15 June 2026
The new German NIS2 implementation act (BSIG) has been in effect since December 6, 2025. Approximately 29,000 German companies are affected by NIS2, many for the first time: in addition to companies in the energy and healthcare sectors, this includes, for example, small and medium-sized enterprises in IT, mechanical engineering, medical technology, and research. Companies must assess for themselves whether they fall under NIS2 - no official notification will be sent.
The law distinguishes between “essential” and “important” entities, depending on size, industry, or systemic relevance. For both categories, management bears personal liability. This includes mandatory training for management, at least every three years, with proper documentation.
The obligations are extensive: technical and organizational measures, supply chain due diligence, and comprehensive documentation. In the event of significant incidents, the clock is ticking - initial report to the BSI within 24 hours, full reporting after 72 hours, final report after one month. Fines: up to 10 (in individual cases even 20) million euros or 2 percent of global group revenue.
A properly implemented information security management system (ISMS) can help meet these obligations. A folder full of policies won’t stop an attacker or meet a 24-hour deadline. What matters are systems that work in practice - clear responsibilities, automated detection, tested reporting channels, and carefully selected and contractually secured suppliers.
Our recommendation: Start with an honest assessment of your status quo. Where are processes in place, and where are there only documents? The regulator does not conduct audits from day one, but tangible progress in implementing NIS2 is expected. More information on NIS2 obligations and implementation is available here.
16 June 2026
by Mike Goldammer