The New IT Security Obligation for German Companies
If you searched for 'IT Sicherheitspflicht', you are looking for NIS2. Since December 2025, the revised BSIG makes cybersecurity a legal obligation for roughly 29,500 German companies.
NIS2 Is the IT Security Obligation You Have Been Hearing About
There is no standalone 'IT security obligation law' in Germany. What exists is the NIS2 Directive (EU 2022/2555), transposed into German law through the NIS2UmsuCG, which overhauled the Federal Cybersecurity Act (BSIG). This is the law that creates binding IT security obligations for companies in 18 critical sectors.
The BSIG entered into force on 6 December 2025. It requires affected companies to implement 10 specific cybersecurity risk management measures (Section 30 BSIG), register with the BSI, report significant incidents within strict timelines, and secure their supply chains. Management is personally liable under Section 38 BSIG for ensuring compliance.
If your company has 50 or more employees or exceeds 10 million euros in annual revenue and operates in one of the 18 NIS2 sectors, these obligations apply to you right now. The registration deadline was 6 March 2026. Implementation of all measures is required by 17 October 2026.
Sector
Your company operates in one of 18 sectors: energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space, postal services, waste management, chemicals, food production, manufacturing, or digital providers.
Employee Count
You have 50 or more employees. This follows the EU SME definition and includes all employees across the group, not just the German entity. Part-time employees count proportionally.
Annual Revenue
Your annual turnover exceeds 10 million euros and your balance sheet total exceeds 10 million euros (together, the financial threshold). You are in scope if you exceed either the employee threshold or the financial threshold.
Critical Services
Some entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region.
Register with the BSI
Complete your registration via the BSI portal (muk.bsi.bund.de). This is a legal obligation under Section 33 BSIG with its own penalty of up to 500,000 euros. The portal has been live since January 2026, and the deadline was 6 March 2026. If you missed it, register immediately.
Conduct a Risk Assessment
Identify your critical IT assets, assess the risks to each, and document your treatment decisions. Section 30 BSIG requires risk management measures that are proportionate to your risk exposure, so you need an asset inventory and a structured risk assessment before you can select and implement measures.
Implement 10 Security Measures
Section 30 BSIG defines 10 mandatory areas: risk management policies, incident handling, business continuity, supply chain security, network security, vulnerability management, cybersecurity hygiene, cryptography, access control, and multi-factor authentication. Each area requires documented policies and evidence of implementation.
Set Up Incident Reporting
Significant cybersecurity incidents must be reported to the BSI in three stages: an initial early warning within 24 hours, a full notification within 72 hours, and a final report within 1 month. Define what a significant incident means for your company and establish a clear reporting chain before something happens.
Maintain Ongoing Compliance
NIS2 is not a one-time project. You need annual risk assessment reviews, regular training for management (Section 38 BSIG requires personal participation), supplier reassessments, and continuous incident monitoring. The platform tracks all deadlines and escalates automatically.
The penalty framework is modeled on GDPR. Essential entities face fines of up to 10 million euros or 2% of global annual turnover. Important entities face up to 7 million euros or 1.4%. Registration violations alone carry fines of up to 500,000 euros. The BSI has enforcement powers and can order compliance or restrict operations.
Beyond fines, Section 38 BSIG creates personal liability for management. Executives must approve cybersecurity measures, oversee implementation, and complete training. They are liable to their own company for culpable violations. This liability cannot be waived by contract. Claiming you did not understand cybersecurity is explicitly not a defense.
Frequently Asked Questions
Is NIS2 the same as the IT security obligation I keep hearing about?
Yes. There is no separate 'IT Sicherheitspflicht' law. NIS2 is the EU directive that was transposed into German law as the revised BSIG via the NIS2UmsuCG. When people talk about new IT security obligations for German companies, they mean this law. It has been in force since 6 December 2025.
We are a 60-person manufacturing company. Does this really apply to us?
Very likely yes. Manufacturing is listed in NIS2 Annex II (covering medical devices, electronics, electrical equipment, machinery, motor vehicles, and other transport equipment manufacturing). With 60 employees, you exceed the 50-employee threshold. You would be classified as a 'wichtige Einrichtung' (important entity) under Section 28(2) BSIG, and all NIS2 obligations apply.
The registration deadline has passed. What should we do?
Register immediately. The BSI portal at muk.bsi.bund.de is still accepting registrations. Late registration is better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI evaluates good faith. A company that registers a few weeks late and can show it was actively working on compliance is in a vastly better position than one that did nothing.
Can our external IT provider handle NIS2 compliance for us?
They can help implement the technical measures, but the legal obligation stays with your company. Section 30 BSIG explicitly states that you can outsource operations but not accountability. Your management remains personally liable under Section 38 BSIG. You need to document what your IT provider does, verify their security measures, and include them in your supplier management process.
How much does NIS2 compliance cost for a mid-market company?
For a 50 to 250 employee company, expect to spend between 20,000 and 80,000 euros in the first year, depending on your current security maturity. This includes risk assessment, policy documentation, technical improvements, and training. Companies that already have basic IT security measures in place are at the lower end. The ongoing annual cost drops significantly after the first year because most work is setup, not maintenance.