The national law implementing the NIS2 Directive ("NIS2") in Germany entered into force on 6 December 2025. We discussed the key provisions of the NIS2 Directive in our previous Legal Update. In-scope entities should be aware of the following registration and incident reporting obligations under the BSI Act ("BSIG"), as they require timely action.
Registration
In-scope entities are required to register with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) ("BSI") no later than three months after qualifying as an in-scope entity or after starting to offer domain name registration services. The BSI has announced that it will open an online registration and incident reporting portal on 6 January 2026 (the "BSI Portal"). The BSI recommends that in-scope entities create a "My Company" account (Mein Unternehmenskonto) ("MUK") by the end of 2025 so that they can register in the BSI Portal from January 2026.
Incident Reporting
In-scope entities are required to report significant incidents to the BSI no later than 24 hours after becoming aware of the incident. A second report providing further details must be filed within 72 hours of becoming aware of the incident. Intermediate reports must follow upon request by the BSI, and a final report must be filed within one month of the second report. Until the BSI Portal opens, in-scope entities should report significant incidents via the online form on the BSI website.
Key Differences Between NIS2 and BSIG
BSIG is broadly aligned with NIS2, but the following differences may affect whether the law applies to a given business and which obligations in-scope businesses will need to comply with.
Activities and Size Thresholds
- In-scope activities are, in some cases, defined more precisely and with reference to applicable German sectoral law. Businesses should carefully review the list of activities to check if they may be in scope of BSIG.
- Activities that are negligible in relation to the entity's overall business activities may be disregarded in the applicability assessment.
- Size thresholds are aligned with NIS2; however, the data of partner or linked enterprises is to be omitted from the size calculation under Commission Recommendation 2003/361 if the enterprise is independent from its partner or linked enterprises, taking into account the legal, economic and factual circumstances regarding the nature and operation of its information technology systems, components and processes.
Operators of Critical Facilities
- More onerous provisions apply to a sub-set of entities categorized as "operators of critical facilities" (a peculiarity of German law that already existed under the previous version of the Directive, NIS1). For example, operators of critical facilities face stricter cybersecurity requirements, are obliged to provide additional information to the BSI (such as information regarding critical components), and are required to undergo regular security audits, inspections or cybersecurity certifications.
Cybersecurity Risk Management Measures
- Obligatory cybersecurity risk management measures are aligned with NIS2, but in-scope entities are required to document their compliance with those measures under BSIG.
Reporting to Service Recipients
- The BSI can order in-scope entities to inform the recipients of their services about significant incidents. An entity can do so via its website.
- Entities in certain sectors are required to immediately inform the BSI, and those recipients of their services who are potentially affected by a significant cyber threat, of measures to mitigate that threat, where the recipients' interests prevail after weighing the interests of the entity against those of the recipients.
© Copyright 2025. The Mayer Brown Practices. All rights reserved.