Germany
(a) What is the NIS2 implementation status?
The German NIS2 Implementation Act entered into force on 6 December 2025 (official version here). After months of political debate and a delayed implementation, the new cybersecurity framework significantly expands both the obligations and the range of in-scope businesses in Germany. Germany has introduced a controversial deviation from the NIS2 standard by allowing a carve-out for “negligible” activities.
(b) What is the envisaged NIS2 implementation timeline?
The NIS2 Implementation Act does not include a transitional period. Entities must proactively determine whether they fall in scope, as the authorities will not notify them. For initial registration with the Federal Office for Information Security (BSI), entities are granted a three-month timeframe to complete the required registration on the BSI platform, which also serves as the incident reporting platform. Until the BSI registration and reporting portal goes live on 6 January 2026, entities must use the interim reporting mechanism.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The law replaces the first NIS Directive, which had been implemented through multiple national laws (e.g. the BSIG Act). The number of regulated entities increases from roughly 4,500 to around 29,000, categorized as “essential” and “important” entities, with harmonized risk-management and reporting duties.
(d) Who will be the supervisory authority and how will they exercise their power?
The BSI is the central supervisory authority under the new law. It has extensive powers to audit, inspect, and issue binding instructions. Additionally, the Federal Ministry of the Interior can, after consultation with other ministries, prohibit the use in critical facilities of high-risk components from non-trusted suppliers. Entities should expect active enforcement and increased scrutiny, particularly in sectors deemed critical for national security and resilience.
(e) What should you be doing/on the lookout for?
With the law in force, immediate action is essential. Entities should confirm whether they fall under the new classifications, register with the BSI, and update cybersecurity governance frameworks. Incident response processes must be adapted to meet the new reporting deadlines. The mandatory management training should be scheduled without delay, and supply-chain risk assessments should be prioritized. Entities should also monitor BSI guidance, as enforcement may now proceed without a transition period.
Contact
Nils Mueller E: nilsmueller@eversheds-sutherland.com
Isabella Norbu E: isabella.norbu@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.