Cybersecurity · Germany

Comprehensive law: BSI Act (BSI-Gesetz / BSIG) as recast by the NIS-2 Implementation Act (NIS2UmsuCG), in force 6 December 2025, transposing EU Directive (EU) 2022/2555 (NIS2); enforced by the Federal Office for Information Security (BSI). Complemented by the KRITIS-Dachgesetz (CER Directive), sector rules and EU DORA for finance.

Germany has a comprehensive horizontal cybersecurity regime centred on the BSI Act, recast by the NIS-2 Implementation Act (NIS2UmsuCG), which entered into force on 6 December 2025 and replaced the earlier IT Security Act 2.0 framework. It imposes risk-management, governance and incident-reporting duties on roughly 29,500 'important' and 'particularly important' entities across 13+ sectors, with management liability and fines up to EUR 20 million enforced by the BSI. Sector-specific layers (KRITIS-Dachgesetz for physical resilience of critical entities, and EU DORA for the financial sector) sit alongside the BSIG.

Primary law in force

The NIS-2 Implementation Act (NIS2UmsuCG) recast the BSI Act (BSIG) and entered into force on 6 December 2025, after Bundestag approval on 13 November 2025 and publication in the Federal Law Gazette on 5 December 2025. There is no general transition period.

Expanded scope

The BSIG now covers 'important' (wichtige) and 'particularly important' (besonders wichtige) entities plus operators of critical installations across 13+ sectors (energy, transport, health, digital infrastructure, finance, public administration, water, food, manufacturing, waste, etc.), expanding the regulated population from roughly 4,500 to about 29,500 entities.

Incident reporting (Meldepflicht)

Significant security incidents must be reported to the BSI in stages: an early warning within 24 hours of awareness, a fuller incident notification within 72 hours, and a final report within one month. Reporting runs through the new BSI portal (online form, with pre-registration).

Registration & supervision

In-scope entities must register with the BSI (via the 'Mein Unternehmenskonto'/ELSTER account and the BSI portal, opened in 2026) within three months of falling under the law. The BSI is the competent supervisory authority with audit and enforcement powers.

Governance & liability, sanctions

Management bodies must approve and oversee cybersecurity risk-management measures and can be held personally liable; non-compliance can trigger fines of up to EUR 20 million, making cybersecurity a board-level duty.

Sectoral overlays (KRITIS-DachG, DORA)

The KRITIS-Dachgesetz (transposing the CER Directive 2022/2557, passed by the Bundesrat on 6 March 2026) adds physical/organizational resilience duties for critical entities, with registration via a joint BBK/BSI portal. The financial sector is primarily governed by EU DORA, which acts as lex specialis alongside the BSIG.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.