With the promulgation of the Act implementing the NIS 2 Directive, a comprehensive modernisation of German cybersecurity law will come into force tomorrow. The new law regulates key aspects of information security management in the federal administration and at the same time increases the requirements for companies. The aim is to strengthen Germany’s resilience to growing cyber threats in the long term and to make the digital infrastructure future-proof.
The national implementation of the EU directive is being carried out in particular through an amendment to the BSI Act (BSIG). Until now, around 4,500 organisations were regulated, including operators of critical infrastructures (KRITIS), digital service providers and companies of particular public interest. With the NIS 2 Implementation Act, the number of affected entities will rise to around 29,500. Companies operating in certain sectors and exceeding defined thresholds in terms of number of employees, turnover or balance sheet total will in future fall under the categories of ‘important entities’ or ‘particularly important entities’. KRITIS are automatically considered particularly important. These companies are required to register as NIS 2 companies, report significant security incidents to the BSI, and implement and document effective risk management measures.
Federal administration institutions are also affected, including federal authorities, public-law IT service providers and certain public-law corporations, institutions and foundations. They must implement IT risk management measures based on IT baseline protection and comply with the BSI minimum standards. This is the first time that a binding security level for government institutions has been established across the board. BSI President Claudia Plattner emphasises the urgency of the measure: ‘Germany’s cybersecurity situation is tense. Poorly protected areas of vulnerability make the Federal Republic vulnerable. The amended BSI Act is a strong response: it will noticeably and measurably improve our country’s resilience.’
The BSI has set up a two-stage registration process for affected institutions. First, companies must create a user account with ‘My Company Account’ (MUK), an OZG-compliant access point for legal entities based on ELSTER certificates. The BSI recommends setting up this account by the end of 2025. Then, from 6 January 2026, registration will take place on the new BSI portal, which will in future serve as the central reporting point for significant security incidents. Until the portal is activated, KRITIS and federal authorities will continue to use their existing reporting channels; other affected institutions will submit incidents via a provided online form.
With the entry into force of the NIS 2 Implementation Act, Germany is entering a new phase of cyber regulation. The requirements for companies and authorities are increasing significantly, while at the same time a uniform, EU-compliant level of security is being created. Affected institutions are now required to register in good time, implement risk management measures and set up reporting processes. This is the only way to ensure that the country’s digital infrastructure remains resilient against the growing threats in cyberspace.