NIS2 Implementation Act: New cybersecurity obligations in force since 6 December 2025
Cyberattacks pose an increasing economic threat to companies. Against this backdrop, European legislators have set new standards for network and information security with the EU Directive NIS2. These requirements have now been made binding in Germany as well.
When did the NIS2 Implementation Act come into force?
The Act implementing the NIS2 Directive (NIS2UmsuCG) was promulgated on 5 December 2025 and entered into force the following day, 6 December 2025. No general transition period is provided, so the obligations apply with immediate effect.
Which companies are affected by the NIS2 Implementation Act?
Compared to the previous legal framework, the scope of application has been significantly expanded. The key criteria are, in particular:
- the sector concerned (e.g. energy, health, digital infrastructure, IT services, industry),
- the size of the company, and
- the provision of services or the performance of activities within the EU.
According to current estimates, more than 30,000 companies in Germany are covered by the new legal framework. Affiliated companies and group structures must also be taken into account when determining applicability.
Why action is required now:
The NIS2 Implementation Act introduces significant changes, including:
- an expansion of the scope of application,
- stricter security requirements and new duties to act (risk-management measures),
- greater responsibility for company management (governance obligations),
- a multi-level reporting system for security incidents,
- extended supervisory and enforcement powers for the competent authorities, together with a stricter framework for fines.
New organizational and legal requirements are emerging, particularly at the interface between IT security, data protection and compliance, which should be reviewed and implemented without delay.
Registration requirement with the BSI – portal now activated
‘Essential’ and ‘important’ entities within the meaning of the NIS2 Implementation Act must register with the Federal Office for Information Security (BSI).
Registration is a two-step process:
- via ‘Mein Unternehmenskonto’ (MUK)
- then in the BSI registration portal (available since 6 January 2026)
Registration must be completed within three months of becoming subject to NIS2.
Additional obligations may apply to certain categories of entities (e.g. operators of critical installations, providers of digital services and digital infrastructure).
Quick Check: Is your company subject to the NIS2 Implementation Act?
To obtain an initial assessment of whether your organization is affected by the NIS2 Implementation Act, we provide you with a free Quick Check NIS2.
Consulting needs
We are happy to support you in assessing whether the Act applies to you, conducting gap analyses and implementing the new obligations in a legally compliant manner, including their interaction with data protection requirements under the GDPR. Further information can be found here.
January 07, 2026