Germany's NIS2 implementation law entered into force on 6 December 2025 with no transition period. The BSI has enforcement authority from day one. If your organisation operates in Germany and hasn't completed its gap analysis, your compliance obligations are already overdue.
BSI registration deadline passed. In-scope entities were required to register with the BSI by 6 March 2026. If you have not registered, this is now an enforcement risk in itself. The BSI portal is open at bsi.bund.de — we fast-track registration and gap analysis simultaneously.
NIS2 in Germany — at a glance
Germany transposed NIS2 through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSIG. Here is what defines your obligations.
| Aspect | Detail |
|---|---|
| Status | In force since 6 December 2025 — no transition period |
| National law | NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSIG (§30 ff.) |
| Competent authority | BSI — Bundesamt für Sicherheit in der Informationstechnik (bsi.bund.de) |
| Registration deadline | 6 March 2026 — already passed; registration via the BSI portal & Mein Unternehmenskonto (MUK) |
| Entities in scope | ~30,000 (up from ~4,500 under the previous NIS1 regime) |
| Entity categories | Besonders wichtige Einrichtungen (particularly important) & wichtige Einrichtungen (important) |
| Maximum fines | Up to €10M or 2% of global turnover (particularly important); €7M or 1.4% of global turnover (important) |
German NIS2 implementation
Germany implemented NIS2 with additional national requirements that go beyond the directive. These are the distinguishing obligations the BSI enforces.
The Bundesamt für Sicherheit in der Informationstechnik is Germany's NIS2 competent authority — one of Europe's most technically rigorous cyber agencies, with powers for ex-ante inspections of particularly important entities and ex-post audits of important entities.
Germany distinguishes besonders wichtige and wichtige Einrichtungen. The law is deliberately broader than the directive requires, bringing roughly 30,000 entities into scope versus 4,500 under the previous regime.
Operators of critical facilities must implement mandatory attack detection systems and demonstrate compliance to the BSI every three years via audit, inspection or certification (§31 BSIG) — beyond standard NIS2 requirements.
The German law introduces an obligation to disclose certain ICT components — not present in the EU baseline. It affects how you document and report your technology stack to the BSI, particularly in critical infrastructure sectors.
Board members and senior executives can be held personally liable for cybersecurity failures under the new BSIG. Management must formally approve security measures and receive documented, auditable periodic training.
German companies must audit the security posture of critical suppliers and embed NIS2-compliant clauses in contracts. A breach originating from a poorly managed supplier is your organisation's legal responsibility — and potential BSI sanction.
BSI registration
Registration is not administrative paperwork — it is a legal prerequisite for compliance. Failing to register exposes your organisation to immediate enforcement action.
The MUK is the authentication layer for the BSI portal, using ELSTER organisation certificates. It must be set up before registration. If your organisation lacks ELSTER certificates, this step alone can take several weeks.
Once your MUK account is active, registration is completed at the BSI portal (bsi.bund.de), open since January 2026. The portal also serves as the reporting platform for significant security incidents — you need it active regardless of registration status.
Changes to registered information must be reported to the BSI without undue delay — no later than two weeks after awareness — including changes to key personnel, critical systems and organisational structure relevant to NIS2 scope.
Missed the 6 March 2026 deadline? Proactive registration before any enforcement contact is always treated more favourably. We fast-track BSI registration support alongside your gap analysis — get registration support.
Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the NIS2 gap analysis and reports, our engineers deliver the security work the Directive actually requires: system hardening, MFA and identity governance, encryption and PKI, network segmentation, EDR and 24/7 monitoring, backup and disaster recovery, penetration testing and incident response. One team takes you from assessment to a fully implemented, audit-ready and resilient infrastructure.
The ten risk-management measures (Article 21 NIS2 · §30 BSIG)
Particularly important entities face proactive BSI inspections; important entities face ex-post audits when incidents occur. Both need these measures fully implemented and documented.
Risk analysis and security policies: formal threat assessment, Business Impact Analysis and board-approved risk appetite, documented and reviewed periodically and whenever significant changes occur.
Incident handling and reporting: detection and classification procedures plus BSI reporting (24h early warning, 72h full notification, 30-day final report) via the BSI portal or the online incident form.
Business continuity and crisis management: continuity plans, tested disaster recovery, backup management and crisis management with documented RTO and RPO targets approved at board level.
Supply chain security: security assessment of critical suppliers, NIS2-compliant contractual clauses and continuous monitoring, including the ICT products and services used in your infrastructure.
Secure acquisition, development and maintenance: structured vulnerability management, penetration testing and hardening. For operators of critical facilities: mandatory attack detection systems under §31 BSIG.
Effectiveness assessment: policies and procedures to test the effectiveness of risk-management measures, including audits, certification cycles and red-team exercises.
Access control and authentication: zero-trust architecture, mandatory MFA on critical systems, IAM governance and Privileged Access Management, with least-privilege principles documented and enforced.
Human resources security and training: awareness programmes, secure onboarding/offboarding and insider-risk management. Under the BSIG, management must receive documented periodic training, auditable by the BSI.
Cyber hygiene and asset management: systematic patch management, asset inventory, endpoint security and documented BYOD policies, including the ICT component disclosure obligations of the German implementation.
Cryptography and encryption: encryption of data at rest and in transit as a minimum standard, key and certificate lifecycle management and digital signatures compliant with German and EU standards.
Existing certifications
ISO 27001 covers roughly 70–80% of NIS2 Article 21 requirements. The remaining gaps are specific to NIS2 and the German law — and must be addressed separately.
Already covered by ISO 27001: risk-management framework, security policies, access control, cryptography, supplier security, incident management and business continuity. All of these overlap with NIS2 and reduce your remediation effort.
Not covered by ISO 27001 (NIS2- and BSIG-specific): 24h/72h BSI incident reporting timelines, the BSI registration obligation, documented management training, NIS2-specific supply chain clauses and, for critical facilities, mandatory attack detection under §31 BSIG.
We map your existing ISMS against the NIS2 delta to avoid duplicating completed work. Most ISO 27001-certified companies need 4–8 weeks of targeted remediation, not a full programme from scratch.
How we work
A structured four-phase process with clear deliverables at each stage. We work alongside your team to minimise operational disruption.
Phase 1: We confirm your entity classification, identify sector obligations and support your BSI registration via MUK and the BSI portal if not yet done.
Phase 2: Technical-legal assessment against all 10 §30 BSIG measures, mapped to your existing controls (ISO 27001, SOC 2). Delivered within 5 working days.
Phase 3: Prioritised plan with effort, cost and timeline. BSI enforcement-risk and registration gaps first. Management-training documentation included.
Phase 4: Technical hardening, policy documentation, management training and support during BSI inspections, including attack-detection rollout for critical facilities.
Start today
The gap analysis is the mandatory starting point. In 5 working days you will have a precise picture of your position against the NIS2UmsuCG and BSI requirements.
Our senior consultants will respond within 48 hours with a free preliminary assessment of your NIS2UmsuCG exposure.
No commitment · Response in 48h · Trusted by 80+ companies across Europe
FAQ
The questions we hear most often from German CISOs, CEOs and legal counsel.
~30,000 entities in scope. Free gap analysis in 48 hours — we assess your NIS2UmsuCG exposure, map gaps against BSI requirements, support your registration and give you a clear remediation roadmap.