With the official enactment of the NIS-2 Implementation Act, Germany has taken a major step toward modernizing its cybersecurity framework. Starting from 6 December 2025, stricter requirements will apply to both the federal administration and thousands of private companies. This law revises the BSI Act (BSIG) and introduces comprehensive obligations for IT security and risk management. The NIS2 Directive is the EU’s updated cybersecurity framework. It requires organizations to implement risk management measures, report incidents within an initial 24-hour window, and strengthen supply chain security, and it introduces management accountability, including personal liability for non-compliance.
Who Is Affected?
The scope of regulation expands dramatically:
- Around 29,500 entities will now fall under the supervision of the BSI (Bundesamt für Sicherheit in der Informationstechnik – Federal Office for Information Security), compared to 4,500 previously.
- Newly regulated organizations include those in critical sectors that meet specific thresholds for staff, revenue, and balance sheet.
- These entities are classified as “essential” or “important” facilities. Operators of KRITIS (Critical Infrastructure) automatically qualify as “essential.”
Key Obligations
Affected companies must comply with three core requirements:
- Register as NIS2 entities within three months.
- Report significant security incidents to the BSI within 24 hours at the latest (with an update within 72 hours and a final report within 30 days).
- Implement and document risk management measures.
The BSI has issued guidance on the mandatory management training in this regard.
Registration Timeline
The BSI has announced a two-step registration process:
- Step 1: Create an account on Mein Unternehmenskonto (MUK).
- Step 2: From January 6, 2026, register via the new BSI portal, which will also serve as the reporting platform for major security incidents.
Call to Action
Non-compliance with NIS2 not only exposes a company to severe fines of up to €10 million or 2% of global annual turnover and to personal liability of its management, but in practical terms it also poses significant risks to the company’s cybersecurity.
