NIS2 Country Guide

NIS2 Germany: Implementation, Authorities & Key Requirements

Germany transposed the NIS2 Directive through the NIS2UmsuCG (NIS2-Umsetzungsgesetz), which entered into force on 5 December 2025.

Germany | Law in force: 28 Oct 2024 | Registration required

Introduction: NIS2 Directive & the German context

Germany has one of the most mature cybersecurity regulatory environments in the EU. Before NIS2, it already operated the IT-Security Act (IT-Sicherheitsgesetz) and KRITIS regulations for critical infrastructure.

With NIS2, Germany substantially expanded its cybersecurity obligations, affecting thousands of additional businesses through the new NIS2 Implementation Act (NIS2UmsuCG).

NIS2 Directive implementation in Germany

Germany transposed the NIS2 Directive through the NIS2UmsuCG (NIS2-Umsetzungsgesetz), which entered into force on 28 October 2024. The law updates Germany’s cybersecurity framework, replaces parts of the existing KRITIS regulations and expands obligations to both essential and important entities across more sectors.

Status

NIS2UmsuCG is fully in force since 5 December 2025.

Supervising authority

The Federal Office for Information Security (BSI) leads supervision, audits, reporting and sector coordination.

Designation & registration

Entities in scope must register with BSI and provide key information, including management contact details.

NIS2 Germany: compliance requirements

Germany follows the standard NIS2 structure (essential and important entities), but with additional German-specific enhancements and KRITIS-aligned expectations.

Scope

  • Entities in NIS2 Annex I & II sectors.
  • Medium-sized or larger organisations (size cap applies).
  • Entities covered regardless of size: DNS, TLD registries, trust services, public communications, major digital services.
  • German KRITIS operators continue to face stricter obligations.

Obligations

  • Risk management measures aligned with NIS2 Annex I security controls.
  • Incident reporting via BSI within 24 hours (early warning) and 72 hours (detailed report).
  • Business continuity & crisis management readiness.
  • Supply-chain risk management with mandatory contractual security controls.
  • Mandatory cybersecurity training for management bodies.

Certification / Standards

BSI recognises ISO 27001, BSI IT-Grundschutz and equivalent frameworks as suitable for alignment. Certification is not mandatory but strongly encouraged for demonstrating compliance.

Important: Germany maintains stricter KRITIS rules for certain sectors, meaning some organisations must meet requirements beyond EU-wide NIS2 minimums.

Competent authorities & CSIRT

The BSI is Germany’s central authority for NIS2, complemented by sectoral regulators depending on industry.

Role | Authority | Notes
National CSIRT | BSI (Federal Office for Information Security) | Receives NIS2 notifications; operates 24/7 national cyber defence capabilities.
Single Point of Contact | BSI | Coordinates EU-wide information exchange under NIS2.
Sector-specific supervision | BSI + sector regulators | Energy, health, finance, transport, water and telecom sectors have additional supervisory bodies.

NIS2 timeline & key dates (Germany)

27 Dec 2022 — Directive (EU) 2022/2555 (NIS2) is published in the Official Journal of the European Union.
17 Oct 2024 — EU transposition deadline for Member States. Germany did not meet this deadline.
5 Dec 2025 — The German NIS2 Implementation Act (NIS2UmsuCG) enters into force, amending the existing cybersecurity framework (including the BSIG/KRITIS regime).
Dec 2025 - early 2026 — In-scope entities must register with the Bundesamt für Sicherheit in der Informationstechnik (BSI) within the statutory timeframe following entry into force.
2026 onward — Full supervisory regime applies, including audits, incident reporting obligations, sector-specific requirements and enforcement.

Sector-specific notes for Germany

  • Energy: alignment with German KRITIS; stricter requirements apply.
  • Transport: rail, aviation, maritime and road operators must follow BSI incident reporting.
  • Healthcare: hospitals and labs have enhanced requirements tied to patient safety.
  • Finance: supervision coordinated with BaFin and BSI; overlaps with DORA regulation.
  • Water: drinking and wastewater operators face strict resilience and redundancy duties.
  • Digital services: cloud, hosting, data centres, DNS, TLD, trust services — in scope regardless of size.

Penalties under NIS2UmsuCG

Germany applies the NIS2 maximum penalty framework:

  • Essential entities: fines up to €10 million or 2% of global annual turnover.
  • Important entities: fines up to €7 million or 1.4% of global turnover.
  • Management can be held personally liable for failure to oversee cybersecurity.

How to prepare for NIS2 in Germany

  1. Check if you are essential or important: map your services to NIS2 Annex I & II sectors.
  2. Register with BSI: mandatory for all entities in scope.
  3. Conduct a gap assessment: compare current controls with NIS2 risk management requirements.
  4. Improve governance: train management bodies; document responsibilities.
  5. Strengthen incident reporting: ensure readiness for 24-hour early warning reports.
  6. Secure the supply chain: update vendor contracts with cybersecurity clauses.
  7. Adopt a recognised framework: implement ISO 27001, IT-Grundschutz or NIST CSF alignment.
  8. Build evidence: maintain logs, documentation and records for audits.

Official links & resources

FAQ: NIS2 in Germany

Is NIS2 already in force in Germany?
Yes. NIS2UmsuCG has been in force since 5 December 2025.

Who supervises NIS2 in Germany?
BSI is the central authority responsible for supervision, auditing and NIS2 reporting.

Does NIS2 replace German KRITIS rules?
No. KRITIS requirements remain and often exceed NIS2 minimums, depending on the sector.

Do we need to register with BSI?
Yes. All entities in scope must register, including important entities.

Is ISO 27001 required?
No, but ISO 27001 or IT-Grundschutz alignment is strongly recommended for demonstrating compliance.

Information provided for general guidance; refer to official BSI publications and national law for definitive requirements.