
NIS2 Compliance: A Technical Guide for Software Systems

Germany adopted NIS2 in December 2025. Here's what it means for your software systems — technical requirements, affected industries, and implementation steps.

BrotCode

29,000 Companies. No Transition Period.

Germany’s NIS2 implementation law took effect on December 6, 2025. The revised BSI Act (BSIG) is now live. No grace period.

The scope expansion hit hard. Germany went from roughly 4,500 regulated entities under the original NIS directive to approximately 29,000 under NIS2. If your organization operates in any of 18 designated industry sectors and meets the size thresholds, you’re in scope. Right now.

Cybersecurity is no longer an IT department problem. Under the new BSI Act, management bodies must approve and oversee the risk-management measures themselves and attend cybersecurity training; a breach of that duty exposes them to personal liability under the general corporate-law rules. Your CEO and board members can be held directly responsible.

This guide covers the technical requirements, who’s affected, and what to implement in your software systems.

Who Falls Under NIS2?

Two categories of entities, both with mandatory cybersecurity obligations:

Essential entities. Large organizations in critical sectors. Think energy providers, transport companies, healthcare organizations, banking and financial services, digital infrastructure, and water utilities.

The size threshold follows the EU definition of a large enterprise: 250 or more employees, or annual turnover above EUR 50 million together with a balance sheet total above EUR 43 million. Fines: up to EUR 10 million or 2% of global annual turnover, whichever is higher.

Important entities. A broader set. Manufacturing, food production, chemicals, waste management, postal services, research institutions. The threshold drops to the medium-enterprise level: 50 or more employees, or turnover and balance sheet total above EUR 10 million. Same technical requirements. Lower maximum fines, but still substantial.

The 18 sectors

Energy. Transport. Banking. Financial market infrastructure. Health. Drinking water. Wastewater. Digital infrastructure. ICT service management. Public administration. Space. Postal and courier services. Waste management. Manufacturing. Food production and distribution. Chemicals. Research. Digital providers (marketplaces, search engines, social networks).

If you’re reading this and thinking “that’s almost everyone,” you’re not wrong. NIS2 was designed to be broad.

The Technical Requirements

NIS2 doesn’t prescribe specific technologies. It mandates outcomes. Here’s what your systems need to achieve:

Risk analysis and information system security

Continuous risk assessment. Not a one-time audit. Your organization must maintain a current view of threats, vulnerabilities, and potential impacts across all information systems.

Document the methodology and update it when conditions change.

Incident handling

Detection, analysis, containment, and response. You need the ability to detect a security incident, understand its scope, contain the damage, and respond effectively. This isn’t a document on a shelf. It’s operational capability.

The reporting requirements are strict, and the clock starts when you become aware of a significant incident, meaning one that causes or can cause severe operational disruption or financial loss for you, or considerable damage to others. Within 24 hours you must send an early warning to the BSI stating, at a minimum, whether the incident is suspected to be malicious and whether it could have cross-border impact.

Within 72 hours, an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. A final report with root cause, mitigation applied, and any cross-border impact follows no later than one month after the incident notification.

Can your team do that today? Most can’t. Only 14% of SMBs have a formal cybersecurity plan. The gap between requirement and reality is enormous.

Business continuity and backup management

Backup strategies that actually work. Not just “we run nightly backups.” Tested recovery procedures.

Defined RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives). Crisis management plans that your team has rehearsed.

Supply chain security

You’re responsible for the cybersecurity posture of your vendors and suppliers. Every third-party component in your software stack, every cloud provider, every SaaS tool your team uses. NIS2 requires formal supplier risk assessments and contractual security requirements.

This is the requirement that surprises most organizations. Your security is only as strong as your weakest vendor. For more on this, see our guide on third-party risk management.

Network security and access control

Least-privilege access. Network segmentation. Multi-factor authentication for administrative access. Regular access reviews. These aren’t suggestions under NIS2. They’re requirements.

Encryption

Data in transit and at rest. NIS2 itself does not name algorithms; it requires documented policies and procedures for the use of cryptography and, where appropriate, encryption. A defensible baseline that follows BSI guidance is TLS 1.2 or later (with modern cipher suites) for all communications and AES with a key length of at least 128 bits, commonly AES-256, for stored data.

Key management procedures and certificate lifecycle management are also required.

Vulnerability management

Regular vulnerability scanning. Patch management with defined SLAs per severity, plus a documented process for handling and disclosing vulnerabilities in the software you build and buy. Teams that maintain sub-30-day remediation for critical vulnerabilities pass compliance audits 94% of the time. Teams that don’t face uncomfortable questions.
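An added example of the SLA tracking that backs up those numbers, not code from the original article. The findings are a constructed JSON export (placeholder IDs and hosts, not real scan output), the SLA table is an assumed internal policy that uses the 30-day critical figure from the text, and the two functions report which open findings are past their deadline and what share of open findings is still inside SLA as of a given date.

```python
"""Remediation-SLA tracking over scanner findings (added example, assumptions noted inline)."""
import json
from datetime import date, timedelta

# Assumed remediation SLAs in days, by severity; "critical" follows the 30-day figure in the text.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed sample export. IDs, hosts and dates are placeholders, not real scan data.
FINDINGS_JSON = """
[
  {"id": "F-1", "asset": "web-01", "severity": "critical", "first_seen": "2026-01-05", "status": "open"},
  {"id": "F-2", "asset": "db-01",  "severity": "high",     "first_seen": "2026-01-20", "status": "open"},
  {"id": "F-3", "asset": "web-02", "severity": "critical", "first_seen": "2026-02-10", "status": "open"},
  {"id": "F-4", "asset": "ci-01",  "severity": "medium",   "first_seen": "2025-11-01", "status": "open"},
  {"id": "F-5", "asset": "web-01", "severity": "critical", "first_seen": "2025-12-01", "status": "fixed"}
]
"""


def overdue_findings(findings_json, as_of, sla_days=SLA_DAYS):
    """Return open findings past their SLA as of `as_of` (ISO date), most overdue first."""
    as_of = date.fromisoformat(as_of)
    report = []
    for f in json.loads(findings_json):
        if f["status"] != "open":
            continue
        severity = f["severity"].lower()
        if severity not in sla_days:
            # An unknown severity must not silently fall outside every SLA.
            raise ValueError(f"{f['id']}: unknown severity {f['severity']!r}")
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=sla_days[severity])
        if as_of > due:
            report.append({"id": f["id"], "asset": f["asset"], "severity": severity,
                           "due": due.isoformat(), "days_overdue": (as_of - due).days})
    report.sort(key=lambda r: r["days_overdue"], reverse=True)
    return report


def sla_compliance_rate(findings_json, as_of, sla_days=SLA_DAYS):
    """Share of open findings still inside SLA; the number an auditor will ask for."""
    open_count = sum(1 for f in json.loads(findings_json) if f["status"] == "open")
    if open_count == 0:
        return 1.0
    return 1 - len(overdue_findings(findings_json, as_of, sla_days)) / open_count


if __name__ == "__main__":
    for r in overdue_findings(FINDINGS_JSON, "2026-03-01"):
        print(f"{r['id']} on {r['asset']} ({r['severity']}) due {r['due']}, {r['days_overdue']} days overdue")
    print(f"in-SLA rate: {sla_compliance_rate(FINDINGS_JSON, '2026-03-01'):.0%}")
```

Run it against your own scanner export and put the output on the same dashboard as the scan results; an SLA nobody measures is not an SLA an auditor will accept.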

Cybersecurity hygiene and training

Regular training for all staff. Not just IT. Everyone who touches a keyboard. Phishing awareness. Password hygiene. Incident reporting procedures. Documented, tracked, measurable.

Architecture Patterns for NIS2 Compliance

Centralized security logging

Every system, every service, every access event feeds into a centralized logging platform. SIEM (Security Information and Event Management) or equivalent.

Correlation rules that flag suspicious patterns. Retention periods that match regulatory requirements.

Without centralized logging, you won’t become aware of incidents early enough for the 24-hour early warning to mean anything. Period. This is your foundation.

Anomaly detection

Baseline normal behavior. Alert on deviations. This can be as simple as threshold-based alerting on failed login attempts, unusual data access patterns, or unexpected network traffic. Or as sophisticated as ML-powered behavioral analysis.

Start simple. Get visibility first. Sophisticate later.
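An added example of the "start simple" approach for both the correlation-rule and the anomaly-detection passages above; it is not code from the original article. It parses a handful of constructed sshd-style syslog lines (embedded below, not captured from a real host) and applies two correlation rules of the kind a SIEM would run: a sliding-window failed-login threshold per source IP, and a success from a source that was already brute-forcing, which is the event worth paging someone for. The log format, threshold and window are assumptions.

```python
"""Threshold-based correlation over authentication logs (added example, assumptions noted inline)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog/sshd style; not real log data.
SAMPLE_LOG = """\
2025-12-06T08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2025-12-06T08:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
2025-12-06T08:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
2025-12-06T08:00:06 bastion sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2
2025-12-06T08:00:07 bastion sshd[1205]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
2025-12-06T08:00:09 bastion sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51244 ssh2
2025-12-06T08:05:00 bastion sshd[1301]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2025-12-06T08:05:30 bastion sshd[1302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
2025-12-06T09:00:00 bastion sshd[1401]: Failed password for bob from 192.0.2.9 port 42000 ssh2
2025-12-06T09:30:00 bastion sshd[1402]: Failed password for bob from 192.0.2.9 port 42002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5        # failures that trigger the brute-force rule (assumed policy)
WINDOW_SECONDS = 60  # sliding-window length in seconds (assumed policy)


def parse(log_text):
    """Yield (timestamp, outcome, user, ip) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]


def correlate(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run both rules over the log in order and return a list of alert dicts.

    Per source IP we keep only the failure timestamps inside the sliding window,
    so memory stays bounded however long the stream runs. `flagged` is a simple
    set here; a production rule would expire entries after some hours.
    """
    failures = defaultdict(deque)   # ip -> timestamps (epoch seconds) of recent failures
    flagged = set()                 # ips that already fired the brute-force rule
    alerts = []
    for ts, outcome, user, ip in parse(log_text):
        q = failures[ip]
        window_start = ts.timestamp() - window
        while q and q[0] < window_start:   # drop failures that fell out of the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts.timestamp())
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip,
                               "count": len(q), "at": ts.isoformat()})
        elif ip in flagged:
            # A login that succeeds after the source was flagged: likely a compromised account.
            alerts.append({"rule": "success_after_bruteforce", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample, 198.51.100.20 (one typo then a key login) and 192.0.2.9 (two failures half an hour apart) stay silent, while 203.0.113.7 fires the brute-force rule on its fifth failure and then the higher-severity rule when the deploy account logs in two seconds later. Tuning the threshold and window to your own baseline is the "start simple" step; the same structure later takes per-user or per-subnet baselines instead of a fixed constant.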

Zero trust architecture

Don’t trust any connection by default, even from inside your network. Verify every request. Authenticate every user and device. Authorize every action. Log everything.

Zero trust isn’t a product you buy. It’s a design philosophy. Start with identity verification and micro-segmentation. Expand from there.

Network segmentation

Separate critical systems from general-purpose infrastructure. If an attacker compromises a marketing laptop, they shouldn’t be able to reach your production database. VLANs, firewalls, and strict routing rules. Simple concept, frequently ignored.

Immutable audit trails

Logs that can’t be modified or deleted. Write-once storage. Cryptographic hashing for integrity verification. If an attacker can erase their tracks, your incident investigation falls apart.
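An added example of the hashing part of that requirement, not code from the original article. Each record carries the SHA-256 of the previous record, so editing, reordering or removing any earlier record breaks every hash after it. The caveat a practitioner needs: truncating the newest records does not break the chain, so verification also takes an anchor, the hash of the latest record, which is assumed here to be copied by a separate process to storage the log writer cannot alter (write-once media, a different account, or a counterparty). The record fields and anchor mechanism are assumptions for the example.

```python
"""Hash-chained, append-only audit log with integrity verification (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # prev hash of the first record


def _digest(prev_hash, seq, timestamp, event):
    # Canonical JSON (sorted keys, no whitespace) so identical fields always hash identically.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "ts": timestamp, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, timestamp, event):
    """Append an event to the chain (a list of records) and return the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "ts": timestamp, "event": event, "prev": prev_hash,
              "hash": _digest(prev_hash, seq, timestamp, event)}
    log.append(record)
    return record["hash"]


def verify(log, anchor=None):
    """Return (ok, reason). Walks the chain and, if given, checks the head against the anchor."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}"
        if rec["prev"] != prev_hash:
            return False, f"chain broken at seq {i}"
        if _digest(rec["prev"], rec["seq"], rec["ts"], rec["event"]) != rec["hash"]:
            return False, f"record {i} modified"
        prev_hash = rec["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, "head does not match anchor (records truncated or log replaced)"
    return True, "ok"


def demo():
    """Build a small chain from constructed events, then show which tampering each check catches."""
    log = []
    head = GENESIS
    for ts, ev in [("2025-12-06T10:00:00Z", "admin login alice from 10.0.0.5"),
                   ("2025-12-06T10:01:10Z", "sudo alice: systemctl stop auditd"),
                   ("2025-12-06T10:02:00Z", "admin logout alice")]:
        head = append(log, ts, ev)
    results = {"intact": verify(log, head)[0]}

    tampered = [dict(r) for r in log]
    tampered[1]["event"] = "sudo alice: systemctl status auditd"   # rewrite history
    results["edit_detected"] = not verify(tampered, head)[0]

    deleted = [log[0], log[2]]                                     # drop the middle record
    results["delete_detected"] = not verify(deleted, head)[0]

    truncated = log[:2]                                            # drop the most recent record
    results["truncate_without_anchor"] = verify(truncated)[0]      # the chain alone says "ok"
    results["truncate_with_anchor"] = not verify(truncated, head)[0]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The fourth result is the one to remember: a hash chain by itself proves order and content up to wherever the file now ends, which is exactly what an attacker who deletes the last hour of logs leaves you with. Ship the head hash somewhere else on a schedule, or forward the records to a log server under separate administrative control, and the truncation becomes visible too.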

BSI Registration: Don’t Skip This

Every in-scope entity must register with the BSI within three months of qualifying as a regulated entity. Given that the law took effect December 6, 2025, the deadline for most organizations was early March 2026.

Registration happens via the BSI Portal (bsi.bund.de) using a “My Company” account (MUK) with an Elster organization certificate. You’ll need to provide: company information, sector classification, contact details for security incidents, and a designated point of contact.

If you haven’t registered yet, do it this week. Late registration itself is a compliance gap.

The Penalties Are Real

Essential entities: fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities: fines up to EUR 7 million or 1.4% of global annual turnover, whichever is higher.

But the fines aren’t the scariest part. Management liability is. Under the revised BSI Act, the management body must approve and monitor the cybersecurity risk-management measures itself; it cannot delegate that duty away, and executives who neglect it face personal liability under the general corporate-law rules.

Before NIS2, cybersecurity failures were corporate liabilities. Now they’re personal as well.

Germany is Europe’s number one target for cyberattacks. Only 29% of SMBs rate their cyber defenses as mature. And 55% of SMBs say a cyberattack impact under EUR 50,000 would threaten their business viability.

The regulation isn’t theoretical. The threat landscape isn’t theoretical. The penalties aren’t theoretical.

Implementation Roadmap

Week 1-2: Scope assessment. Determine if you’re in scope. Which category (essential or important)? Register with the BSI if you haven’t already.

Week 3-4: Gap analysis. Assess current capabilities against NIS2 requirements. Where are the gaps? Prioritize by risk.

Month 2-3: Quick wins. Implement MFA for all administrative access. Enable centralized logging. Review and update backup procedures. Conduct initial vulnerability scan.

Month 3-6: Core implementation. Deploy SIEM or centralized log management. Establish incident response procedures and test them. Conduct supply chain security assessments.

Implement network segmentation. Develop and document risk management framework.

Ongoing: Continuous improvement. Regular vulnerability scanning and patching. Annual penetration testing. Quarterly incident response drills. Staff training. Supplier reassessment.

For the broader EU regulatory context, see our pillar guide on EU compliance for software teams. And for embedding security into your development workflow, read Security by Design: Building Software That Passes Compliance Audits.


Need to bring your software systems into NIS2 compliance? Let’s assess your current state. We build security into the architecture from day one.
