Regulation

Germany's NIS2 Transposition: BSI Act in Force December 2025

Germany's NIS2 implementing law took effect 6 December 2025 with no transition period, expanding regulated entities from 4,500 to roughly 29,000 and giving the BSI direct sanction powers.

Nayan Dey
Senior Security Engineer

Germany's NIS2 transposition — formally the Gesetz zur Umsetzung der NIS-2-Richtlinie (NIS2UmsuCG) — entered into force on 6 December 2025, more than a year after the EU's October 2024 transposition deadline. The Commission's reasoned opinion of 7 May 2025 had escalated infringement proceedings, and the final political compromise dropped the multi-year transition period that earlier drafts contained. The law applies immediately. In-scope entities must register with the Bundesamt für Sicherheit in der Informationstechnik (BSI) by 6 March 2026, and the BSI has expanded supervisory powers in Sections 61-62 of the rewritten BSI Act, including personal liability for senior management.

What changed in German law?

The NIS2UmsuCG rewrites large parts of the BSI Act (BSIG) rather than creating a standalone statute. Three structural changes matter most for supply chain teams. First, the scope expands dramatically: the BSI's own impact assessment estimates the number of regulated entities will grow from approximately 4,500 under the old KRITIS regime to roughly 29,000 under NIS2. Second, the two-tier categorisation under NIS2 — "essential" and "important" entities — is translated into German law as "besonders wichtige Einrichtungen" and "wichtige Einrichtungen," each with distinct registration, incident reporting, and supervisory obligations. Third, Section 38 BSIG (in its new numbering) imposes a personal duty on members of management bodies to approve and oversee cybersecurity risk-management measures, and to participate in training — with personal civil liability for failure to do so.

The law applied immediately from 6 December 2025 with no general transition period for compliance, although registration with the BSI was given a three-month window to 6 March 2026.

Who is in scope?

NIS2 sets a baseline of 18 sectors. Germany's transposition does not derogate from those sectors in any major way, but it does take a broad reading of "size cap": any entity meeting the medium-enterprise threshold (50 employees or €10m turnover and €10m balance sheet) operating in an in-scope sector is regulated by default, with several exceptions for entities of any size, such as DNS providers, qualified trust service providers, and managed security service providers.

The 29,000 figure cited by the BSI breaks down approximately as follows, based on impact assessment data:

| Sector cluster | Estimated entities |
|---|---|
| Manufacturing (including chemical, electrical, machinery) | ~11,500 |
| ICT service management (managed services, MSSPs, data centres) | ~3,800 |
| Digital infrastructure and providers | ~2,200 |
| Health (hospitals, manufacturers of devices, pharmaceuticals) | ~2,100 |
| Energy (electricity, gas, district heating, hydrogen) | ~1,900 |
| Waste / water / wastewater | ~1,500 |
| Public administration (Bund- and Länder-level entities) | ~1,400 |
| Transport (air, rail, road, water) | ~1,200 |
| Other regulated sectors | ~3,400 |

Self-identification is the default model: entities must determine their own status and register with the BSI through the new entity-registration portal. The BSI does not pre-publish a list.

What does the BSI Act now require?

Section 30 BSIG (new numbering) translates the NIS2 Article 21 "ten measures" almost verbatim into German law. Risk-management measures must address policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security including direct supplier and service provider relationships, security in network and information system acquisition and development, vulnerability handling and disclosure, basic cyber hygiene and training, cryptography and where appropriate encryption, human resources security and access control, and use of multi-factor authentication.

Incident reporting is three-stage and mirrors NIS2 Article 23: an early warning to the BSI within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. The BSI has clarified in guidance issued in December 2025 that "becoming aware" begins when management has confirmed knowledge of a significant incident, not when a SOC analyst first triages an alert.

Supply chain security receives unusually granular attention. Section 30(2) BSIG requires that risk-management measures take account of vulnerabilities specific to each direct supplier, the overall quality of the products and cybersecurity practices of suppliers and service providers, and the results of coordinated risk assessments at Union level under NIS2 Article 22 — including the 5G toolbox-style assessments that ENISA is preparing for managed services and cloud.

What are the penalties?

The NIS2UmsuCG sets out a tiered penalty regime in Section 65 BSIG:

  • For besonders wichtige Einrichtungen (essential entities), fines up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
  • For wichtige Einrichtungen (important entities), fines up to €7 million or 1.4% of worldwide turnover, whichever is higher.
  • Additional administrative measures, including binding orders, mandatory audits, and in extreme cases the temporary suspension of certifications or — for individuals — the prohibition from exercising management functions.

The BSI is empowered to inspect premises, request documentation, and conduct on-site audits. The Section 38 duty creates personal liability for management board members, and the law allows civil claims by the regulated entity itself against directors who breach this duty — a structure modelled on German corporate law's Section 93 AktG but extended explicitly to cybersecurity.

How are companies responding?

The compressed timeline produced a registration scramble in January and February 2026. By mid-February, the BSI reported that approximately 9,400 entities had registered — well below the 29,000 expected. Industry associations including BITKOM and the VDMA published joint guidance pressing for an "indulgence period" through Q2 2026, which the BSI declined formally but acknowledged in supervisory practice: it has not opened enforcement files against entities making demonstrable progress.

Three patterns emerged in the first 90 days:

  • Manufacturing groups with deeply nested supply chains are rebuilding TPRM programmes from scratch to capture all tier-1 ICT suppliers and their security postures. Many discovered that they did not previously track suppliers' incident response capabilities in any structured form.
  • Healthcare entities, particularly hospitals, are struggling with the combination of NIS2 and the parallel medical device cybersecurity expectations under EU Regulation 2017/745, with the BSI and BfArM working out coordination protocols.
  • ICT service providers including MSSPs are over-reporting to the BSI, treating ambiguous incidents as significant. The BSI's December 2025 guidance is explicit that this is acceptable while reporting practices mature, but it creates noise.

What should defenders do now?

For any organisation operating in Germany or supplying critical services to German entities, four steps cover most of the immediate gap:

  • Conduct a binary scope determination — yes/no on essential vs. important — and document the reasoning, because the BSI will ask for it in any audit.
  • Register with the BSI portal even if scope is uncertain. The registration includes a self-classification field and can be amended.
  • Build a directly-relevant supplier inventory mapped to the Section 30(2) factors, and store it in a system the BSI can read in an audit.
  • Stand up an incident-reporting playbook that produces the 24/72/30-day artefacts in a structured form, with a named board-level approver per the Section 38 duty.

How Safeguard Helps

Safeguard generates and maintains SBOMs for software products and services, satisfying the Section 30 obligation to "assess the quality of products and cybersecurity practices of suppliers" with continuous evidence rather than annual questionnaires. TPRM workflows score each direct ICT supplier against the NIS2 Article 21 ten-measure baseline and flag drift, so when the BSI requests a supply-chain risk assessment, the data is already structured. Policy gates can block deployment of dependencies that have not produced a CSAF VEX statement or whose vendor has failed to provide a CRA self-declaration, closing the feedback loop between procurement and engineering. Griffin AI reachability filters incident triage so the 24-hour clock starts on real exploitation paths and not noise. The compliance automation module produces audit-ready evidence packages aligned to the BSI's December 2025 inspection guidance, including the supplier-risk register that the BSI is expected to request in its first round of audits.
