The German NIS 2 Implementation Act - which transposes the NIS 2 Directive into German law - was passed by the Cabinet on 30 July 2025 and is expected to come into force in 2025. This means that around 29,000 companies in Germany will be subject to new, extended risk management obligations that take effect immediately after the law is promulgated. Our analysis sheds light on the specific requirements for companies and the tight schedule.
On 30 July 2025, the Federal Cabinet adopted the bill for the NIS 2 Implementation Act (NIS2UmsuCG). This marks the start of the parliamentary procedure for implementing EU Directive 2022/2555 (NIS 2). The law represents a turning point for the German corporate landscape: instead of a few hundred critical infrastructure operators (KRITIS), an estimated 29,000 companies will in future be obliged to implement cybersecurity measures in their operations. It also redefines cyber security as a strategic core task of corporate management. This article analyses the key contents of the draft and its differences from the failed draft of the previous coalition government, the timetable for its entry into force and the adjustments to be expected in the parliamentary process.
The draft at a glance
Essentially, the last draft of the previous coalition government from 2024 is about to be adopted. There are only a few changes.
Extended scope of application - new: "negligibility clause"
The most fundamental change to the previous legal situation - which was, however, already planned in 2024 - is the introduction of the new regulated categories of "particularly important entities" and "important entities".
While the previous regulation was primarily aimed at a few hundred critical infrastructure operators, the new law now covers an estimated 29,000 companies in Germany. The legislator distinguishes between two new categories: "particularly important entities" and "important entities". The categorisation is based on company size and sector affiliation in accordance with Annexes 1 and 2 to the BSIG-E.
- Particularly important entities (Annex 1) include large companies from sectors such as energy, transport, banking, healthcare, digital infrastructure (cloud providers, data centres) and public administration.
- Important entities (Annexes 1 and 2) are typically medium-sized companies from the sectors already mentioned as well as from areas such as postal services, waste management, chemicals, food and manufacturing.
This categorisation is relevant as it is linked to different supervisory and sanction regimes. The previous categories (Critical infrastructure operators, providers of digital services, etc.) will be replaced by the new, EU-wide standardised categories of "particularly important" and "important entities".
However, an innovation that is crucial in practice compared to the draft bill from 2024 can be found in Section 28 (3) BSIG-E: According to this, business activities that are "negligible" with regard to the overall business activity can be disregarded in the classification. This clause is initially very beneficial for many companies whose core activities are not covered by NIS2 and which would only fall within its scope due to ancillary activities. However, it creates considerable legal uncertainty, as the draft does not provide a legal definition for the term "negligible". The explanatory memorandum merely provides non-binding indicators for this, such as quantitative criteria (number of employees, turnover) or qualitative indications (mention in the company's statutes), but ultimately refers to an undefined "overall picture". This forces companies to conduct their own independent, carefully documented, and ideally legally sound risk assessment to minimize the risk of a differing assessment by the Federal Office for Information Security (BSI). It is therefore a balancing act between the legitimate application of an exemption and the risk of a misjudgment. Furthermore, it is questionable whether the planned provision would be compatible with the NIS 2 Directive at all.
Extended supervisory powers for the BSI and higher fines
The instruments of the Federal Office for Information Security (BSI) will be significantly expanded in line with the NIS 2 requirements (Sections 61, 62 BSIG-E). This includes extended inspection, ordering and sanctioning powers. This is flanked by a comprehensive obligation to document the cybersecurity measures taken and a significantly stricter sanctions regime (Section 65 BSIG-E), under which fines of up to €20 million or 2% of the previous year's global turnover can be imposed on "particularly important entities"; for "important entities" the limit is €10 million or 1.4% of turnover (Section 65 (5-7) BSIG-E).
Personal liability of the management
A further paradigm shift is the planned explicit anchoring of personal liability for members of the management bodies (Section 38 (2) BSIG-E). Management and board members are liable for breaches of their duties when implementing and monitoring risk management measures (Section 38 (1) BSIG-E).
Stricter requirements for supply chain security
The security of the supply chain takes centre stage. Section 30 (2) no. 4 BSIG-E explicitly requires measures for "supply chain security, including security-related aspects of relationships with direct providers or service providers". This implies an obligation for proactive due diligence.
New reporting regime
The previous one-stage reporting obligation will be replaced by a three-stage system (Section 32 BSIG-E): initial report within 24 hours, detailed report within 72 hours and final report after one month. However, the BSI offers assistance here and has announced in particular that it will provide a digital reporting channel in good time - it is therefore advisable to monitor the corresponding website.
Quantified benefits of the regulation
The draft bill quantifies the expected economic benefits. The new security standards are expected to prevent an annual loss of around 3.6 billion euros for the German economy - as much as 250,000 euros per affected company.
The timetable and transition periods
The pressure from Brussels is high, as infringement proceedings are ongoing. The timetable is therefore tight:
- 30 July 2025: Adoption of the draft by the Federal Cabinet.
- 15 August 2025: Submission to the Federal Council.
- Autumn 2025: First reading in the Bundestag.
- Before the end of 2025: Planned legislative resolution.
The draft law does not provide for a general, long transition period. According to Article 30 of the draft, the law will enter into force on the day after its promulgation. The new obligations will generally apply to affected companies from this date. A specific deadline is only provided for the first-time registration with the BSI, which must take place no later than three months after entry into force (Section 33 (1) BSIG-E). However, an important exception has been created for operators of critical facilities who were already subject to verification obligations under the old law: If their verification deadline expires within twelve months of the new law's entry into force, they may submit their verification one final time according to the previous requirements (Section 39 (3) BSIG-E).
Parliamentary amendments: Where the Bundestag wants to tighten up the draft
The debate on the content in the Bundestag will begin in autumn 2025. There is cross-party agreement that the current text is a compromise that excludes controversial points. There will be discussions on these points in particular:
- Dealing with untrustworthy manufacturers
- Extension to the entire federal administration
- State vulnerability management
- Role and independence of the BSI
Why NIS 2 implementation must take place now
The implementation of the NIS 2 Directive is not only an unavoidable legal obligation; for companies in the European single market there is also no economic alternative. While the legislative process in Germany is still ongoing, 16 other EU countries have already enacted their national laws. The market for qualified cyber security experts and specialised service providers is already tight across Europe. When the German law comes into force, a surge in demand from a large number of companies will further reduce the available resources and drive up the cost of achieving NIS 2 compliance.