5 key questions for NIS2 Germany

NIS2 finally became law in Germany in December 2025. Unlike some countries, German NIS2 does not allow for any implementation period. So, if your company or organisation falls under the scope of the law, you MUST comply with it immediately. In this article, we look at who this is relevant for, what your new obligations are, and when you need to act.

Who is affected?

According to the German regulator, BSI, NIS2 affects around 30,000 organisations in Germany. Whether your company is affected is determined based on area of business, number of employees, and annual turnover/balance sheet.

You can check whether you are affected by going through BSI’s impact assessment tool. The following flow chart will give you some idea whether you may be affected.

  • If your company is in the energy, finance & insurance, health, water, infrastructure, or space sectors, you need to check Appendix 1 to see if you are directly affected.
  • If you operate in the waste management, chemical industry, food distribution & production, manufacture of goods, digital service providers, or research sectors, you need to check Appendix 2 to see if you are directly affected.
  • If you are in the transport & traffic sector, you need to check both Appendices.

How does this affect health companies?

Within the health sector, only 5 types of company or organisation are listed. These are:

  1. Providers of health services according to Directive 2011/24/EU
  2. Reference laboratories according to Art 15 EU Regulation 2022/2371
  3. Companies doing R&D on medical products according to §2 of AMG
  4. Companies manufacturing pharmaceuticals according to §C.21 of NACE rev 2
  5. Companies manufacturing critical medical devices during a health emergency according to Art 22 of EU Regulation 2022/123

While this is a relatively limited list, NIS2 will actually impact many more health companies. This is thanks to the strict supply chain management rules it introduces. That means, for instance, any digital health company selling services to a hospital or insurance company will now be hit with new obligations around cybersecurity. This in turn will lead to more companies needing ISO 27001.

What are the requirements?

Companies fall into one of four categories, each with different requirements:

  1. Not affected by NIS2. Clearly, in this case you don’t need to fulfill any of the NIS2 requirements. However, if your business grows, or you have a very good financial year, you might subsequently fall under NIS2. It’s important to keep track of this as the law is very unforgiving if you don’t realise you are affected.
  2. Important companies (wichtige Einrichtungen or wE). These companies are only subject to notification requirements (see below). This is less onerous than the higher levels, but still requires a significant resource investment.
  3. Particularly important companies (besonders wichtige Einrichtungen or bwE). These companies are subject to a raft of new requirements including: registration with BSI, notification, supply chain monitoring, audits, and more. If you are affected, you need to rapidly take steps to make sure you comply with NIS2.
  4. KRITIS companies (companies falling under Germany’s critical infrastructure regulations). These must continue to comply with the KRITIS regulation, but they are also subject to new requirements, such as the need for two-factor authentication and stricter reporting obligations.

Incident reporting

All organisations and companies who fall under NIS2 are subject to very onerous incident reporting obligations.

  • You must notify BSI within 24 hours of any suspected serious cybersecurity incident. This means things like ransomware attacks, data leaks, or other significant security breaches.
  • BSI may require you to submit an interim update detailing the steps you have taken to respond to the incident.
  • 1 month after the incident, you must submit a detailed report to BSI explaining what happened, how you responded, and what the outcome was.
  • If the incident is still ongoing at that stage, you will need to submit further reports.

Companies and organisations who fall into the following sectors are also obliged to inform their customers immediately about any incident:

  • Finance
  • Social security benefits and basic income support for job seekers
  • Digital infrastructure
  • Management of ICT services and digital services

This notification to users must also include details of any actions the users should take to protect themselves from the effects of the incident. This is a significant extension of the equivalent breach notification requirements in GDPR.

Registration

All bwE organisations must register with BSI by March 5th, 2026. The BSI is still setting up the portal for formal registration and expects to complete this work early in the new year. Meanwhile, you should create an account on the BSI MUK system (Mein Unternehmenskonto). This also applies to wE organisations.

Risk management (technical and organisational measures)

NIS2 imposes a whole set of requirements designed to reduce the risk from external bad actors. These include:

  • Risk & Policy: conduct risk analysis and put in place robust security policies
  • Incident Handling: establish and test incident management procedures
  • Business Continuity: create disaster recovery and business continuity plans including secure backups
  • Supply Chain Security: monitor your supply chain for potential security risks. This includes virtual services such as cloud or SaaS providers.
  • Secure Development: set up policies to secure all development work including secure coding, vulnerability handling, and disclosure policies
  • Effectiveness monitoring: put in place policies to monitor and assess the effectiveness of all security measures, including pen testing.
  • Cyber Hygiene: ensure you follow best practices for things like password strength and patching code vulnerabilities. Put in place mandatory cybersecurity training for all staff.
  • Cryptography: protect sensitive data and systems using strong encryption both at rest and in transit
  • Access Control: implement strict human resource security, access control and asset management policies
  • Authentication/Comms: mandate the use of multi-factor authentication, and only use secure communications systems. Where relevant, set up a secure emergency internal communication system.

Management obligations

There are significant new obligations imposed on senior management. These are:

  • Establish formal oversight: The relevant management body (e.g. Board of Directors) must formally approve and monitor all cybersecurity measures.
  • Mandatory training: All members of management must receive regular cybersecurity training so that they acquire an appropriate level of knowledge to .
  • Personal liability: Management can be held personally liable for any culpable failures in their duty of care.
  • Resource allocation: Managers must ensure there are sufficient resources to meet the security requirements.

What are the timelines?

NIS2 took full effect in Germany on 6th December, 2025. That means you should already be compliant with all technical and organisational measures. Moreover, any cybersecurity incident must already be reported to BSI within 24 hours.

For bwE companies, you have until March 5th, 2026 to register your organisation with BSI. If you miss this deadline, you could already be subject to enforcement action.

BSI’s recommended action plan is as follows:

  1. Define the responsible person(s) in your company
  2. As the leader, take responsibility and start getting the necessary training
  3. Take an (initial) inventory of your cybersecurity compliance and try to identify any gaps you need to fix
  4. Continuously improve your security posture and make sure the whole team understands the importance of cybersecurity
  5. Fulfill your reporting obligations and prepare to receive warnings and situation reports

Which enforcement actions might you face?

NIS2 carries potentially steep fines. There is a detailed list of fines based on the nature and seriousness of the breach. At the lowest level these are €100k, but they can be up to €10M. For the largest organisations (those with >€500M annual turnover) the fines can even be up to 2% of total global turnover. This is lower than some other EU legislation, but it is still steep enough to hurt.

However, NIS2 gives BSI enforcement powers that are potentially far more damaging than the fines. If you are willfully negligent and repeatedly fail to meet your obligations, BSI has the power to revoke any operator’s licenses and to restrict your right to do business until you remedy the situation. In other words, they can put you out of business if you don’t comply with the rules!

Need help figuring it out? We’re here to help!

Chino.io is the one-stop shop for solving all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.
