On 21 November 2025, the Federal Council approved the NIS2 Implementation Act (NIS2UmsuCG). At the core of the German implementation is the new BSI Act (BSIG n.F.) – the Act on the Federal Office for Information Security and on the Strengthening of the Security of Information Technology Systems. The law will enter into force before the end of 2025.
As staff of the Federal Office for Information Security (BSI) emphasized in a webinar on 20 November 2025, the overhauled BSIG will have to be implemented immediately, and with few exceptions, by approximately 29,000 undertakings. Effective implementation must be ensured by the "management bodies" of these undertakings. From the BSI's perspective, this includes not only managing directors and management board members but all persons with management authority, such as CFOs, general partners, and others. In the BSI's view, these persons are subject to a non-delegable duty to engage personally with the implementation of the BSIG.
Scope – Who is affected?
Members of the management body should first determine whether their entity is affected. The new BSIG divides undertakings into two categories: "essential entities" and "important entities".
The classification is based on a combined system of company size (size-cap rule) and affiliation with certain sectors (Annexes 1 and 2 of the new BSIG).
In addition, some entities are considered essential regardless of their size or sector because they are classified as systemically relevant for the functioning of society or economy.
Entities must proactively check whether they fall under the new rules – there will be no automatic notification by the authorities about whether they do or not.
Essential entities:
- Size-dependent: Undertakings with at least 250 employees, or with an annual turnover of more than EUR 50 million and a balance sheet total of more than EUR 43 million, provided they offer certain services in certain sectors (e.g. energy, transport, health, banking).
- Size-independent: Undertakings that are considered systemically relevant regardless of their size, e.g. operators of critical facilities (KRITIS), providers of qualified trust services (e.g. providers of electronic signatures), providers of so-called DNS services (Domain Name System, i.e. central internet infrastructure) and top-level domain name registries (e.g. .de).
Important entities:
- Size-dependent: Undertakings with at least 50 employees, or with an annual turnover and a balance sheet total of more than EUR 10 million each, provided they offer certain services in certain sectors (e.g. postal and courier services, waste management, parts of the manufacturing industry).
- Size-independent: Certain digital providers (e.g. providers of online marketplaces, online search engines, social networking services platforms) and providers of electronic communications services.
Many entities will face intense cybersecurity obligations for the first time based on the new set of rules – especially SMEs. Newly affected are, for example:
- IT service providers, in particular providers of so-called managed services (i.e. outsourced IT support and IT security services)
- Manufacturers of electronics, computers, machinery, motor vehicles, and medical devices
- Research organisations
Core obligations and strict reporting system
According to the legislator, the management bodies should be able to manage and oversee compliance with the core obligations. If a reportable incident occurs, the management body must ensure that the reporting channels are adhered to.
Proactive risk management measures (Section 30 new BSIG):
Entities must implement certain technical and organisational measures (TOMs) prescribed by law. These include both technical security precautions and organisational risk management processes, such as:
- the continuous assessment and mitigation of risks,
- mandatory due diligence across the entire supply chain,
- complete, gap-free documentation of all measures.
Reactive reporting obligations (Section 32 new BSIG):
A strict, three-stage reporting system applies in the event of significant security incidents:
- Within 24 hours: Early warning to the Federal Office for Information Security (BSI),
- Within 72 hours: Detailed incident notification,
- Within one month: Final report.
Members of the management body face personal liability
The BSIG prescribes direct and personal responsibility and liability for the management body.
This is not necessarily limited to managing directors and management boards. During a webinar, the BSI emphasized what can already be inferred from the statutory definition of "management body" in Section 2 No. 13 new BSIG: the statutes of the entity determine who belongs to the management body and who does not. The management body already faces liability under corporate law, so this is not entirely new, but the specific liability provision in the BSIG shows how much emphasis the legislator places on management responsibility for cybersecurity.
According to Section 38 (1) new BSIG, members of the management body must not only approve the prescribed risk management measures but also actively supervise their implementation.
This is not merely a formality: in the event of a breach of duty, they are personally liable for damages incurred (Section 38 (2) new BSIG).
To meet these responsibilities, members of the management body are obliged to attend cybersecurity training regularly so that they can assess risks correctly. The explanatory memorandum to the BSIG recommends training at least every three years.
According to the BSI, participation should be documented in such a way that the participants, speakers, content, and duration of the training are available for potential audits. Given this, a simple certificate of attendance may not be sufficient.
Supply chain security becomes the entity's own responsibility
Personal liability becomes particularly relevant if violations of main duties under the BSIG, such as supply chain management or reporting of security incidents, lead to damages.
The BSIG introduces an obligation to ensure cybersecurity not only within the entity but also regarding all important suppliers and service providers (e.g. through appropriate selection of "secure" service providers, contractual obligations to guarantee cybersecurity, and audits).
Strict sanctions and short reporting deadlines
The new BSIG provides for strict penalties in the event of infringements of the new cybersecurity obligations and orders issued by the BSI.
For core obligations, the amount of administrative fines is based – similar to the General Data Protection Regulation – on the worldwide annual turnover of the undertaking in the preceding financial year. The higher of the following two amounts is set as the upper limit:
- For essential entities: Up to EUR 10 million or 2% of the total worldwide annual turnover.
- For important entities: Up to EUR 7 million or 1.4% of the total worldwide annual turnover.
Even smaller undertakings can therefore be hit by substantial administrative fines if they are classified as "important" or "essential".
Act now
The new BSIG makes cybersecurity an explicit management task; it is no longer primarily a matter for the IT department. Management faces personal responsibility and liability.
The BSI does not seem to intend to audit entities for compliance from day one. However, action should be taken now to achieve compliance.