Practitioner note: This self-assessment is an orientation tool, not legal advice. We are compliance specialists, not a law firm. NIS2 obligations under § 30 BSIG and the personal management liability under § 38 BSIG require an individual legal review. The German NIS2UmsuCG has been in force since 6 December 2025.
Sources
- Directive (EU) 2022/2555 — NIS2 (as of 14 December 2022, transposition deadline 17 October 2024)
- BSIG 2025 (BSI Act, consolidated post-NIS2UmsuCG) (as of 6 December 2025) — § 30 mandatory measures, § 32 incident reporting (24h/72h/30d), § 38 management liability
- NIS2UmsuCG — Federal Law Gazette I 2025 No. 301 (Regulation Text PDF) (as of 5 December 2025)
- European Commission — Digital Omnibus (single-reporting mechanism for cyber incidents proposal) (as of 19 November 2025)
- Regulation (EU) 2022/2554 — DORA (applicable since 17 January 2025) — lex specialis to NIS2 for the financial sector