Flipping the NIS2 Switch: What Germany's Implementation Means for 2026 Compliance
Germany’s Act implementing the NIS2 Directive ((EU) 2022/2055) is finally a reality. Well over a year after the expiry of the Directive’s deadline for Member State implementation (see our EU-wide NIS2 implementation tracker and our previous alert on the German implementation), the Act’s entry into force on December 6, 2025 marks the completion of a legislative package that anchors the country’s updated cybersecurity framework, including the substantially revised BSI Act, and triggers the statutory registration timelines.
For many organizations operating in Germany, the Act introduces broad new compliance obligations, most notably mandatory registration with the Federal Office for Information Security (BSI) and extensive operational and governance requirements. Below we highlight key elements of the amended BSI Act that deviate from or further specify important aspects of the NIS2 Directive. We also provide insights into the key changes made in the Act’s wording during the parliamentary process.
Germany integrates the European framework into its longstanding cybersecurity architecture revolving around the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and provides for additional requirements, such as mandatory disclosure of certain ICT components (addressed below). Like NIS2, the Act employs a tiered system of regulated entities, distinguishing between “particularly important entities” (besonders wichtige Einrichtungen) and “important entities” (wichtige Einrichtungen) under Section 28 of the BSI Act. These categories mirror the Directive’s “essential” (wesentlich) and “important” (wichtig) entities.
However, unlike some other EU Member States, Germany did not adopt a standalone law to implement the NIS2 Directive. Instead, it amended the existing BSI Act, which already served as the transposition instrument for the original NIS Directive and its concept of “critical” entities (KRITIS). As a result, the revised BSI Act layers the new NIS2 categories on top of the pre-existing KRITIS framework, which includes the separate classification of “critical entities,” resulting in a more granular scoping model than the one envisaged at the EU level and more stringent substantive requirements. For NIS2 purposes, all entities designated as “critical” under the BSI Act will automatically be reclassified as “particularly important entities.”
As a general rule, an entity falls within scope of the NIS2-equivalent rules of the BSI Act if:
Certain categories of entities, particularly in the digital, data processing, and telecommunications sectors, may be covered irrespective of size.
One of the most significant German deviations from the NIS2 Directive is the exemption in Section 28(3) of the BSI Act for ancillary activities. Based on this exemption, companies will not be subject to the BSI Act if the degree to which they engage in covered activities is considered to be “negligible.” The Act, however, does not define “negligible,” and the explanatory memorandum offers only non-binding indicators, including quantitative elements (e.g., turnover and headcount) and qualitative factors (e.g., references in corporate documents), ultimately requiring a holistic case-by-case assessment. The exemption may be useful for companies whose core business does not involve NIS2-relevant activities, but it is expected to leave some legal uncertainty.
Moreover, there is a question as to the compatibility of the exemption with EU law generally. Since the exemption is not provided for by the NIS2 Directive itself, it may very well be a violation of the minimum harmonization standard of Article 3 of the Directive.
Section 33 of the BSI Act provides that in-scope entities must proactively register with a reporting office jointly established by the BSI and the Federal Office for Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK) within three months of the BSI Act taking effect.
Registration, however, is not yet possible and any further details regarding the registration process are yet to be defined and published by the authorities on their websites.
The German legislator maintained its extensive ICT component framework for critical entities now anchored in Section 41 of the BSI Act. This means that for critical entities, the Federal Ministry of the Interior may prohibit the use of certain components if their deployment is likely to endanger public order or national security. Such a prohibition leads to immediate compliance obligations, including:
To facilitate this review by the Ministry, critical entities must now also disclose the specific types of critical components they deploy when making their registration with the competent authority (Section 33(2) of the BSI Act).
The BSI is granted substantially expanded supervisory and enforcement powers under Sections 61 and 62 of the BSI Act, including broad inspection rights, binding orders, and strengthened sanctioning authority. Entities are required to maintain detailed, demonstrable documentation of their cybersecurity measures.
The sanctions regime under Section 65 of the BSI Act is elevated to bring it up to par with the NIS2 Directive:
Implementing Article 20(1) of the NIS2 Directive, the BSI Act also introduces personal liability for members of management bodies under Section 38 of the BSI Act.
Under NIS2, management bodies of in-scope entities must approve their entity’s cybersecurity risk-management measures and oversee their implementation. The wording of Section 38 of the BSI Act goes far beyond that, requiring the management bodies to “implement” such measures instead of merely approving them. This is likely an editorial mistake, particularly as the explanatory memorandum for the German implementation speaks only of “approval.” In any event, the BSI Act adds to that obligation by allowing management bodies of relevant entities to be held personally responsible for failures to implement and oversee the required measures.
In this context, Section 2(13) of the BSI Act provides a detailed and clear definition of “member[s] of management bodies,” identifying them as the natural persons who, by virtue of law, articles of association, or partnership agreement, are appointed to manage and represent a particularly important entity or important entity. With that definition, German law covers only the executive powers of an organization, but not its supervisory powers, meaning that in a two-tier structure of supervisory board and executive board only the latter would be captured.
The adoption of the NIS2 Implementation Act represents a decisive shift toward a more mature and harmonized cybersecurity regulatory landscape in Germany.
In-scope organizations will want to mind the registration deadline of three months after the BSI Act enters into force, i.e., by April 2026.
In addition, companies that weren’t previously subject to KRITIS or sector-specific cybersecurity regimes will want to pay attention to bridging the potential gaps between their current cybersecurity programs and the new requirements under the BSI Act.