Cyberattacks represent a growing economic threat to businesses. Against this backdrop, the European legislator has set new standards for network and information security with the NIS2 Directive. These requirements have now been implemented in binding law in Germany.
Since when has the NIS2 Implementation Act been in effect?
The Act for the Implementation of the NIS2 Directive (NIS2UmsuCG) was promulgated on December 5, 2025, and applies immediately as of December 6, 2025. No general transition period is provided.
For which companies is the NIS2 Implementation Act relevant?
The scope of application has been significantly expanded compared to the previous legal situation. The following factors are particularly decisive:
- the affected sector (e.g., energy, health, digital infrastructure, IT services, industry),
- the company size,
- as well as the provision of services or the exercise of activities within the EU.
According to current estimates, more than 30,000 companies in Germany are covered by the new legal framework. Affiliated companies and group structures must also be taken into account during classification.
Why there is a need for action now:
The NIS2 Implementation Act brings significant changes, including:
- an expansion of the scope of application,
- stricter security and compliance obligations,
- increased responsibility for corporate management (governance obligations),
- a multi-stage reporting system for security incidents,
- as well as expanded supervisory and enforcement powers for authorities and a stricter fine framework.
Particularly at the intersection of IT security, data protection, and compliance, new organizational and legal requirements arise that should be reviewed and implemented promptly.
Registration Obligation with the BSI – Portal Now Open
“Essential entities” and “important entities” within the meaning of the NIS2 Implementation Act must register with the Federal Office for Information Security (BSI).
Registration takes place in two stages:
- via “My Business Account” (MUK)
- subsequently in the BSI registration portal (available since January 6, 2026)
Registration must take place within three months of becoming subject to NIS2 requirements.
Additional obligations may apply to certain entities (e.g., critical facilities, digital services/infrastructures).
Quick Check: Does your company fall under the NIS2 Implementation Act?
To obtain an initial assessment of whether your organization is affected by the NIS2 Implementation Act, we provide a free NIS2 Quick Check.
Need for Consultation
We would be pleased to support you in reviewing the scope of application, conducting gap analyses, and ensuring the legally compliant implementation of the new obligations – also with regard to data protection interactions with the GDPR.
January 7, 2026