Public and private entities in 14 sectors
which are listed in Annexes 1 and 2 of the BSI Act (2025) with at least 50 employees or at least EUR 10 million in annual revenue and total annual assets.
NIS 2 Directive at a glance
What matters for businesses now
Get a clear overview of what the EU’s NIS 2 Directive and the German implementation law mean for companies in Germany. This will ensure you’re well-prepared to take your next steps.
What is NIS 2?
With the NIS 2 Directive, mandatory security measures and reporting obligations apply to many companies and organizations in 14 sectors. Many may also be indirectly affected as suppliers. The goal of NIS 2 is to achieve a higher common level of cybersecurity across the EU. The information on this page is based on the German NIS 2 implementation law. Other EU countries have similar, but not entirely identical requirements.
What does “NIS” stand for?
The NIS Directive stands for the “Network and Information Security” Directive.
When did NIS 2 come into effect?
- The NIS 2 Directive (EU) 2022/2555 has been in force at the EU level since 2023.
- As a directive, it is not directly applicable but must first be transposed into national law.
- The German NIS 2 implementation law entered into force on December 6, 2025.
There is no transition period. The obligations and sanctions have been in effect since the German law came into force. While companies are normally only required to submit proof of implementation after three years, those that stand out or are particularly relevant must expect independent bodies to review their implementation even before then. So for companies, it’s very urgent.
Dr. Matthias Zuchowski, Regulatory Affairs & Compliance Manager, G DATA CyberDefense AG
NIS 2: Who is affected?
The NIS 2 assessment from the German Federal Office for Information Security (BSI) provides an initial guide to help you determine whether your company is affected by the NIS 2 Directive. The NIS 2 Directive applies to the following entities that provide their services in the European Union or carry out their activities there. “Negligible business activities” may be disregarded.
Special cases
Certain special cases regardless of their size
How are NIS 2 and the German BSI Act related?
The German NIS 2 implementation law does not itself contain any new substantive provisions, but rather amends existing laws. In Article 1, it redefines the BSI Act (BSIG). The references on this website therefore refer to the “BSI Act (2025)”. The other articles amend other laws. Example: Article 17 amends the Energy Industry Act (EnWG), which contains measures for the energy industry.
What must companies and organizations affected by NIS 2 do?
Cybersecurity risk management measures
§ 30 BSI Act (2025)
According to NIS 2, you must implement at least the following measures to manage the risks to the security of your network and information systems – and to minimize the impact of security incidents as much as possible. You must protect the IT systems and their physical environment (“all-hazards approach”). You should determine exactly what is appropriate for your organization using a risk-based approach.
- Policies: Concepts for risk analysis and security for information systems
- Incident response: Detection, analysis, containment, and response to incidents
- Business continuity: Backup management and recovery, crisis management
- Supply chain: Security in the supply chain
- Procurement: Security in the acquisition, development, and maintenance of IT systems, including vulnerability management and disclosure
- Effectiveness: Assessment of the effectiveness of risk management measures
- Cyber hygiene, training: Cyber hygiene (e.g., updates) and cybersecurity training
- Cryptography: Use of cryptography and, where applicable, encryption
- Personnel, access, assets: Personnel security, access control, and asset management
- Authentication: Multi-factor authentication or continuous authentication
- Communication: Secure voice, video, and text communication, including in emergencies if necessary
Management’s responsibility
§ 38 BSI Act (2025)
- must implement the measures and monitor their implementation
- is liable for violations under the rules of the applicable corporate law
- must participate in training
Mandatory reporting of security incidents
§ 32 BSI Act (2025)
The EU NIS 2 Directive stipulates that significant security incidents must be reported to the national authority and, where applicable, to the recipients of the organization’s services.
The German BSI Portal serves as the reporting center. The following deadlines apply for reporting an incident to the BSI:
- Early warning within 24 hours of becoming aware: Suspicion as to whether the incident is based on an unlawful or malicious act and whether it is cross-border.
- Detailed report within 72 hours of becoming aware: Initial assessment of the security incident, including severity, impact, and, if applicable, indicators of compromise.
- Progress/final report one month after notification: Detailed description, information on the nature of the threat, causes, remedial measures, and, if applicable, cross-border impacts.
NIS 2 registration
§§ 33–34 BSI Act (2025)
If NIS 2 applies to you, you must register with the Federal Office for Information Security (BSI). The registration process consists of two steps: First, you must sign up for the digital service Mein Unternehmenskonto (MUK) and then register on the BSI Portal. You can find out exactly how to proceed in the step-by-step guide (German).
The following information must be submitted:
- Name of the organization, including its legal form and, where applicable, its commercial register number
- Address and current contact information, including email address
- Public IP address ranges and telephone numbers
- Relevant sector listed in Annex 1 or 2, or, where applicable, industry
- List of those European Union member states in which the entity provides services of the types of entities listed in Annex 1 or 2
- The federal and state supervisory authorities responsible for the activities on the basis of which registration is taking place
- Additional information, if applicable, depending on the type of entity, in particular for operators of critical infrastructure and other particularly critical types of entities
What happens if you do not comply with the NIS 2 regulations?
Particularly important facilities | Important facilities | |
|---|---|---|
Regulatory oversight (§§ 61–62 BSI Act 2025) | Proactive oversight even in the absence of prior indications of violations, for example (at the discretion of the BSI):
| Reactive oversight only following indications of violations, for example (at the discretion of the BSI):
|
Fines for violations (§ 65 BSI Act 2025) | Up to EUR 10 million or 2% of the previous year’s global revenue – whichever is higher | Up to EUR 7 million or 1.4% of the previous year’s global revenue – whichever is higher |
Who is included? | Large companies as defined in Appendix 1 of the BSI Act (2025):
Size-independent special cases | Large companies as defined in Annex 2 of the BSI Act (2025):
Medium-sized enterprises as defined in Annex 1 or Annex 2 of the BSI Act (2025):
Size-independent special casesNote: Classification as “particularly important” always takes precedence. |
How G DATA solutions help you comply with NIS 2 regulations
Do you need help implementing the NIS 2 Directive?
Then our NIS 2 Consulting service is the perfect solution. It is offered by G DATA Advanced Analytics GmbH, a highly specialized IT security consultancy within the G DATA Group. Feel free to contact us for more information – there’s no obligation.
Note: The information provided is for informational purposes only and does not constitute individual legal advice.