NIS-2 Implementation Act Now In Force - Are You Prepared?
The NIS-2 Directive
The NIS-2 Directive (Network and Information Security 2, NIS-2) obliges all EU member states to ensure a uniformly high level of cybersecurity for critical and important facilities. With the new directive, the EU extends its cybersecurity push beyond critical infrastructures to other "essential and important facilities".
Now that the NIS-2 Implementation Act (NIS2UmsuCG for short) and the amended BSIG are in force in Germany, preparation has given way to obligation. Companies covered by the NIS‑2 Directive must now fully comply with all requirements. Organizations that are not yet ready face immediate pressure, as reporting processes, risk management, and technical security measures have become mandatory.
We are at your side throughout this process. We support you in completing the implementation of NIS‑2 requirements and in critically reviewing measures that are already in place, so you can move forward with confidence and clarity.
When Did the NIS-2 Implementation Act Come Into Force?
The German implementation act for the NIS-2 Directive came into force on December 6, 2025. The first step for affected companies is to register as an NIS-2 entity with the BSI via the new BSI portal by March 6, 2026, at the latest. After that, the extended risk management requirements and the obligation to report significant security incidents apply, under the supervision of the BSI.
What Requirements Must Companies Fulfill?
Companies affected by NIS-2 are obliged to operate a verifiable information security management system (ISMS). Based on this, they must take appropriate technical, operational and organizational measures to control cyber security risks, prevent security incidents and minimize potential impacts. The requirements of NIS-2 apply to the entire company, not just to individual systems or services classified as critical.
Which Companies Are Affected?
The NIS-2 Directive covers 13 sectors that are of crucial importance to the economy and society. It applies to companies with 50 or more employees, or whose annual turnover and annual balance sheet total each reach 10 million euros.
What Do Companies Need to Know When Reporting Security Incidents?
Companies that are subject to NIS-2 report significant security incidents to the BSI via the central BSI portal. The previous KRITIS reporting channels (MIP/MIP2) no longer apply to NIS-2 companies; they are used only by KRITIS operators and federal authorities on a transitional basis or, in exceptional cases, where a report is necessary before registration on the portal. The statutory reporting process has three stages: an initial report within 24 hours, a follow-up report within 72 hours, and a final report no later than one month after the initial report.