Germany


(a) What is the NIS2 implementation status?

On 13 November 2025, the German Bundestag adopted the NIS2 Implementation Act, advancing the long-delayed transposition of Directive (EU) 2022/2555 into national law. After months of political debate and pressure from Brussels, Germany now has a cybersecurity framework that significantly expands obligations for businesses. Once it enters into force, the law will apply with no transitional grace period, meaning entities must comply without delay.

(b) What is the envisaged NIS2 implementation timeline?

The NIS2 Implementation Act does not include a transitional period and will take effect the day after its promulgation. For initial registration with the Federal Office for Information Security (BSI), entities are granted a three-month timeframe to complete the required notification, with a limited exception for operators of critical facilities who were already subject to verification obligations under the previous legal framework.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The law will replace the NIS1 Directive, which has been implemented into multiple national laws (e.g. the BSIG Act).

(d) Who will be the supervisory authority and how will they exercise their power?

The BSI is the central supervisory authority under the new law. It has extensive powers to audit, inspect, and issue binding instructions. Additionally, the Federal Ministry of the Interior can prohibit the use of high-risk components in critical facilities from non-trusted suppliers after consultation with other ministries. Entities should expect active enforcement and increased scrutiny, particularly in sectors deemed critical for national security and resilience.

(e) What should you be doing/on the lookout for?

With the law now passed by the Bundestag, immediate action is essential. Entities should confirm whether they fall under the new classifications, register with the BSI, and update cybersecurity governance frameworks. Incident response processes must be adapted to meet the new reporting deadlines. Management training should be scheduled without delay, and supply-chain risk assessments should be prioritized. Entities should also monitor BSI guidance and component lists, as enforcement will begin quickly and without a transition period.

Contact

Nils Mueller E: nilsmueller@eversheds-sutherland.com

Isabella Norbu E: isabella.norbu@eversheds-sutherland.com


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
