Germany's NIS2 transposition law entered force on December 5, 2025. BSI registration deadlines arrive in March 2026. This guide covers everything CISOs, IT Directors, and compliance officers need to know: who must comply, what the obligations are, what penalties look like, and how to build a practical compliance roadmap.
The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016, which was widely regarded as insufficient in scope and enforcement. It dramatically expands coverage from ~10,000 entities under NIS1 to an estimated 160,000+ entities across the EU.
NIS2 was designed to address three fundamental weaknesses: inconsistent transposition across Member States, limited scope covering only narrow sectors, and weak enforcement with penalties too low to drive change.
In Germany, the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) entered into force on December 5, 2025. The BSI is the designated supervisory authority, and registration deadlines begin March 6, 2026.
NIS2 shifted from a designation-based approach to a size-cap mechanism. Organisations are automatically in scope if they meet sector and size criteria.
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, water, road transport |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Hospitals, laboratories, pharma, medical devices |
| Drinking water | Supply and distribution |
| Wastewater | Collection, disposal, treatment |
| Digital infrastructure | IXPs, DNS, TLD registries, cloud, data centres, CDNs |
| ICT service management (B2B) | MSPs, MSSPs |
| Public administration | Central government entities |
| Space | Ground-based infrastructure operators |
| Sector | Examples |
|---|---|
| Postal and courier services | Postal service providers |
| Waste management | Collection, transport, treatment |
| Chemical manufacturing | Production, distribution |
| Food production | Processing, distribution (large-scale) |
| Manufacturing | Medical devices, electronics, machinery, vehicles |
| Digital providers | Marketplaces, search engines, social networks |
| Research | Research organisations with significant impact |
Certain entities are in scope regardless of size: qualified trust service providers, TLD registries, DNS providers, telecommunications providers, public administration, and sole providers of essential services.
| Aspect | Essential Entities | Important Entities |
|---|---|---|
| Supervision | Proactive (ex-ante) | Reactive (ex-post) |
| Max fine | €10M or 2% of global turnover | €7M or 1.4% of global turnover |
| Audits | Regular, mandatory | On evidence of non-compliance |
| Security requirements | Identical | Identical |
The security obligations are the same for both tiers. The difference lies only in supervision intensity and penalty caps.
| Deadline | Requirement | Purpose |
|---|---|---|
| 24 hours | Early warning to CSIRT | Signal that a significant incident occurred |
| 72 hours | Incident notification with assessment | Severity, impact, indicators of compromise |
| 1 month | Final report | Root cause analysis, impact, mitigation measures |
Article 20 requires management bodies to approve cybersecurity measures, undergo training, and bear personal responsibility. Under Germany's NIS2UmsuCG, executives face personal fines and potential temporary suspension from management roles. This liability cannot be fully delegated.
Beyond fines, authorities can issue binding instructions, order cessation of activities, require public disclosure of non-compliance, suspend certifications, and — for essential entities — temporarily prohibit management functions for responsible individuals.
For a company with €1 billion revenue, the maximum essential entity fine is €20 million. D&O insurance policies should be reviewed for coverage gaps — personal liability cannot be fully insured away.
| Date | Milestone |
|---|---|
| Dec 27, 2022 | NIS2 published in the Official Journal of the EU |
| Jan 16, 2023 | NIS2 enters into force |
| Oct 17, 2024 | Transposition deadline for all Member States |
| Dec 5, 2025 | Germany: NIS2UmsuCG enters into force |
| Mar 6, 2026 | Germany: BSI registration deadline |
| Oct 17, 2027 | European Commission reviews NIS2 functioning |
March 2026 registration is weeks away. Identify compliance gaps before you register.
Start Free NIS2 Scan →ISO 27001 provides a strong foundation but NIS2 adds specific requirements: mandatory incident reporting timelines (24h/72h/1 month), personal liability for management, and detailed supply chain security obligations. Certification alone does not guarantee compliance.
KENSAI continuously scans your external attack surface — domains, subdomains, IPs, cloud services, exposed APIs — and maps assets against your NIS2 scope. Real-time inventory of what you need to protect.
With 332,000+ CVEs, KENSAI identifies known vulnerabilities and correlates them with NIS2 requirements. Each finding is prioritised by CVSS score, NIS2 relevance, and remediation urgency based on threat intelligence.
AI maps your security posture against all Article 21 requirements: compliance score, gap report, prioritised remediation, and evidence documentation suitable for regulators and auditors.
Scan suppliers' external infrastructure to identify exposed services, vulnerabilities, certificate issues, DNS misconfigurations, and data breach history — the supply chain visibility NIS2 demands.
Starter: €990/month — Medium enterprises entering NIS2 scope. Professional: €1,490/month — Complex infrastructure and supply chains. Enterprise: €2,490/month — Full-scope compliance automation with dedicated support.
The EU's updated cybersecurity regulation (Directive (EU) 2022/2555) replacing the original NIS Directive. It establishes mandatory risk-management measures, incident reporting, and supply chain security requirements across 18 critical sectors.
Organisations in 18 designated sectors meeting medium enterprise (50+ employees or €10M+ turnover) or large enterprise (250+ employees or €50M+ turnover) thresholds. Certain entities like DNS providers and telecoms are covered regardless of size.
Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4% of global turnover. Plus binding instructions, public disclosure, suspension of certifications, and personal management liability.
Three stages: early warning within 24 hours, incident notification within 72 hours, final report within 1 month.
Article 20 requires boards to approve cybersecurity measures, undergo training, and bear personal responsibility. Under Germany's law, executives face personal fines and potential temporary suspension.
Generally no (under 50 employees / €10M turnover are excluded). Exceptions exist for trust service providers, TLD registries, DNS providers, and telecoms.
Significant overlap, but NIS2 adds mandatory incident reporting timelines, personal management liability, and detailed supply chain requirements. ISO 27001 certification alone doesn't guarantee NIS2 compliance.
NIS2 focuses on network/system security; GDPR on personal data protection — both may apply to a cyber incident. DORA takes precedence for financial entities under the lex specialis principle.
This guide is for informational purposes and does not constitute legal advice. Consult qualified legal and cybersecurity professionals for your specific NIS2 obligations.
See your compliance gaps in minutes. AI-powered scanning with NIS2, DSGVO, and DORA mapping built in.
Start Free Scan →Security is not optional.
🗡️ The KENSAI Team