
Finally: Germany enacts its NIS2 law

Germany’s NIS-2 Implementation Law enters into force

With the Dec. 6, 2025 promulgation of the “Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung”, Germany’s modernized cybersecurity framework took effect. The law implements the EU NIS2 Directive, which Germany should have implemented over a year ago. It substantially revises the BSI Act (BSIG) and expands its scope from about 4,500 regulated organizations to roughly 29,500 supervised entities. Companies must self-assess NIS‑2 applicability and, if in scope, are categorized as “important” or “essential” based on sector and statutory size thresholds (employees, turnover, balance sheet).

The law is not targeted at artificial intelligence systems, but it applies to AI systems used by organizations that are subject to NIS2 (the NIS2 Directive). These are medium and large companies (50+ employees/€10m+ turnover) in "essential" (Annex 1) and "important" (Annex 2) sectors, including energy, transport, banking, health, digital infrastructure (cloud, DNS, CDN), water, space, public administration, postal/courier, waste management, chemicals, food production, and manufacturing (vehicles, electronics, medical devices). It also covers suppliers to these entities and digital service providers (even outside the EU), and it can apply to smaller companies if they provide sole critical services, significantly broadening the scope beyond NIS 1.

In-scope entities face three core duties: (1) registration with the BSI, (2) prompt reporting of significant security incidents, and (3) implementation/documentation of risk management measures. KRITIS operators are deemed essential by law.

Affected entities register in two steps: first, create an organization account via “Mein Unternehmenskonto” (MUK) using ELSTER certificates; second, register in the new BSI portal from 6 January 2026, which will serve as the incident‑reporting hub. The BSI recommends setting up the MUK account by the end of 2025. Until portal registration is complete, NIS‑2 entities should use the BSI online form for significant incidents. Further official guidance is available on the BSI website.

Cybersicherheitsrecht: NIS-2-Umsetzungsgesetz ab morgen in Kraft (Cybersecurity law: NIS-2 Implementation Act in force as of tomorrow)
