Everything you need to know about the NIS2 directive in Deutschland: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
The NIS2-Umsetzungs- und Cybersicherheitsstaerkungsgesetz (NIS2UmsuCG) entered into force on 6 December 2025 and fully re-enacts the BSI Act (BSIG 2025), widening scope from roughly 5,000 KRITIS operators to an estimated 30,000+ in-scope companies. Unlike France or Italy, Germany included no general transitional period: obligations bind from the day the law took effect, and the BSI may already exercise its supervision powers.
Transposition law: NIS2-Umsetzungs- und Cybersicherheitsstaerkungsgesetz (NIS2UmsuCG)
Adopted / in force: 2025-12-06
Competent authority: Bundesamt fuer Sicherheit in der Informationstechnik (BSI), https://www.bsi.bund.de
Maximum fine (essential entities): up to EUR 10 million or 2% of global annual turnover
Maximum fine (important entities): up to EUR 7 million or 1.4% of global annual turnover
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
Each layer of IT-Grundschutz — the national framework for NIS2 — shown against the NIS2 controls it covers. This is the authority's own correspondence, not a generic article list: where a layer has no direct NIS2 control nexus, we say so.
| Layer (IT-Grundschutz) | NIS2 control(s) | ISO 27001 correspondence | Status |
|---|---|---|---|
| Security Management (ISMS) · 1 building block | — | | No direct NIS2 mapping |
| Organisation and Personnel (ORP) · 5 building blocks | Art. 20(2); Art. 21(2)(a); Art. 21(2)(f); Art. 21(2)(g); Art. 21(2)(i); Art. 21(2)(j) | | Mapped |
| Concepts and Approaches (CON) · 9 building blocks | Art. 21(2)(c); Art. 21(2)(c)(1); Art. 21(2)(e); Art. 21(2)(g); Art. 21(2)(h); Art. 21(2)(i); Art. 21(2)(j) | | Mapped |
| Operations (OPS) · 14 building blocks | Art. 21(2)(a); Art. 21(2)(b); Art. 21(2)(c); Art. 21(2)(d); Art. 21(2)(e); Art. 21(2)(g); Art. 21(2)(i); Art. 21(2)(j) | | Mapped |
| Detection and Response (DER) · 7 building blocks | Art. 21(2)(b); Art. 21(2)(b)(1); Art. 21(2)(c); Art. 21(2)(c)(3); Art. 21(2)(f) | | Mapped |
| Applications (APP) · 20 building blocks | Art. 21(2)(e); Art. 21(2)(g); Art. 21(2)(i); Art. 21(2)(j) | | Mapped |
| IT Systems (SYS) · 25 building blocks | Art. 21(2)(c); Art. 21(2)(e); Art. 21(2)(i) | | Mapped |
| Industrial IT (OT/ICS) (IND) · 7 building blocks | Art. 21(2)(b); Art. 21(2)(c); Art. 21(2)(d); Art. 21(2)(e); Art. 21(2)(j) | | Mapped |
| Networks and Communication (NET) · 11 building blocks | Art. 21(2)(e); Art. 21(2)(h); Art. 21(2)(i); Art. 21(2)(j) | | Mapped |
| Infrastructure (Physical) (INF) · 12 building blocks | Art. 21(2)(c); Art. 21(2)(e); Art. 21(2)(g); Art. 21(2)(i) | | Mapped |
ISO 27001: IT-Grundschutz can be certified as “ISO 27001 auf der Basis von IT-Grundschutz”; the BSI does not publish a per-layer ISO 27001:2022 Annex A correspondence.
Mapping derived from the authority's published IT-Grundschutz framework. Reglyze maintains it as the source data evolves — see the platform for the full control-by-control view.
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Germany's transposition and BSI supervision focus most.
Critical-infrastructure operators (KRITIS) under § 31 BSIG keep their pre-existing obligations stacked on top of the general § 30 baseline — triennial Nachweispflichten (§ 39) plus mandatory attack-detection systems (Systeme zur Angriffserkennung). NIS2 does not replace KRITIS; it widens the net around it.
The bulk of the new ~30,000 in-scope entities are medium-sized manufacturers — automotive suppliers, machine-tool builders, chemical and food producers — that fall under Annex II as important entities once they pass the 50-employee / EUR 10M threshold.
Cloud providers, data centres, managed service providers and DNS/TLD operators are in scope regardless of size. A small German MSP serving regulated customers is typically caught even below 50 employees.
2025-12-06: NIS2UmsuCG entered into force. All in-scope entities are legally bound.
2026-03-06: Mandatory registration deadline with the BSI for essential and important entities — three months after entry into force (§ 33 BSIG).
2026-07-01: Full enforcement and active supervision by the BSI begins for most sectors.
Two worked examples of how NIS2 scoping plays out in Germany. Not sure where you land? Run the free NIS2 scope checker.
Manufacturing sits in Annex II and the company is above the 50-employee threshold. It must register with the BSI within 3 months of becoming in-scope (§ 33 BSIG) and implement the Article 21 risk-management measures.
ICT service management is a covered sector, and managed / cloud service providers can be in scope regardless of headcount. The MSP must therefore treat itself as in-scope even below the general size thresholds.
Germany included no general transitional period: NIS2 obligations bind from the entry into force of the NIS2UmsuCG on 6 December 2025.
The NIS2UmsuCG replaces the BSIG and expands scope from ~5,000 KRITIS operators to an estimated 30,000+ in-scope companies.
Personal liability for management (Geschaeftsfuehrer-Haftung) — directors can be held personally liable for non-compliance.
Registration with the BSI portal is mandatory within 3 months of becoming in-scope.
Significant incidents must be reported to CERT-Bund within 24 hours (early warning) and 72 hours (full notification).
For essential entities the BSI exercises continuous, ex-ante supervision under § 61 BSIG — on-site inspections during normal operating hours, security audits, certification orders and information requests on demand — so plan your artefact set to be retrievable in hours, not weeks. Important entities face ex-post supervision only (§ 62), triggered by specific concerns. Management bodies (Geschaeftsleitung) carry an explicit triple duty — implement, oversee and train (§ 38) — plus personal civil liability for damage caused by negligent breach (§ 38 Abs. 2). The fine schedule in § 65 stages seven severity tiers, from EUR 100,000 for accessibility or negligence violations up to the EUR 10M / 2% ceiling.
Primary references for NIS2 in Germany — verify the latest text and deadlines directly with the authority.