NIS2 in Germany
Germany transposed NIS2 via the NIS2UmsuCG (KRITIS-Dachgesetz + BSI-Gesetz update). BSI is the primary supervisory authority with fines up to €10 million.
Transposition law: NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)
In force: 17 October 2024
Competent authority: Federal Office for Information Security (BSI)
Max fine (Essential): €10 million or 2 % of worldwide annual turnover
Max fine (Important): €7 million or 1.4 % of worldwide annual turnover
Full enforcement: March 2025
Key Deadlines
Law in force: 17 October 2024
Self-registration deadline: 17 January 2025
Full enforcement begins: 1 March 2025
Competent Authority
Federal Office for Information Security (BSI)
Primary NIS2 supervisory authority for most sectors
https://www.bsi.bund.de
The BSI conducts proactive inspections for Essential Entities and reactive (complaint-driven) oversight for Important Entities. Organisations must self-register via the BSI portal.
Registration Process
Register via the BSI's MELDEPLATTFORM portal at meldeplattform.bsi.bund.de. You will need your company registration number (Handelsregisternummer), sector classification, and a designated security contact.
Key Requirements
1. Self-registration with BSI within 3 months of becoming in-scope
2. ISMS based on ISO 27001 or BSI IT-Grundschutz recommended
3. 24-hour early warning to BSI for significant incidents
4. 72-hour full notification with impact assessment
5. Final report within 1 month
6. Management board personal liability for compliance
7. Supplier / supply chain risk assessments mandatory
8. Multi-factor authentication required for remote access
National Additions
- KRITIS-Dachgesetz introduces physical resilience requirements for critical infrastructure operators alongside NIS2 cybersecurity obligations
- Germany extended NIS2 scope to include certain mid-sized energy and water sector operators below EU thresholds
- Federal agencies (Bundesbehörden) are included under the German NIS2 implementation
FAQ: NIS2 in Germany
Does Germany require ISO 27001 certification?
ISO 27001 is not legally mandatory under NIS2UmsuCG, but it is strongly recommended by the BSI as a way to demonstrate compliance with Article 21 security measures. IT-Grundschutz (BSI's own framework) is an equally accepted alternative.
Who must register with the BSI?
All Essential and Important Entities falling under NIS2UmsuCG must self-register. This includes operators in energy, transport, water, digital infrastructure, health, banking, and financial market sectors meeting the size thresholds.
Are smaller German companies affected?
The standard thresholds apply (250+ employees or €50M+ turnover for Essential Entities; 50+ employees or €10M+ for Important Entities). However, Germany extended scope for some energy and water sub-sectors below these thresholds.