The NIS-2 Directive, transposed into German law by the NIS-2 Implementation Act that came into force on 6 December 2025, tightens cyber security obligations. This also applies to companies whose business models are neither digital nor data-intensive. IT security is thus becoming a compliance issue and an obligation for many companies.
The German Federal Parliament (Bundestag) has adopted the law on the implementation of the NIS-2 Directive and on the regulation of essential principles of information security management in the federal administration (in short: "NIS-2 Implementation Act"). After approval by the German Federal Council (Bundesrat) and promulgation in the Federal Law Gazette, it has been in force since 6 December 2025.
The NIS-2 Implementation Act amends the Act on the German Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG) and introduces new, stricter cyber security obligations. The group of companies that must implement cyber security measures is significantly larger than the previous group of addressees.
After the legislative process had been interrupted by the early elections in spring 2025, things then moved faster than expected. As the transposition deadline of 17 October 2024 had long since expired and the European Commission had already initiated infringement proceedings against the Federal Republic of Germany, the German legislator adopted the NIS-2 Implementation Act in an accelerated procedure towards the end of 2025. It is therefore not surprising that the Act entered into force just one day after its promulgation in the Federal Law Gazette and without any transitional periods. For the companies concerned, this means that they must now implement the new cyber security obligations at very short notice. They are obliged to take suitable and proportionate technical, operational and organisational measures to ensure IT security in the company.
The NIS-2 Directive (NIS = Network and Information Security), adopted by the European Parliament on 10 November 2022, belongs to a series of EU legal acts that form part of the European Commission's digital strategy. An evaluation by the European Commission had shown that the previous NIS Directive and its implementation in the individual EU member states had not led to a sufficient level of cyber security in the EU. NIS-2 therefore tightens the cyber security obligations.
Previously, the BSIG distinguished between three categories of companies: (1) operators of critical infrastructure (Section 8a BSIG), (2) providers of digital services (Section 8c BSIG) and (3) companies in the special public interest (so-called "UBI", Section 8f BSIG).
Now, Section 28 BSIG (new version) distinguishes between so-called particularly important facilities (Section 28 (1) BSIG) and important facilities (Section 28 (2) BSIG). Annexes 1 and 2 to the BSIG define when a company, depending on the sector or industry it belongs to, qualifies as a particularly important or an important facility.
The following criteria are decisive for determining whether a company falls within the scope of application of NIS-2: (1) classification as a critical infrastructure operator ("KRITIS-Betreiber") (i.e. as a particularly important or important facility), (2) membership of a sector or industry and (3) the size of the company.
In addition to operators of critical installations, providers of qualified trust services and providers of telecommunications services or operators of telecommunications networks, companies that employ at least 250 people and have an annual turnover of more than EUR 50 million or an annual balance sheet total of more than EUR 43 million are also particularly important facilities.
Important facilities, however, are not only critical infrastructure companies but also manufacturing companies with more than 50 employees and an annual turnover of more than EUR 10 million, provided that they belong to one of the sectors or industries listed in Annex 1 or 2 to the BSIG.
Therefore, the scope of application has been significantly extended compared to the previous NIS Directive of 2015.
NIS-2 is of particular importance for the "manufacturing" sector, which is covered by the new cyber security obligations for the first time. Many companies whose business models are neither digital nor particularly data-related will therefore have to deal with cyber security compliance in depth for the first time.
In implementing the NIS-2 Directive, the BSIG significantly extends the scope of application of cyber security obligations. Compared to the NIS Directive, the NIS-2 Directive also contains a much more comprehensive catalogue of cyber security obligations. Violations of cyber security obligations are to be severely sanctioned: under the BSIG, fines of between EUR 100,000 and EUR 10 million are provided for violations. In addition, companies are subject to registration obligations and to reporting obligations in the event of a cyber security incident.
Pursuant to Section 30 (1) sentence 1 BSIG, so-called particularly important and so-called important facilities are obliged "to take suitable, proportionate and effective technical and organisational measures in order to avoid disruptions to the availability, integrity and confidentiality of information technology systems, components and processes that they use for rendering their services, and to minimise the impact of security incidents."
In doing so, the extent of risk exposure, the size of the facility, the implementation costs, the probability of occurrence and severity of security incidents and their effects must be taken into account, cf. Section 30 (1) sentence 2 BSIG.
The risk management obligations include, among others, the following measures, which Section 30 (2) BSIG lists as minimum requirements:
Moreover, an obligation to register has been introduced, cf. Section 33 BSIG. The responsible German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) provides a two-step registration process for facilities in Germany that fall under the NIS-2 Directive:
First, companies create an account with "My company account" ("Mein Unternehmenskonto", MUK); in the second step, they use this MUK user account to register with the BSI portal newly developed for NIS-2. The BSI portal has been live since January 2026. Among other things, it serves as the reporting office for significant security incidents. The deadline for a company's initial registration with the BSI portal is 6 March 2026, or three months from the date on which the company becomes an important or particularly important facility.
Companies that fall within the scope of application of NIS-2 are therefore advised to register via the BSI portal by 6 March 2026 at the latest, both in order to comply with their registration obligation and to be able to report IT security incidents electronically within the prescribed deadlines.
The obligations to report significant security incidents have also been tightened, cf. Section 32 BSIG. Significant security incidents must be reported in stages: an early initial report within 24 hours and a report within 72 hours. A summary final report must be submitted after one month at the latest. This entails a considerable administrative burden for companies, as they not only have to take measures to maintain operations or restore their IT systems in the event of a cyber-attack, but must also report to the authorities on the type, scope and measures taken.
The management's monitoring obligation pursuant to Section 38 BSIG is new in particular. The board or the management must ensure that suitable and proportionate technical and organisational measures are taken within the company to minimise cyber risks. Moreover, companies are obliged to offer IT security training for managers and other employees.
These obligations cannot be delegated completely; ultimate responsibility always remains at management level. If the management violates these compliance obligations, it is liable to the company for damages.
Violating cyber security obligations thus constitutes a substantial risk for the management. This risk can, where necessary, be covered by D&O insurance. Companies concerned should review their existing insurance contracts. Moreover, it is advisable to evaluate whether taking out cyber insurance is worthwhile.
Pursuant to Section 91 (3) German Stock Corporation Act (Aktiengesetz, AktG), the establishment of a risk management system is already part of the obligations of the board of a stock corporation and, thus, part of general compliance obligations of the management of companies. However, the extension to cyber security obligations is new.
Since the NIS-2 Implementation Act entered into force without transitional periods, it is high time for the companies concerned to act. The following summary provides them with a (non-exhaustive) guide to the most important points to be clarified as a matter of priority in order to implement the new cyber security obligations.
Clarification of the applicability of NIS-2 and of registration obligations: First, it should be clarified whether and to what extent NIS-2 applies to the company in question and whether registration obligations with the BSI exist. This must be determined in each individual case on the basis of the company's product and service portfolio.
Inventory and documentation: Existing cyber security concepts should be reviewed, risks evaluated and the required documentation, such as cyber security concepts, emergency plans etc., developed together with technical and legal experts.
Prevention of cyber-attacks: Investments in cyber security pay off, as they make an important contribution to protecting corporate know-how against industrial espionage and to minimising the risk of major business interruption losses in the event of a cyber-attack. Prevention and timely preparation make the decisive difference here.
Compliance and liability: In the age of Industry 4.0 and in view of the legal changes, IT security should become a "matter for the boss" in companies. EDP and IT security are to be understood as management tasks. This does not mean that managing directors and board members must be IT experts; rather, they should consult IT security experts. However, responsibility cannot be delegated completely, as ultimate responsibility lies with the board or the managing director.
IT security in the supply chain: Even if a company does not fall within the scope of application of NIS-2, it will sooner or later have to meet the NIS-2 requirements for its clients. Companies will find that their clients pass their cyber security obligations on to their suppliers.
The factual scope of application of NIS-2 is thus even wider. Numerous companies supplying companies that must meet the new NIS-2 cyber security requirements are indirectly affected. This applies, for example, to suppliers to the medical technology and pharmaceutical industries, but also to manufacturing companies that only produce parts for use in the automotive industry, various areas of mechanical engineering or electrical engineering.
In fact, almost every company will sooner or later have to deal with the topic of IT security.