NIS-2 Implementation in Germany: What Management Boards Need to Know in 2026
Germany's NIS2UmsuCG tightens BSIG duties for essential and important entities, with personal management liability, a staggered incident-reporting clock, and a vastly expanded sector catalogue. An overview for boards and managing directors.
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, better known as NIS-2, has been in force since 16 January 2023. Member States were required to transpose it into national law by 17 October 2024. Germany missed that deadline; the implementing act, the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), is still moving through the federal legislative process and will fundamentally restructure the existing BSI Act (BSIG). For boards and managing directors, the operative question is no longer whether the new obligations apply, but how the evidence should look when the Federal Office for Information Security (BSI) comes knocking.
What NIS-2 changes at its core
NIS-2 dramatically widens the scope of the predecessor directive. Where the previous regime focussed on operators of critical infrastructure, NIS-2 covers a far broader set of sectors and introduces two categories: essential entities and important entities. Classification depends on sector, company size and annual turnover. Current estimates put the number of affected companies in Germany at around 29,500, up from a few thousand under the old rules.
Sectors in scope
The directive distinguishes between sectors of high criticality (Annex I) and other critical sectors (Annex II). Essential entities typically include large companies in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration and space. Important entities cover postal and courier services, waste management, chemicals, food, manufacturing (including medical devices, computers, machinery, motor vehicles) and providers of digital services (online marketplaces, search engines, social networking platforms).
Reporting obligations: the 24/72/30 rule
The revised BSIG provides for a staggered reporting obligation for significant incidents. The clock starts when the entity becomes aware of the incident:
- Early warning within 24 hours, including an initial assessment of whether the incident is the result of unlawful or malicious acts and whether cross-border impacts are likely.
- Incident notification within 72 hours, updating the assessment and adding information on the nature, scope and known impact of the incident.
- Final report within one month of the incident notification, with a detailed description of the incident, its root cause, the remediation taken and any cross-border effects.
In addition, interim reports must be submitted during an ongoing incident at the request of the BSI. The BSI is the central reporting point; for certain sectors, additional sector-specific competent authorities may apply.
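The staggered clock described above, as an added Python example that is not part of the article: it derives the three deadlines from the moment of awareness, lets the final-report clock run from when the incident notification was actually filed (not from awareness), and reports each stage as on time, late, due or overdue. Reading "one month" as a calendar month with the day clamped (31 January rolls to 28 February) is an assumption of this example, not a reading taken from the act.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

# Deadlines as described above: 24 h early warning and 72 h incident
# notification from awareness; final report one month after the notification.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)

def parse_ts(s: str) -> datetime:
    # ISO-8601 only; naive timestamps are refused so no two clocks mix zones.
    t = datetime.fromisoformat(s)
    if t.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return t

def add_one_month(t: datetime) -> datetime:
    """Calendar-month step, day clamped to the target month's length
    (assumption: 'one month' read as a calendar month, so 31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=t.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return t.replace(year=year, month=month, day=min(t.day, last_day))

@dataclass
class ReportingClock:
    aware_at: datetime                                        # moment the entity became aware
    filed: Dict[str, datetime] = field(default_factory=dict)  # stage -> time actually submitted

    def deadlines(self) -> Dict[str, datetime]:
        due = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "incident_notification": self.aware_at + INCIDENT_NOTIFICATION,
        }
        # The final-report clock runs from the notification, not from awareness;
        # until the notification is filed it is projected from that stage's due time.
        base = self.filed.get("incident_notification", due["incident_notification"])
        due["final_report"] = add_one_month(base)
        return due

    def status(self, now: datetime) -> Dict[str, str]:
        """on_time / late for filed stages, due / overdue for open ones."""
        out = {}
        for stage, due in self.deadlines().items():
            at = self.filed.get(stage)
            if at is not None:
                out[stage] = "on_time" if at <= due else "late"
            else:
                out[stage] = "overdue" if now > due else "due"
        return out
```

Interim reports requested by the BSI during an ongoing incident have no fixed deadline and are deliberately not modelled.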
Risk management under § 30 BSIG (new version)
Essential and important entities must take appropriate, proportionate and effective technical and organisational measures. The mandatory catalogue tracks the state of the art and covers, among other things, risk analysis policies, personnel security, access control, cryptography and key management, multi-factor authentication, secured communications, backup and crisis management, supply chain cybersecurity and training programmes.
Training obligation for the management body
New and particularly consequential: members of the management body must regularly undergo training to acquire sufficient knowledge and skills to identify and assess risks, and to evaluate cybersecurity risk-management practices. Comparable training must also be offered to employees on a regular basis. This obligation cannot be delegated; it sits with the management body personally.
Registration and evidencing duties
Entities in scope must register with the BSI and provide a set of master data, including name, sector, address, contact details and IP address ranges. The BSIG also introduces periodic evidencing duties: essential entities must demonstrate their risk-management measures to the BSI on a regular basis; for important entities, supervision is triggered by specific cause.
Implementation checklist
1. Run a scoping analysis: which group companies fall into which category (essential / important)? Check group structure, headcount, turnover thresholds and sector classification.
2. Set up governance: assign responsibility at management level, fill the Information Security Officer (ISO / ISB) role, define reporting lines and anchor them in the org chart.
3. Develop a risk analysis and measures catalogue under § 30 BSIG: gap assessment against BSI IT-Grundschutz or ISO/IEC 27001:2022, remediation plan with owners and deadlines.
4. Implement an incident-response and reporting process: dry-run the 24/72/30 workflow, keep templates for early warning, incident notification and final report, and bookmark the BSI reporting portal.
5. Address supply-chain security: identify critical ICT suppliers, add contractual security requirements, document vendor assessments.
6. Launch the training programme: mandatory management-body training plus employee awareness training, with proof of participation.
7. Operationalise evidencing and documentation: audit-ready records for measures, incidents, trainings and BSI registration.
What to do now
Companies should not wait for the NIS2UmsuCG to enter into force. The substantive obligations follow from the directive itself, and the European Commission has already opened infringement proceedings against Member States, including Germany, that missed the transposition deadline. Teams that start building the documentation base now buy themselves a six-to-twelve-month lead on the competition and meaningfully reduce the personal liability exposure of the management body.