
11 February 2026
NIS 2 Directive Transposed in Germany – Time to Register with the BSI
After some delay, the NIS 2 Directive has now been transposed into German law and is binding as of 6 December 2025. The key legislation is the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik und über die Sicherheit in der Informationstechnik von Einrichtungen, BSIG). The BSIG, which previously transposed the first NIS Directive, has now been substantially revised under the German NIS 2 Implementation Act.
With the BSIG now in effect and the Cyber Resilience Act on the horizon, cybersecurity compliance requires close collaboration between IT teams, R&D, business units, and the legal department – not only to strengthen cyber resilience but also to ensure full legal compliance. In the following, we provide an overview of the BSIG and the key actions that entities should now take.
What Is the NIS 2 Directive?
The NIS 2 Directive is a cornerstone of the EU’s Digital Decade strategy (for more information on the EU Digital Decade, please refer to: Navigating the EU Digital Decade). It significantly expands the scope of regulated entities and imposes obligations to:
- implement structured cybersecurity risk management;
- adopt technical, organizational, and operational security measures;
- report incidents within strict deadlines;
- ensure management bodies assume expanded responsibilities; and
- maintain ongoing compliance documentation.
The German NIS 2 Implementation Act
Effective 6 December 2025, the German NIS 2 Implementation Act adapted various laws, most notably the BSIG. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the BSIG now applies to more than 29,500 companies in Germany. This means that approximately five times as many companies are within the scope of the new BSIG as were under the former BSIG. This is primarily due to the fact that new sectors are now covered by the BSIG, such as ‘Manufacturing’, a sector in which many German companies traditionally operate.
It is important to note that there is no transition period. All entities within the scope of the BSIG must comply with its requirements by 6 December 2025.
Entities in scope of the BSIG – German specifics
Unlike the NIS 2 Directive, which distinguishes between “essential” and “important” entities, the BSIG uses “very important” (besonders wichtige) and “important” entities. When assessing whether entities fall within the scope of the BSIG, Section 28(1) BSIG refers to specific thresholds. However, unlike the NIS 2 Directive, Section 28(3) BSIG stipulates that business activities that are “negligible” relative to the entity’s overall business activity are not to be taken into account when calculating these thresholds. As there is no official guidance on what constitutes a negligible business activity, companies must carefully consider whether to rely on this criterion, which may require a risk-based approach.
Registration obligations with the BSI
Entities within the scope of the BSIG must register with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The BSI registration portal has been available since 6 January 2026: [Link]
The registration requirement is set out in Sections 33 and 34 BSIG and must be fulfilled as follows:
- within three months of 6 December 2025 for entities already in scope;
- within three months of coming into scope for new entrants.
Operators of critical facilities and digital infrastructure may face additional requirements.
Changes to registered information must be reported without undue delay, and no later than two weeks after awareness.
Failure to register within the statutory deadline may expose companies to administrative fines and enforcement measures. Registration is not a mere formality – it is a legal prerequisite for compliance.
Notification obligations with the BSI and service recipients
Sections 32 and 35 BSIG stipulate that entities must report cyber incidents to the BSI, and, in some cases, to their service recipients.
The notification obligations towards the BSI are generally in line with the requirements under the NIS 2 Directive:
- an early warning must be submitted within 24 hours,
- an incident notification must be submitted within 72 hours, and
- a final report must be submitted within one month of the incident notification, or a progress report if the incident is still ongoing.
In general, notifications must be submitted via the BSI portal, which launched on 6 January 2026.
According to Section 35 BSIG, in the event of a significant incident, the BSI may require “very important” or “important” entities to immediately inform their service recipients if the incident could affect service provision. Entities operating in certain sectors may be required to immediately inform the BSI and their service recipients of any measures or remedial actions that the recipients can take in response to the incident.
Immediate Action Points
Compliance with BSIG requirements is not a one-off obligation – it must be embedded as an ongoing process. The following key actions should be prioritized immediately:
- Conduct an Applicability Assessment: Determine whether the BSIG applies to entities operating in Germany and assess obligations under national transposing laws for entities in other EU Member States.
- Complete Registration with the BSI: Initiate the registration process immediately and ensure completion within the mandatory three-month deadline.
- Review Incident Response Processes: Evaluate existing incident response procedures and update them as necessary to meet BSIG standards and the requirements of other applicable laws, such as the GDPR.
- Implement Robust Cybersecurity Measures: Introduce appropriate technical, organizational, and operational risk management measures where current controls are insufficient or absent.
- Assess Supply Chain Risks: Review the entire supply chain to identify and mitigate cybersecurity vulnerabilities.
Conclusion
With the revised BSIG, the obligations of the NIS 2 Directive have become a binding reality in Germany. Companies must act swiftly to avoid penalties and strengthen cyber resilience. And with the Cyber Resilience Act already on the horizon, one thing is clear: cybersecurity compliance is no longer just regulatory – it is strategic.
Our experienced advisors are here to support you in addressing cybersecurity from a legal perspective, working closely with your team.