NIS2 in Germany: all you should know

Germany is implementing the EU NIS2 Directive with stricter cybersecurity rules for businesses. Learn what this means for your company and how to prepare in 2025.

Cybersecurity is no longer a niche concern. It’s a national and economic priority — especially in Germany, where digital infrastructure plays a key role in critical sectors like energy, health, manufacturing, and public services.

To meet rising threats, the European Union introduced the NIS2 Directive. All Member States, including Germany, must now transpose this directive into national law. For German companies, this means new legal obligations, stricter oversight, and a shift toward a more proactive approach to cybersecurity.

This article will explain what the NIS2 Directive is, how Germany is implementing it, and what companies can expect. We’ll also link to official sources for deeper insights. The goal is to make the topic accessible, even if you’re not a cybersecurity expert.

What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It is part of the EU’s broader strategy to strengthen digital resilience across Member States.

Compared to its predecessor, NIS2:

  • Covers more sectors and services
  • Applies to a wider range of organizations
  • Imposes stricter cybersecurity and governance requirements
  • Introduces tighter deadlines for incident reporting
  • Allows for tougher penalties

NIS2 affects both essential and important entities across sectors such as energy, digital infrastructure, manufacturing, healthcare, financial services, and public administration. Its goal is to raise the overall level of cybersecurity in the EU by creating a consistent legal framework.

If you want to read more about the NIS2 Directive, don’t miss our blog post.

For the full legal text, you can consult the directive here:

🔗 NIS2 Directive on EUR-Lex

How Germany is implementing NIS2

Germany is transposing the NIS2 Directive through an updated national cybersecurity law known as NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG). This new law builds on Germany’s existing IT-Sicherheitsgesetz (IT-SiG) and the BSI-Gesetz (BSIG) — the key legal frameworks that regulate cybersecurity in Germany.

The German government published a draft law (Referentenentwurf) in early 2024. As of mid-2025, the final version is expected to be adopted soon, even though the transposition deadline for all EU Member States was October 17, 2024.

Key Authorities in Germany

  • BSI (Federal Office for Information Security): Primary regulator and contact point for NIS2.
  • BMI (Federal Ministry of the Interior and Community): Oversees national cybersecurity strategy.
  • UP KRITIS: A public-private cooperation platform for critical infrastructure.

Who Is Affected by NIS2 in Germany?

The German implementation of NIS2 will affect thousands more organizations than the previous law. Here’s how entities are categorized:

1. Essential Entities (Wesentliche Einrichtungen)

These include:

  • Energy providers
  • Water and waste management services
  • Financial institutions
  • Healthcare and hospitals
  • Public administration

2. Important Entities (Wichtige Einrichtungen)

This group includes:

  • Digital services and platforms
  • Postal and courier services
  • Food production
  • Chemical and manufacturing industries
  • Research and development centers

Any organization in one of these sectors with over 50 employees or a turnover of more than €10 million will likely fall under NIS2.

NIS2 is also ready in Italy. Read our article on it if you want to know more.

What Does NIS2 Require from German Businesses?

The upcoming German law aligns closely with the EU Directive but adapts specific procedures to the national context. Here are the key obligations for affected organizations:

1. Cyber Risk Management and Security Measures

Companies must establish appropriate and proportionate measures to manage cybersecurity risks. These include:

  • Secure system architecture
  • Access control
  • Encryption and authentication
  • Backup and recovery plans
  • Network monitoring and patch management

These measures must be documented and regularly reviewed.

2. Incident Reporting Obligations

Under the NIS2UmsuCG draft:

  • Major cyber incidents must be reported to the BSI within 24 hours
  • A follow-up detailed report must be submitted within 72 hours
  • A final report is required within one month

Failure to report in time may result in significant fines and reputational damage.

3. Governance and Accountability

Executives and board members now bear personal responsibility for cybersecurity compliance. They must:

  • Oversee cybersecurity strategy
  • Undergo regular training
  • Ensure appropriate risk management and budgeting

This marks a big cultural shift — cybersecurity is no longer just the IT department’s job.

4. Supply Chain Security

Organizations must assess the cybersecurity readiness of their supply chains. This includes:

  • Risk-based due diligence on third-party vendors
  • Contractual clauses for security compliance
  • Monitoring for vulnerabilities across the ecosystem

Especially in Germany’s heavily industrial economy, this is a major area of concern.

Penalties for Non-Compliance

The new German law will introduce tougher sanctions for companies that fail to meet NIS2 obligations. These include:

  • Fines up to €10 million or 2% of global annual turnover (whichever is higher)
  • Legal liability for senior executives
  • Public disclosure of violations

Compliance is not optional — it’s a legal and reputational necessity.

How to Prepare for NIS2 in Germany

Getting ready for NIS2 can feel daunting, but preparation can be broken into manageable steps:

Step 1: Identify Your Status

Check if your organization qualifies as an essential or important entity under German law. Refer to BSI’s published guidance for clarity.

Step 2: Conduct a Gap Analysis

Evaluate your current cybersecurity posture. What controls do you have in place? Where are the vulnerabilities?

Step 3: Create a Cybersecurity Strategy

Define your risk management approach, establish internal policies, and align with standards like ISO 27001 or BSI IT-Grundschutz.

Step 4: Train Executives and Staff

Everyone from the C-suite to front-line workers should understand their role in cybersecurity.

Step 5: Prepare for Incident Reporting

Set up internal processes and escalation paths to meet the strict 24- and 72-hour reporting deadlines.

Step 6: Engage with the BSI

Make use of the BSI’s resources and consultation opportunities. They regularly publish guidance and checklists.

If you want to tackle NIS2 in other EU states, don't miss this blog post.

Need help figuring it out? We’re here to help! 🙋

Chino.io is the one-stop shop for solving all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.
