Germany
(a) What is the NIS2 implementation status?
The German NIS2 Implementation Act entered into force on 6 December 2025 (official version available here: https://www.recht.bund.de/bgbl/1/2025/301/VO.html).
Following months of political debate and a delayed implementation process, the new cybersecurity framework now significantly expands obligations for in-scope businesses in Germany. Germany has introduced a controversial deviation from the NIS2 standard by allowing carve-outs for “negligible” activities.
(b) What is the envisaged NIS2 implementation timeline?
The German NIS2 Implementation Act does not provide for any transitional period. Entities are therefore required to proactively assess whether they fall within the scope of NIS2, as the competent authorities do not notify affected organisations individually.
In-scope entities are granted a three-month period for initial registration with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI). The BSI portal for NIS2 registration and the reporting of significant security incidents has been live since 6 January 2026.
All organisations and institutions subject to NIS2 were required to complete their registration on the BSI portal by 6 March 2026.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The law replaces the transposition of the first NIS Directive, which had been implemented through multiple national laws (e.g. the BSIG Act). The number of regulated entities increases from roughly 4,500 to around 29,000, categorized as “essential” and “important” entities, with harmonized risk management and reporting duties.
(d) Who will be the supervisory authority and how will they exercise their power?
The BSI is the central supervisory authority under the new law. It has extensive powers to audit, inspect, and issue binding instructions. Additionally, the Federal Ministry of the Interior can, after consultation with other ministries, prohibit the use of high-risk components from non-trusted suppliers in critical facilities. Entities should expect active enforcement and increased scrutiny, particularly in sectors deemed critical for national security and resilience.
(e) What should you be doing/on the lookout for?
With the law in force, immediate action is essential. Entities should confirm whether they fall under the new classifications, register with the BSI, and update cybersecurity governance frameworks. Incident response processes must be adapted to meet the new reporting deadlines. The mandatory management training should be scheduled without delay, and supply-chain risk assessments should be prioritized. Entities should also monitor BSI guidance, as enforcement may now proceed without a transition period.
Contact
Nils Mueller, E: nilsmueller@eversheds-sutherland.com
Isabella Norbu, E: isabella.norbu@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved.