11-14-2025 Article

Bundestag approves NIS2 implementation law – What companies need to know and do now

Update Information Security No. 7, Update Data Protection No. 222

The German Bundestag passed the NIS2 Implementation Act yesterday. This implements the EU Directive on measures for a high common level of cybersecurity (NIS2 Directive) into national law, significantly tightens IT security law and considerably expands the circle of affected companies and authorities. For many organizations — far beyond the traditional KRITIS world — binding obligations now arise regarding risk management, incident reporting, governance and supply chain security. Below, we outline the key contents, the practical implications and the next steps.

What does the NIS2 Implementation Act regulate?

The Act introduces a fundamentally revised BSI Act (BSIG). In addition to the BSIG, sector-specific regulations (such as the EnWG and the TKG) are adjusted in order to coherently reflect the NIS2 obligations.

Core elements of the NIS2 Implementation Act are:

  • Broad scope of application: The new statutory requirements apply to “particularly important” and “important” entities in a range of sectors (including energy, transport, healthcare, digital services and infrastructure, waste management and manufacturing). As a rule, classification turns on the so-called size-cap rule, i.e. on the entity's economic metrics: an entity is generally covered from 50 employees, or from more than 10 million euros in both annual turnover and annual balance sheet total. In addition, there are sector-specific special cases (e.g., for operators of critical facilities) in which an entity is covered regardless of size, as well as exceptions from the scope of application (e.g., where the activity in the relevant sector is “negligible”).
  • Risk management: Implementation of appropriate, proportionate and effective technical and organizational measures (TOM) to ensure the availability, integrity and confidentiality of network and IT infrastructure. To this end, the NIS2 Implementation Act contains minimum standards in various areas, including risk analysis, incident management, business continuity (including backup and recovery), secure development and vulnerability management, strong access controls and multi-factor authentication, the use of cryptography, supply chain security as well as effectiveness reviews.
  • Strict reporting and registration obligations: Active registration and designation of a point of contact, as well as a tiered reporting regime for significant security incidents (early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month).
  • Extensive governmental powers: Expanded supervisory powers of the competent supervisory authorities, in particular the BSI within the framework of the BSIG. This includes in particular powers to issue orders, conduct official audits, require evidence and initiate fine proceedings. 

Of practical significance is the considerable expansion of the scope of application. In addition to KRITIS operators, numerous large and medium-sized companies in the affected sectors are now covered. Indirectly, the requirements also increase along the supply chain, because affected companies will demand security and compliance evidence from service providers and suppliers. 

What needs to be done now? 

Companies should proceed in a structured manner without delay. In practice, a two-step approach has proven itself: first clarify the applicability and then steer implementation along a prioritized action plan.

  • Applicability analysis and registration preparation: Review of the classification as an “important” or “particularly important” entity by sector and size-cap, and identification of any sector-specific special cases. In parallel: preparation of the mandatory registration and designation of a point of contact.
  • Gap analysis against the new BSIG: Systematic comparison of the current state with the statutory minimum requirements (risk management, incident response, business continuity/backup/recovery, patch and vulnerability management, secure development, authorization and access management, cryptography, supply chain security, training, effectiveness controls). 
  • Establishment or hardening of the information security organization: The required organizational and technical measures necessitate a functioning information security organization within the company, including clear roles and responsibilities (including management responsibility), policy frameworks, risk and action registers, metrics and effectiveness measurement. In practice, the introduction of a robust information security management system (ISMS) based on recognized standards (e.g., ISO/IEC 27001, BSI IT-Grundschutz) is advisable. Another option is the so-called Cyber Fundamentals Framework (CyFun), which is already used as a reference in various EU Member States.
  • Operationalize reporting and communication processes: Clear internal and external reporting lines, 24/7 availability, templates for the 24-hour, 72-hour and 30-day reports, reliable forensics and decision-making processes, and interfaces to the BSI. Personal data breach notifications under the GDPR and incident reports under NIS2 must be coordinated, since one incident will frequently trigger both.
  • Professionalize business continuity and the crisis team: Updated emergency plans, restart strategies, regular exercises, secured emergency communications and redundancies. 
  • Supply chain security and procurement: Contractually fix security requirements (e.g., TOMs, audit and evidence clauses, exit and subcontractor provisions), establish third-party risk management (including a supply chain policy, security assessments), maintain a supplier directory.
  • Management accountability and training: Executive management is explicitly responsible for approving and overseeing the risk management measures. Mandatory training, reporting lines and regular effectiveness controls must be embedded. “Particularly important” entities are subject to proactive supervision and may be required to provide evidence to the BSI (operators of critical facilities in fixed cycles). “Important” entities are subject to risk-based, event-driven supervision; the substantive protection obligations, however, are demanding in both categories. 

From when does the NIS2 Implementation Act apply?

With yesterday’s parliamentary decision, the legislative process is almost complete. The Act enters into force on the day after its promulgation in the Federal Law Gazette. There is no general transition period! Companies should therefore promptly review registration, the designation of the point of contact and the central core processes (in particular incident and reporting management, risk and BCM processes, patch and vulnerability management and supply chain security) and close any identified gaps along a prioritized roadmap. 

What happens in the event of breaches of obligations? 

The sanctions regime has been significantly tightened and is based on worldwide group turnover:

  • For “particularly important entities,” fines of up to 10 million euros or up to 2 % of worldwide annual turnover may be imposed — whichever amount is higher. 
  • For “important entities,” fines of up to 7 million euros or up to 1.4 % of worldwide annual turnover may be imposed — whichever amount is higher. 

In addition to fines, orders, supervisory measures and, in serious cases, personal consequences for members of management bodies are possible. Breaches of the reporting obligations (late or incomplete reports) and ineffective security measures are typical grounds for fines. Also of practical significance is the reputational and liability risk vis-à-vis customers, insurers and financiers. 

Conclusion

Many companies are being directly addressed for the first time. Those who now proceed in a structured way with an applicability check, a robust gap analysis and the swift implementation of core processes reduce fine and liability risks, improve their own resilience and secure their ability to operate within critical supply chains. 