Germany has implemented the NIS2 Directive into national law, with effect from 6 December 2025 (“German NIS2 Implementation”). The German NIS2 Implementation applied immediately, without a transition period. Organizations operating in or connected to Germany should promptly assess whether they fall within scope and prepare to meet the organizational, technical, governance, and reporting obligations that apply from day one. There is a three-month deadline to register with the Federal Office for Information Security (“BSI”) by 6 March 2026. Non-compliance with the German NIS2 Implementation may trigger fines of up to EUR 10 million or, for large very important organizations, up to 2% of their annual turnover.
Organizations/industries in scope
The German NIS2 Implementation adopts the intentionally broad scope of the NIS2 Directive, which captures a wide range of “critical”, “very important” (NIS2 Directive: essential) and “important” entities across critical and economically significant sectors. Whether an organization is in scope depends on sectoral coverage, typically combined with size criteria and/or certain qualitative conditions. Covered sectors include, among others:
- Electricity and gas supply; district heating; fuel and heating oil supply;
- Aviation, rail, maritime, and road transport;
- Banking and financial market infrastructures;
- Healthcare;
- Drinking water and wastewater;
- Digital infrastructure and providers of digital services;
- Space;
- Waste management;
- Chemicals (production, manufacture, and trade);
- Food (production, processing, and distribution); and
- Mechanical engineering; manufacture of motor vehicles; manufacture of medical devices; manufacture of electrical equipment.
For most sectors, the German NIS2 Implementation brings entities within scope if they have either an annual turnover of more than EUR 10 million or a workforce of at least 50 employees. Many entities not previously regulated under German or EU IT‑security frameworks may now be in scope due to NIS2’s expanded sectoral coverage and size thresholds, including medium‑sized enterprises in key value chains. Determining status requires a careful analysis of sector definitions, size criteria, and group structures.
The German NIS2 Implementation differs in several respects from the EU NIS2 Directive. As a result, the assessment of whether an organization falls within scope may also differ from the approaches taken under other EU Member States’ implementing laws. In particular, the German NIS2 Implementation allows business activities that are negligible to be disregarded when determining an entity’s sectoral classification.
Territorial Scope
From a territorial perspective, the NIS2 Directive applies to entities that operate in covered sectors, meet the quantitative thresholds, and provide services in, or carry out activities within, the European Union. As a separate step, in‑scope organizations must identify which national authority or authorities are competent to oversee compliance with the applicable cybersecurity requirements.
IT Security Obligations
Because the law applies without a grace period, in-scope organizations must already comply with the NIS2 risk-management, IT-security, supply-chain and governance obligations. As a practical matter, organizations should rapidly confirm their classification, map applicable controls, identify gaps against NIS2-aligned security baselines, and prioritize remediation activities. Organizations that already have robust IT and cybersecurity measures and certifications in place (such as ISO 27001) very likely meet roughly 70 – 80 percent of the basic IT security requirements under the NIS2 Directive and the German NIS2 Implementation.
Incident Reporting Obligations
The German NIS2 Implementation introduces layered incident‑reporting obligations that are triggered upon becoming aware of a significant security incident. A significant security incident is a security event that either has caused or could cause serious disruptions to the provision of services or financial losses for the affected organization, or that has caused or could cause substantial material or non-material harm to other natural or legal persons. An initial notification must be submitted within 24 hours of awareness, followed by a more detailed notification within 72 hours, and a final report no later than one month after the follow‑up notification.
Management Training and Responsibility
The German NIS2 Implementation assigns responsibility for the implementation and oversight of cybersecurity measures to the management body. Management must ensure these measures are adopted and maintained. The law further clarifies that members of the management body may be held personally liable for damages caused by culpable conduct under general principles of corporate law. Management members are also required to participate regularly in training to maintain sufficient knowledge of cyber risks and risk‑management practices and to assess their impacts.
Registration with the BSI by 6 March 2026
Organizations in scope must register with the BSI by 6 March 2026. Registration can be completed online, but requires two steps:
- Organizations first establish a German “Unternehmenskonto” (company account).
- They then submit the registration via the BSI portal.
The BSI provides official guidance on the registration process and related requirements. Organizations should start the process by early to mid-February at the latest so that registration is completed on time.
Practical next steps
- Confirm scoping and classification: Perform a high‑level sector and size assessment, then confirm group‑level implications and any overlaps with existing frameworks (for example, KRITIS, DORA, or sectoral regulations).
- Map controls and identify gaps: Align current measures with NIS2‑oriented baselines across risk management, supply‑chain security, vulnerability handling, incident detection and response, business continuity, and crisis communication.
- Address supplier and contracting exposure: Review critical vendors as well as the right‑to‑audit and security obligations in supplier contracts.
- Register on time: Establish the Unternehmenskonto, compile required information, and submit registration within the prescribed deadline.
The BSI also offers a free, non-binding online self-assessment tool (German-language) to help organizations preliminarily evaluate whether they may be affected.
How Reed Smith can help
Reed Smith’s Germany‑based Emerging Technologies Team advises on all aspects of German and European Cybersecurity Law, including NIS2 scoping, classification, legal compliance and registration. We support clients across all covered sectors and at every stage, from initial applicability assessments to remediation planning, board briefings, and supervisory engagement.
If you have questions about whether your organization is in scope, how to register with the BSI, or how to implement NIS2‑compliant controls, please contact your usual Reed Smith relationship partner or any member of our Cybersecurity working group in Germany.
Client Alert 2026-007