    NIS2 in Germany

    A guide to NIS2 implementation and compliance in Germany.

    Germany has completed transposition of the NIS2 Directive through the NIS2UmsuCG, in force since 6 December 2025 with no transitional period. The new regime expands scope from roughly 4,500 to roughly 29,000–30,000 entities, strengthens management accountability, and introduces direct personal liability for management bodies. This guide provides a structured overview of the NIS2 compliance requirements in Germany for SMEs operating in regulated sectors.

    1. Quick SME Applicability Snapshot in Germany

    Does NIS2 apply to SMEs in Germany?

    Yes, depending on sector and size.

    • Automatic applicability to entities in covered sectors that are at least medium-sized: 50 or more employees, or an annual turnover and a balance sheet total that each exceed €10 million.
    • Small and micro entities are included only if they belong to an entity type the Directive covers regardless of size (for example DNS service providers, TLD name registries and trust service providers) or if they are formally designated by the authorities.
    • Applies to entities established in Germany and, in certain circumstances, to foreign digital providers serving the German market.

    SMEs should evaluate scope under Germany's national cybersecurity regime based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in Germany

    Germany completed transposition through the NIS2UmsuCG, which entered into force on 6 December 2025 with no transitional period. The act substantially revises the BSI Act (BSIG), expanding scope from approximately 4,500 to 29,000–30,000 entities.

    Notable national deviations include a "negligible activities" exemption under § 28(3) BSIG, and a stricter "operators of critical facilities" (Betreiber kritischer Anlagen) subcategory that must run attack detection systems and submit compliance evidence every three years.

    Management bodies must complete mandatory cybersecurity training at least every three years (BSI guidance recommends approximately four hours per session).

    3. Scope of Application in Germany

    Germany's sectoral scope reflects the Directive's minimum categories (Annex I sectors of high criticality and Annex II other critical sectors), integrated within its established critical infrastructure (KRITIS) regime.

    4. Size Thresholds and SME Applicability in Germany

    The baseline size test follows the EU SME definition. An entity in a covered sector is automatically within scope if it is at least medium-sized, meaning it meets either of the following:

    • 50 or more employees, or
    • an annual turnover and a balance sheet total that each exceed €10 million.

    Note the structure of the test: the employee count alone is sufficient; the financial criterion requires both turnover and balance sheet total to exceed the threshold. Germany introduces a "negligible activities" exemption (§ 28(3) BSIG): NIS2-relevant activities that are negligible relative to the overall business may be disregarded when assessing scope. "Negligible" is not legally defined and requires a careful, documented self-assessment.

    Small and micro enterprises may be designated by the German authorities where they are considered critical to national security, economic stability or public service continuity, or where systemic risk otherwise justifies inclusion.

    5. Entity Classification Framework in Germany

    Entities are categorized as:

    • Essential Entities (besonders wichtige Einrichtungen) — Subject to proactive supervision, including audits and structured compliance monitoring.
    • Important Entities (wichtige Einrichtungen) — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced supervision.

    Germany maintains a structured supervisory model aligned with the Directive's two-tier framework.

    6. Cybersecurity Risk Management Requirements in Germany

    Germany's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain security, including risk controls for direct suppliers and service providers
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity awareness and training

    Measures must reflect the state of the art (Stand der Technik) and the organization's actual risk exposure. Alignment with ISO/IEC 27001 and German cybersecurity guidance such as the BSI IT-Grundschutz is encouraged but not itself a statutory requirement.

    Supply chain oversight includes vendor due diligence and contractual cybersecurity safeguards.

    7. Management Liability and Governance in Germany

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Germany's framework:

    • Boards are accountable for compliance oversight.
    • Senior leadership must ensure sufficient cybersecurity competence and complete mandatory cybersecurity training at least every three years (BSI guidance: approximately four hours per session).
    • Administrative sanctions may address governance failures.
    • Direct personal liability for management bodies is anchored in § 38 BSIG, which applies the liability rules of the corporate law governing the entity's legal form where such rules exist, and otherwise applies directly under the BSI Act.

    These management liability rules elevate cybersecurity governance in Germany to an executive-level responsibility.

    8. Incident Reporting Obligations in Germany

    Definition of a Significant Incident

    An incident is significant, and therefore reportable, if it has caused or is capable of causing:

    • Severe operational disruption of the entity's services
    • Significant financial loss for the entity
    • Considerable material or non-material damage to other natural or legal persons

    Potential cross-border impact does not by itself make an incident significant, but it must be assessed and, where known, indicated in the early warning.

    Reporting Timeline

    Reporting Stage          Deadline                                   Authority
    Early Warning            24 hours after becoming aware              Federal Office for Information Security (BSI)
    Incident Notification    72 hours after becoming aware              Federal Office for Information Security (BSI)
    Final Report             1 month after the incident notification    Federal Office for Information Security (BSI)

    The early warning states whether the incident is suspected to be unlawful or malicious and whether it could have a cross-border impact. The incident notification updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled. BSI may also request intermediate status reports.

    Germany follows the Directive's structure for these reporting deadlines. Sector regulators may coordinate with BSI depending on the entity's classification.

    9. Supervisory Authorities and Enforcement Model in Germany

    Primary authority: Federal Office for Information Security (BSI).

    Germany operates a centralized supervisory model under BSI, supported by sector regulators where applicable.

    Supervisory powers include:

    • Requests for information and documentation
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination mechanisms

    The enforcement structure aligns with Directive-level cooperation requirements.

    10. NIS2 Fines and Sanctions in Germany

    Germany applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Enforcement in Germany may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Direct personal liability for management body members under § 38 BSIG

    11. NIS2 Supply Chain and Vendor Security in Germany

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down requirements
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Germany's approach aligns with Directive baseline expectations for supplier risk management.

    12. Registration and Self-Identification Duties in Germany

    Entities within scope must:

    • Self-assess scope and register with BSI via a two-step process: create a Mein Unternehmenskonto (MUK) account using an ELSTER certificate, then register via the BSI portal. The registration deadline was 6 March 2026 and has passed; entities that have not yet registered should do so immediately.
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated reporting contacts and report changes within 14 days

    The BSI portal serves as both the registration platform and the incident reporting hub. Until registration is complete, entities should use BSI's online incident reporting form.

    Self-identification is mandatory. Authorities do not notify entities individually; each entity must determine and document its own scope status.

    13. Interaction With GDPR and Other Laws in Germany

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific German cybersecurity legislation

    A cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in Germany are supervised by German authorities for cross-border services.

    Foreign digital providers offering services in Germany may be subject to national obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the German market.

    15. Implementation Timeline in Germany

    • Directive adoption: Directive (EU) 2022/2555 adopted 14 December 2022; EU transposition deadline 17 October 2024
    • National legislative amendments: NIS2UmsuCG adopted by the Bundestag on 13 November 2025; approved by the Bundesrat; published 5 December 2025
    • Entry into force: 6 December 2025 (no transitional period)
    • Commission notification: EC reasoned opinion in May 2025 (pre-enactment); completeness of transposition under review after 6 December 2025
    • Compliance milestones: BSI portal opened 6 January 2026; BSI registration deadline 6 March 2026 (passed); management training at least every 3 years

    Germany completed transposition on 6 December 2025 with no transitional period. The BSI registration deadline of 6 March 2026 has passed, so entities that have not yet registered should act immediately.

    16. Key Takeaways for SMEs in Germany

    • Medium-sized entities in covered sectors (50 or more employees, or turnover and balance sheet total each above €10 million) are automatically within scope.
    • Small entities may be in scope if they belong to a size-independent entity type or are designated as critical to national or economic stability.
    • Board-level governance oversight is mandatory, with direct personal liability under § 38 BSIG and mandatory cybersecurity training at least every 3 years.
    • Incident reporting follows 24-hour / 72-hour / 1-month deadlines, submitted via the BSI portal (opened 6 January 2026).
    • Financial penalties can reach €10 million or 2% of global annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities).
    • Vendor risk management is required.
    • The BSI registration deadline of 6 March 2026 has passed; entities that have not registered should act immediately. The "negligible activities" exemption (§ 28(3) BSIG) requires a careful, documented self-assessment.

    FAQ: NIS2 Germany SME Guide

    Does NIS2 apply to small companies in Germany?

    Small and micro companies are generally excluded unless they are designated by the authorities or belong to an entity type the Directive covers regardless of size (such as DNS service providers, TLD name registries and trust service providers). Medium-sized and larger entities in covered sectors are automatically covered.

    What are the NIS2 fines in Germany?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Germany?

    The NIS2UmsuCG entered into force on 6 December 2025 with no transitional period. The BSI registration deadline was 6 March 2026 (now passed). All risk management, incident reporting, and governance obligations apply immediately. Entities must self-assess scope; registration is via the two-step BSI portal / Mein Unternehmenskonto (MUK) process.

    Who enforces NIS2 in Germany?

    The Federal Office for Information Security (BSI) serves as the primary supervisory authority, coordinating with sector regulators where applicable.

    Can directors be personally liable under NIS2 in Germany?

    Yes. Management bodies must approve and oversee cybersecurity measures, and § 38 BSIG anchors their personal liability for breaches of these duties. Administrative enforcement tools may additionally include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Germany?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in Germany?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.