Cybersecurity regulation in Germany (2026)

Germany's first cross-sectoral law for the physical and organizational resilience of critical facilities, transposing the EU CER Directive (2022/2557); operators must adopt resilience plans, report incidents to BBK and BSI, and register by 17 July 2026. It complements the cyber-focused NIS2 regime with all-hazards (sabotage, natural disaster, terrorism) protection.

Germany transposed the EU NIS2 Directive, comprehensively amending the BSIG and expanding regulated entities from roughly 4,500 to about 29,000 across 13 sectors, with management liability, 24-hour incident reporting and fines up to EUR 10 million or 2% of global turnover. The BSI registration portal opened 6 January 2026 with no general transition period.

A ransomware group encrypted the servers of municipal IT provider Südwestfalen IT, knocking out finance, residents' registration, vehicle and registry-office systems across more than 70 municipalities, mostly in North Rhine-Westphalia. It became one of Germany's most disruptive attacks on local-government infrastructure, underscoring KRITIS supply-chain risk.

Interior Minister Nancy Faeser removed the head of the Federal Office for Information Security after media allegations of links to a cybersecurity association connected to Russian intelligence; a court later found the central accusations to be unfounded. The episode triggered scrutiny of BSI's independence and leadership amid heightened post-invasion threat levels.

The Federal Cabinet adopted a five-year strategy with 44 objectives across four guidelines, replacing the 2016 strategy and emphasizing digital sovereignty, security as a shared state-business-society task, and—for the first time—transparent implementation monitoring. It frames the policy direction underpinning subsequent legislation.

A ransomware attack crippled the district administration serving ~157,000 residents, halting welfare payments and vehicle registration and prompting the first-ever official cyber disaster declaration in Germany. It became a defining demonstration of municipal vulnerability driving stronger KRITIS rules.

The most comprehensive pre-NIS2 expansion of the BSIG: it introduced the 'companies in special public interest' (UBI) category, mandatory state-of-the-art attack-detection systems for KRITIS operators (applicable from May 2023), a component ban for critical components, and fines up to EUR 20 million. It significantly strengthened BSI's supervisory and enforcement powers.

Germany transposed the EU's first Network and Information Security Directive (2016/1148), extending BSI oversight and creating wholly new obligations for digital service providers while building on the existing KRITIS framework. It aligned German law with the EU's first common cybersecurity baseline.

Germany's foundational cybersecurity statute introduced the KRITIS regime, requiring critical-infrastructure operators to implement 'state of the art' security and report significant incidents to BSI, with biennial proof of compliance (BSIG §8a). It established the regulatory architecture that all later acts build on.

A new BSI Act came into force on 20 August 2009, laying the legal foundation for the BSI as it exists today and giving the office expanded powers to protect federal networks. It is the statutory basis later amended by the IT Security Acts and the NIS2 implementation.

The BSI began work on 1 January 1991 under the BSI Establishment Act, evolving from the cryptographic department of the BND intelligence service into Germany's central federal cybersecurity authority. It is the institutional cornerstone of every subsequent German cybersecurity law.