
Germany NIS2 Cybersecurity Law Implementation Deadline

JD Supra Trade Law
Published December 1st, 2025
Detected March 6th, 2026

Summary

Germany's implementation law for the NIS2 Directive, effective December 2025, expands cybersecurity requirements to new sectors including digital services and manufacturing. Covered entities must register with the BSI by March 6, 2026, and comply with new security and incident reporting obligations.

What changed

Germany has implemented the NIS2 Directive into national law, effective December 2025, significantly expanding the scope of cybersecurity regulations beyond traditional critical infrastructure. The new law, which amends the BSI Act, now includes sectors such as cloud computing services, data center operators, managed service providers, online marketplaces, search engines, social networks, chemical production, food industry, and various manufacturing areas. While a de minimis exemption exists for negligible activities, covered entities must register on the BSI platform by March 6, 2026.

Covered entities face new obligations including implementing appropriate IT security measures, reporting significant security incidents immediately, and fulfilling training requirements. Management is held liable for damages in case of violations. Non-compliance can result in fines of up to EUR 500,000. Companies are advised to thoroughly assess their applicability and compliance obligations.

What to do next

  1. Assess applicability of the NIS2 Directive to your company's operations.
  2. Register with the BSI platform by March 6, 2026.
  3. Implement required cybersecurity measures and incident reporting procedures.

Penalties

Fines of up to EUR 500,000 for violations.

Source document (simplified)

March 5, 2026

New Cybersecurity Regulations in Germany—Registration Requirement Expires on 6 March 2026

Dr. Ulrike Elteste, Dr. Thomas Nietsch, K&L Gates LLP

After a delay of more than a year, the German implementation law for the NIS2 Directive (Directive (EU) 2022/2555) came into force in December 2025 (Law on the Implementation of the NIS 2 Directive and on the Regulation of Essential Features of Information Security Management in the Federal Administration). The law provides for significant changes and revisions to various cybersecurity laws, in particular the BSI Act.

Many more companies than before now fall within the scope of the BSI Act. Previously, the BSI Act only regulated traditional critical infrastructure such as transport and traffic, energy, finance, health, research, and the telecommunications industry. Now, the digital sector is also covered, in particular cloud computing services, data center operators, managed (security) service providers, and providers of online marketplaces, online search engines, and social networks. The production and trade of chemical substances, the production, processing, and distribution of food, and various areas of the manufacturing industry (production of goods) are also affected. Lists of the sectors and activities covered are available here and here. The BSI offers an impact assessment on its website.

Although not provided for in the directive, the German implementation law provides for a de minimis exemption if an activity that is generally covered is negligible in relation to the overall activity of a company. In these cases, the requirements of the BSI law do not apply.

Covered entities must register on the platform provided by the BSI by 6 March 2026. This requires an ELSTER organization certificate.

Violations are punishable by a fine of up to EUR 500,000. Regardless of this, however, companies should thoroughly check whether they fall within the scope of the law and what obligations this entails for them.

Other obligations of covered companies include, in particular:

  • Taking appropriate measures to prevent and remedy disruptions to the availability, integrity, and confidentiality of their information technology systems;
  • Immediately reporting significant security incidents to a single reporting center;
  • Training obligations.

Management is liable to their company for damages in the event of violations of these obligations.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

© K&L Gates LLP


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Published: December 1st, 2025
Compliance deadline: March 6th, 2026 (8 days ago)
Instrument: Rule
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Manufacturers, Energy companies, Financial advisers, Importers and exporters
Geographic scope: Germany

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: Data Protection, EU Regulations
