Immediate considerations for “important” and “essential” entities
On Dec. 5, 2025, the German act implementing the EU NIS 2 Directive was published. The centerpiece of the German implementation is the newly revised Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSI Act, BSIG), which redefines security-related requirements for companies and public bodies across Germany and fundamentally modernizes the regulatory framework for IT security. The number of regulated entities may increase from approximately 4,500 to around 29,000. For these entities, the new requirements will generally apply from the day after publication in the Federal Law Gazette; there is no general transitional period. In practice, this means that cybersecurity may no longer be viewed primarily as a technical task for the IT department, but becomes an immediate, liability-exposed leadership responsibility of a company’s management body.
1. Background: From NIS to NIS 2 – and Now to the New BSI Act
The NIS 2 Directive (Directive (EU) 2022/2555) is intended to harmonize the level of cybersecurity within the EU and strengthen the digital resilience of critical sectors (for more information, please see our previous GT Alert on the EU NIS 2 Directive). Compared to the original NIS Directive of 2016, it significantly broadens the scope of application – both in terms of the sectors covered and the number of entities affected. Germany, like some other Member States, did not meet the transposition deadline of Oct. 17, 2024. The recently adopted NIS2 Implementation Act (NIS2UmsG) and the associated revision of the BSI Act – as well as corresponding amendments to sector-specific legislation – now close this gap. The obligations set out in the new BSI Act are directly applicable and constitute the concrete legal basis for supervision, reporting channels, and sanctions in Germany.
The German implementing act shapes the EU framework in two main ways. First, it specifies sectoral competences and supervisory powers, for example in relation to telecommunications undertakings and operators of critical installations. Second, it reorganizes the federal administration by designating the Federal Office for Information Security (BSI) as the “Federal CISO” (CISO Bund), tasked with defining minimum requirements for federal authorities. This public-sector security layer exists in parallel to the economic regulation and particularly affects authorities that were previously not within the scope of the BSI Act.
2. Scope of Application: Who Is in Scope?
For private-sector actors, the new BSI Act applies to so-called “essential entities” and “important entities” within the meaning of the NIS 2 framework. Classification follows a combined system based on sector and size. A wide range of sectors are covered, including energy, transport, financial services, health, and digital infrastructure, but also areas such as waste management, mechanical engineering, and research. Where a company’s activities fall within one or more of the “types of entities” listed in Annexes 1 and 2 to the BSI Act, the so-called size-cap rule then looks at the company’s number of employees, turnover, and balance sheet total. In addition, certain operators are in scope regardless of their size, such as operators of critical installations, qualified trust service providers, DNS service providers, and top-level domain registries, as well as providers and operators of public electronic communications networks and services.
As a result, many entities will be regulated for the first time – in particular IT service providers, manufacturers in the machinery and electronics sectors, and research institutions. There is no individual notification by the authorities; entities must determine and document their status themselves. For the management body, this classification thus becomes a leadership task, not merely a formal compliance requirement.
For the purposes of the size-cap rule, what matters is not only the turnover or balance sheet total generated in the relevant type of activity, but the company’s overall turnover and balance sheet total. Consequently, entities whose primary business lies outside the explicitly listed “critical” areas may still fall within scope. One example would be real estate companies that operate photovoltaic installations on their own properties and supply tenants with “tenant electricity” generated from those installations. Against this background, the BSI Act allows activities to be disregarded for classification purposes where they are “negligible” in the context of the entity’s overall business. However, the Act does not define when this threshold is met. It also remains unclear, in group structures where the relevant thresholds are exceeded only on a consolidated basis, whether the assessment of “negligibility” should refer to the importance of the activity at group level or at the level of the individual group company carrying out the relevant activity. Entities should therefore carefully substantiate and document any position that a potentially critical activity is negligible.
Sector-specific security obligations – for example under telecommunications or energy legislation – remain in force and are supplemented by NIS 2 requirements. The new BSI Act does not displace these rules; rather, it establishes an overarching, horizontal security framework while, to avoid double regulation, clarifying that sectoral legislation takes precedence where it regulates the same subject matter in more detail. In practice, however, implementation may require parallel compliance efforts.
3. Core Obligations under the New BSI Act: Risk Management, Supply Chain, Documentation
The central substantive provision is section 30 BSI Act, which requires in-scope entities to implement appropriate, effective, and proportionate technical and organizational measures to ensure the availability, integrity, and confidentiality of their IT systems. In functional terms, this equates to establishing a systematically managed information security management system that continuously assesses risks, implements measures, and regularly reviews their effectiveness.
Already at this level, the law clearly broadens the perspective. The focus is not on a specific security product or individual technical solution, but on a holistic governance approach that integrates corporate governance, operational processes, and technical infrastructure.
Particular regulatory attention is given to the supply chain. Entities must not only implement measures internally, but also ensure that essential service providers and suppliers comply with adequate security standards. This includes careful selection and ongoing oversight of external providers, contractual security obligations, alignment of incident response processes, and regular reviews of the business relationship. The supply chain thus becomes a distinct risk factor, whose assessment and control are integral elements of the overall compliance regime.
Documentation also plays a central role. Entities must be able to demonstrate decisions, risk analyses, the implementation of measures, and their effectiveness in a comprehensible manner in order to provide robust evidence to the BSI in case of audits or investigations. Documentation is therefore not merely an administrative byproduct but the cornerstone of regulatory accountability.
In addition, certain minimum technical requirements are further specified through EU-level instruments. The NIS 2 implementing regulation adopted at EU level sets out detailed requirements that will indirectly guide the interpretation of German law, particularly regarding mandatory attack-detection capabilities and cryptographic protections. For operators of critical installations, additional restrictions may apply to the use of specific components where their deployment entails security risks.
4. Incident Reporting: 24 Hours, 72 Hours, 1 Month
Significant security incidents will be subject to a structured and time-critical reporting process to the BSI. Within 24 hours of becoming aware of an incident, entities must submit an initial notification enabling the authority to obtain a rapid situational overview. Within 72 hours, this must be supplemented with detailed information, including an initial root-cause analysis, affected systems, and potential impacts. No later than one month after the initial report, a final report must be submitted, documenting mitigation measures, an in-depth analysis of the incident, and derived preventive steps. The BSI may also request interim reports.
This regime goes beyond the familiar GDPR personal data breach notification model, as it does not primarily focus on personal data, but on the functioning and integrity of critical systems. To meet the deadlines, entities need not only technical detection mechanisms, but also clearly defined internal escalation paths, clear allocation of responsibilities and decision-making powers, and a consistent interplay between IT, the CISO function, legal, compliance, and corporate communications.
Where entities are already subject to incident reporting obligations under sector-specific regimes such as the GDPR or telecommunications law, a multi-layer incident reporting framework may emerge. The BSI Act does not fully harmonize these obligations, but expects entities to comply with them in parallel. In practice, this calls for integrated reporting processes that avoid duplication and delays.
5. Management Body in the Spotlight: Personal Responsibility and Liability
One of the most significant shifts compared to the previous regime concerns the management body. The BSI Act expressly codifies responsibility at this level and does not rely solely on the formal corporate organ structure, but on de facto managerial responsibility within the entity. This means that CFOs, general partners, and other senior executives with strategic decision-making powers may fall within the scope of these duties.
Under section 38 BSI Act, the management body must not only approve the necessary security measures but actively monitor their implementation and ensure that it remains sufficiently qualified to assess the associated risks. The legislative materials envisage training at least every three years. According to the BSI, a simple certificate of attendance will not suffice; instead, detailed records must be kept of participants, content, trainers, and duration.
Particular importance attaches to personal liability. The Act links obligations to individual members of the management body and clarifies that responsibility cannot be completely delegated. Operational tasks may be assigned, but the overarching responsibility for key security-related decisions remains, in principle, with the management body. The extent to which internal delegations may have a liability-mitigating effect will depend on the entity’s concrete organizational structure and the emerging supervisory practice. Failures may trigger personal liability, particularly where inadequate risk assessments, deficient oversight of the supply chain, or late reporting lead to damage.
For entities, this means that allocation-of-responsibility schemes, management body bylaws, internal reporting lines, and indemnity arrangements should be reviewed and, where necessary, adjusted. Entities may wish to define who takes which security decisions, how risks are assessed, and how internal control systems are structured in governance documents such as managing director service agreements, articles of association, and organizational policies. Existing D&O insurance coverage may likewise need to be revisited, including with regard to exclusions for breaches of strategic leadership duties.
The provision therefore operates in two directions. It increases personal pressure on members of the management body while compelling entities to implement a clear, documented, and auditable security governance architecture that interlinks risk assessments, selection decisions, incident response processes, and supply chain security.
6. Sanctions: Turnover-Based Fines at Group Level
The BSI Act introduces a significantly stricter sanctions regime. Administrative fines are tied to the worldwide group turnover of the previous financial year, with the higher of a fixed amount and a percentage of turnover being decisive. For essential entities, the maximum fine is 10 million euros or 2% of worldwide annual turnover; for important entities, it is 7 million euros or 1.4% of turnover. As a result, even medium-sized entities might face substantial fines if they fall within scope.
In parallel, the BSI is granted broad audit and intervention powers, ranging from ordering specific security measures and assessing organizational and technical arrangements to prohibiting the use of certain components. This increases the importance of robust compliance documentation and consistent governance structures.
In addition to fines, the BSI Act empowers the Federal Ministry of the Interior to prohibit the use of certain IT components where their deployment would adversely affect public security. This may also have retroactive effect and is particularly relevant for components supplied by manufacturers subject to foreign state influence. For affected entities, this may necessitate the replacement of core infrastructure components.
7. Immediate Applicability Without a General Transitional Period
As a rule, the obligations under the BSI Act apply from the day after publication in the Federal Law Gazette. There is no general transitional period. The BSI has, however, made it clear that it does not intend to begin extensive enforcement action on day one. Nevertheless, it expects to see demonstrable implementation progress from entry into force. Entities that continue to “wait and see,” pointing to the previous draft status or the complexity of the framework, risk not only criticism from supervisory authorities, but also a weaker position in any subsequent liability proceedings.
8. Considerations for Companies
First, entities should determine whether they qualify as essential or important entities. This assessment should be documented and revisited regularly, especially in light of changes to the business model or corporate structure. In parallel, governance structures and allocation of responsibilities should be reviewed and, where appropriate, adapted so that responsibility for risk management, supply chain security, incident reporting, technical security, and training is clearly assigned and subject to transparent reporting obligations.
Taking stock of existing technical and organizational security measures may also be necessary, forming the basis for a concrete implementation roadmap for an information security management system under section 30 BSI Act. Particular emphasis should be placed on assessing the supply chain, given that external service providers and suppliers often operate critical systems or components. Depending on the outcome, measures may range from risk analysis and contract amendments through to replacing key service providers.
Companies may also wish to design incident reporting processes and incident response procedures so that significant security incidents can be detected, assessed, and reported within the statutory deadlines. In addition, entities should consider establishing a structured training program for the management body and key personnel that covers both legal requirements and practical decision-making, with appropriate documentation.
In groups with cross-border operations, further coordination is required where subsidiaries in different Member States are subject to different national NIS 2 implementing acts. As the NIS 2 Directive does not provide for full harmonization, divergences may be expected, for example in reporting deadlines, registration procedures, and supervisory approaches. Implementing group-wide measures might therefore require careful mapping against local requirements.
Beyond the substantive security obligations, the BSI Act introduces a mandatory registration obligation with the BSI (sections 33 et seq. BSI Act). The BSI has announced a two-step process for this. First, entities must set up a corporate account (Mein Unternehmenskonto (MUK)), which serves as the authentication layer and is based on ELSTER organization certificates. The BSI recommends creating this account by the end of 2025. From Jan. 6, 2026, entities must then register via the new BSI portal, which will serve both as the platform for fulfilling registration obligations and as the reporting channel for significant security incidents. Entities that suffer a significant security incident before completing portal registration must use the BSI’s interim reporting channels until the portal goes live.
Not every entity is required to implement every technically conceivable security measure. The legislature does not demand a maximum security level, but an appropriate and proportionate one. What matters is that the management body documents a considered engagement with the requirements, conducts a risk–benefit assessment, and takes conscious decisions on which measures are necessary — and why certain measures are not implemented for reasons of proportionality or lack of relevance. Such a reflected and well-documented decision-making basis is central to meeting supervisory expectations and to providing a defensible position in any liability context.
9. Conclusion: Regulatory Burden or Strategic Opportunity?
Taken together, the NIS2UmsG and the BSI Act establish a broad and demanding cybersecurity framework in Germany that no longer targets only traditional critical infrastructures, but large parts of the economy. The requirements are far-reaching and complex and are coupled with significant supervisory and liability risks. At the same time, they provide entities with an opportunity to anchor cybersecurity as a core leadership responsibility, professionalize internal security standards, and position themselves vis-à-vis customers, partners, and authorities as resilient market participants.
For some entities, implementation may not only be a regulatory burden, but also an opportunity to modernize governance structures and embed security processes sustainably. Those that act early may not only reduce risk, but may also be able to realize strategic advantages — particularly in sectors where supply chain security and compliance are becoming decisive competitive factors.
The interaction between the NIS 2 Directive, national implementing legislation, and sector-specific regimes creates a multi-layered regulatory framework spread across different normative levels and therefore requiring a systematic approach. Within this framework, the BSI Act is the central legal instrument in Germany. It does not replace other EU-level requirements — for example, on the security of specific products and services under the EU Cybersecurity Act — nor sector-specific security obligations, but complements them.