    Cybersecurity Regulations Overhauled: NIS-2 Launches in Germany

    08.12.2025

    On December 5, 2025, the Act on the Implementation of the NIS-2 Directive and the Establishment of Fundamental Standards for Information Security Management within the Federal Administration was officially promulgated. Just one day later, on December 6, this comprehensive reform of German cybersecurity law came into force. The new regulations tighten security requirements for both federal authorities and numerous private-sector organizations.

    Organizations are required to independently assess whether they fall within the scope of the NIS-2 Directive.

    This may make them part of the approximately 29,500 entities that will be subject to BSI supervision and face new IT security obligations. Previously, only around 4,500 organizations were subject to the regulations of the BSI Act – primarily KRITIS operators, digital service providers (DSP), and entities of particular public interest (UBI).

    Through the NIS-2 Implementation Act, the scope of application of the BSIG (the BSI Act) has been significantly expanded: organizations operating in specific sectors and meeting the legally defined thresholds for number of employees, annual turnover, and balance sheet total will in future be classified as “important entities” and “particularly important entities.”

    When Does Your Company Fall Under NIS-2?

    A company is subject to NIS-2 regulations if two conditions are met simultaneously: first, it must operate in one of the sectors defined in § 28 and Annex 1 of the NIS-2 Implementation Act; second, it must meet or exceed certain size thresholds.

    The size thresholds are based on the EU recommendation for the definition of micro, small, and medium-sized enterprises. A company is considered medium-sized and thus falls under NIS-2 if it has at least 50 employees or has an annual turnover or annual balance sheet total of at least 10 million euros. It is sufficient if one of these two financial criteria is met.

    Companies that do not meet these thresholds generally do not fall under NIS-2 obligations. However, there are exceptions for particularly critical areas. KRITIS operators must always be classified as particularly important entities regardless of their size. Certain providers of digital services may also be covered regardless of thresholds if their services are particularly relevant to society or the economy.

    Affected Sectors and Providers

    The new regulations cover, among others, operators of online marketplaces. Additionally, the following providers fall within the scope: DNS service providers, TLD name registries, cloud computing providers, data center service providers, content delivery network operators, managed service providers, managed security service providers, search engine providers, social media platforms, and trust service providers.

    Indirect Impact on Software Providers

    Software providers that supply solutions to NIS-2-regulated companies should also pay particular attention to the new regulations. Although they may not be directly subject to the NIS-2 Directive themselves, they may become relevant as an integral part of, for example, a KRITIS company. In this context, they will be considered during audits or risk assessments of the regulated entity. In such cases, software providers must also be able to provide all relevant documentation and evidence.

    Core Obligations for Affected Companies

    Affected organizations must fulfill three main obligations:

    • Registration requirement: There is a legal obligation to register as an NIS-2-regulated organization.
    • Reporting requirement: Significant IT security incidents must be reported to the BSI.
    • Risk management: Implementation and documentation of risk management measures is required.

    Operators of critical infrastructure are automatically assigned to the category of “particularly important entities.”

    Registration Process: Special Importance of BSI Portal Registration

    The BSI is introducing a two-stage registration procedure (as the BSI explains) for NIS-2-obligated organizations with a German tax identification number. First, companies must register via “Mein Unternehmenskonto” (MUK – My Business Account). This serves as a central user account for digital administrative services and is technically based on ELSTER. Existing ELSTER certificates can be used for this purpose.

    The BSI recommends completing registration in MUK by the end of 2025. From January 2026, registration will then take place in the new BSI portal, which launches on January 6, 2026. This portal will be used to report relevant security incidents, among other things. Until registration in the BSI portal, incidents can be reported via an online form. KRITIS operators and federal agencies will continue to use their existing reporting channels.

    Definition of Significant Security Incidents

    According to the BSI Act, a significant security incident exists when an event significantly disrupts or damages an organization’s operations or finances – or when it can significantly affect other persons materially or immaterially (§ 2 No. 11 BSIG).

    For certain digital services (e.g., cloud providers, data centers, online marketplaces, search engines, social networks, managed service providers), EU Regulation 2024/2690 applies additionally. According to this regulation, an incident is considered significant if, for example:

    • financial damage exceeding €500,000 or 5% of annual turnover is threatened or occurs,
    • business secrets are leaked,
    • people die or are seriously injured,
    • a successful, malicious hacker attack with severe operational disruptions occurs,
    • or other specifically named impacts in the regulation occur.

    Planned maintenance and announced outages are explicitly not considered significant security incidents.

    What Companies Should Do Now

    Companies should first assess whether they fall under the NIS-2 Directive. Then they should register with “Mein Unternehmenskonto” in 2025. Registration in the BSI portal should be prepared from January 6, 2026 onward. In parallel, companies must implement risk management measures and carefully document all measures taken. Additionally, they must ensure they can detect and properly report security incidents.

    Further information can be found on the BSI website.

    We support you in implementing the new NIS-2 requirements:

    • Applicability check: Determining whether your company falls under NIS-2.
    • Gap analysis: Assessing the difference between your current security level and NIS-2 requirements.
    • Implementation roadmap: Creating a concrete plan with priorities, actions, and timelines.
    • Training: Workshops for management and staff on NIS-2 obligations and reporting processes.

    Secure a free 30-minute consultation with Legal Living Hub

    Contact us
    CRA vs AI Act: A Guide to Regulatory Overlap

    13.11.2025

    Introduction

    With the adoption of the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) and the Artificial Intelligence Act (AI Act, Regulation (EU) 2024/1689), the European Union has created two landmark legislative acts that will fundamentally shape the digital landscape.

    For companies developing products that contain both digital elements and AI components, a crucial question arises:

    How do these two regulations interact with each other?

    Executive Summary

    In brief: The AI Act generally takes precedence. However, products with digital elements that fall within the scope of the CRA and are simultaneously classified as high-risk AI systems within the meaning of Article 6 of the AI Act must additionally fulfill the essential cybersecurity requirements of the CRA.

    If these high-risk AI systems meet the cybersecurity requirements set out in Annex I Parts I and II of the CRA, they are presumed to also fulfill the requirements under Article 15 of the AI Act.

    By way of exception, the CRA takes precedence for products classified as “important” or “critical” products with digital elements according to Annex III or IV of the CRA. However, this precedence applies exclusively with regard to cybersecurity requirements.

    The Central Interface: Article 12 CRA

    The main provision for coordination between both regulations is found in Article 12 of the CRA (“High-risk AI systems”). This is supplemented by Recitals 63 to 65 and Article 52(14) CRA on market surveillance.

    The legislator has recognized that many products may simultaneously fall under both regulations – particularly when dealing with high-risk AI systems that also qualify as products with digital elements.

    The Principle of Conformity Presumption

    Dual Applicability

    Products that fall within the scope of the CRA and are also classified as high-risk AI systems according to Article 6 AI Act must, in principle, comply with both regulatory frameworks. However, the CRA establishes an important facilitation through the principle of conformity presumption.

    The Conformity Presumption in Practice

    When a high-risk AI system:

    • meets the essential cybersecurity requirements in Annex I Part I of the CRA, and
    • the procedures established by the manufacturer comply with the requirements in Annex I Part II of the CRA,

    it is automatically presumed that the cybersecurity requirements according to Article 15 AI Act are also fulfilled. This compliance must be documented in the EU declaration of conformity issued under the CRA.

    Practical Note: This provision avoids duplicate compliance work and creates legal certainty for manufacturers.

    Enhanced Risk Assessment for AI Systems

    AI-Specific Threat Scenarios

    When conducting the risk assessment required under the CRA, manufacturers of high-risk AI systems must pay special attention to AI-specific cyber threats:

    • Data Poisoning: Manipulation of training data to corrupt AI behavior
    • Adversarial Attacks: Targeted inputs to deceive the AI system
    • Model Extraction: Unauthorized access to the trained model
    • Manipulation of system behavior and performance

    Fundamental Rights Protection as Assessment Criterion

    It is particularly noteworthy that the risk assessment must also consider potential impacts on fundamental rights according to the AI Act. This establishes a direct connection between technical cybersecurity and legal fundamental rights protection.

    The Conformity Assessment Procedure: A Complex Regulatory System

    General Rule: Priority of the AI Act

    As a general rule, the conformity assessment procedure under the AI Act takes precedence. This means:

    • The procedure provided in Article 43 AI Act also applies to the assessment of CRA cybersecurity requirements
    • Notified bodies under the AI Act are also responsible for CRA conformity, provided they meet the requirements of Article 39 CRA

    The Exception: Priority of the CRA

    However, CRA conformity assessment procedures take precedence when all of the following conditions are cumulatively met:

    1. Product classification under CRA:
      • The product is classified as an “important product with digital elements” (Annex III CRA) and is subject to the procedures under Article 32(2) and (3) CRA, or
      • The product is classified as a “critical product with digital elements” (Annex IV CRA) and requires a European cybersecurity certificate or is subject to Article 32(3) CRA
    2. Simultaneously: The conformity assessment procedure under the AI Act is based on internal control according to Annex VI AI Act

    Important: In these exceptional cases, CRA priority applies only to cybersecurity aspects. All other AI Act requirements continue to be assessed according to the internal control procedure of the AI Act.

    Synergies and Practical Benefits

    AI Regulatory Sandboxes

    An important advantage for innovators: Manufacturers of products falling under both regulations can participate in AI regulatory sandboxes according to Article 57 AI Act. This enables controlled testing environments for innovative developments.

    Coordinated Market Surveillance

    Market surveillance is conducted in a coordinated manner:

    • AI Act authorities are also responsible for CRA aspects of high-risk AI systems
    • Close cooperation with CRA market surveillance authorities, CSIRTs, and ENISA
    • Information exchange about relevant findings between authorities

    Practical Recommendations

    1. Early Classification: Determine early whether your product falls under both regulations
    2. Integrated Compliance Strategy: Develop a holistic compliance strategy that considers both regulatory frameworks
    3. Documentation: Utilize the conformity presumption through careful documentation of CRA compliance
    4. Risk Management: Implement comprehensive risk management covering both classical cybersecurity and AI-specific threats

    Legal Living Hub provides you with modern data protection consulting and AI compliance on an equal footing.

    Secure a free 30-minute initial consultation

    Conclusion

    The overlap provisions between CRA and AI Act demonstrate the European legislator’s commitment to creating practical solutions despite complex regulation. The conformity presumption and coordinated market surveillance are important instruments for avoiding duplicate burdens.

    At the same time, practical application remains complex and requires careful analysis on a case-by-case basis. Companies should seek legal advice early and align their compliance processes accordingly.

    Successfully navigating this regulatory landscape is increasingly becoming a competitive advantage – both in terms of legal certainty and regarding the trust of customers and partners in the security and legal compliance of offered products.


    This article provides initial guidance on the overlap provisions between CRA and AI Act. For specific legal advice on your particular case, we recommend consulting specialized legal advisors.

    Date: November 2024
    Legal Basis: Regulation (EU) 2024/2847 (CRA), Regulation (EU) 2024/1689 (AI Act)
