Cyber Rules for Essential and Important Entities Take Effect in Germany (NIS2 Implementing Law)
The national law implementing the NIS2 Directive (“NIS2”) in Germany entered into force on 6 December 2025. We discussed the key provisions of the NIS2 Directive in our previous Legal Update. In-scope entities should be aware of the following registration and incident reporting obligations under the BSI Act (“BSIG”), as they require timely action.
Registration
In-scope entities are required to register with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) (“BSI”) at the latest three months after qualifying as an in-scope entity or offering domain name registration services. The BSI has announced that it will open an online registration and incident reporting portal on 6 January 2026 (the “BSI Portal”). The BSI recommends that in-scope entities create a “My Company” account (Mein Unternehmenskonto) (“MUK”) by the end of 2025 to be able to register in the BSI Portal from January 2026.
Incident Reporting
In-scope entities are required to report significant incidents to the BSI at the latest 24 hours from becoming aware of the incident. A second report providing further details should be filed within 72 hours of becoming aware of the incident. Intermediate reports should follow upon request by the BSI, and a final report should be filed within one month of the second report. Until the BSI Portal is open, in-scope entities should report significant incidents via an online form on the BSI website.
Key Differences Between NIS2 and BSIG
BSIG is broadly aligned with NIS2, but the following differences may impact the applicability of the law to some businesses and the obligations that in-scope businesses will need to comply with.
Activities and Size Thresholds
- In-scope activities are, in some cases, defined more precisely and with reference to applicable German sectoral law. Businesses should carefully review the list of activities to check if they may be in scope of BSIG.
- Activities that are negligible in relation to the entity’s overall business activities may be disregarded in the applicability assessment.
- Size thresholds are aligned with NIS2; however, data of partner or linked enterprises is to be omitted from the size calculation under Commission Recommendation 2003/361, if the enterprise is independent from its partner or linked enterprises taking into account the legal, economic, and factual circumstances regarding the nature and operation of its information technology systems, components and processes.
Operators of Critical Facilities
- More onerous provisions apply to a sub-set of entities categorized as “operators of critical facilities” (a peculiarity of German law that already existed under the previous version of the Directive, NIS1). For example, operators of critical facilities face stricter cybersecurity requirements, are obliged to provide additional information to the BSI (such as information regarding critical components), and are required to undergo regular security audits, inspections or cybersecurity certifications.
Cybersecurity Risk Management Measures
- Obligatory cybersecurity risk management measures are aligned with NIS2, but in-scope entities are required to document their compliance with those measures under BSIG.
Reporting to Service Recipients
- The BSI can order in-scope entities to inform the recipients of their services about significant incidents. An entity can do so via its website.
- Entities in certain sectors are required to immediately inform recipients of their services who are potentially affected by a significant cyber threat, and the BSI, of measures to mitigate against a significant cyber threat, if the recipients’ interests prevail after weighing the interests of the entity and the recipients.
For further guidance on NIS2 compliance, don’t hesitate to reach out to the authors of this Legal Update or to your usual Mayer Brown contacts.
