On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung, “NIS2UmsG”) (see here, in German only) became binding in Germany. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) (see here, in German only), roughly 29,500 companies will have to comply with the increased cybersecurity requirements introduced by the NIS2UmsG.

Background

While the EU Member States should have transposed the NIS 2 Directive[1] (see here) into national law by 17 October 2024 and should have applied these measures from 18 October 2024, Germany and a number of other Member States missed this deadline. With a delay of more than a year, Germany has now passed the NIS2UmsG, a so-called “article law” (Artikelgesetz) that amends a number of existing German laws. Most of these changes concern the German Act on the Federal Office for Information Security and on Information Security in Institutions (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik und über die Sicherheit in der Informationstechnik von Einrichtungen; as amended by the NIS2UmsG, the “new BSIG”) (see here, in German only).

Affected Establishments

General

The most important changes concern the scope of establishments that are now regulated by the new BSIG: (1) particularly important establishments (besonders wichtige Einrichtungen) and (2) important establishments (wichtige Einrichtungen) (§ 28 (1) and (2) new BSIG). While both categories of establishments have to fulfill the same requirements, the BSI can take supervisory and enforcement action ex ante, i.e., without any indication of non-compliance, only against particularly important establishments (see below).

Particularly Important Establishments

Particularly important establishments are:

  1. operators of critical facilities (§ 28 (1) No. 1 new BSIG);
  2. qualified trust service providers, top-level domain name registries, or DNS service providers (§ 28 (1) No. 2 new BSIG);
  3. telecommunication service providers that aa) employ at least 50 people or bb) have an annual turnover and annual balance sheet total of more than 10 million euros each (§ 28 (1) No. 3 new BSIG); and
  4. establishments that fall under one of the sectors specified in Annex 1 of the new BSIG, and aa) employ at least 250 people or bb) have an annual turnover of more than 50 million euros and an annual balance sheet total of more than 43 million euros (§ 28 (1) No. 4 new BSIG).

Important Establishments

Important establishments are:

  1. trust service providers (§ 28 (2) No. 1 new BSIG);
  2. telecommunication service providers that aa) employ fewer than 50 people and bb) have an annual turnover or annual balance sheet total of 10 million euros or less (§ 28 (2) No. 2 new BSIG); and
  3. establishments that fall under one of the sectors specified in Annex 1 or 2 of the new BSIG, and aa) employ at least 50 people or bb) have an annual turnover and an annual balance sheet total of more than 10 million euros each (§ 28 (2) No. 3 new BSIG).

Annexes 1 and 2 of the new BSIG

Annex 1 of the new BSIG covers the sectors energy, transport/traffic, finance, health, water, digital infrastructure and space. Annex 2 covers postal/courier services, waste management, chemicals, food, manufacturing, digital services and research.

Key Requirements

Risk Management (§ 30 new BSIG)

§ 30 new BSIG requires particularly important establishments and important establishments to implement appropriate, proportionate and effective technical and organizational measures to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes they use to provide their services and to minimize the impact of security incidents. What is proportionate depends on the establishment's risk exposure, its size, the cost of implementation and the likelihood and severity of security incidents. The measures must include at least:

  • Policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each establishment and its direct suppliers or service providers;
  • security in the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of risk-management measures in the field of information technology security;
  • basic training and awareness-raising measures in the field of information technology security; as well as
  • policies for human resources security, access control, and the management of ICT systems, products, and processes.

This catalogue tracks Art. 21 (2) of the NIS 2 Directive, which additionally names policies on the use of cryptography and, where appropriate, encryption, as well as multi-factor or continuous authentication and secured voice, video, text and emergency communications.

Incident Reporting (§ 32 new BSIG)

Pursuant to § 32 new BSIG, particularly important and important establishments must follow strict reporting requirements in the event of a significant security incident. In particular, they must submit certain information to a notification portal operated by the BSI and the Federal Office for Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe) (the portal is available here, in German only; “BSI-Portal”) without undue delay, but no later than 24 hours after becoming aware of the significant security incident. This first report (early warning) must indicate whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.

A second report, confirming or updating this information, must be filed without undue delay, but no later than 72 hours after becoming aware of the significant security incident. This report must also contain an initial assessment of the incident, including its severity and impact, and, where available, the indicators of compromise.

The BSI can request further interim reports providing updates at any time.

A final report, due within one month after submission of the second report, must contain:

  • A detailed description of the security incident, including its severity and impact;
  • information on the nature of the threat or underlying cause that is likely to have triggered the security incident;
  • information on the mitigation measures taken and ongoing;
  • where applicable, the cross-border impact of the security incident.

If the security incident is still ongoing one month after submission of the second report, the establishment shall submit a progress report instead and shall submit the final report once the security incident has been fully handled.

In the event of a significant security incident, the BSI can order particularly important and important establishments to inform the recipients of their services without undue delay about this significant security incident, pursuant to § 35 new BSIG.

Establishments from the sectors of finance, social security benefits and basic security for job seekers, digital infrastructure, ICT services management and digital services shall inform the recipients of their services who are potentially affected by a significant cyber threat, as well as the BSI, of any measures or remedies those recipients can take in response to that threat.

Implementation, monitoring and training obligations for the management (§ 38 new BSIG)

§ 38 new BSIG imposes implementation, monitoring and training obligations regarding the risk-management measures on the management bodies (Geschäftsleitung) of particularly important and important establishments. If they fail to fulfill these obligations, they are liable to the establishment for any damage culpably caused, in accordance with the applicable corporate law. In order to acquire sufficient knowledge and skills, they must regularly participate in training courses.

Registration (§ 33 new BSIG)

Particularly important and important establishments shall register with the BSI no later than three months after first or again qualifying as particularly important or important establishment, § 33 new BSIG. This registration includes, amongst other things:

  • The name of the establishment, including its legal form and, if applicable, its commercial register number;
  • address and current details, including email addresses, public IP address ranges, and telephone numbers; and
  • the relevant sector as specified in Annex 1 or 2 of the new BSIG or, if relevant, the industry.

Establishments shall use the BSI-Portal for registrations.

Supervisory and Enforcement Measures (§§ 61, 62 new BSIG)

To verify compliance with the requirements of the new BSIG, the BSI is entitled to take certain supervisory and enforcement measures, pursuant to §§ 61, 62 new BSIG. With respect to important establishments, the BSI can take these measures only if there are facts justifying the assumption that the establishment is not, or not correctly, implementing specific obligations under the new BSIG (ex post). With respect to particularly important establishments, the BSI can take these measures also in the absence of such facts (ex ante), § 61 new BSIG.

The measures include, amongst other things:

  • Audits, inspections, or certifications by independent bodies for individual particularly important establishments;
  • the requirement of providing evidence of compliance;
  • entering business and operating premises and requesting the presentation of relevant records, documents, and other materials in an appropriate manner, providing information, and granting the necessary assistance; and
  • order to take the necessary appropriate, proportionate and effective technical and organizational measures to prevent or remedy a security incident or deficiency in consultation with the competent supervisory authority and to submit a suitable plan for remedying the deficiency and suitable evidence that the deficiency has been remedied.

If an establishment fails to comply with an order, the BSI may, as a last resort, temporarily:

  • Suspend the license granted to this establishment in accordance with the relevant specialist law; and
  • prohibit unreliable management from exercising the activity for which they are appointed.

Specific Obligations for Operators of Critical Facilities

The new BSIG generally sets higher requirements for so-called operators of critical facilities, as defined in § 2 No. 22 new BSIG. They must comply with stricter obligations, e.g., regarding risk-management measures, reporting and registration. Furthermore, they are subject to additional requirements, e.g., a potential prohibition, by government order, on using critical components from a specific manufacturer.

Forecast

The new BSIG raises cybersecurity standards and information security resilience across several sectors, but implementing and maintaining the required measures will pose challenges for the establishments affected. According to the explanatory memorandum of the NIS2UmsG (see here, in German only), the German government estimates an increase in annual compliance costs of roughly EUR 2.3 billion for the national economy. In addition, it expects one-time implementation costs of roughly EUR 2.2 billion. Establishments can use the BSI's impact assessment tool (see here, in German only) for a first check of whether, and if so to what extent, they are affected by the NIS2UmsG.


[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group as well as the Artificial Intelligence (AI) and Internet of Things (IoT) Practice Groups. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz is regularly advising on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IP, IT, and data protection, among others, by Chambers, Legal 500, Best Lawyers in cooperation with Handelsblatt, and Wirtschaftswoche.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law.

Clemens Jaaks

Clemens Jaaks is an associate in Covington’s IP/IT team in Frankfurt. He focuses on IT law, outsourcing, cloud-services, digitalization/industry 4.0, technology and data driven licensing deals, e-commerce and data protection.