
Germany implements NIS2 and brings 30,000 entities into the scope of regulation

December 15, 2025

On 6th December 2025, Germany's NIS2 Implementation Law entered into force, transposing the requirements of the EU NIS2 Directive (NIS2) into national legislation.

Coming more than a year after the expiry of the Directive's deadline for Member State transposition (17 October 2024), the snappily titled Act on the Implementation of the NIS 2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration transposes the extensive NIS2 requirements and substantially increases the number of regulated organisations in Germany, from approximately 4,500 to around 30,000 entities covered by the Act.

Progress on delivering NIS2 across the EU has been slow and patchy: only 16 of the 27 Member States have so far completed transposition, a woeful 60% completion rate given the initial enthusiasm to update critical infrastructure protections across the region.

Review the current NIS2 status tracker online

Germany’s legislative package updates the existing national cybersecurity framework, substantially revises the BSI Act for information security controls and triggers statutory registration timelines for all operators now in scope.

What does the Act bring for German organisations?

For many organisations in the country, the Act introduces broad new compliance obligations - most notably mandatory registration with the Federal Office for Information Security (BSI) and extensive operational and governance requirements.

Other EU countries have worked together to harmonise their approach to implementing risk based controls. Germany has decided to go in a different direction.

The new Act adds requirements of its own, such as mandatory disclosure of certain ICT components, and uses a tiered system of regulated entities that maps to the NIS2 risk-profiling model but with "particularly important entities" (besonders wichtige Einrichtungen) and "important entities" (wichtige Einrichtungen) in place of the Directive's "essential" (wesentlich) and "important" (wichtig) groupings.

The revised BSI Act layers the new NIS2 groupings on top of the existing KRITIS framework, which retains its separate classification of operators of critical facilities (Betreiber kritischer Anlagen). For NIS2 purposes, every operator of a critical facility under the BSI Act is automatically treated as a "particularly important entity". Simple?

Scope of inclusion

An entity falls within scope of the NIS2-equivalent rules of the updated BSI Act if both of the following hold:

  • It operates in one of the sectors listed in the Act (the full list is below), for example energy, transport, digital infrastructure, manufacturing or ICT service management; and
  • It is at least a medium-sized enterprise: 50 or more employees, or an annual turnover and an annual balance sheet total each exceeding €10 million.

In-scope entities must now register with a joint reporting office set up by the BSI and the Federal Office for Civil Protection and Disaster Assistance (BBK) within three months of the BSI Act taking effect, i.e. by 6th March 2026. Details on how to register are expected to follow soon.

Sectors in scope include:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Space
  • Public administration
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing industry / production of goods
  • Digital providers
  • Research

Regulated entities must implement appropriate, proportionate and effective cybersecurity risk-management measures to prevent or minimise the impact of incidents on the recipients of their services. The Act sets out a minimum catalogue of such measures.

Operators of critical facilities must ensure an even higher level of IT security, including mandatory attack detection systems, and must provide evidence of compliance to the BSI every three years.

Breaches of compliance follow NIS2's predefined penalty framework, with maximum fines of:

  • €10m or 2% of total worldwide annual turnover, whichever is higher, for particularly important entities
  • €7m or 1.4% of total worldwide annual turnover, whichever is higher, for important entities

Powers to prohibit ICT components

For operators of critical facilities in Germany, the Federal Ministry of the Interior may prohibit the use of certain critical components if their deployment is likely to endanger public order or national security.

Operators of critical facilities must also disclose the specific types of critical components they deploy when registering.

Whilst the component-prohibition mechanism itself predates the updated Act, the formal adoption of NIS2 represents a shift toward a more mature cybersecurity regulatory landscape in Germany, and the deadline to register is approaching.

Key action points

  • Conduct a scope assessment to verify if your organisation is covered by the new requirements
  • Prepare for BSI registration and ensure cyber security risk management and incident reporting capabilities are in place and working well
  • Critical facility operators must inventory all critical components ready for regulatory review, potential continuous supervision and even prohibition of use

Read the full Act online and Overcyte's previous assessment of the threat landscape in the EU.
