The German NIS2 Implementation Act
The NIS2 Implementation Act — officially the "NIS-2 Implementation and Cyber Security Strengthening Act" (NIS2UmsuCG) — transposes the EU NIS2 Directive into German law. It supplements the BSI Act and significantly tightens cybersecurity obligations.
Unlike previous KRITIS regulations, the law also targets many mid-sized industrial companies — particularly in the energy, water, food, transport, manufacturing, and digital services sectors.
Violations can be penalized with fines of up to €10 million or 2% of total worldwide annual turnover. Management boards can also be held personally liable.

— What the NIS2 Implementation Act regulates —
Implementation status in Germany
The EU deadline for national transposition was October 17, 2024. The German implementation act is currently in the parliamentary process. Companies should not wait for the enforcement date — the technical requirements are already known and can be implemented in practice today.
What obligations will companies face?
- Registration with the BSI as an essential or important entity
- Risk management with documented technical and organizational measures
- Reporting obligations: Early warning within 24 hours, comprehensive report within 72 hours
- Proof of measure effectiveness to the BSI
- Training and management accountability
Fines and liability
Essential entities face fines of up to €10 million or 2% of their total worldwide annual turnover. Important entities face fines of up to €7 million or 1.4%. Management can also be held personally liable for omissions.
What should OT operators do now?
With our Managed OT Security Services we cover the minimum technical and organizational NIS2 requirements in OT — particularly Asset Management, Vulnerability Management and Intrusion Detection.
— Further reading —
NIS2 Directive explained
Fundamentals, goals, and obligations of the EU directive.
Who is affected by NIS2?
Overview of sectors, size categories, and thresholds.
NIS2 at ACURITY
Our service offerings for NIS2 compliance in OT.
Managed OT Security
Continuous state-of-the-art OT protection.
OT Vulnerability Management
Detect, prioritize, and remediate vulnerabilities.
Network Intrusion Detection
Detect anomalies and attacks in the OT network early.