being able to demonstrate a structured, risk-based implementation plan will be a crucial factor in supervisory interactions.


4. Conclusion: Act now – calmly, but decisively

The NIS-2 implementation in Germany establishes a new security baseline for essential and important entities. It enhances resilience, clarifies management responsibilities and introduces binding, risk-based obligations.

Acting now — calmly, strategically and with clear priorities — will position companies to meet supervisory expectations and strengthen long-term operational security.

The good news is:

  • The legal framework in BSIG-neu is clear and structured,
  • The BSI provides practical tools and guidance – from the Betroffenheitsprüfung to “NIS-2 – Was tun?” and the Management Blitzlicht,
  • and the principle of proportionality allows entities to calibrate their measures to their actual risk exposure (§ 30 (1) BSIG-neu).

However, because the law is already in force and registration and reporting deadlines are short, companies that are likely to be in scope should not postpone action. A realistic, well-structured approach is to:

  • Clarify scope based on § 28 and § 60 BSIG-neu and BSI tools,
  • Put governance and management responsibility in place under § 38 BSIG-neu,
  • Map and enhance security measures under § 30 BSIG-neu and, where applicable, § 31 BSIG-neu,
  • Build incident reporting readiness under § 32 BSIG-neu,
  • Prepare registration and data for interaction with BSI under § 33 BSIG-neu.

Approached in this way, NIS-2 does not have to be a source of alarm. It is an opportunity to establish cyber-resilience as a robust part of corporate governance – and to be well-positioned when BSI and other stakeholders look to your organization as a trusted, secure provider of critical and digital services.


If you have any questions on the NIS-2 Directive and/or its implementation into German law, get in touch with me by email or just give me a call. You may also check out other regulatory measures related to cyber resilience and AI here.

About the author

With more than 25 years of experience, Andreas Leupold is a lawyer trusted by German, European, US and UK clients.

He specializes in intellectual property (IP) and IT law and the law of armed conflict (LOAC). Andreas advises clients in the industrial and defense sectors on how to address the unique legal challenges posed by artificial intelligence and emerging technologies.

A recognized thought leader, he has edited and co-authored several handbooks on IT law and the legal dimensions of 3D printing/Additive Manufacturing, which he also examined in a landmark study for NATO/NSPA.

Connect with Andreas on LinkedIn