NIS2 in Germany
Germany transposed the NIS2 Directive into national law through the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which overhauled the BSI Act (BSIG). All obligations have applied since 6 December 2025.

| Date | Event |
|---|---|
| 14 Dec 2022 | NIS2 Directive (EU) 2022/2555 adopted |
| 27 Dec 2022 | NIS2 Directive published in the EU Official Journal (OJ L 333) |
| 16 Jan 2023 | NIS2 enters into force at EU level (20 days after publication) |
| 17 Oct 2024 | EU transposition deadline (Germany missed it) |
| 13 Nov 2025 | Bundestag passes NIS2UmsuCG |
| 21 Nov 2025 | Bundesrat approves |
| 5 Dec 2025 | Published in Bundesgesetzblatt |
| 6 Dec 2025 | New BSIG enters into force - all obligations apply immediately |
| 6 Jan 2026 | BSI registration portal goes live |
| 6 Mar 2026 | Deadline for BSI registration |
| ~2028 | KRITIS operators: first evidence of compliance due |

There is no transition period. Risk management measures, incident reporting, and management liability applied from the day the law entered into force.

Terminology

| EU Term | German Term | Abbreviation |
|---|---|---|
| Essential entity | Besonders wichtige Einrichtung | bwE |
| Important entity | Wichtige Einrichtung | wE |
| Critical infrastructure operator | Betreiber kritischer Anlagen | KRITIS |

The hierarchy: KRITIS ⊂ bwE ⊂ all NIS2 entities. KRITIS operators are automatically classified as essential (bwE).

Penalties

| Category | Maximum Fine | Turnover-Based Alternative |
|---|---|---|
| Besonders wichtige Einrichtungen (bwE) | EUR 10,000,000 | 2% of worldwide annual group turnover |
| Wichtige Einrichtungen (wE) | EUR 7,000,000 | 1.4% of worldwide annual group turnover |

The higher of the fixed amount and the turnover-based amount applies. Maximum fines by type of violation:

| Violation | Maximum Fine (bwE / wE) |
|---|---|
| Failure to implement cybersecurity measures (§30) | EUR 10M / EUR 7M |
| Failure to report incidents (§31) | EUR 10M / EUR 7M |
| Non-compliance with BSI directives | EUR 10M / EUR 7M |
| KRITIS: failure in critical component reporting | EUR 5,000,000 |
| KRITIS: failure in audit evidence procedures | EUR 2,000,000 |
| Registration violations, failure to notify BSI | EUR 500,000 |
| Obstruction of BSI inspections | EUR 500,000 |
| Contact accessibility failures | EUR 100,000 |

Three Core Duties of Management (Section 38 BSIG)

Approval (Billigung)
Management must formally approve cybersecurity risk management measures per Section 30 BSIG.
Oversight (Überwachung)
Active monitoring of implementation - not passive awareness. Management must verify that measures are actually being implemented.
Training (Schulung)
Mandatory personal participation in cybersecurity training at minimum every 3 years. This duty cannot be delegated.
Executives are personally liable to their own company when they culpably violate these duties. Delegation of operational tasks is permitted, but strategic responsibility and oversight remain with management. Management cannot claim lack of technical knowledge as a defense.
Section 38 BSIG also restricts the entity's ability to waive this liability by contract.

Registration

Deadline: 6 March 2026 (three months after the BSIG entered into force).
Registration uses a two-step process: first create an account via Mein Unternehmenskonto (MUK/ELSTER), then register via the BSI portal (live since 6 January 2026).
Registration is a self-identification obligation: the BSI does not notify companies that they are in scope. Companies must determine for themselves whether they fall under the law. The BSI can, however, order a company to register if it determines that the company is in scope.

Supervision by Entity Class

| Aspect | Besonders wichtig (bwE) | Wichtig (wE) |
|---|---|---|
| Supervision | Proactive (ex-ante) - BSI can audit at any time | Reactive (ex-post) - only on evidence of non-compliance |
| Maximum fine | EUR 10M or 2% global turnover | EUR 7M or 1.4% global turnover |
| Audit requirements | Risk-based spot checks by BSI | Only on justified suspicion |
| KRITIS audit cycle | Every 3 years (if KRITIS operator) | N/A |