NIS2 Implementation in Germany: All Obligations from 06 December 2025
Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding advice, please consult a qualified attorney.
TL;DR
- NIS2UmsuCG in force since 06 December 2025 (BGBl. 2025 I No. 301) — no transition period
- ~29,500 entities affected — essential and important
- 10 mandatory measure areas under Section 30 BSIG
- Personal managing director liability under Section 38 (5) BSIG (internal liability, no waiver for 3 years)
- Fines up to EUR 10 million / 2% of turnover (essential entities)
1. NIS2UmsuCG Status 2026
The German NIS2 Implementation Act has been in force since 06 December 2025 (BGBl. 2025 I No. 301). It amends the BSIG (German IT Security Act) and implements the NIS2 Directive (EU 2022/2555).
Key dates in 2026:
- 06 March 2026: BSI registration deadline (expired)
- April 2026: Supervisory practice fully operational
- 2026/27: First fine proceedings expected
2. Who is affected? Scope analysis
Three categories under Section 28 BSIG:
| Category | Size | Sectors | Estimated number in Germany |
|---|---|---|---|
| Particularly important (KRITIS) | independent | 11 high-criticality sectors + KRITIS thresholds | ~4,500 |
| Essential | ≥250 employees or ≥EUR 50 million turnover | 11 high-criticality sectors | ~7,000 |
| Important | 50-249 employees, EUR 10-50 million | 18 sectors (all Annex I + II) | ~18,000 |
If you do not want to compile the Section 30 BSIG measures yourself across 11 areas, the NIS2 Kit provides 22 ready-to-use templates — including ISO 27001 mapping and BSI Grundschutz crosswalk.
3. Section 30 BSIG: 10 mandatory measures
Section 30 (2) BSIG lists 10 measure areas. Every affected entity must take appropriate measures in each area:
- Concepts for risk analysis + security of information systems
- Handling of security incidents
- Business continuity (backup, disaster recovery, crisis management)
- Supply chain security
- Security in acquisition, development and maintenance
- Effectiveness assessment of measures
- Cyber hygiene + training
- Cryptography and encryption
- Personnel security + access control
- MFA, continuous authentication, secure communication
4. Section 38 BSIG: Management obligations
Section 38 BSIG is the strictest norm — it holds the managing director personally accountable:
| Subsection | Obligation |
|---|---|
| (1) | Approval of Section 30 measures — non-delegable |
| (2) | Monitoring of implementation |
| (3) | Obligation to participate in training |
| (5) | Personal internal liability for culpable breach of duty; waiver/settlement only after 3 years |
5. 24h/72h/30d reporting obligations
| Deadline | Content | Address |
|---|---|---|
| 24h from awareness | Early warning — initial assessment | BSI 'Mein Unternehmenskonto' |
| 72h | Incident notification — damage assessment, measures | BSI 'Mein Unternehmenskonto' |
| 1 month | Final report — root cause, lessons learned | BSI 'Mein Unternehmenskonto' |
What counts as a 'significant incident'? Definition in EU Implementing Regulation 2024/2690: number of affected users, financial/economic impact, geographical spread, duration.
6. BSI registration
Via the 'Mein Unternehmenskonto' portal. Mandatory information: company, sector, category (essential/important), contact points, brief description of IT infrastructure. Obligation to update upon changes.
7. Fines + personal liability
| Category | Maximum fine | Application |
|---|---|---|
| Essential entity | EUR 10 million or 2% of annual turnover (whichever is higher) | serious breach of duty |
| Important entity | EUR 7 million or 1.4% of annual turnover | serious breach of duty |
| Management personally | Internal liability against managing director's private assets | Section 38 (5) BSIG in case of breach of duty |
8. 12-step roadmap
- Scope analysis (essential/important?)
- Complete BSI registration (if not yet done)
- Managing director briefing on Section 38 BSIG — obligations + internal liability
- Set up ISMS policy, obtain managing director approval
- Implement risk analysis methodology (ISO 27005)
- Systematically cover all 10 Section 30 measure areas
- Incident response playbook + 24/72/30 reporting templates
- Supplier risk assessment + contractual clauses
- Cyber hygiene training for all employees
- Effectiveness review (KPIs, pentest, audit preparation)
- Documentation review + version management
- Managing director approval + quarterly reporting
Sources
- Directive (EU) 2022/2555 — NIS2 (EUR-Lex DE) (As of: 02 May 2026)
- BSIG 2025 (consolidated version after NIS2UmsuCG) (As of: 02 May 2026)
- NIS-2 Implementation Act — BGBl. 2025 I No. 301 (As of: 02 May 2026; in force 06 December 2025)
- BSI press release — NIS2UmsuCG in force from 06 December 2025 (As of: 02 May 2026)
- BSI — NIS-2 FAQ for regulated companies
Frequently Asked Questions
Am I affected by NIS2 if I have 49 employees?
Generally no, but caution: sector-specific rules apply regardless of size (public administration, some telecommunications providers, trust service providers, DNS, TLD .de). Corporate group affiliation (Section 28(4) BSIG, German IT Security Act) can include affiliated companies.
What does a NIS2 compliance program cost?
Internal setup: EUR 8,000-25,000 in personnel costs over 12 weeks. External consultancy: EUR 30,000-150,000. Compliance-Kit NIS2 Kit: one-time fee of EUR 490-1,490 with all 72 templates. Ongoing costs: ISMS maintenance approx. 0.5 FTE, external audit every 2 years.
Is an ISO 27001 certification sufficient?
Largely yes, with gaps. ISO 27001 covers 70-80% of Section 30 BSIG requirements. Gaps: NIS2 reporting obligations 24h/72h/30d (Section 32), supply chain due diligence (Section 30(2)(5)), Section 38 management approval. The Compliance-Kit NIS2 Kit provides a mapping workbook.
Who is the supervisory authority?
The BSI (Federal Office for Information Security) is the central supervisory authority. Sectoral special supervisions: BaFin (finance), BNetzA (telecommunications, energy), Bundesbank (critical infrastructure finance). In practice: a company may be subject to several supervisory authorities — coordination is a compliance task.
What happens if management does not approve the risk measures?
Pursuant to Section 38(5) BSIG: personal internal liability towards the entity in case of culpable breach of duty. Waiver or settlement only possible after 3 years (analogous to Section 93(4) AktG, German Stock Corporation Act). D&O insurance often does not cover gross negligence.
Missed the BSI registration deadline of 06.03.2026 — what now?
Catch up immediately via the 'Mein Unternehmenskonto' portal. Late registration is not separately sanctioned, but missing registration is. Practice 04/2026: the BSI primarily pursues systematic violations.
Do we have to report within 24h — including at night and on weekends?
Yes, Section 32(1) BSIG. 'Without undue delay, no later than 24h after becoming aware'. In practice: 24h availability (CSIRT on-call) is mandatory for essential entities. External SOC service providers can handle this.
DORA and NIS2 — what applies to banks?
DORA (Regulation 2022/2554) is lex specialis for financial entities. Entities falling under DORA are exempt from NIS2 (Art. 4 NIS2 Directive). Non-financial subsidiaries of a banking corporate group may fall under NIS2.
Sources
- Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
- BSIG 2025 (consolidated after NIS2UmsuCG) (As of: 2026-05-02)
- BSI — NIS-2 FAQ (as of: ongoing)