NIS2 compliance – check promptly to be on the safe side

New cybersecurity requirements 

Germany’s NIS2 implementation law entered into force on Saturday, December 6th, 2025. It sets out strict IT security requirements and reporting obligations for numerous companies.

If no one at your company has checked whether this is relevant to your business, now would be a really good time to do so.

Estimates suggest that around 30,000 companies in Germany are affected. By comparison, only around 1,000 companies are classified as critical infrastructure under the existing KRITIS legislation.

Does your company belong to one of the following industries or sectors?

  • Health
  • Manufacture of machinery or vehicles
  • Transport & logistics
  • Finance
  • Water or electricity supply
  • Production, processing and distribution of food
  • Manufacture of medical devices and in vitro diagnostics

And: Does your company have more than 50 employees? Or, if you have fewer than 50 employees, do you still generate more than €10 million in turnover?

If one of these two points applies, it is time for an in-depth check on the BSI website (in German).

If it turns out that your German company falls under NIS2, you must first register with the Federal Office for Information Security (BSI).
The BSI will be responsible for supervising affected companies in future. You can then take care of the next steps gradually.

By the way: Anyone who fails to take action in time despite the existing registration requirement risks a fine after a three-month transition period.

  • The BSI’s questionnaire is clear and structured and can be completed in a short amount of time.
  • If you wish, we will be happy to assist you and go through it with you: experience shows that this takes no longer than 15 minutes.

We can also assist you in assessing the steps that may need to be taken afterwards (in Germany).

NIS2 implements a European Directive which has been in force since January 2023. Member states had until October 2025 to transpose the NIS2 Directive into national law. It establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. The status of transposition into local law differs between the EU member states, with around 17 member states having adopted local law implementing the directive.

Summary:
Does your company fall under NIS2 requirements? It is best to check quickly and, in Germany, if necessary, register with the BSI in good time. You can then take all further steps gradually.

