NIS2UmsuCG

German NIS2 Implementation Act, in force since 06.12.2025

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

The Act Implementing the NIS2 Directive (NIS2 Implementation and Cybersecurity Strengthening Act, NIS2UmsuCG) was adopted by the Bundestag on 13.11.2025, approved by the Bundesrat on 21.11.2025 and has been in force since 06.12.2025 (BGBl. 2025 I No. 301). It amends the BSIG (Federal Information Security Act) and implements EU NIS2 Directive 2022/2555.

What is the NIS2UmsuCG?

Key changes introduced by the NIS2UmsuCG:

Practical example

Statistics 2026 (as of 04/2026):

- ~29,500 companies subject to NIS2 in Germany
- ~14,000 of these registered with the BSI by 06.03.2026
- ~15,500 not yet registered (breach of obligation)
- BSI enforcement practice starts Q2/2026
- First fine proceedings expected Q3/2026

Frequently asked questions

When is the BSI registration deadline?
06.03.2026 (3 months after entry into force on 06.12.2025) — already expired. Late registration must be carried out immediately.
What transition periods are there?
None. With entry into force on 06.12.2025, all obligations apply directly. However, in 2026 the BSI will focus on systematic breaches rather than individual omissions.
How does it differ from the old BSIG?
Extended scope (~4,500 → ~29,500 entities), stricter obligations in 10 areas, internal liability of managing directors, reporting obligations 24/72/30, BSI registration.
