June 15, 2026
The NIS2 Implementation Act has been in force in Germany since December 6, 2025. It transposes the European NIS2 Directive into the BSI Act (BSIG) and significantly tightens IT security requirements. Cybersecurity thus becomes an ongoing obligation rather than a one-off project.
The regulation covers companies in 18 sectors, among them energy, transportation, healthcare, digital infrastructure and manufacturing. Whether a company falls within scope is decided by its size and economic significance, measured against thresholds for headcount, or for annual revenue and balance sheet total (as a rule, 50 or more employees, or more than EUR 10 million in both revenue and balance sheet total, for medium-sized entities).
In practice, the focus is therefore on medium-sized and larger companies, since they play a central role in the economy and in critical infrastructure. At the same time, certain entities are covered regardless of their size. Depending on whether they are classified as "important" or "particularly important" entities, affected companies are subject to tiered obligations and supervision.
Companies must implement appropriate technical and organizational measures for cybersecurity. These include risk analyses, supply chain security, crisis and business continuity management, cyber hygiene and training, as well as encryption and multi-factor authentication. Significant security incidents must be reported promptly and in multiple stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.
Affected entities must also register with the BSI on their own initiative within three months of the law taking effect. That deadline was March 6, 2026; anyone who has not yet registered should do so immediately.
Beyond registration, NIS2 has to be implemented in day-to-day IT processes: clarifying responsibilities, identifying vulnerabilities, and implementing and documenting measures. Those who act early retain control over their risks. It is also worth taking a look at the Cyber Resilience Act, which imposes related obligations on manufacturers of products with digital elements.
This text was translated using AI.