Cybersecurity Regulations Overhauled: NIS-2 Launches in Germany

    On December 5, 2025, the Act on the Implementation of the NIS-2 Directive and the Establishment of Fundamental Standards for Information Security Management within the Federal Administration was officially promulgated. Just one day later, on December 6, this comprehensive reform of German cybersecurity law came into force. The new regulations tighten security requirements for both federal authorities and numerous private-sector organizations.

    Organizations are required to independently assess whether they fall within the scope of the NIS-2 Directive.

    If they do, they join the approximately 29,500 entities that will be subject to BSI supervision and face new IT security obligations. Previously, only around 4,500 organizations were subject to the regulations of the BSI Act – primarily KRITIS operators, digital service providers (DSP), and entities of particular public interest (UBI).

    Through the NIS-2 Implementation Act, the scope of application of the BSIG (BSI Act) has been significantly expanded: organizations operating in specific sectors and meeting the legally defined thresholds for number of employees, annual turnover, and balance sheet total will in the future be classified as “important entities” and “particularly important entities.”

    When Does Your Company Fall Under NIS-2?

    A company is subject to NIS-2 regulations if two conditions are met simultaneously: First, it must operate in one of the sectors defined in § 28 and Annex 1 of the NIS-2 Implementation Act. Second, it must meet or exceed certain size thresholds.

    The size thresholds are based on the EU recommendation for the definition of micro, small, and medium-sized enterprises. A company is considered medium-sized, and thus falls under NIS-2, if it has at least 50 employees or if its annual turnover or annual balance sheet total is at least 10 million euros. Meeting either one of these two financial criteria is sufficient.

    Companies that do not meet these thresholds generally do not fall under NIS-2 obligations. However, there are exceptions for particularly critical areas. KRITIS operators must always be classified as particularly important entities regardless of their size. Certain providers of digital services may also be covered regardless of thresholds if their services are particularly relevant to society or the economy.

    Affected Sectors and Providers

    The new regulations cover, among others, operators of online marketplaces. Additionally, the following providers fall within the scope: DNS service providers, TLD name registries, cloud computing providers, data center service providers, content delivery network operators, managed service providers, managed security service providers, search engine providers, social media platforms, and trust service providers.

    Indirect Impact on Software Providers

    Software providers that supply solutions to NIS-2-regulated companies should also pay particular attention to the new regulations. Although they may not be directly subject to the NIS-2 Directive themselves, they may become relevant as an integral part of, for example, a KRITIS company. In this context, they will be considered during audits or risk assessments of the regulated entity. In such cases, software providers must also be able to provide all relevant documentation and evidence.

    Core Obligations for Affected Companies

    Affected organizations must fulfill three main obligations:

    • Registration requirement: There is a legal obligation to register as an NIS-2-regulated organization.
    • Reporting requirement: Significant IT security incidents must be reported to the BSI.
    • Risk management: Implementation and documentation of risk management measures is required.

    Operators of critical infrastructure are automatically assigned to the category of “particularly important entities.”

    Registration Process: Special Importance of BSI Portal Registration

    As the BSI explains, it is introducing a two-stage registration procedure for NIS-2-obligated organizations with a German tax identification number. First, companies must register via “Mein Unternehmenskonto” (MUK – My Business Account). This serves as a central user account for digital administrative services and is technically based on ELSTER. Existing ELSTER certificates can be used for this purpose.

    The BSI recommends completing registration in MUK by the end of 2025. From January 2026, registration will then take place in the new BSI portal, which launches on January 6, 2026. This portal will be used to report relevant security incidents, among other things. Until registration in the BSI portal, incidents can be reported via an online form. KRITIS operators and federal agencies will continue to use their existing reporting channels.

    Definition of Significant Security Incidents

    According to the BSI Act, a significant security incident exists when an event significantly disrupts or damages an organization’s operations or finances – or when it can significantly affect other persons materially or immaterially (§ 2 No. 11 BSIG).

    For certain digital services (e.g., cloud providers, data centers, online marketplaces, search engines, social networks, managed service providers), EU Regulation 2024/2690 applies additionally. According to this regulation, an incident is considered significant if, for example:

    • financial damage exceeding €500,000 or 5% of annual turnover is threatened or occurs,
    • business secrets are leaked,
    • people die or are seriously injured,
    • a successful, malicious hacker attack with severe operational disruptions occurs,
    • or other impacts specifically named in the regulation occur.

    Planned maintenance and announced outages are explicitly not considered significant security incidents.

    What Companies Should Do Now

    Companies should first assess whether they fall under the NIS-2 Directive. Then they should register with “Mein Unternehmenskonto” in 2025. Registration in the BSI portal should be prepared from January 6, 2026 onward. In parallel, companies must implement risk management measures and carefully document all measures taken. Additionally, they must ensure they can detect and properly report security incidents.

    Further information can be found on the BSI website.

    We support you in implementing the new NIS-2 requirements:

    • Applicability check: Determining whether your company falls under NIS-2.
    • Gap analysis: Assessing the difference between your current security level and NIS-2 requirements.
    • Implementation roadmap: Creating a concrete plan with priorities, actions, and timelines.
    • Training: Workshops for management and staff on NIS-2 obligations and reporting processes.