NIS-2 Implementation and Cybersecurity Enhancement Act: What do companies need to prepare for?


published on 14 October 2025 | reading time approx. 2 minutes


On July 25, 2025, the latest and current draft bill from the Federal Ministry of the Interior (BMI) on the NIS2 Implementation Act (NIS2UmsuCG) was published. Originally, the implementation of the law in Germany was planned for October 17, 2024. The legislative process has been delayed due to the early federal elections and the subsequent formation of a new government, and is now expected to be completed by the end of 2025. Potentially affected companies should already have started implementing the NIS2 requirements for good reason. On the one hand, no significant changes to the draft law are expected. On the other hand, unlike previous IT security legislation, there will be no transition periods for implementing the requirements of the law.

Current legislation 

The NIS2 legislation can be understood as a logical further development of the German KRITIS legislation (the IT Security Act, ITSig).

The ITSig dates back to 2015. Its primary goal was and is to protect critical infrastructures in Germany (KRITIS facilities), divided into eight sectors. This affects approximately 1,200 KRITIS operators of over 2,000 KRITIS facilities. 

The current NIS2 legislative process is based on the EU's NIS2 Directive. This requires all EU member states to implement the directive into national legislation. It defines 10 additional sectors, bringing the total to 18, for which a minimum level of information security must be implemented.  

Impact 

According to recent surveys, approximately 30,000 companies in Germany will be affected by the NIS2UmsuCG. As a rule of thumb, companies with more than 50 employees or more than EUR 10 million in revenue could be affected by the NIS2UmsuCG. 

Requirements to be implemented 

Companies must, if affected, be able to demonstrate that they have implemented the following categories of measures: 
  • Information security management in accordance with an established standard, such as ISO/IEC 27001, which covers the associated topics, including information security risk management, security incident management, secure IT service management processes, and emergency management. 
  • State-of-the-art security measures. 
  • Reporting obligations to the BSI (Federal Office for Information Security).

Sanctions and liability of management: Violations of the law are punishable by fines of up to €10 million or 2% of global annual turnover, depending on the size of the company and the severity of the violation. Under certain circumstances, management may also be liable to the company.

Conclusion

Many companies may need to take action when it comes to information security. Due to the changing political situation, this topic is becoming increasingly important. In this context, the responsible Federal Office for Information Security (BSI) is increasingly becoming a central authority in the German administration. Companies should therefore clarify as soon as possible whether they are affected by the NIS2UmsuCG and, if necessary, take the necessary measures.

Contact

Falk Hofmann

Partner

+49 30 810 795 84
