With its publication in the Federal Law Gazette on December 5, 2025, the NIS2 Implementation Act (NIS2UmsuCG) came into force the following day, December 6, 2025 (St. Nicholas Day). This ends a long period of uncertainty for affected companies and authorities.

Since it came into force, around 29,500 entities fall within its scope, compared with around 4,500 previously. There is no transition period for implementing the technical and organizational measures. There is, however, a specific transition period for the initial notification ("registration") of entities affected by the NIS2UmsuCG: registration must take place no later than three months after the law came into force. This article summarizes the most important changes.

With the adoption of the NIS2UmsuCG, many questions that have long concerned operators of critical infrastructures and the other affected entities can now be answered. Strictly speaking, the core of the act is a comprehensive revision of the BSI Act (BSIG), so lawyers cite the section references (§) below as sections of the BSIG. For ease of reading, this article attributes them to the NIS2UmsuCG.

NIS2UmsuCG (NIS2 Implementation Act) at a glance

Status: December 2025

On December 27, 2022, the NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) was published in the Official Journal of the European Union; it entered into force on January 16, 2023. The European Commission has identified the risk to the security of critical infrastructure from physical and cyber attacks as one of four main risks to the European economy. Increasing the resilience of the economy against criminal or state attacks is therefore a central task for the actors involved in the state, the economy and society.

The entry into force of the NIS2UmsuCG in December 2025 marks a profound shift in German IT security law.

Important questions can now be answered in a binding manner:

  • Which sectors and institutions are affected?
  • What size of company is affected?
  • How specific will the requirements for technical and organizational measures be?
  • What about fines and directors' liability in the event of incidents?
  • ...

Germany missed the EU-wide transposition deadline for the NIS2 Directive by more than a year: transposition was originally due by October 17, 2024.

Who is affected by the NIS2 Implementation Act?

The new BSIG regime significantly expands the group of regulated companies. Where the previous regime covered operators of critical infrastructures (KRITIS), companies in the special public interest and providers of digital services, the new categories of "particularly important entities" and "important entities" now cover a much larger group.

  • Annex 1 (sectors of high criticality), from which both "particularly important" and "important" entities can come: energy, transport and traffic, finance, healthcare, water and wastewater, digital infrastructure and space
  • Annex 2 (other critical sectors), from which only "important" entities come: postal and courier services, waste management, production, manufacture and trade of chemicals, production, processing and distribution of food, manufacturing of goods, digital service providers and research

However, companies operating in these sectors are not automatically affected.

Section 28 NIS2UmsuCG then distinguishes between "particularly important" and "important" entities on the basis of headcount and financial thresholds (the "size-cap rule"):

  • Particularly important entities are companies from the sectors listed in Annex 1 that have 250 or more employees, or that have both an annual turnover of more than EUR 50 million and an annual balance sheet total of more than EUR 43 million. Irrespective of these thresholds, special rules classify qualified trust service providers, top-level domain name registries, DNS service providers, telecommunications providers and operators of critical facilities (KRITIS).
  • Important entities are companies from the sectors listed in Annex 1 and Annex 2 that have 50 or more employees, or that have both an annual turnover and an annual balance sheet total of more than EUR 10 million. Here, too, special rules apply to trust service providers and telecommunications providers.

The BSI's online NIS2 affectedness check (NIS-2-Betroffenheitsprüfung) provides initial orientation in a few steps. Note, however, that companies in the supply chain of a regulated entity may be obliged indirectly, via the supply chain security requirements imposed on their customers, to implement NIS2-relevant measures regardless of their own size.

What are the obligations for affected organizations?

The NIS2UmsuCG requires (Section 30) a wide range of suitable, proportionate and effective technical and organizational measures that are closely aligned with international standards such as ISO 27001. The core obligations include:

  • Systematic information security risk management
  • Risk analyses and security concepts
  • Incident management (handling of security incidents)
  • Business continuity management and emergency planning
  • Backup management and the use of cryptography and encryption
  • Supply chain security
  • Training and awareness measures for employees
  • Regular audits and inspections of the effectiveness of the measures

These technical and organizational measures are intended to prevent disruptions to the availability, integrity and confidentiality of the IT systems, components and processes that the affected entities use to provide their services, and, just as importantly from an economic point of view, to minimize the impact of security incidents that do occur.

What reporting obligations are set out in the NIS2 Implementation Act?

Section 32 introduces a three-stage reporting system. In the event of a significant security incident, affected entities are obliged to

  • submit an early initial report (early warning) to the joint reporting office of the Federal Office for Information Security (BSI) and the Federal Office of Civil Protection and Disaster Assistance (BBK) without undue delay, and at the latest within 24 hours of becoming aware of the incident;
  • confirm or update this report within 72 hours of becoming aware of the incident, supplementing it with an initial assessment of its severity and impact and, where available, indicators of compromise;
  • submit a final report no later than one month after the 72-hour notification, describing the incident in detail, its probable cause, the measures taken and any cross-border impact.

If the incident is still ongoing at that point, a progress report is submitted instead, and the final report follows within one month of the incident being dealt with.

SIDE NOTE: Controversial provisions of the NIS2 Implementation Act

  • Management has explicit organizational and supervisory duties: it must implement the risk management measures under Section 30 and monitor their implementation. If management breaches these duties, the entity's liability claims against it are governed by the applicable rules of company law (Section 38 (2)). This internal liability of management towards the entity is a mitigation compared to earlier drafts, which had provided for a stricter personal liability regime.
  • A major point of criticism during the legislative process was the original intention of largely excluding the federal administration. This loophole has now been closed: federal ministries, authorities and other federal institutions are also subject to the BSIG and must meet its minimum information security requirements. Implementation is coordinated centrally by the BSI in its new role as "CISO Bund" (Chief Information Security Officer of the Federal Government), which supports the departments in implementing the requirements for information security management.

How are the provisions on fines structured?

Anyone who intentionally or negligently violates NIS2 requirements, or who fails to take the required measures, or fails to take them correctly, completely or on time, commits an administrative offense under Section 65. The administrative offenses listed there in detail are punishable by fines, structured similarly to those for violations of the General Data Protection Regulation (GDPR).

For particularly important entities the upper limit is EUR 10 million or 2 percent of the total worldwide annual turnover, whichever is higher; the percentage therefore only exceeds the fixed amount for entities with an annual turnover above EUR 500 million. For important entities the upper limit is EUR 7 million or 1.4 percent of turnover. As with the GDPR, the maximum fines are unlikely to be imposed immediately after the law enters into force; anyone who intentionally or negligently violates the law in the years that follow, however, must expect to be fined.

What do affected companies have to do?

Under Section 33, "particularly important entities", "important entities" and certain service providers must register with the BSI within three months. For entities that are already affected, this period runs from the law's entry into force; for entities that qualify as one of the aforementioned entities for the first time or again only later, or that begin to offer the relevant services later, it runs from that point. Identifying early whether an organization is affected, and registering correctly, is therefore a high priority.

How can NIS2 compliance be achieved?

There is no single way! The approach depends on the size of the company, the resources available and other considerations. In principle, it makes sense to adopt a suitable risk management method for information security. The law's reference to the state of the art and to European and international standards points to a further field of action that affected organizations should address.

In our experience, introducing an information security management system (ISMS) in accordance with ISO 27001 is a reliable starting point for effectively implementing the technical and organizational measures required by Section 30 (1).

Does NIS2 require ISO 27001 certification?

No. Neither the NIS2 Directive nor the NIS2UmsuCG requires certification, and an ISO 27001 certificate is not legally binding proof of compliance. A clear distinction must be made between the legal requirements of the NIS2UmsuCG and the technical and organizational measures of an information security management system. ISO 27001 maps many of the structures and processes that are relevant for implementing NIS2, but it is no substitute for dealing with the specific legal requirements: companies must still identify and fulfil their own obligations towards the authorities, such as registration and incident reporting, independently.

In short: ISO 27001 covers a large part of the technical and organizational NIS2 requirements and, with its practical Annex A, provides a solid basis for meeting the compliance requirements. Irrespective of the NIS2UmsuCG, organizations that demonstrate compliance with the standard also send a strong signal of trust to authorities, business partners and customers.

NIS2 Implementation Act - Conclusion

According to estimates by the European Central Bank, cyber attacks cause damage in the hundreds of billions of dollars worldwide every year, with Europe accounting for a significant share. The cyber threat situation has changed significantly and is causing massive economic damage, and the widespread use of cloud services puts organizations in the middle of a challenging technology transition.

For these reasons, among others, the European Parliament and the Council adopted the NIS2 Directive to regulate cybersecurity comprehensively in the European Union. Its aim is a high common level of cybersecurity across the Union, with comprehensive and sustainable protection of the economy that includes not only IT-related technical measures but also risk-minimizing plans in the areas of organization and personnel.

The entry into force of the NIS2UmsuCG on December 6, 2025 marks a milestone for cybersecurity in Germany. Section 30 of the NIS2UmsuCG refers to technical and organizational measures that overlap to a large extent with the internationally recognized ISO 27001 standard. Introducing and operating an information security management system in accordance with that standard therefore provides a robust and sustainable foundation for demonstrating compliance.

Trust and expertise

Our articles and white papers are written exclusively by our standards experts or long-standing auditors. If you have any questions about the content or about our services, please e-mail the author: [email protected].

Note: For better readability, the generic masculine is used. The terms used nevertheless refer to persons of all gender identities.

Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-standing auditor for the standards ISO 9001, ISO/IEC 27001 and the IT security catalog under Section 11 (1a)/(1b) of the German Energy Industry Act (EnWG), with audit procedure competence for Section 8a (3) BSIG
