The German NIS2 Implementation Act

The NIS2 Implementation Act — officially the "NIS-2 Implementation and Cyber Security Strengthening Act" (NIS2UmsuCG) — transposes the EU NIS2 Directive into German law. It supplements the BSI Act and significantly tightens cybersecurity obligations.

Unlike previous KRITIS regulations, the law also targets many mid-sized industrial companies — particularly in the energy, water, food, transport, manufacturing, and digital services sectors.

Violations can be penalized with fines of up to €10 million or 2% of total worldwide annual turnover. Management boards can also be held personally liable.

NIS2 Implementation Act: national implementation of the EU directive in Germany

What the NIS2 Implementation Act regulates

  • Expanded scope of application
  • Minimum cyber risk management measures
  • Reporting & registration obligations
  • Fines & management liability

Implementation status in Germany

The EU deadline for national transposition was October 17, 2024. The German implementation act is currently in the parliamentary process. Companies should not wait for the enforcement date — the technical requirements are already known and can be implemented in practice today.

What obligations will companies face?

  • Registration with the BSI as an essential or important entity
  • Risk management with documented technical and organizational measures
  • Reporting obligations: Early warning within 24 hours, comprehensive report within 72 hours
  • Proof of measure effectiveness to the BSI
  • Training and management accountability

Fines and liability

Essential entities face fines of up to €10 million or 2% of their total worldwide annual turnover. Important entities face fines of up to €7 million or 1.4%. Management can also be held personally liable for omissions.

What should OT operators do now?

With our Managed OT Security Services we cover the minimum technical and organizational NIS2 requirements in OT — particularly Asset Management, Vulnerability Management and Intrusion Detection.

Let's find out where your organization is already NIS2-ready today.