Everything you need to know about the NIS2 directive in Germany: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
NIS2-Umsetzungs- und Cybersicherheitsstaerkungsgesetz (NIS2UmsuCG)
Adopted / in force: 2025-12-06
Bundesamt fuer Sicherheit in der Informationstechnik (BSI)
https://www.bsi.bund.de
Up to EUR 10 million or 2% of global annual turnover
Up to EUR 7 million or 1.4% of global annual turnover
2025-12-06: NIS2UmsuCG entered into force. All in-scope entities are legally bound.
2026-04-17: Mandatory registration deadline with BSI for essential and important entities.
2026-07-01: Full enforcement and active supervision by BSI begins for most sectors.
Germany was the first major EU economy to enforce NIS2 with a real fine: EUR 850,000 issued to a cloud provider in February 2026.
The NIS2UmsuCG replaces the BSIG and expands scope from ~5,000 KRITIS operators to an estimated 30,000+ in-scope companies.
Personal liability for management (Geschaeftsfuehrer-Haftung) — directors can be held personally liable for non-compliance.
Registration with the BSI portal is mandatory within 3 months of becoming in-scope.
Significant incidents must be reported to CERT-Bund within 24 hours (early warning) and 72 hours (full notification).