6 March 2026 marked the expiry of one of the first concrete deadlines established by the new German NIS2 implementing legislation: the obligation to register with the Federal Office for Information Security (BSI). Approximately 30,000 companies and organisations in Germany were subject to this obligation, yet a significant number failed to register within the prescribed timeframe. Those who missed the deadline should act without delay. Moreover, any company that has not yet determined whether it falls within the scope of the legislation should conduct that assessment urgently, as the scope of application of the NIS2 law is considerably broader than many organisations assume.
1. What is NIS2, and How Has It Been Implemented in Germany?
The NIS2 Directive (“Network and Information Security Directive 2”) is an EU directive aimed at strengthening cybersecurity across Europe. It supersedes the original NIS Directive of 2016 and establishes significantly more stringent standards, both in terms of substantive requirements and the range of entities subject to its obligations.
In Germany, the Directive was transposed by the Act Implementing the NIS 2 Directive and Regulating Essential Principles of Information Security Management in Federal Administration (NIS2UmsuCG), which entered into force on 6 December 2025. The Act primarily amends the Act on the Federal Office for Information Security (BSIG) and gives rise to binding obligations for covered entities with immediate effect and without any transitional period.
2. Extended Scope of Application: Which Entities Are Affected?
Perhaps the most significant – and most widely underestimated – aspect of NIS2 is the substantial expansion of its scope of application. Whereas prior regulation was primarily confined to operators of critical infrastructure (KRITIS), the new legal framework now captures a large number of “ordinary” companies operating in certain sectors.
For entities that are not already expressly listed in Section 28 BSIG (and therefore within the scope of the Act by operation of law), the applicable size thresholds are as follows:
- Essential entities: (1) at least 250 employees or (2) annual turnover exceeding EUR 50 million and annual balance sheet total exceeding EUR 43 million, operating in a sector listed in Annex 1 BSIG
- Important entities: (1) at least 50 employees or (2) annual turnover and balance sheet total each exceeding EUR 10 million, operating in a sector listed in Annex 2 BSIG
Critically, neither the legislature nor the BSI actively notifies affected entities. The assessment of whether a company falls within scope is a self-initiated obligation on the part of the entity concerned – entities that fail to act remain legally obligated and risk enforcement action.
3. Affected Sectors – Ordinary Companies in the Regulatory Spotlight
The BSIG distinguishes in its annexes between sectors of high criticality (Annex 1) and other critical sectors (Annex 2). The following overview sets out typical categories where a NIS2 nexus is frequently overlooked:
- Energy and Utilities
Energy suppliers, grid operators, and mid-sized municipal utilities, as well as district heating providers, may fall within scope. The digitalisation of energy infrastructure has rendered many entities that were previously regarded as pure utility operators subject to regulatory obligations.
- Manufacturing and Processing Industries
Newly brought within the scope of the legislation are, inter alia, manufacturers of certain products, including medical devices, machinery, vehicles, and electronic equipment.
- IT and Digital Service Providers
Cloud providers, data centre operators, managed service providers, and providers of public electronic communications networks are subject to the Act, often at considerably lower thresholds. Entities providing IT services to other companies should conduct a particularly careful assessment of their own regulatory exposure.
- Postal, Courier, and Logistics Services
Logistics and postal service providers also fall within the newly captured sectors. In particular, mid-sized freight forwarders and parcel delivery operators with a high degree of digitalisation may be subject to the Act.
- Food Production and Distribution
For many companies, this may come as a surprise: producers and wholesalers in the food sector may also fall within scope if the relevant size thresholds are met. Food supply is classified as systemically relevant and is regulated accordingly.
- Research and Public Administration
Research institutions as well as federal and state government authorities are also included. Universities and non-university research institutes should carry out an individual assessment of their regulatory exposure.
4. Key Obligations under the NIS2UmsuCG
a) Registration Obligation (Section 33 BSIG)
All affected entities were required to register on the BSI portal by 6 March 2026. Registration is effected via the BSI’s Notification and Information Portal (MIP) using an ELSTER organisational certificate and a “Mein Unternehmenskonto” (MUK) account. Entities must provide, among other details, their company size, sector, type of entity, and a NIS2 contact point available around the clock. Any changes to company data must be updated without delay and in any event within two weeks.
b) Risk Management Measures (Section 30 BSIG)
Affected entities must implement appropriate technical and organisational measures (TOMs) to ensure the security of their network and information systems. Section 30(2) BSIG sets out ten requirement areas, including: risk analysis and information security policies, incident management, business continuity management, supply chain security, access controls, and cryptography and encryption.
c) Incident Reporting Obligations (Section 32 BSIG)
Significant security incidents must be reported to the BSI through a graduated notification procedure: an initial notification (early warning) must be submitted within 24 hours, a detailed follow-up report within 72 hours, and a final report within one month. These reporting obligations have applied since 6 December 2025, irrespective of whether the entity has completed registration.
d) Personal Liability of Senior Management (Section 38 BSIG)
A particularly far-reaching development: NIS2 places overall responsibility for cybersecurity with the senior management of the entity. Managing directors and board members may be held personally liable for breaches of duty – including with their personal assets. Mere delegation to the IT department or external service providers is not sufficient to discharge this liability. Senior management are also required to participate regularly in cybersecurity training.
5. Sanctions: Significant Fines and Supervisory Measures
The BSI may impose substantial fines for violations of the BSIG. Late registration alone may be sanctioned with a fine of up to EUR 500,000 pursuant to Section 65(2) no. 6 BSIG. For more serious violations, significantly higher caps apply:
- Essential entities: up to EUR 10 million or 2% of global annual turnover
- Important entities: up to EUR 7 million or 1.4% of global annual turnover
In addition, the BSI may issue public notices of violations (“naming and shaming”), suspend certifications, and issue binding orders. In the case of essential entities, supervisory inspections may be carried out without specific cause.
Practical Note:
Entities that have not yet registered and fall within the scope of the NIS2UmsuCG should complete registration without delay. It remains to be seen how rigorously the BSI will enforce non-compliance; however, the legal risk already exists. Furthermore, the obligation to report security incidents has applied since 6 December 2025, independently of registration.
Recommended Immediate Actions:
- Scope assessment: Determine, on the basis of your sector, employee headcount, and turnover, whether your company falls under Annex 1 or Annex 2 of the BSIG.
- Completion of registration: Apply for the ELSTER organisational certificate if not yet obtained, and set up a “Mein Unternehmenskonto” (MUK) account. The application process may take several business days.
- Establishment of reporting processes: Ensure that a NIS2 contact point available around the clock has been designated and that internal escalation procedures for security incidents have been put in place.
- Implementation of a risk management framework: Conduct a structured risk analysis and document the measures taken. Existing ISO 27001 certifications or BSI IT-Grundschutz implementations will significantly facilitate compliance.
- Involvement of senior management: Inform managing directors and board members of the personal liability exposure and mandatory training obligations. NIS2 is a matter for senior leadership!
- Review of supply chains: NIS2 requires entities to secure their supply chains. Assess which service providers and suppliers have access to your IT systems and whether the applicable security requirements are adequately reflected in contractual arrangements.
NIS2 is not a one-off compliance project, but an ongoing regulatory framework. The requirements relating to risk management, incident reporting, and supply chain security demand sustainable organisational structures.
Contact:
Jens Borchardt
