Tuesday, November 25, 2025
Global Current News

German Bundestag approves legislation implementing the EU’s NIS2 cybersecurity directive

by Kyle L.
November 25, 2025
in Cybersecurity

On 13 November 2025, the German Bundestag passed new cybersecurity compliance regulations, marking the first of many such regulations in German law. These regulations implement the NIS2 Directive (EU) 2020/255 of the European Union. These new regulations aim to counter cyber threats, providing a more cohesive standard of security across the European Union.

A new compliance roadmap for businesses

NIS2 became operational in January 2023, requiring EU Member States to enact national laws by October 2024. The German Bundestag’s failure to implement new frameworks resulted in a cascade of lawsuits, creating great uncertainty for businesses operating in important sectors. The German Bundestag’s NIS2 Implementation Act closes this legal void and provides a new compliance roadmap for thousands of businesses.

The new law considerably broadens the range of entities that will be required to comply with new cybersecurity compliance regulations. Previous German compliance regulations concentrated on the operators of critical infrastructure units.

NIS2 expands the compliance regulations to extend to operators

NIS2 now extends the compliance regulations to operators in the energy, health, transport, and digital services sectors, as well as portions of manufacturing. Significantly, many of the law’s first requirements will be met by medium-sized businesses.

Entities are considered in scope if they employ more than 50 people or have an annual turnover and balance sheet total exceeding €10 million. These thresholds also account for linked enterprises unless their influence over IT systems is negligible. The expansion reflects the EU’s goal to enhance resilience across the entire digital economy, not just essential service providers.

New compliance requirements under the act

Under the NIS2 Implementation Act, companies now face new compliance requirements, which need to be implemented as soon as possible.

  • Registration with BSI: Entities falling under the scope of the legislation have 3 months to register with BSI, and registration details must be updated within 14 days of any change.
  • Incident Reporting: There is a new obligation for entities to report significant incidents promptly. This includes an initial report within 24 hours, a detailed report within 72 hours, and a final report within 30 days. These timelines will require internal processes to support the timely escalation of incidents.
  • Management oversight: The responsibilities of the management body have changed. Managers are now responsible for approving risk management initiatives, overseeing their implementation, and attending NIS2 training, which is now compulsory.
  • Supply chain security: The Federal Ministry of the Interior is now allowed to bar the use of certain high-risk components in key facilities. This also signals Germany’s focus on supply chain security.

The law amends other sector-specific laws apart from amending the BSI Act

The BSI Act will not only amend sector-specific laws, but it will also amend other laws, such as the Energy Industry Act (EnWG) and the Telecommunications Act (TKG). The goal is a unified cybersecurity policy in which digital resilience becomes a business norm instead of an isolated compliance activity.

To comply, several companies will need to conduct a thorough review of their governance (e.g., IT security, locks, incident response). There may be more scrutiny on reporting, emergencies, and supply chain gaps. Negligence would carry meaningful consequences, such as fines for management bodies.

The importance of streamlining operations in Germany cannot be overstated. To avoid greater compliance, cost, and regulatory risk, companies should assess their compliance status, update their risk defense posture, and lead threat practice from the top. Given the expected increase in enforcement, companies should prioritize the ability to withstand future regulatory compliance and cyber risk to their systems.
