15 June 2026
The new BSIG has been in effect since December 6, 2025. Approximately 29,000 companies are affected, many for the first time: in addition to companies in the energy and healthcare sectors, this includes, for example, small and medium-sized enterprises in IT, mechanical engineering, medical technology, and research. Those affected must check their own compliance — no official notification will be sent.
The law distinguishes between “particularly important” and “important” entities, depending on size, industry, or systemic relevance. For both categories, management bears personal liability and must complete mandatory training at least every three years, with proper documentation of that training.
The obligations are extensive: technical and organizational measures, supply chain due diligence, and comprehensive documentation. In the event of significant incidents, the clock is ticking: an initial report to the BSI within 24 hours, an assessment after 72 hours, and a final report after one month. Fines: up to 10 million euros (in individual cases even 20 million) or 2 percent of global group revenue.
A properly implemented information security management system can help meet these obligations. A folder full of policies won’t stop an attacker or meet a 24-hour reporting deadline. What matters is what actually operates in practice: clear responsibilities, automated detection, tested reporting channels, and carefully selected and contractually secured suppliers.
Our recommendation: Start with an honest assessment of your current status. Where are processes actually in place, and where do only documents exist? The BSI does not conduct audits from day one, but tangible progress in implementing NIS2 is expected. More information on NIS2 obligations and implementation is available here.
This text was translated using AI.