NIS2 in Germany: How the New BSI-Gesetz Transposes the EU Directive

Germany transposed NIS2 through the NIS2UmsuCG of 5 December 2025, replacing the BSI-Gesetz in full. Scope, BSI authority, KRITIS rules, incident reporting, fines and what to do this quarter.

Daniel Grigorovich
Founder · 4 Jun 2026 · 29 min read

Who should read this: Compliance Officers, CIOs, CISOs, In-house Counsel, Risk Leaders, and Operations Leaders at organisations active in Germany.

After more than two years of preparation, two failed legislative attempts in previous Bundestag terms, and an unusually wide-ranging omnibus design, Germany has transposed the NIS2 Directive (Directive (EU) 2022/2555) into national law. The Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung, known during the procedure as the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), was published as BGBl. 2025 I Nr. 301 on 5 December 2025 and entered into force on 6 December 2025. Its Art. 1 enacts an entirely new BSI-Gesetz (BSIG) that replaces the prior BSI-Gesetz of 14 August 2009 (BGBl. I S. 2821), repealed by Art. 29. Articles 2 through 28 amend twenty-seven adjacent statutes and ordinances, including the Energiewirtschaftsgesetz (EnWG), the Telekommunikationsgesetz (TKG), several SGB volumes and digital-services ordinances. The full citation is the NIS-2-Richtlinie-Umsetzungsgesetz (NIS2-RLUG), and the working name in practice remains NIS2UmsuCG.

For organisations operating in Germany, the legal posture has shifted in three concrete ways since 6 December 2025. First, the scope of regulated entities is vastly wider than under the prior BSIG: the IT-Sicherheitsgesetz 2.0 had captured roughly 4,500 KRITIS operators; the new regime covers an estimated 29,000 to 30,000 entities, including most medium and large undertakings across the fourteen sectors of Anlage 1 and Anlage 2. Second, the institutional architecture concentrates significant power at the Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), which serves as competent authority, single point of contact, CSIRT, central reporting point and (under § 60) the EU-wide competent authority for digital-infrastructure entities with their main EU establishment in Germany. Third, the enforcement teeth are real: administrative fines (Bußgelder) reach EUR 10 million or 2% of worldwide group turnover for besonders wichtige Einrichtungen, with periodic penalty payments (Zwangsgelder) of up to EUR 100,000 per established breach on top.

This article is a practical, business-reader guide to what the new BSIG requires of leadership teams that are now roughly six months into implementation. It maps each obligation to its EU directive counterpart, identifies which German authority handles each interaction, and points to the source articles that go deeper on the underlying topic. It is not legal advice; for that, consult counsel. But it should give a leadership team enough to plan, budget, and assign owners.

For wider context on the directive itself, see our NIS2 Compliance guide.

The legislative path: from IT-SiG to the NIS2UmsuCG

NIS1 was transposed into German law in 2017 through the BSI-Gesetz as amended by the first IT-Sicherheitsgesetz (IT-SiG, 2015) and the second IT-Sicherheitsgesetz (IT-SiG 2.0, 2021). That framework regulated approximately 4,500 KRITIS operators identified by the BSI-Kritisverordnung (BSI-KritisV), plus digital service providers in a narrow set of categories. It introduced, among other obligations, the mandatory deployment of attack-detection systems (Systeme zur Angriffserkennung) for KRITIS operators, an obligation that has now been carried over into § 31 Abs. 2 of the new BSIG.

The path to transposition was not smooth. Two earlier drafts, in the 20th Bundestag, failed to reach a vote before the dissolution of the legislature. The current 21st Bundestag adopted the NIS2UmsuCG on 13 November 2025, the Bundesrat consented on 21 November 2025, the President signed on 2 December 2025, BGBl publication followed on 5 December 2025, and Art. 30 set entry into force on the day after publication, 6 December 2025. The transposition deadline under the directive had expired on 17 October 2024, which had attracted infringement proceedings from the European Commission; those proceedings have now wound down following entry into force.

The omnibus design (Mantelgesetz) is the structural choice that distinguishes Germany from most other Member States. Art. 1 enacts the new BSIG. Arts. 2 through 28 thread NIS2 obligations through 27 adjacent acts and ordinances, ranging from the EnWG to the TKG, the SGB V and SGB XI, the DiGAV (digital health applications ordinance), the AWV (foreign trade ordinance, for investment screening), the Hinweisgeberschutzgesetz (whistleblower protection), and the VDG (trust services law). Art. 29 repeals the old BSIG in full. Art. 30 governs entry into force. The consolidated new BSIG is published at gesetze-im-internet.de/bsig_2025; the BGBl entry sits at recht.bund.de/bgbl/1/2025/301/VO.html under the ELI permalink recht.bund.de/eli/bund/bgbl-1/2025/301.

If your organisation was already covered as a KRITIS operator under the old BSIG, you do not get a clean slate. Your designation carries forward, with a single transitional concession under § 39 Abs. 3: the next conformity proof (Nachweis) under the new audit cycle may be filed within three years of your last § 8a Abs. 3 audit under the old BSIG. All other new obligations apply immediately. For a recap of what changed between the two regimes, see NIS1 vs NIS2: Key Differences.

Who is in scope

§ 28 of the new BSIG implements the directive’s two-step scoping logic and introduces the German taxonomy.

Two regulated tiers. The Law distinguishes especially important entities (besonders wichtige Einrichtungen), which correspond to the directive’s “essential entities”, from important entities (wichtige Einrichtungen), which correspond to the directive’s “important entities”. § 28 Abs. 1 lists who counts as besonders wichtig: (i) operators of critical installations (Betreiber kritischer Anlagen, KRITIS operators) regardless of size; (ii) qualified trust service providers, top-level-domain registries and DNS service providers regardless of size; (iii) providers of public telecoms services exceeding 50 staff or EUR 10 million turnover and balance-sheet thresholds; and (iv) other Anlage 1 entities with at least 250 employees or more than EUR 50 million turnover and more than EUR 43 million balance sheet total. § 28 Abs. 2 captures the wichtige tier: trust service providers below the qualified threshold, smaller telecoms providers, and other entities in Anlage 1 or Anlage 2 that meet the medium-enterprise threshold of at least 50 employees or more than EUR 10 million in turnover and balance sheet. Size criteria follow Commission Recommendation 2003/361/EC per § 28 Abs. 4. For a deeper read on this two-tier model, see Essential vs important entities under NIS2.

Anlage 1: seven sectors of high criticality. Energie (Strom, Fernwärme, Kraftstoff, Gas), Transport und Verkehr (Luft, Schiene, Schifffahrt, Straße), Finanzwesen (Bankwesen, Finanzmarktinfrastrukturen), Gesundheit, Wasser (Trinkwasser, Abwasser), Digitale Infrastruktur (IXP, DNS, TLD, Cloud, Rechenzentren, CDN, Vertrauensdienste, Telekom, MSP, MSSP), and Weltraum (space).

Anlage 2: seven other critical sectors. Post- und Kurierdienste, Abfallbewirtschaftung, Chemie, Lebensmittel, Verarbeitendes Gewerbe (Medizinprodukte, EDV/Elektronik, Elektrik, Maschinenbau, Kfz, sonstiger Fahrzeugbau), Anbieter digitaler Dienste (Online-Marktplätze, Online-Suchmaschinen, soziale Netzwerke), and Forschung. Manufacturing readers will want to pair this with NIS2 in the manufacturing sector, which walks through the verarbeitendes-Gewerbe carve-in in detail.

KRITIS operators. § 28 Abs. 1 Nr. 1 automatically classifies operators of critical installations as besonders wichtige, regardless of size. What counts as a kritische Anlage is set by the revised BSI-Kritisverordnung (BSI-KritisV) under § 56 Abs. 4, amended by Art. 8 of the Mantelgesetz. The KRITIS perimeter remains the heart of Germany’s high-criticality regime and overlays a stricter set of duties under § 31, discussed below.

The federal administration. § 29 BSIG brings the federal administration (Bundesverwaltung) within scope: federal bodies, public-law IT service providers of the Bund and similar entities are treated as besonders wichtige with carve-outs. Specifically, §§ 38, 40 Abs. 3, 61 and 65 do not apply to them, so the management-body, sanction and direct-supervision regimes are replaced by an internal information-security governance structure (a Koordinator für Informationssicherheit under § 48, Ressort-ISBs under § 46, and per-Einrichtung ISBs under § 45). The Auswärtiges Amt, the BMVg, the Federal Intelligence Service (BND, Bundesnachrichtendienst) and the Federal Constitutional Protection Office (BfV, Bundesamt für Verfassungsschutz) are carved out by § 29 Abs. 3; the Bundeswehr’s IT is exempt from BSI inspection except at interfaces (§ 7 Abs. 7); and § 37 contemplates an Ausnahmebescheid where national security so requires.

The Länder gap. This is a distinctly German feature and one that compliance teams need to internalise. The new BSIG does not cover Länder, Kommunen or Sozialversicherungsträger. Per Art. 2(2)(f)(ii) NIS2, each Land must legislate its own regional NIS2 regime to capture its administration and the entities it supervises (§ 28 Abs. 9 expressly excludes wholly Land-owned bodies covered by parallel Land law; § 40 Abs. 2 mandates BSI coordination with the Länder supervisors that are designated). Several Länder have published draft Landes-NIS2-Gesetze, others are in consultation, and a patchwork of regional regimes is emerging. Multi-Land entities should track each relevant Land’s legislative file separately.

If you are unsure whether the new BSIG applies to your organisation, the fastest first check is our NIS2 scope checker, which walks through sector and size in three clicks. For a deeper read on how scoping works in the directive itself, see NIS2 scope and applicability.

Sectoral carve-outs. § 28 Abs. 6 Nr. 1 excludes financial entities falling within the scope of Regulation (EU) 2022/2554 (DORA) from §§ 30, 31, 32, 35, 36, 38 and 39 BSIG. Where DORA applies, it applies in place of NIS2 for the same conduct. § 28 Abs. 5 establishes an analogous principle for public telecoms and EnWG-regulated energy entities: sector law applies for the regulated activity, but the BSIG continues to apply to any additional kritische Anlagen they operate. The DORA boundary is unpacked in NIS2 and the financial sector: how DORA overlaps with banking and in NIS2, DORA and CER: overlapping regulations explained.
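The two-step scoping logic above (sector, then size, with the size-independent categories and the DORA carve-out taking precedence) is a decision procedure a compliance team will run across every group entity. The following is an added example, not code from the article or from the BSI: it encodes the article's reading of § 28 as a small classifier. The field names of `Entity` and the ordering of the rules are this example's own; the size thresholds are the ones the article quotes from Commission Recommendation 2003/361/EC, read so that both financial figures must be exceeded where the text says "turnover and balance sheet". Treating non-qualified trust service providers as wichtig regardless of size is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Size thresholds as the article summarises § 28 BSIG (Commission Recommendation
# 2003/361/EC): "large" = at least 250 staff, or turnover above EUR 50m AND
# balance sheet above EUR 43m; "medium" = at least 50 staff, or turnover above
# EUR 10m AND balance sheet above EUR 10m. The AND reading is this example's assumption.
LARGE_STAFF, LARGE_TURNOVER, LARGE_BALANCE = 250, 50_000_000, 43_000_000
MEDIUM_STAFF, MEDIUM_TURNOVER, MEDIUM_BALANCE = 50, 10_000_000, 10_000_000


@dataclass
class Entity:
    """Facts a compliance team collects before a scoping call.
    Field names are this example's own, not BSIG terminology."""
    name: str
    annex: Optional[int]              # 1 or 2 for Anlage 1/2, None if in neither
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    kritis_operator: bool = False     # operates a kritische Anlage (§ 28 Abs. 1 Nr. 1)
    qualified_trust_provider: bool = False
    trust_provider: bool = False      # trust service provider below the qualified threshold
    tld_or_dns: bool = False          # TLD registry or DNS service provider
    public_telecom: bool = False      # provider of public telecoms services
    dora_financial: bool = False      # financial entity under DORA (§ 28 Abs. 6 Nr. 1)


def is_large(e: Entity) -> bool:
    return e.employees >= LARGE_STAFF or (
        e.turnover_eur > LARGE_TURNOVER and e.balance_sheet_eur > LARGE_BALANCE)


def is_at_least_medium(e: Entity) -> bool:
    return e.employees >= MEDIUM_STAFF or (
        e.turnover_eur > MEDIUM_TURNOVER and e.balance_sheet_eur > MEDIUM_BALANCE)


def classify(e: Entity) -> str:
    """Walk the article's reading of § 28 top-down; the first matching rule wins."""
    # DORA is lex specialis: financial entities under Regulation (EU) 2022/2554
    # are carved out of §§ 30-39 BSIG, so the BSIG tiers are not applied.
    if e.dora_financial:
        return "DORA (§§ 30-39 BSIG disapplied)"
    # Size-independent besonders-wichtig categories (§ 28 Abs. 1 Nr. 1 and 2).
    if e.kritis_operator or e.qualified_trust_provider or e.tld_or_dns:
        return "besonders wichtig"
    # Public telecoms: medium size already makes them besonders wichtig,
    # smaller providers land in the wichtig tier.
    if e.public_telecom:
        return "besonders wichtig" if is_at_least_medium(e) else "wichtig"
    # Non-qualified trust providers: wichtig (treated as size-independent here).
    if e.trust_provider:
        return "wichtig"
    # Everyone else goes by Anlage and size; Anlage 2 never rises above wichtig.
    if e.annex == 1 and is_large(e):
        return "besonders wichtig"
    if e.annex in (1, 2) and is_at_least_medium(e):
        return "wichtig"
    return "out of scope"


if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    samples = [
        Entity("Stadtwerke with a kritische Anlage", 1, 40, 8e6, 6e6, kritis_operator=True),
        Entity("Mid-sized medical device maker", 2, 120, 30e6, 20e6),
        Entity("Regional bank", 1, 900, 400e6, 2e9, dora_financial=True),
        Entity("Small Anlage 1 entity", 1, 30, 5e6, 4e6),
    ]
    for s in samples:
        print(f"{s.name}: {classify(s)}")
```

The rule order matters: a 40-person Stadtwerke that operates a kritische Anlage is besonders wichtig even though it fails every size test, and a 500-person Anlage 2 manufacturer stays wichtig because Anlage 2 has no besonders-wichtig tier by size. Whether an installation is a kritische Anlage still has to come from the BSI-KritisV; the classifier only consumes that answer.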

The German institutional architecture

The new BSIG concentrates the bulk of cybersecurity supervision at a single federal body, the BSI, and layers sectoral supervisors on top for the regulated industries. This concentration is a deliberate choice and a meaningful contrast with the Luxembourg model. For the EU-wide perspective, our reference article on NIS2 institutional architecture: authorities, CSIRTs and contact points lays out the pattern.

Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik). The BSI is the national competent authority, single point of contact (zentrale Verbindungsstelle), national CSIRT and central reporting point (zentrale Melde- und Anlaufstelle) for besonders wichtige and wichtige entities under §§ 3 Abs. 1 Nr. 3 and 24, 5 Abs. 3 Nr. 5, and 40 Abs. 1. Practical implication: the same body that drafts technical standards, certifies products, advises ministries and runs the federal CERT is now also the body that inspects, audits, requests information, issues binding instructions and (subject to a sectoral co-decision rule) imposes fines on most non-financial entities.

EU-wide central competence under § 60. This is the single most strategically significant German provision. For cross-border digital-infrastructure and digital-service providers whose main establishment in the EU is in Germany (cloud providers, data centres, CDN operators, MSPs, MSSPs, DNS providers, TLD registries, online marketplaces, search engines and social networks), the BSI is competent for the entire EU footprint, not merely the German part. Combined with the size of the German market, this means the BSI may end up as the de facto NIS2 supervisor of several major hyperscalers and digital-service businesses on behalf of the entire Union. § 34 imposes a parallel registration regime for these entities, with data forwarded to ENISA.

Federal Network Agency (BNetzA, Bundesnetzagentur). BNetzA retains sectoral primacy in telecoms and energy. For telecoms, the substantive regime sits in TKG §§ 165 to 168 as amended by Art. 25 of the Mantelgesetz, with the rewritten § 168 routing incident reports to both BNetzA and the BSI Meldestelle. For energy, EnWG §§ 5c to 5e (Art. 17) require BNetzA to issue the IT-Sicherheitskatalog im Einvernehmen with the BSI; the kritische-Komponenten catalogue must follow by 6 January 2026.

Federal Financial Supervisory Authority (BaFin, Bundesanstalt für Finanzdienstleistungsaufsicht). Most financial entities fall under DORA rather than the new BSIG, with BaFin as the supervisor. Where NIS2 still has a hook, the BSI/BaFin cooperation mandate at § 3 Abs. 1 Nr. 29 governs information exchange and joint action.

Federal Office of Civil Protection and Disaster Assistance (BBK, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe). The BBK does not regulate, but it operates the joint reporting and registration portal together with the BSI under §§ 32 Abs. 1 and 33 Abs. 1. Operationally this means a single front door: in-scope entities register, change contact data and notify incidents through one platform that serves both bodies.

Federal Ministry of the Interior (BMI, Bundesministerium des Innern). Under § 41, the BMI (im Benehmen with the sectoral ministry) may prohibit a KRITIS operator from deploying a specific vendor’s critical component (kritische Komponente). The provision is the successor to old § 9b BSIG and to the politically charged 5G and Huawei discussions. § 41 Abs. 2 allows a ban to extend to all operators and to future deployments, not just the one in question.

Federal Commissioner for Data Protection and Freedom of Information (BfDI, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit). The BfDI is not a NIS2 authority, but it sits at the crossroads of two important interfaces: §§ 7 Abs. 8 and 61 Abs. 11 require the BSI to inform the GDPR supervisor of personal-data breaches encountered during inspections, and § 65 Abs. 11 codifies a non-bis-in-idem rule preventing double fines where the BfDI or a Land DPA has already sanctioned the same conduct under the GDPR.

The Länder authorities. As noted above, the Länder must designate their own regional NIS2 supervisors per § 2 Nr. 2b; the BSI coordinates them through § 40 Abs. 2. Multi-Land entities therefore deal with the BSI at federal level and with the relevant Land supervisor for any Land-owned or Land-supervised activity.

Germany has not created a new federal cyber-crisis structure under NIS2: the BSI’s existing CSIRT role under § 3, § 5 and § 40 continues, and EU-CyCLONe representation runs through the BSI.

National strategy and crisis posture

The NIS2UmsuCG does not enact a single new statutory cybersecurity strategy document the way the Luxembourg Law does. Germany has long published a Cybersicherheitsstrategie für Deutschland (most recently 2021) and a Konzeption Zivile Verteidigung (2016), and the BMI is preparing a successor strategy under Art. 7 of the directive. For the EU baseline of what a national cybersecurity strategy must cover, see The national cybersecurity strategy: what Article 7 requires. For Germany’s role in the EU coordination architecture, including EU-CyCLONe and the CSIRTs Network, see The Cooperation Group, EU-CyCLONe and the CSIRTs Network.

The ten cybersecurity risk-management measures (§ 30)

§ 30 of the new BSIG is the operational core for the general regulated population. It requires besonders wichtige and wichtige entities to take “geeignete, verhältnismäßige und wirksame” technical and organisational measures, applying an all-hazards approach and reflecting the state of the art (Stand der Technik) under § 30 Abs. 2 Satz 1. The Verhältnismäßigkeit (proportionality) test in § 30 Abs. 1 weighs risk exposure, the entity’s size, implementation cost, likelihood and severity of incidents, and societal and economic impact. The deep treatment of how this proportionality test plays out across entity types is in NIS2 proportionality and compliance.

§ 30 Abs. 2 lists the ten measure categories verbatim from Art. 21(2) of the directive:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, including backup management, disaster recovery, and crisis management;
  • supply-chain security, including security-related aspects of relationships with direct suppliers and service providers;
  • security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber-hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access-control policies, and asset management;
  • multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems within the entity, as appropriate.

For the deep dive on what each of these covers in practice, see The 10 cybersecurity measures of NIS2 Article 21. The all-hazards principle is unpacked in The all-hazards approach: physical security under NIS2. Supply chain risk gets its own treatment in Supply-chain security and vendor risk under NIS2.

Two Germany-specific notes. First, § 30 Abs. 6 authorises the Bundesregierung to mandate certified products or services by Rechtsverordnung (statutory ordinance), so a control family can be tightened over time from “appropriate” to “must use a scheme-certified product”. Second, § 30 Abs. 8 carries forward the German tradition of industry-proposed sector standards (branchenspezifische Sicherheitsstandards), recognised by the BSI and replacing the old § 8a Abs. 2 framework. In practice, expect your industry association to update its B3S standards over the next eighteen months, with BSI recognition refreshed against the new BSIG references.

KRITIS: the stricter overlay (§§ 31, 39 and 41)

KRITIS operators sit at the top of the regulatory pyramid. They are automatically besonders wichtige (§ 28 Abs. 1 Nr. 1) and they carry a stricter overlay that is one of Germany’s distinctive contributions to the European cybersecurity regime.

§ 31 stricter measures. § 31 Abs. 1 presumes that measures going beyond the ordinary § 30 baseline are proportionate where their cost is proportionate to the consequences of a failure of the kritische Anlage. In practice, this is the legal hook for requiring expensive segmentation, hardened operational technology, and redundant control planes from a power utility or a water operator that would not be required from an ordinary Anlage 1 entity.

§ 31 Abs. 2 attack-detection systems. KRITIS operators must deploy and operate attack-detection systems (Systeme zur Angriffserkennung), defined in § 2 Nr. 41 as “durch technische Werkzeuge und organisatorische Einbindung unterstützte Prozesse zur Erkennung von Angriffen auf informationstechnische Systeme”, with continuous automated capture and evaluation reflecting the state of the art. Germany was the first Member State in the EU to mandate these systems through IT-SiG 2.0 in 2021, and the new BSIG retains and clarifies the obligation. For most KRITIS operators this means a documented Security Operations Centre (SOC) or Managed Detection and Response (MDR) capability, not a pure log archive.

§ 39 conformity proof. KRITIS operators must demonstrate implementation of § 30 and § 31 through audits, tests or certifications every three years, with results filed with the BSI. § 39 Abs. 3 provides the transitional bridge: an operator’s next Nachweis under the new regime may be filed within three years of the operator’s last § 8a Abs. 3 audit under the old BSIG, so most existing KRITIS operators will hit their first new-regime Nachweis between 2026 and 2028 depending on their prior audit cadence.

§ 41 critical-components ban. Under § 41, the BMI (im Benehmen with the sectoral ministry) may prohibit a KRITIS operator from deploying a specific vendor’s critical components (kritische Komponenten) if doing so would impair public order or security. § 41 Abs. 2 allows the ban to extend to all operators of the same kritische Anlage type and to future deployments. This is the successor to old § 9b BSIG and the operative tool for vendor-trust calls in 5G, optical transport, smart-metering and similar contexts.

For sector-specific reading on the KRITIS overlay in energy and healthcare, see NIS2 in the energy sector and NIS2 in healthcare: hospitals and pharmaceuticals.

Management body accountability (§ 38)

§ 38 BSIG, headed Umsetzungs-, Überwachungs- und Schulungspflicht für Geschäftsleitungen, is short but consequential. § 38 Abs. 1 requires the management body (Geschäftsleitung) of besonders wichtige and wichtige entities to implement and supervise the § 30 measures. § 38 Abs. 2 attaches personal liability for culpable breach: corporate-law rules apply in the first instance, and the BSIG supplies a subsidiary liability hook where the corporate-law regime is silent. § 38 Abs. 3 mandates regular training (Schulungen) for the Geschäftsleitung, and parallel training offers must be extended to staff.

Geschäftsleitung is defined in § 2 Nr. 13: it captures the natural persons who direct the entity (typically the Vorstand of an AG or the Geschäftsführung of a GmbH). Heads of federal-administration bodies are explicitly not Geschäftsleitungen in this sense: § 29 Abs. 2 disapplies § 38 to them.

Parallel provisions sit in the sectoral statutes. EnWG § 5e mirrors the § 38 framework for energy entities, and TKG § 165 Abs. 2b to 2d does the same for telecoms providers. For boards and executive committees, this means cybersecurity is no longer an “IT topic” delegated to the CISO. It is a Geschäftsleitung-level matter, with documented oversight, training records, minute trails and Haftungsdokumentation. Our article on Board accountability and governance under NIS2 walks through what a defensible governance posture looks like across jurisdictions.

Incident notification (§ 32)

§ 32 reproduces the EU directive’s three-clock reporting regime, with one operational quirk that distinguishes Germany from most other Member States: there is a single joint reporting portal operated by the BSI and the BBK (§ 32 Abs. 1 Satz 1), and the BSI forwards relevant notifications to the sectoral supervisor under § 32 Abs. 5.

Early warning, within 24 hours (§ 32 Abs. 1 Nr. 1). Without undue delay, and in any event within 24 hours of becoming aware of an erheblicher Sicherheitsvorfall (significant incident, defined in § 2 Nr. 11), the entity submits an early warning. The early warning indicates whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.

Incident notification, within 72 hours (§ 32 Abs. 1 Nr. 2). The notification updates the early warning with an initial assessment of severity, impact and (where available) indicators of compromise.

Interim updates on request (§ 32 Abs. 1 Nr. 3) and final report within one month (§ 32 Abs. 1 Nr. 4 and Abs. 2). The final report covers a detailed description, the root cause, mitigation measures applied and ongoing, and cross-border impact. If the incident is still being handled at the one-month mark, the entity files a Fortschrittsmeldung (progress report) and a final report within one month of closure.

§ 36 requires the BSI to provide an initial response to the early warning within 24 hours where possible, including guidance and operational advice. The threshold for what constitutes an erheblicher Sicherheitsvorfall is concretised in § 2 Nr. 11 and may be further specified by Rechtsverordnung under § 56 Abs. 5; in the meantime, the directive’s threshold logic applies. For the practical guide to running the clocks, see The NIS2 incident reporting timeline. For when an incident actually crosses the “significant” threshold (the hardest call in the first 24 hours), see What makes an incident significant under NIS2.
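The three clocks of § 32, plus the progress-report branch for incidents still open at the one-month mark, are easy to mis-track in the first days of an incident. The following is an added example, not code from the article or from the BSI portal: it derives the deadlines from the moment of awareness exactly as the article describes them. Reading "one month" as a calendar month (same day next month, clamped to the month's end) is this example's assumption, as are the milestone names and the `overdue` helper.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month arithmetic: same day next month, clamped to month end.
    Reading 'one month' as a calendar month is this example's assumption."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def build_schedule(awareness: datetime,
                   closure: Optional[datetime] = None) -> Dict[str, datetime]:
    """Deadlines of § 32 BSIG as the article describes them, keyed by milestone.

    awareness: when the entity became aware of the erheblicher Sicherheitsvorfall.
    closure:   when handling ended, or None while the incident is still open.
    """
    schedule = {
        "early_warning": awareness + timedelta(hours=24),           # § 32 Abs. 1 Nr. 1
        "incident_notification": awareness + timedelta(hours=72),   # § 32 Abs. 1 Nr. 2
    }
    one_month = add_one_month(awareness)
    if closure is not None and closure <= one_month:
        # Handling finished inside the month: final report at the one-month mark.
        schedule["final_report"] = one_month                        # § 32 Abs. 1 Nr. 4
    else:
        # Still open at the one-month mark: Fortschrittsmeldung then, and the
        # final report one month after closure once closure is known.
        schedule["progress_report"] = one_month                     # § 32 Abs. 2
        if closure is not None:
            schedule["final_report"] = add_one_month(closure)
    return schedule


def overdue(schedule: Dict[str, datetime], now: datetime,
            filed: Iterable[str] = ()) -> List[str]:
    """Milestones whose deadline has passed and that have not yet been filed."""
    filed = set(filed)
    return [name for name, due in schedule.items() if now > due and name not in filed]


if __name__ == "__main__":
    # Constructed timeline: awareness on 31 January 2026, 10:00 UTC, still open.
    aware = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
    plan = build_schedule(aware)
    for name, due in plan.items():
        print(f"{name:22s} due {due.isoformat()}")
    now = datetime(2026, 2, 2, 0, 0, tzinfo=timezone.utc)
    print("overdue:", overdue(plan, now, filed=[]))
```

Because the clocks run from awareness rather than from detection by a tool, the timestamp recorded as `awareness` is itself a decision the incident lead has to make and document; the schedule is only as defensible as that timestamp.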

Sector parallels. EnWG § 5d Abs. 3 routes the same 24/72/one-month notifications to the BSI Meldestelle, with the BSI acting im Benehmen with the BNetzA. TKG § 168, rewritten by Art. 25 of the Mantelgesetz, requires the same timeline but to both the BNetzA and the BSI. Health entities continue to route their § 30 obligations through the SGB V framework, with §§ 30, 31 and 39 BSIG references threaded through SGB V, SGB XI, the DiGAV and the Krankenhausstrukturfonds-Verordnung (Mantelgesetz Arts. 21, 22, 24 and 26).

Vulnerability disclosure (§ 5) and threat-sharing platform (§ 6)

§ 5 designates the BSI as the coordinated vulnerability disclosure (CVD) coordinator under Art. 12(1) of the directive. The BSI must publish a documented CVD procedure description by 6 December 2026 (§ 5 Abs. 6), so researchers and operators have a one-year transition to a formalised programme. In the meantime, the BSI’s existing CVD practice continues, including the established channels for reporting vulnerabilities in widely-used products and the coordination with vendors. For the broader EU view on what a CVD framework needs to do, see Vulnerability disclosure framework under NIS2.

§ 6 codifies the BSI’s role in operating an information-sharing platform (Informationsaustauschplattform) for cyber-threat data exchange among in-scope entities. § 11 supplies a related operational tool: in herausgehobene Fälle (high-profile attacks), the BSI may take direct restoration action, with first-response costs waived. This is a meaningful operational backstop for victims of nation-state-grade incidents that exceed in-house capacity.

Registration (§§ 33 and 34)

Two registration tracks apply.

General registration (§ 33). Besonders wichtige and wichtige entities, as well as domain-name-registry providers, must register with the BSI through the joint BSI/BBK portal within three months of becoming such an entity (§ 33 Abs. 1). The dataset includes name, legal form, contact, public IP ranges, sector per Anlage 1 or 2, EU Member States served and the competent supervisors. § 33 Abs. 2 imposes an additional dataset on KRITIS operators: kritische-Anlage details, location and a 24/7 contact. § 33 Abs. 3 allows the BSI to register an entity ex officio. § 33 Abs. 5 requires changes to be notified within two weeks.

Digital-services central registration (§ 34). Entities falling under § 60 EU-wide central jurisdiction (cloud, data centres, CDN, MSPs, MSSPs, DNS, TLDs, online marketplaces, search engines, social networks) submit a more detailed dataset within three months, which the BSI forwards to ENISA for the EU-wide registry under Art. 27 of the directive.

If your business is a managed service provider or MSSP, see Are MSPs and MSSPs regulated under NIS2. For cloud, data centre, and CDN providers, see Digital infrastructure under NIS2: cloud and data centre. Note that the energy-sector parallel under EnWG § 5d Abs. 4 requires small grid operators to register by 6 March 2026, a date many smaller Stadtwerke and Netzbetreiber will only now be approaching.

Certification, BSI-Grundschutz and the Cybersecurity Act (§§ 30 Abs. 6, 44, 52 to 55)

The new BSIG consolidates the BSI’s roles in standards, certification and labelling.

§ 52 confirms the BSI as the national certification authority. § 54 designates it as the national cybersecurity certification authority under Regulation (EU) 2019/881 (Cybersecurity Act), which means it is the competent body for European certification schemes such as the EUCC and the forthcoming EUCS for cloud services. § 53 anchors the conformity-assessment and self-declaration regime. § 55 maintains the voluntary IT-Sicherheitskennzeichen consumer label.

§ 44 retains BSI authority over Mindeststandards and IT-Grundschutz for the federal administration. While IT-Grundschutz is formally only binding on the Bund, it remains the de facto benchmark that German auditors and insurers expect from KRITIS operators and large enterprises. For the relationship between BSI-Grundschutz, ISO 27001 and the NIS2 measures regime, see NIS2, ISO 27001 and certification schemes.

§ 30 Abs. 6 and § 56 Abs. 3 together provide the mechanism by which an EU certification scheme can be made mandatory in Germany for a defined class of products or services: a Rechtsverordnung of the Bundesregierung. This is not yet active, but the path is open. The most likely first targets are cloud services (once the EUCS scheme is finalised) and specific OT components in regulated KRITIS sectors.

Supervision (§§ 59 to 64)

§ 59 confirms the BSI as the sole competent authority for compliance with Teil 3 of the BSIG. The substantive supervisory toolkit then differs sharply between besonders wichtige and wichtige entities, in line with the directive.

Besonders wichtige entities (§ 61): ex-ante plus ex-post. § 61 Abs. 1 authorises the BSI to order audits, tests or certifications. § 61 Abs. 3 allows the BSI to demand evidence (the directive’s “ex-ante” inspections); however, for besonders wichtige entities that are not KRITIS, the BSI may not order such audits earlier than three years after entry into force, that is, not before 6 December 2028. For hospitals under § 108 SGB V the lead time is even longer, with audits not orderable before 6 December 2030. § 61 Abs. 5 authorises on-site inspections (Überprüfung vor Ort). § 61 Abs. 6 authorises orders to take specific measures, § 61 Abs. 7 orders to implement obligations more generally, and § 61 Abs. 8 orders to notify customers and publish breach information. § 61 Abs. 9 contains the most severe measures, available als letztes Mittel (as a last resort), in agreement with the sectoral supervisor: temporary licence suspension and a temporary prohibition on Geschäftsleitung members exercising managerial functions.

Wichtige entities (§ 62): ex-post only. Inspections and orders are still available, but only when Tatsachen die Annahme rechtfertigen (facts justify the assumption) of non-compliance. This means the BSI must have a reasoned trigger before opening a supervisory file on a wichtige entity.

§ 63 administrative compulsion. Where an order is not followed, the BSI may impose periodic penalty payments (Zwangsgelder) up to EUR 100,000 per established breach, overriding the EUR 25,000 ceiling in § 11 Abs. 3 VwVG.

Our reference article on NIS2 enforcement powers, penalties, and fines walks through how authorities use these tools in practice.

Administrative fines (§ 65)

The headline fine tiers in § 65 Abs. 5 Nr. 1 are aligned with the directive’s minimums. Earlier draft caps of EUR 20 million and 4% of turnover were not adopted in the final text.

  • Besonders wichtige Einrichtungen: up to EUR 10 million (§ 65 Abs. 5 Nr. 1); for groups with worldwide turnover above EUR 500 million, up to 2% of worldwide group turnover, whichever is higher (§ 65 Abs. 6).
  • Wichtige Einrichtungen: up to EUR 7 million (§ 65 Abs. 5 Nr. 1); for groups with worldwide turnover above EUR 500 million, up to 1.4% of worldwide group turnover, whichever is higher (§ 65 Abs. 7).

Narrower or more procedural breaches carry lower caps (EUR 5 million, EUR 2 million, EUR 1 million, EUR 500,000 and EUR 100,000) under § 65 Abs. 5 Nr. 2 and following. For the deep treatment of how these caps are calibrated and applied, see Administrative fines under NIS2: the EUR 10M framework.

The Zwangsgeld cap is EUR 100,000 per breach (§ 63), as discussed above. No new criminal offences (Straftaten) are created by the NIS2UmsuCG: §§ 202a, 202b, 303a and 303b StGB continue to apply to the underlying computer-crime conduct, and § 8 Abs. 6 BSIG governs evidence transfer from the BSI to prosecutors.

GDPR non-bis-in-idem. § 65 Abs. 11 prohibits a NIS2 fine where the BfDI or a Land DPA has already imposed a GDPR fine for the same conduct. Non-monetary measures (orders, inspections, notification requirements) remain available in parallel. The interaction is unpacked in NIS2 and GDPR overlap: cybersecurity and data protection.

The Mantelgesetz: sectoral parallels you must not overlook

The omnibus design of the NIS2UmsuCG means that the new BSIG is only half the story for many in-scope entities. Arts. 2 through 28 amend 27 adjacent acts and ordinances, and for energy, telecoms and health entities, the sectoral text is the primary operational instrument.

Energy: EnWG (Mantelgesetz Art. 17). The old § 11 Abs. 1a to 1g EnWG are deleted in their entirety and replaced by new §§ 5c to 5e EnWG. § 5c carries the substantive duties: the IT-Sicherheitskatalog is set by the BNetzA im Einvernehmen with the BSI, and the kritische-Komponenten catalogue must be issued by 6 January 2026. The ten measure categories under EnWG mirror § 30 BSIG. The 24/72/one-month reporting timeline flows to the BSI Meldestelle, with the BSI acting im Benehmen with the BNetzA. EnWG § 5e mirrors the § 38 Geschäftsleitung obligations. Fines mirror the BSIG tiers: EUR 10 million / 2% for besonders wichtige and EUR 7 million / 1.4% for wichtige. § 5c Abs. 2 retains the primacy of nuclear-law obligations under the Atomgesetz (Mantelgesetz Art. 16), preserving the AtG framework for nuclear installations.

Telecoms: TKG (Mantelgesetz Art. 25). § 165 TKG is expanded with the ten measure categories (Abs. 2a to 2d) and with Geschäftsleitung liability and training requirements. § 168 TKG is rewritten with the 24/72/one-month reporting timeline to both the BNetzA and the BSI. § 167 contains a transitional provision: BNetzA retains powers on critical-component definitions until the BSIG Rechtsverordnung under § 56 Abs. 7 takes those over.

Health: SGB V, DiGAV, SGB XI, Krankenhausstrukturfonds-Verordnung (Mantelgesetz Arts. 21, 22, 24 and 26). Old § 8a BSIG references are replaced throughout with new §§ 30, 31 and 39 BSIG references. Operationally this means hospitals (subject to the longer five-year audit lead-in under § 61 Abs. 3), digital health applications (DiGA) providers and nursing-care insurance carriers continue to be regulated through their sectoral pipes, with the substantive content now drawn from the new BSIG.

Trust services: VDG (Mantelgesetz Art. 28). § 2 Abs. 3 VDG is deleted as a consequential amendment, reflecting that qualified trust service providers are now besonders wichtige under § 28 Abs. 1 Nr. 2 BSIG.

AWV: foreign investment screening (Mantelgesetz Art. 27). § 55a AWV is updated to reference the new “kritische Anlagen” terminology. The investment-screening trigger for non-EU acquisitions of KRITIS operators is preserved, and the perimeter now follows the new BSI-KritisV.

Whistleblower protection: Hinweisgeberschutzgesetz (Mantelgesetz Art. 14). Scope updated to cover the new cloud and DNS digital-services categories.

If your organisation operates across more than one of these regulated sectors, your compliance map needs to start with the sectoral text and use the BSIG as the residual default. The single registration portal at the BSI/BBK joint Meldestelle simplifies the administrative interface, but the substantive obligations are spread across multiple statutes.

Sector-specific reading

If your organisation is in a regulated sector, the Anlage 1 or Anlage 2 categorisation maps directly to the corresponding sectoral guidance:

For a comparative view of how other Member States transposed the directive, see our companion analyses of NIS2 in Luxembourg and NIS2 in Belgium. The German federal-versus-Länder split, the BSI’s EU-wide § 60 jurisdiction, and the KRITIS attack-detection mandate are the three distinguishing features that have no direct analogue in either of those countries.

What to do this quarter

Six months into the new regime, most leadership teams should already have a baseline gap assessment and a roadmap. If you do not, or if you are revisiting plans now that initial dust has settled, a reasonable sequence:

  1. Confirm scope precisely. Use the NIS2 scope checker or commission a counsel review of § 28 against your activities. Pay particular attention to whether you are a KRITIS operator under the revised BSI-KritisV, because that triggers the § 31 overlay and a shorter supervisory lead-in.
  2. Identify your interlocutors. BSI for the default case; BNetzA for telecoms and energy operational duties; BaFin for any residual financial-sector matter; the relevant Land supervisor for any Land-scope activity. If you are an MSP, MSSP, cloud, data-centre, CDN, DNS, TLD or online platform with your main EU establishment in Germany, you are within the BSI’s § 60 EU-wide jurisdiction and your registration runs through § 34.
  3. Register. Prepare the § 33 submission (and the § 34 submission if applicable). The three-month clock runs from when you become an in-scope entity; for entities that became in-scope on 6 December 2025, that clock has already expired. If you missed it, register now and document the delay reasoning.
  4. Brief the Geschäftsleitung. § 38 personal liability is the single most important conversation to have at the management body level. Document approval of measures, training delivery (the Schulungspflicht is recurring), and Haftungsdokumentation. Where applicable, mirror this with EnWG § 5e or TKG § 165 conversations for board-level sectoral responsibilities.
  5. Stand up the incident regime. Map your detection, classification, and notification flow to the 24h, 72h, and one-month clocks under § 32 (and the sectoral parallels in EnWG § 5d and TKG § 168). Pre-register your contact data on the joint BSI/BBK portal and rehearse a tabletop exercise that produces a draft early warning within four hours.
  6. Close the § 30 gaps, and the § 31 overlay if KRITIS. Run a controls map against the ten categories. For KRITIS operators, audit your Systeme zur Angriffserkennung against § 31 Abs. 2 and the BSI’s current Orientierungshilfe. Plan for the § 39 Nachweis cycle in 2026 to 2028.
  7. Document, document, document. § 65 Abs. 10 makes cooperation and demonstrable diligence material to the fine calculation. Build the evidence trail now, not after the first BSI inspection. Where you use industry sector standards (B3S) under § 30 Abs. 8, retain proof of recognition and the implementation mapping.
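Step 5 above maps the detection-to-notification flow onto the 24h, 72h and one-month clocks of § 32. The following is an added example (not code from the article, the BSI or the BSI/BBK portal) of a small deadline tracker an incident-response team could run next to the tabletop exercise. The awareness time and filed-report times are constructed sample values; treating the clocks as running from the moment of awareness, computing the hour clocks as elapsed UTC hours, reading "one month" as the same calendar day a month later clamped to the month end, and treating the four-hour draft as an internal SLA rather than a statutory deadline are all assumptions of the example, not statements of the statute.

```python
"""Deadline tracker for the incident-reporting clocks described above.

Added example for this article; not code from the article, the BSI or the
BSI/BBK portal. Assumptions (not stated by the statute text quoted above):
  * all clocks run from the moment the entity becomes aware of the
    significant incident ("aware_at");
  * the 24 h and 72 h clocks are elapsed hours, so they are computed in UTC
    and are neither shortened nor extended by a DST change;
  * "one month" means the same calendar day and time one month later,
    clamped to the end of the month (31 Jan -> 28/29 Feb);
  * the 4 h draft early warning is the article's tabletop target, an
    internal SLA rather than a statutory deadline.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Deadline:
    name: str
    due: datetime      # always expressed in UTC
    statutory: bool    # False for the internal draft target


def add_one_month(moment: datetime) -> datetime:
    """Same wall-clock day and time one month later, clamped to month end."""
    year, month = moment.year, moment.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def section32_deadlines(aware_at: datetime) -> list[Deadline]:
    """Return the § 32 clocks (plus the internal draft target), in UTC."""
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("aware_at must be timezone-aware (naive times are ambiguous)")
    aware_utc = aware_at.astimezone(timezone.utc)
    return [
        Deadline("internal draft early warning (4 h target)", aware_utc + timedelta(hours=4), False),
        Deadline("early warning (24 h)", aware_utc + timedelta(hours=24), True),
        Deadline("incident notification (72 h)", aware_utc + timedelta(hours=72), True),
        # the calendar step uses the entity's own local wall clock, then converts to UTC
        Deadline("final report (one month)", add_one_month(aware_at).astimezone(timezone.utc), True),
    ]


def report_status(aware_at: datetime, now: datetime,
                  submitted: dict[str, datetime]) -> dict[str, str]:
    """Classify each clock as 'on time', 'late', 'overdue' or 'open (N h left)'.

    `submitted` maps a deadline name to the time that report was actually filed.
    Aware datetimes in different zones compare by instant, so mixing UTC and
    local offsets here is safe.
    """
    result: dict[str, str] = {}
    for d in section32_deadlines(aware_at):
        filed = submitted.get(d.name)
        if filed is not None:
            result[d.name] = "on time" if filed <= d.due else "late"
        elif now > d.due:
            result[d.name] = "overdue"
        else:
            hours_left = (d.due - now) / timedelta(hours=1)
            result[d.name] = f"open ({hours_left:.1f} h left)"
    return result


def sample_awareness() -> datetime:
    """Constructed sample: awareness on 31 Jan 2026 at 10:00 CET (UTC+1)."""
    return datetime(2026, 1, 31, 10, 0, tzinfo=timezone(timedelta(hours=1)))


def sample_status() -> dict[str, str]:
    """Constructed sample: status checked 30 h after awareness, early warning filed at 20 h."""
    aware = sample_awareness()
    filed = {"early warning (24 h)": aware + timedelta(hours=20)}
    return report_status(aware, aware + timedelta(hours=30), filed)


if __name__ == "__main__":
    for name, state in sample_status().items():
        print(f"{name:45s} {state}")
```

Because the hour clocks are computed in UTC, an incident that becomes known the day before a DST switch still gets a full 24 elapsed hours; the month clock deliberately follows the local calendar instead, which is why it is the only deadline computed on the original local timestamp before conversion.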

For a longer playbook, the NIS2 Compliance guide walks through each obligation in sequence.

Sources and references

Primary sources:

German bodies:

  • Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), national competent authority, single point of contact, CSIRT and central reporting point. NIS2 hub: bsi.bund.de/DE/Das-BSI/Auftrag/Gesetze-und-Verordnungen/NIS-2/nis-2_node.html.
  • Federal Network Agency (BNetzA, Bundesnetzagentur), sectoral supervisor for telecoms (TKG) and energy (EnWG).
  • Federal Financial Supervisory Authority (BaFin, Bundesanstalt für Finanzdienstleistungsaufsicht), supervisor for DORA-regulated financial entities and partner to the BSI for any residual NIS2 matter.
  • Federal Office of Civil Protection and Disaster Assistance (BBK, Bundesamt für Bevölkerungsschutz und Katastrophenhilfe), joint operator of the BSI/BBK reporting and registration portal.
  • Federal Ministry of the Interior (BMI, Bundesministerium des Innern), responsible for § 41 critical-components ban orders.
  • Federal Commissioner for Data Protection and Freedom of Information (BfDI, Bundesbeauftragte für den Datenschutz und die Informationsfreiheit), GDPR supervisor for federal bodies and counterparty under § 65 Abs. 11 non-bis-in-idem.

This article reflects the law as published on 5 December 2025 and in force from 6 December 2025. The BSI will publish further Orientierungshilfen, the CVD procedure description (by 6 December 2026) and the Rechtsverordnungen under § 56 over the coming months; the Länder will progressively enact their own Landes-NIS2-Gesetze. Check the BSI NIS2 hub for the latest official guidance before finalising operational decisions.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.