NIS2 Implementation now in Affect: What german Companies Need to Know
Table of Contents
The good news: The NIS2 implementation law has finaly been in force since December 6, 2025. The bad news: There are no transition periods. around 30,000 companies in Germany now have to act: registration with the BSI, stricter reporting requirements and personal liability of management have now made cybersecurity a central compliance issue.
NIS2 Implementation Will Take Place in Phases
the EU directive on network and facts security (NIS2,EU 2022/2555) came into force at EU level on December 16,2023.Germany clearly missed the implementation deadline of October 17, 2024. After months of delays and infringement proceedings by the EU Commission, the NIS2 Implementation Act was announced on December 5, 2025 and came into force on December 6, 2025.
The implementation takes place in several phases:
- From December 6,2025,the registration and reporting obligations as well as managing director liability apply.
- Affected companies must register with the BSI within 3 months (until the beginning of March 2026).
- Proof of the security measures must be provided within 2 years (by December 2027).
Expanded Scope Covers 30,000 Companies
The NIS2 Directive distinguishes between Essential Entities and Significant Entities in 18 sectors. In addition to classic KRITIS areas such as energy, health and transport, this now also includes postal and courier services, waste management, food production and digital services such as cloud providers and data centers.
Especially important institutions are subject to regulation if they have more than 250 employees or an annual turnover of over 50 million euros. Critically important institutions are already subject to the directive if they have 50 employees or an annual turnover of 10 million euros. Certain sectors of the digital infrastructure are affected regardless of size.
Reporting Obligations and Registration with the BSI
A central element is the stricter reporting requirements for security incidents in three stages:
- early warning within 24 hours of becoming aware of it
- Specific report within 72 hours with details of the type and countermeasures
- Final report after 30 days with root cause analysis and long-term remedial action
Affected companies must register via the platform NIS2-MUK.
Worth a look