12-05-2025 Article

Get ready: NIS2 Implementation Act in Germany in force!

Update Information Security No. 8

With today's announcement of the NIS2 Implementation Act, the long-awaited implementation of the NIS2 Directive into German law is finally happening after a long delay. The law will take effect immediately on December 6, 2025, raising the level of protection for both the federal administration and a greatly expanded number of private undertakings, and establishing new cybersecurity obligations.

Key points at a glance

The amended BSI Act (BSIG), as a central component of the NIS2 Implementation Act, significantly expands the scope of application: In the future, a large number of companies and organizations will be subject to the provisions of the BSIG. The sectors defined by the law and – depending on the area of activity – the respective legally defined thresholds for number of employees, turnover, and balance sheet total are decisive.

Affected companies are subject to extensive cybersecurity obligations. These include, in particular: registration, implementation, and documentation of information security risk management, as well as reporting of significant security incidents. See also the further information on our expertise website.

In addition, the NIS2 Implementation Act also brings changes to various other laws, such as the Energy Industry Act (EnWG).

What further steps need to be taken now?

The NIS2 Implementation Act does not provide for a transition period. This means that the new requirements will apply immediately from December 6, 2025. In particular, this means:

  • Impact assessment: Companies are required to independently assess whether they fall within the scope of the NIS2 Implementation Act. The impact assessment should be clearly documented so that it can be submitted to the supervisory authorities if necessary.
  • Gap analysis and implementation: Affected companies must check whether and to what extent they already comply with the legal requirements, in particular the new reporting obligations and the risk management requirements. Any missing measures and process gaps must be closed or adjusted as quickly as possible to achieve the necessary compliance, and the results must be documented in a verifiable way.
  • Registration: The BSI provides for a two-stage registration process. First, an account must be created in the digital service "Mein Unternehmenskonto" (MUK). The new BSI portal will then be activated on January 6, 2026; it will serve in particular as the registration and reporting point for significant security incidents. Registration must be completed within three months of the law coming into force.

If a significant security incident occurs before registration on the BSI portal, it must be reported using an online form provided for this purpose. This ensures that reporting obligations can be fulfilled without interruption, even while the portal infrastructure is still being set up.

Conclusion

With the NIS2 Implementation Act, German lawmakers have significantly tightened cybersecurity requirements in Germany. The organizational effort involved – from impact assessment and registration to operational implementation – should not be underestimated.

Companies that do not yet fully comply with the new legal requirements should therefore address this issue without delay. The following approach is recommended:

In the short term, the focus should be on assessing the impact, planning the registration process, and ensuring that incidents can be reported. At the same time, risk management should be reviewed and any necessary adjustments made.
 
