The NIS-2 Directive became binding in the EU at the beginning of 2023 in order to ensure a uniformly high level of protection for critical and important services in all member states. The first step for the member states was to transpose the directive into national law.
In Germany, the BSI Act (BSIG) is being comprehensively amended by the "Act Implementing the NIS-2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration" (NIS2UmsuCG for short). After intensive drafting phases and hearings, interrupted by a change of government, the current Bundestag approved the law on November 13, 2025. With the approval of the Bundesrat and publication in the Federal Law Gazette, the final date is now set: 06.12.2025.
From this date onwards, affected companies must comply with the new requirements; there is no transition period.
We summarize the most important information about NIS-2 for you below.
Which companies are affected?
NIS-2 is addressed to companies in 13 sectors, including energy, transport, health, digital infrastructure, finance and insurance, public administration, recycling, food, manufacturing, and other critical industries.
The general rule for affected companies is:
- at least 50 employees, or
- an annual turnover or balance sheet total of at least €10 million,
- and operating in one of the relevant sectors.
With the NIS2UmsuCG, the BSI Act is being revised ("BSIG-neu"). The key point is the introduction of the following categories:
- "Particularly important entities" (including, among others, operators of critical facilities and large companies in highly critical sectors).
- "Important entities" (other companies in the sectors listed in Annexes I and II).
The main difference lies not so much in the obligations themselves as in the type of supervision: particularly important entities are supervised regularly, while important entities tend to be supervised on an ad hoc basis.
What are the most important obligations for companies?
- Registration: Affected companies must register with the BSI as "important" or "particularly important" entities within the specified time frame, providing details of their essential services and contact persons, among other things, and must keep this information up to date when it changes. The registration page is not yet available and is expected to be published shortly.
- Governance & responsibility: Management bears overall responsibility for cybersecurity, must approve risk management measures, monitor their implementation, undergo regular training, and is personally liable for serious violations.
- Risk management: Companies must establish and maintain appropriate risk management, define clear roles and decision-making processes, and systematically identify and assess risks to their network and information systems.
- Technical and organizational measures (TOM): Appropriate technical and organizational security measures must be implemented, ranging from incident and emergency management, supply chain security, secure development, effectiveness controls, training, and cryptographic concepts to access control and strong (multi-factor) authentication. It is important that the measures taken are proportionate, take into account the state of the art and internationally accepted standards, and follow an all-hazards approach.
- Reporting requirements & sanctions: Significant security incidents must be reported promptly in a three-stage process. Violations are subject to heavy fines (comparable to the GDPR) and further intervention by the BSI, including the imposition of measures or restrictions on management functions.
What else has changed recently?
In June 2025, our experts had already examined the NIS-2 draft bill and summarized and classified the most important points. Since then, two points have been adapted further:
- Scope clarified rather than simply expanded: The scope of application has been tailored more precisely. Companies in which critical activities account for only an insignificant share of their business are not automatically classified as (particularly) important entities.
- Critical components, new reporting requirements, and expanded rights of intervention: For critical components, the originally planned reporting requirement prior to initial use and the formal guarantee of trustworthiness from manufacturers have been dropped. Instead, operators now report the types of components in use as part of the registration process, while the BMI has been given significantly expanded powers under the new BSIG to prohibit the use of certain components or manufacturers on a risk-based basis. This also applies to components already in use.
What does the Commission Implementing Regulation mean for companies in certain industries?
In addition to the NIS-2 Directive, there is also the Commission Implementing Regulation (EU) 2024/2690, which specifies in detail how certain NIS-2 requirements are to be implemented in practice. This applies in particular to risk management measures and the classification of “significant” security incidents. Unlike the directive itself, this regulation does not first have to be transposed into German law, but applies immediately and uniformly in all EU member states upon the entry into force of the respective country-specific NIS-2 laws. It is primarily aimed at digital infrastructure providers and digital services (e.g., DNS services, cloud, data centers, online marketplaces, social networks, managed service providers) and defines very detailed minimum technical and organizational requirements for them.
Companies should now carefully check whether they fall under the implementing regulation, as central IT or digital units within corporate groups in particular can quickly fall within its scope. The new requirements are formulated in much more concrete terms, which raises both their verifiability and the expectations for implementation.
Maximilian Müller, Managing Consultant, usd AG

Final word: It's time to take action
With the entry into force of the NIS2UmsuCG and, accordingly, the new BSIG, the transition phase for preparing for NIS-2 has come to an end. Affected companies must now comply with the requirements in full and without exception. Those who are not yet prepared are under pressure to act: reporting processes, risk management, and technical measures are mandatory.
The publication of the German implementation law marks an important milestone. Companies now have the planning certainty they need and know what standards they will be measured against. What remains unclear, however, is which highly critical companies will actually have to provide proof of compliance. We’ll stay on top of this for businesses and share updates as soon as there’s more clarity.
Vinzent Ratermann, Managing Consultant and Expert in IT Security of Critical Infrastructure, usd AG

Do you need support with the final implementation of requirements and/or the review of measures taken? We will support you in this process. Get in touch with us.