
On 6 December 2025, Germany’s NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) entered into force, ending approximately one year of delay relative to the European NIS2 Directive (EU) 2022/2555. Six months later, the picture in practice is sobering: while most affected companies have initiated first steps, significant uncertainty persists about which companies are actually covered and how the statutory requirements translate into concrete technical measures. Germany’s Federal Office for Information Security (BSI) has announced that it will actively audit compliance starting in the second half of 2026. The window for preparation is closing fast.
NIS2 is the most comprehensive cybersecurity law Europe has ever enacted. It dramatically expands the pool of regulated entities compared to its predecessor: whereas the earlier NIS1 framework applied primarily to operators of critical infrastructure (KRITIS), the NIS2UmsuCG now captures approximately 29,500 companies in Germany across 18 sectors – from energy, healthcare and transport to manufacturing, food, and digital infrastructure. The law distinguishes between “essential entities” and “important entities”, which are subject to different supervision regimes. For many mid-sized businesses, the NIS2UmsuCG arrives without warning and with substantial implementation burden.
The NIS2UmsuCG covers companies in certain sectors that meet a minimum size threshold. The basic rule: if an entity employs at least 50 people or generates more than €10 million in annual revenue and operates in one of the 18 regulated sectors, it falls within the scope of the law. Essential sectors include energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, and digital infrastructure. Important sectors include postal and courier services, waste management, chemicals, food, space, and manufacturing. Many companies underestimate their own exposure, since indirect involvement in critical value chains can also trigger the law’s application.
A particular challenge is the supply chain component of the NIS2UmsuCG. Regulated companies must not only secure their own IT environments, but also actively manage the cybersecurity of their supply chains. This means that companies supplying products or services to essential or important entities may indirectly fall within the law’s scope even if they do not themselves meet the size thresholds. These supply chain requirements caught many small and medium-sized enterprises by surprise, as they now face demands for security evidence and contractual assurances from their regulated customers. Any company that has not yet assessed whether it is indirectly affected as a supplier should do so without delay.
The NIS2UmsuCG imposes obligations on regulated companies in three categories: registration obligations, security obligations, and notification obligations. The obligation to register with the BSI had to be fulfilled by 6 March 2026; companies that missed this deadline are already in breach and face fines even before any security incident has occurred. The security obligations require the implementation of risk management measures in ten mandatory areas, including risk analysis and information security concepts, incident response, business continuity management, supply chain security, network security, multi-factor authentication, and staff training. These requirements are technology-specific and aligned with what the BSI defines as the “state of the art”.
Particularly significant in practice are the staggered notification obligations in the event of a significant security incident. If an incident causes or is likely to cause significant operational disruption or financial loss, the following timelines apply: an early warning to the BSI within 24 hours, an initial report with a situation assessment within 72 hours, and a final report within one month. These timelines impose enormous operational demands on companies that have not previously established structured incident response processes. Without pre-built and tested procedures, companies will be unable to meet the statutory deadlines when an incident actually occurs – with corresponding consequences in any subsequent enforcement proceedings.
One of the most practically significant aspects of the NIS2UmsuCG is the personal liability of management. Under the law, managing directors and board members must personally approve the company’s cybersecurity risk management measures, monitor their implementation, and ensure regular review. They cannot pass responsibility to technical departments or external service providers. In addition, the NIS2UmsuCG introduces explicit training obligations for management: directors and board members must demonstrably be trained in cybersecurity topics. Cybersecurity has thus become a permanent management-level responsibility that cannot be delegated away.
The NIS2UmsuCG provides for substantial fines that depend on the entity category. For essential entities, the maximum fine is €10 million or 2% of global annual turnover, whichever is higher. For important entities, the cap is €7 million or 1.4% of global annual turnover. Beyond fines, the BSI may prohibit the operation of regulated services in whole or in part, and may publicly name responsible individuals. Crucially, violations of the registration or notification obligations can be sanctioned independently of any actual security incident – meaning the risk of a fine arises from the very first procedural failure, regardless of whether any harm has occurred.
Six months after the NIS2UmsuCG entered into force, it is high time for companies to review their compliance position and address any gaps. The first step is a structured assessment of whether the company falls within the law’s scope: Is it covered as an essential or important entity? Is it indirectly caught as a supplier? Any company that is covered and has not yet registered with the BSI should do so immediately. The next step is a gap analysis across the ten mandatory risk management areas in order to identify open issues and build a prioritised implementation plan. Both the coverage assessment and the gap analysis benefit significantly from experienced legal and technical input, as the statutory requirements are complex and leave room for interpretation.
Particular attention should be paid to building incident response capabilities. The 24-hour early warning requirement can only be met if processes, responsibilities and communication channels have been defined in advance and tested in practice. Tabletop exercises – simulations in which a security incident scenario is played through and reporting procedures are rehearsed – have proven particularly effective. Finally, companies must ensure that management has completed the required training and is actively involved in cybersecurity governance, because personal liability under the NIS2UmsuCG cannot be contractually or organisationally transferred to third parties.
The NIS2 Implementation Act fundamentally and permanently changes the cybersecurity landscape for businesses in Germany. The requirements are extensive, the first registration deadline has already passed, and the BSI is ramping up audits for the second half of 2026. Companies that have not yet acted risk substantial sanctions – entirely independently of whether an actual security incident occurs. NIS2 compliance is not a one-time project but a continuous obligation: it demands regular review, documentation, training, and active management involvement. For mid-sized businesses encountering comprehensive cybersecurity regulation for the first time, specialised legal counsel is indispensable when building a legally sound compliance framework.
Do you have questions about the NIS2 Implementation Act or your cybersecurity obligations? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.