If you read the nearly 100 pages of Germany’s NIS2 implementation law draft—officially titled NIS2-Umsetzungs- & Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)—you’d realize it’s not just another regulatory update. It’s a seismic shift, one that quietly redefines how thousands of German companies must approach cybersecurity governance, risk, and incident response. With the scope expanding nearly tenfold, and regulatory fines climbing to eye-watering levels, even mid-sized manufacturers and local utility firms now find themselves firmly in the NIS2 crosshairs.
Without further ado, let’s explore how Germany is implementing the NIS 2 Directive, what this means for regulated entities, and what you should be doing right now to prepare for a NIS2 compliance audit—even before the law officially takes effect.
Where Germany stands on NIS 2 transposition
The German government’s response to the NIS 2 Directive is encapsulated in a comprehensive legislative draft known as NIS2UmsuCG—short for NIS2-Umsetzungs- & Cybersicherheitsstärkungsgesetz. It doesn’t just amend but completely rewrites the existing BSI-Gesetz, marking one of the most significant cybersecurity legal overhauls in German history.
Yet, progress has been rocky. The draft law was adopted by the Federal Cabinet on 24 July 2024 and passed its first Bundestag reading in October. However, it has been stuck in the parliamentary committee stage ever since, largely due to the early federal elections in February 2025. This delay means Germany missed the official NIS2 transposition deadline of 17 October 2024, exposing it to EU infringement proceedings.
Here’s a closer look at the timeline:
NIS 2 implementation timeline in Germany
| Date | Milestone | Status |
| --- | --- | --- |
| Jan 2023 | EU Directive (EU 2022/2555) enters into force | Implemented EU-wide |
| Jul 24, 2024 | Federal Cabinet adopts NIS2UmsuCG draft | Completed |
| Oct 11, 2024 | First Bundestag reading, referred to Interior Committee | Completed |
| Dec 2024 | Committee hearings and feedback from industry | Completed |
| Feb 2025 | Bundestag dissolved for snap elections | Delayed |
| Q4 2025 (est.) | Law enters into force after second/third reading and Bundesrat approval | Pending |
This delay creates a regulatory gap, especially since neighboring countries like France and the Netherlands have already enacted their transposition laws.
Technical structure of the German NIS2 law
Germany’s draft law retains the KRITIS model (for critical infrastructure) but adds two new categories for broader coverage: besonders wichtige Einrichtungen (“very important entities”) and wichtige Einrichtungen (“important entities”). This expansion raises the number of regulated entities from 4,000 under IT-SiG 2.0 to around 30,000—many of them mid-sized manufacturers now unexpectedly swept under the regulatory umbrella.
Each class comes with distinct expectations. Here’s a breakdown of the draft structure:
Structure of the NIS2UmsuCG draft law
| Chapter | Description |
| --- | --- |
| §§1–7 | Definitions and scope—adopts EU Annex I/II, retains KRITIS definitions for key sectors |
| §28 | Classification rules based on size and function |
| §§30–32 | Risk management requirements—14 controls including supply chain security and MFA |
| §33 | Mandatory registration within 3 months of falling under the scope |
| §§34–37 | Multi-step incident reporting and user notification responsibilities |
| §§42–46 | Enforcement authority for BSI, including audits and binding orders |
| §65 | Penalties and fines, including for negligent management |
For more detail on scope and controls, visit OpenKRITIS or the NIS2 Navigator.
Note: The BSI (Federal Office for Information Security) is the primary supervisory authority for NIS2 compliance, while the BLE (Federal Office for Agriculture and Food) plays a supporting role for food sector entities.
Penalties and board-level accountability
The new law is unambiguous: non-compliance comes with steep consequences, including significant financial penalties and personal liability for executives. The size-based fine structure is directly inspired by GDPR, scaling to a percentage of global turnover.
Penalties and liability
| Entity classification | Maximum fine |
| --- | --- |
| Very Important | €10 million or 2% of global turnover (whichever is higher) |
| Important | €7 million or 1.4% of global turnover (whichever is higher) |
Beyond fines, board members are held personally accountable. The proposed §66 BSIG-E explicitly states that failure to adopt state-of-the-art cybersecurity measures constitutes a breach of fiduciary duty—and indemnity clauses won’t shield directors. Tools like BSI’s reporting portal are central to managing this new liability regime.
Sector-specific impact across Germany
Industries that once operated outside formal cybersecurity oversight now find themselves in NIS2’s scope. Sectors like food & beverage and waste management face first-time regulatory exposure, while tech-heavy domains like space operations and digital infrastructure must meet heightened standards.
Impact on key German industries
| Sector | Newly introduced requirements |
| --- | --- |
| Manufacturing | OT/IT segmentation, ISO 27001 compliance, supplier risk programs |
| Food & Beverage | HACCP integration with cyber resilience; BLE incident coordination |
| Waste & Recycling | Mandatory security protocols, 24h reporting, cyber hygiene training |
| Space & Satellite | Encryption of telemetry, BSI audits, round-the-clock monitoring |
| Digital Infrastructure | SOC requirements, software bill of materials (SBOM), tighter audit readiness |
Even public administration isn’t immune, although only federal and highest state authorities fall under NIS2. Local and municipal bodies will instead be addressed under a future KRITIS-Dachgesetz, which also integrates CER Directive obligations.
What German companies should do right now
With full implementation expected by late 2025, German organizations can’t afford to wait. Many compliance elements require months of preparation, especially for companies unfamiliar with cybersecurity frameworks.
Here’s what immediate action should look like:
Preparatory steps for compliance
| Task | Description |
| --- | --- |
| Scoping analysis | Match your entity’s size and function to the §28 classifications |
| Risk control gap assessment | Align with the Article 21 controls—especially supply chain and OT security |
| Registration readiness | Gather the entity’s legal data and register with the BSI upon enactment |
| Incident response rehearsal | Prepare internal processes for the 24h → 72h → 30-day reporting flow |
| Board documentation | Ensure management approval and oversight are recorded in official minutes |
Are you prepared for the next incident?
Germany’s NIS2 journey is a case study in both ambition and administrative inertia. The delay in passing the German NIS2 implementation law risks exposing entities to fragmented enforcement, while the upcoming compliance requirements demand significant organizational shifts—especially for companies new to regulatory scrutiny.
But delay doesn’t mean inaction. Whether you’re managing cybersecurity for a multinational manufacturer or heading compliance at a federal agency, the time to build your roadmap is now. Start small, iterate fast, and don’t wait for the ink to dry on the Bundesgesetzblatt.
With the NIS2 Germany transposition nearing reality, the question isn’t whether your organization will be affected—it’s whether it’ll be ready.