21 November 2025 | 5 min

NIS-2 Implemented: Why German Companies Must Act Now

In November 2025, the German Bundestag passed the law implementing the NIS-2 Directive. This introduced new national rules for cybersecurity and information security that go far beyond previous requirements. Companies that have so far operated under the radar must now assess whether they are affected – and if so, urgently adapt their security measures, processes and governance structures.

The delay in implementation gave many organisations a bit of breathing room, but now the pressure to act begins. Those who prepare early can gain a competitive advantage – those who react too late risk penalties, reputational damage or even business disruption.

Key Points at a Glance

The Bundestag adopted the NIS-2 Implementation Act on 13 November 2025.

The law expands its scope to significantly more companies and public authorities – an estimated 29,500 entities in Germany.

New obligations include risk management, technical and organisational measures, incident reporting with defined deadlines (e.g., first report within 24 hours), as well as expanded oversight and sanctions by the Federal Office for Information Security (BSI).

Companies should now carry out an impact assessment, revise regulatory and compliance processes and align governance and IT security architecture with the tightened requirements.

Why This Topic Matters

Digital connectivity and dependency on IT systems and services have increased significantly in recent years. At the same time, the threat posed by cyber attacks, targeted sabotage, espionage and hybrid attacks on critical infrastructure continues to grow. In this environment, the previous legal framework in Germany was no longer considered sufficient by many experts.

The EU NIS-2 Directive aims to ensure a high and consistent level of security for network and information systems across the Union.

Since Germany missed the deadline for implementing the directive, action was required – the newly adopted law represents the next crucial step.

For companies, this means the following: not only traditional operators of critical infrastructures (KRITIS) are affected, but also many organisations that were previously not within this category. This significantly increases the number of regulated entities – creating a competitive advantage for those who prepare early.

What Requirements and Obligations Must Be Met?

Companies that fall under the new rules face several new requirements. The most important obligations at a glance:

Scope and Categories

The law distinguishes between “essential entities” and “important entities”. Both categories are subject to the requirements, with different intensities depending on criticality.

Companies from sectors such as energy, healthcare, transport, digital services or public administration typically fall under these rules. However, other organisations may also be affected if their services are relevant for the functioning of society.

Technical and Organisational Measures (TOM)

Affected entities must implement IT security measures that reflect the state of the art. These include risk analyses, business continuity plans, backup concepts, encryption, access controls and monitoring and detection of attacks.

The law now places much stronger emphasis on integrating supply chain and third-party risks – companies must understand and manage their dependencies.

Incident Reporting and Notification Obligations

A central element is the reporting obligation for security incidents. A new three-stage regime applies:

  • First notification within 24 hours after detection
  • Interim report after 72 hours
  • Final report no later than one month later

These deadlines turn incident reporting into a time-critical compliance and management task.

Expanded Oversight and Sanctions

The BSI assumes expanded supervisory and audit functions. It can issue sanctions, publish guidance and maintain the required registers.

Companies must also register and designate responsibilities – such as a person responsible for information security.

Role of Public Administration

New: Public authorities and federal administration are now also subject to minimum requirements. This brings governmental IT security to the same level as the private sector – an important step for overall resilience.

What Companies Should Do Now

  • Conduct an impact assessment to determine whether the organisation falls under the categories “essential” or “important”.
  • Perform a gap analysis of existing IT security, governance and reporting processes and align them with NIS-2 requirements.
  • Revise governance and risk management processes: Who is responsible? How is risk measured? How quickly do we report incidents?
  • Implement and document technical measures: risk analysis, access controls, incident response plan, backup and recovery strategy.
  • Establish reporting and notification processes: define responsibilities and ensure deadlines can be met.
  • Provide training and awareness programmes for employees: cyber risks, reporting obligations, responsibilities.
  • Set up monitoring and reporting structures: dashboards for incidents, risks and measures, including third-party risk management.

Those who start early can not only ensure compliance but also gain competitive advantages – for example, by strengthening trust in partner relationships or reducing insurance premiums.

Conclusion

With the law implementing the NIS-2 Directive, Germany marks a decisive step towards digital resilience. For companies, this means cybersecurity is no longer voluntary but becomes a regulated and strategically essential task.

The requirements are demanding – but those who act early secure legal certainty and build trust with customers, partners and investors.

FAQ

Who is affected by NIS-2 implementation?
Companies classified as “essential entities” or “important entities” are affected, particularly in sectors such as energy, healthcare, transport and digital services, as well as public authorities and administration.

When do the new regulations apply?
The Bundestag adopted the law on 13 November 2025. It still needs approval by the Bundesrat and publication in the Federal Law Gazette before it enters into force.

What deadlines apply for reporting security incidents?
Initial report within 24 hours of detection, interim report after 72 hours, final report after one month at the latest.

What happens if the requirements are not met?
The BSI receives extended supervisory and sanctioning powers. Violations may lead to fines and further legal consequences.

How should companies proceed now?
Conduct an impact and gap analysis, adjust governance and risk processes, document technical measures, establish reporting processes and train employees.