NIS-2 Implementation Act in Germany: Affected organisations, obligations, business continuity management
With NIS-2, the EU is making cybersecurity a joint task. The German NIS-2 Implementation Act has been in force since 6 December 2025. What companies, authorities and other organisations need to know now about how they are affected, their obligations and the role of business continuity management.
What is NIS-2? What does the NIS-2 Implementation Act mean for Germany?
The NIS-2 Directive is the second EU directive on network and information security. It obliges significantly more organisations than before to systematically improve their IT and information security and report cyber incidents. It also makes cyber security a mandatory task at management level and supplements existing requirements such as the GDPR, ISO standards or BSI specifications – with significantly stricter sanctions for violations.
The NIS-2 Directive (Directive (EU) 2022/2555) has been in force at EU level since January 2023. As a directive it must be transposed into national law by each member state; in Germany this is done by the NIS-2 Implementation Act (NIS-2-UmsuCG), which came into force on 6 December 2025. There is no general transition period: affected organisations and companies must fulfil their obligations from the date of entry into force.
Check NIS-2 compliance: These organisations must act
In Germany, an estimated 29,500 additional organisations are affected, either as important entities ("wichtige Einrichtungen", wE) or as particularly important entities ("besonders wichtige Einrichtungen", bwE; the German counterpart of the directive's "essential entities"). Whether an organisation is affected depends on two things: whether it belongs to one of the regulated sectors, and its size, measured by number of employees, annual turnover and annual balance sheet total.
The organisations affected include:
- operators of critical infrastructure (KRITIS, "Kritische Infrastrukturen"), which are automatically classified as bwE, and
- natural persons, legal persons or legally dependent organisational units of a local authority
- that offer goods or services to other natural or legal persons in return for payment,
- that are assigned to one of the affected sectors, and
- that have at least 50 employees (wE) or at least 250 employees (bwE), or
- that have an annual turnover of more than 10 million euros (wE) or 50 million euros (bwE) and
- an annual balance sheet total of more than 10 million euros (wE) or 43 million euros (bwE).
The headcount and the financial thresholds are alternatives: an organisation is covered once it reaches the employee threshold, or once it exceeds both the turnover and the balance sheet threshold.
The affected sectors include energy; transport; banking; financial market infrastructure; healthcare; drinking water and wastewater; digital infrastructure; management of ICT services; public administration; and space. Also affected are postal and courier services; waste management; the production, manufacture and trade of chemicals; the production, processing and distribution of food; manufacturing and production of goods; digital service providers; and research.
NIS-2 obligations: Registration, risk management and reporting obligations
Affected organisations face extensive new requirements. The most important obligations of the German NIS-2 Implementation Act at a glance:
Registration obligation
Important and particularly important entities must register with the registration body no later than three months after they first (or once again) meet the criteria of NIS-2. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is both the registration body and the supervisory authority for affected organisations in Germany.
Risk management
In accordance with § 30 BSIG-new (BSI Act), affected organisations must implement and document suitable, effective and proportionate risk management measures. The aim of these measures is to prevent disruptions and to minimise the impact of security incidents. The law names the minimum areas these measures must cover, including risk analysis, incident handling, business continuity (backups, disaster recovery and crisis management), supply chain security, and the use of cryptography and multi-factor authentication. For organisations affected by NIS-2, the improvement of cyber security therefore explicitly includes incident management and business continuity management.
Mandatory reporting
The BSI must be notified of significant security incidents, i.e. serious operational disruptions or incidents that could cause significant material or immaterial damage to third parties. The reporting process is staged along the timeline set by the NIS-2 Directive: an early warning within 24 hours of becoming aware of the incident, an incident report within 72 hours, and a final report no later than one month after the incident report.
What are the penalties for NIS-2 violations?
For violations of the NIS-2 Implementation Act, affected organisations face severe penalties that go well beyond previous regulations. Violations include a lack of risk management, inadequate security measures or failure to comply with reporting obligations; in other words, not only security breaches but also organisational failures are sanctioned. The amount of the fine depends on whether the organisation is an important or a particularly important entity: for particularly important entities, fines of up to 10 million euros or 2 % of global annual turnover, whichever is higher; for important entities, up to 7 million euros or 1.4 % of global annual turnover, whichever is higher. In addition there is the threat of binding instructions, enforcement measures and reputational damage.
§ 38 BSIG-new expressly obliges management boards to implement the risk management measures and to monitor their implementation, and requires them to attend training on a regular basis. Members of the management board are personally liable if they culpably breach these implementation and monitoring duties.
Business continuity management: obligation and success factor for NIS-2 compliance
NIS-2 is aimed at the resilience of organisations: they must remain able to act even during cyberattacks, IT outages or other crises. Because NIS-2 requires critical business processes to be maintained, business continuity management (BCM) plays a central role in meeting the obligations of the NIS-2 Implementation Act.
Concrete emergency measures must be defined and documented in advance so that the organisation can react immediately when a crisis occurs. Against the backdrop of increasing cyberattacks, one thing is crucial for a continuous ability to act: teams must be able to keep communicating and collaborating even while the primary systems are unavailable. EVAC by mailbox provides a reliable secondary communication infrastructure for exactly this case, when the primary systems fail.