In December 2025, the EU NIS 2 Directive was transposed into national law via the new Act on the German Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG). This Act affects around 30,000 businesses – and thus many small and medium-sized enterprises, too. The three-month registration period already ended at the beginning of March; however, only around a third of the affected businesses have actually registered – it would appear that many of them have mistakenly ruled out the possibility that they could be affected. We would recommend taking swift action in order to still avoid, where possible, the risk of being fined and incurring other penalties.
New BSIG - with a considerably broadened scope of application - ...
The new BSIG defines the responsibilities and powers of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and, at the same time, transposes the NIS 2 Directive. It replaces the previous regulation on critical infrastructures (Kritische Infrastrukturen, KRITIS) and considerably broadens the scope of application. Besides the traditional critical infrastructure sectors, such as energy, transport, healthcare and finance, many other industries are now also regulated, including chemicals, food, waste management, postal and courier services as well as segments of the mechanical engineering sector.
The previous regulations provided separate technical and organisational security requirements for each of the various sectors. The new version of the Act, however, replaces the sector-specific model. Instead, a uniform set of cross-sectoral minimum requirements now applies - these are binding on all affected facilities.
When is a company deemed to be affected?
The relevant sectors and industries are listed in Appendices 1 and 2 of the BSIG. Businesses have to check:
1. whether they have been assigned to one of the listed sectors and
2. whether they meet the size criteria:
- at least 50 employees, or
- annual revenue or total assets of at least €10m.
If these criteria are met, then the business is deemed to be an important or an especially important entity and is, thus, subject to the legal obligations.
Extensive obligations for businesses
Under the BSIG, affected companies are required to implement extensive precautionary measures in five areas:
1. Registration obligation (Sections 33 and 34 BSIG) - Businesses must determine for themselves whether they fall within the scope of NIS 2. If they are affected, they must register with the BSI within three months of being classified as an important or an especially important entity. The data that is recorded includes the name and address of the business as well as contact information.
2. Risk management measures (Sections 30 and 31 BSIG) - To minimise or prevent security incidents, all entities must implement appropriate state-of-the-art technical and organisational measures. These include, for example,
- access controls,
- emergency and recovery procedures,
- vulnerability management, and
- security measures in the supply chain.
3. Requirements with regard to implementation, monitoring and training (Section 38 BSIG) - As a result of the new legislation, the executive board will bear considerably more responsibility; the board will have to actively monitor the implementation of appropriate security measures. Moreover, board members will be required to participate in training sessions on risk management practices on a regular basis, so that they can accurately assess the risks arising from the use of information technology. In the event of a breach of their obligations, the board members risk being held personally liable and, among other things, being barred from holding any management positions.
4. Reporting obligations (Section 32 BSIG) - So-called significant security incidents have to be reported to the BSI. An incident is significant where there is a risk of serious operational disruptions, financial losses, or impacts on natural or legal persons. Once the entity becomes aware of an incident, it has to be reported in a three-stage procedure with the following fixed timeframes:
- within 24 hours: the initial report to the BSI;
- within 72 hours: the updated report with an initial assessment of the severity and the impacts of the incident;
- within one month: the final report with information about the incident, threat, cause and measures taken.
5. Verification obligations (Sections 39, 61 and 62 BSIG) - Every three years, operators of critical infrastructure must carry out verification tests to evaluate whether the risk management measures have been effectively implemented and, subsequently, submit the results to the BSI. Moreover, the BSI may require important and especially important entities to provide such proof on an ad hoc basis or randomly.
What should businesses do now?
Small and medium-sized enterprises (SMEs), in particular, should carefully re-examine whether they are affected - even if a previous assessment already exists - in order to avoid being fined and incurring other penalties. If a business is affected, then it should promptly:
- register with the BSI,
- assess the risks and derive the necessary security measures, and,
- where appropriate, prepare a verification test.
A practical guide to implementation
To ensure effective operational implementation, it is advisable to establish clear structures and to define responsibilities. A risk register can form the basis for a robust risk assessment and the prioritisation of measures. Subsequently, businesses should, first and foremost, strengthen those measures that shut down the most frequent attack paths, in particular:
- multi-factor authentication,
- clear access and authorisation rules,
- consistent patch and vulnerability management,
- regular backups, and
- documentation of a defined incident response process.