Implementation and Entry into Force of the NIS 2 Directive in Germany
With its publication in the Federal Law Gazette (Bundesgesetzblatt), the “NIS-2-Umsetzungsgesetz” (NIS2UmsuCG), which transposes the EU NIS 2 Directive into German law, entered into force on December 6th, 2025. As a result, German cyber security law has been comprehensively revised: in addition to federal public authorities, numerous private-sector companies are now subject to significantly stricter IT security requirements than before.
Since no transition or grace periods were provided when the law came into force, all affected companies are already under binding legal obligations. These obligations apply immediately, in particular to their IT and OT environments. Companies must not only determine whether they fall within the scope of NIS 2, but also whether they qualify as a “wichtige” (important) or “besonders wichtige” (essential) entity under the NIS2UmsuCG.
This gives rise to a range of obligations, in particular:
- the requirement to register as a relevant entity, which must be fulfilled within three months of the law's entry into force,
- notification obligations for significant security incidents, and
- requirements regarding risk management and the technical and organisational design of information security.
Our company provides technical support for implementing NIS 2. If you would like an assessment of the impact on your business activities in Germany and the wider EU, or assistance in developing concrete measures, we will be happy to arrange a consulting appointment with you.
Further information will be published on our website in the coming days.