NIS2 Germany: Complete Guide for International Companies (2026)
Everything an international company with operations in Germany needs to know about NIS2 / NIS2UmsuCG: who is in scope, deadlines, registration with the BSI, fines, and how DORA and KRITIS fit in.

Many international companies assume NIS2 is an abstract EU framework that applies somewhere in Brussels. Germany's implementation proves otherwise. On 6 December 2025, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG, short for "NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz") entered into force, amending Germany's Act on the Federal Office for Information Security (BSIG). The result is a set of binding, enforceable obligations that go beyond the directive's floor.
If your company has a subsidiary, branch, or significant operations in Germany and falls within one of the 18 covered sectors, you are in scope - regardless of where your headquarters sits. The common misunderstanding is: "We are a US/UK/Singapore company, so European law does not apply." It does, once the German establishment meets the thresholds.
This guide walks you through every step: who is covered, what happened when, how to register with Germany's Federal Office for Information Security (BSI), what the five core obligations require, how incident reporting works, what fines look like, and how NIS2 relates to Germany's KRITIS regime and to the Digital Operational Resilience Act (DORA). Citations to specific paragraphs of the BSIG (as amended) are included throughout.
Who Is in Scope in Germany?
NIS2 applies across 18 sectors defined in Annex I (highly critical sectors) and Annex II (other critical sectors) of Directive (EU) 2022/2555. Annex I covers energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II covers postal and courier services, waste management, chemicals, food, manufacturing of medical devices and other critical products, digital providers, and research.
Size thresholds follow the EU Commission Recommendation 2003/361/EC definition of medium-sized enterprises: at least 50 employees OR at least EUR 10 million annual turnover. If either threshold is met and the company operates in a covered sector, it is in scope. Some entities are in scope regardless of size - notably top-level domain registries, DNS providers, trust service providers, and telecommunications providers.
The BSIG distinguishes two tiers. "Besonders wichtige Einrichtungen" (particularly important entities, § 28(1) BSIG) are large companies in Annex I sectors (250+ employees or EUR 50 million+ turnover) and certain critical infrastructure operators. "Wichtige Einrichtungen" (important entities, § 28(2) BSIG) are medium-sized companies in Annex I and II sectors and large companies in Annex II sectors. The tier determines the fine ceiling and supervisory intensity.
Non-EU parent companies with German subsidiaries: Scope is determined at the level of the German legal entity or establishment. If your German GmbH employs 80 people and provides digital services, it is an important entity even if the US parent employs 5,000. The parent itself is not directly addressable by the BSI, but the German entity is, and the BSI can hold it accountable.
Supply-chain cascade: § 30(2) No. 4 BSIG requires in-scope entities to impose security requirements on their critical suppliers. This means a supplier to a German in-scope company - even if that supplier is itself below the threshold - will face contractual security demands flowing down from the obligated customer. Use the NIS2 applicability calculator to check your sector and size against all 17 industry-specific configurations.
Key Deadlines and What Has Already Happened
Understanding the timeline helps international companies calibrate urgency. Several deadlines have already passed.
- 17 October 2024: EU Member States were required to transpose NIS2 into national law. Germany missed this deadline. The European Commission opened an infringement procedure.
- 6 December 2025: NIS2UmsuCG entered into force in Germany. The BSIG was amended. Obligations became enforceable from this date.
- 6 March 2026: The three-month registration deadline under § 33 BSIG expired. In-scope entities were required to register with the BSI no later than three months after the Act entered into force.
If you have not yet registered, you are already in breach of § 33 BSIG. Late registration does not eliminate the violation, but it reduces the ongoing risk and demonstrates good faith. The BSI has signaled a grace period approach for the initial registration wave given the volume of newly affected entities, but formal enforcement authority exists. See the NIS2 registration guide for current late-registration instructions.
BSI Registration: A Step-by-Step Walkthrough
Registration happens through the BSI's online portal at portal.bsi.bund.de and requires German authentication infrastructure. This surprises many international companies. Here is what you need and in what order.
Prerequisites
- ELSTER-Organisationszertifikat: ELSTER is Germany's electronic tax system. An organisation certificate for the German entity is required to authenticate against government portals. Application is handled at elster.de. The certificate typically arrives by post within five working days. If your German entity does not yet have an ELSTER certificate, request one immediately.
- MUK account (Mein Unternehmenskonto): Once you have the ELSTER certificate, you create a company account at service.mein-unternehmenskonto.de. This is the unified government business portal that connects to BSI's system.
- IT baseline data: Before starting the registration form, collect IP ranges in CIDR notation for all systems operated by the German entity, DNS domains, and a 24/7 contact point (a person or team reachable around the clock, not just business hours).
The registration process
Navigate from portal.bsi.bund.de and authenticate with your MUK credentials. The form requests the following information: entity name and legal form, German commercial register number, sector classification under Annex I or II, size category (important or particularly important), 24/7 emergency contact details with phone and email, IP ranges in CIDR notation, and DNS domain names.
Estimated time for the form itself is approximately 45 minutes, assuming the ELSTER certificate is already in hand. The ELSTER application is the long-lead item - plan for at least five working days plus postal delivery time.
After submission, the BSI assigns an entity number. Retain this number, as it is required for all future communications including incident reports.
The detailed step-by-step registration guide on Kopexa includes annotated screenshots of each portal screen and a pre-registration checklist.
The Five Core Obligations Under § 30 BSIG
Section 30 of the BSIG (as amended by NIS2UmsuCG) is the operational heart of Germany's NIS2 implementation. It requires in-scope entities to implement appropriate and proportionate technical and organisational measures across five main areas.
1. Risk management system (§ 30(1) BSIG)
You must establish, operate, and continuously improve a risk management system for the security of your network and information systems. "Continuously" means this is not a one-time audit; it requires documented processes for identifying threats, assessing likelihood and impact, treating risks, and reviewing the outcomes. An Information Security Management System (ISMS) aligned with ISO/IEC 27001 covers most of this requirement and is widely accepted by the BSI as evidence of compliance.
2. Incident handling and reporting (§ 30(2) No. 1, § 32 BSIG)
You must have documented incident detection, classification, containment, eradication, and recovery procedures. These feed directly into the reporting chain described in the next section. The key internal requirement is that your on-call team can classify an incident as "significant" within hours of detection - the 24-hour external reporting clock starts from when you knew or should have known.
3. Business continuity and crisis management (§ 30(2) No. 2 BSIG)
You must implement measures to maintain or rapidly restore operations after a significant incident. This includes tested backup procedures with defined Recovery Time Objectives (RTOs), crisis communication plans, and documented business continuity plans. Regular exercises - at minimum annual tabletop simulations - are expected.
4. Supply-chain security - the cascade effect (§ 30(2) No. 4 BSIG)
This obligation has the widest ripple effect for international companies. You must assess and manage security risks posed by your direct suppliers and service providers. In practice: contracts with critical IT suppliers must include security requirements (minimum standards, audit rights, incident notification obligations). Suppliers should be assessed annually.
The cascade runs upstream: if your German entity is NIS2-obligated, your HQ - as a major IT service provider to the German entity - may be required to meet NIS2-equivalent standards under your own supply-chain program. This is how NIS2 reaches non-EU parent companies indirectly.
5. Cryptography, access control, and cyber hygiene (§ 30(2) Nos. 5-8 BSIG)
The law explicitly requires policies on cryptographic methods and, where appropriate, on their use (encryption at rest and in transit). Multi-factor authentication (MFA) is mandatory for access to sensitive systems. Patch management must be systematic and timely. Employee security awareness training must be regular - § 38(3) BSIG imposes a training obligation specifically on management bodies.
Incident Reporting: The 24h / 72h / 30-Day Chain
Section 32 BSIG establishes a three-stage reporting obligation for "erhebliche Sicherheitsvorfälle" (significant security incidents). A significant incident is one that has caused or may cause serious operational disruption or financial loss, or has affected or may affect other natural or legal persons by causing considerable material or immaterial damage.
Stage 1 - Early warning (24 hours): Within 24 hours of becoming aware of a significant incident, you must submit an early warning to the BSI. This initial notification needs only to state that an incident has occurred and, if known, whether it appears to involve criminal intent or could have cross-border impact. No full technical analysis is required at this stage. Reporting is via the BSI's incident portal (portal.bsi.bund.de) using your entity number.
Stage 2 - Full notification (72 hours): Within 72 hours, a substantive report is required. It must include an initial severity assessment, indicators of compromise (if available), and the countermeasures already taken or planned. This maps closely to the GDPR Article 33 timeline for data breach notification to the supervisory authority - if personal data is involved, both notifications must run in parallel, with the GDPR report going to your lead data protection authority (for most large international groups, this is not the German Datenschutzbehörde but the authority in the country of main establishment).
Stage 3 - Final report (30 days): A comprehensive final report is due within one month. It must cover the root cause of the incident, a full technical description, the corrective measures taken, and the impact. Where the incident is still ongoing at 30 days, an interim report is submitted instead, with the final report to follow upon resolution.
The NIS2 Meldepflicht guide provides a ready-to-use reporting template aligned to the BSI's expected format and explains each field in the portal form.
Fines Under § 65 BSIG: The Structured Table
The fine regime under § 65 BSIG is modeled on GDPR enforcement. The BSI is the competent supervisory authority for most sectors; BaFin handles financial entities where DORA does not fully displace NIS2.
| Violation | BSIG Reference | Maximum Fine |
|---|---|---|
| Failure to register (§ 33) | § 65(2) No. 6 | EUR 500,000 |
| 24/7 contact point not reachable | § 65(2) No. 7 | EUR 100,000 |
| Incident reporting violations (§ 32) | § 65(2) Nos. 4-5 | Tier cap (see below) |
| Risk management failures (§ 30) | § 65(2) Nos. 2-3 | Tier cap (see below) |
| Non-compliance with BSI supervisory order | § 65(2) No. 1a | EUR 2,000,000 |
Tier caps under § 65(5) BSIG:
- Important entities: EUR 7 million or 1.4% of total global annual turnover, whichever is higher
- Particularly important entities: EUR 10 million or 2% of total global annual turnover, whichever is higher
The "whichever is higher" structure is critical for international companies. A US parent with EUR 2 billion global turnover and a German subsidiary classified as a particularly important entity faces a theoretical maximum fine of EUR 40 million (2% of EUR 2 billion), even if the German entity itself is small. The BSI calculates the turnover base on the consolidated group level, not only the German legal entity.
Personal liability of executives: § 38(4) BSIG enables the BSI to order the temporary prohibition of management body members from exercising management functions if they have repeatedly violated NIS2 obligations and the entity remains non-compliant. This is the personal enforcement lever that has no equivalent under the old IT Security Act. It creates a direct incentive for executive teams of German subsidiaries to escalate NIS2 compliance to their international parent board.
See the full NIS2 fines guide for worked examples and how the BSI's published enforcement guidance affects how fines are calculated in practice.
NIS2 vs. KRITIS in Germany: What International Readers Often Confuse
One of the most common points of confusion for non-German readers is the relationship between NIS2 and KRITIS. These are not synonyms. They are overlapping but distinct regimes.
KRITIS (Kritische Infrastrukturen, critical infrastructure) is defined by the BSI-KritisV (BSI Critical Infrastructure Ordinance), which sets sector-specific thresholds for operators who are critical at a national scale. The thresholds are substantially higher than NIS2. Examples: a hospital must handle at least 30,000 inpatient cases per year to qualify as KRITIS; a data center must have at least 3.5 MW of IT installed load; a food company must process at least 434,500 tonnes per year.
Most NIS2-obligated entities in Germany are NOT KRITIS. The NIS2 thresholds (50 employees or EUR 10 million turnover) capture a much broader population than KRITIS. Think of KRITIS as a subset of NIS2-subject entities, not a parallel system.
Germany's approach after NIS2UmsuCG: every KRITIS operator is also subject to NIS2 obligations (plus the additional requirements in § 39 BSIG), but the converse does not hold. A mid-sized cloud SaaS provider with 100 employees in Hamburg is a NIS2-important entity but is almost certainly not KRITIS.
Why does this matter for international companies? If your German subsidiary operates data center capacity, energy infrastructure, or health services, you may need to assess both tracks independently. The KRITIS track requires biennial security audits with evidence submission to the BSI under § 39 BSIG, which goes beyond the NIS2 baseline.
Use the NIS2 threshold database to check sector-specific numerical thresholds and see worked examples for your industry, including the data center sector calculator.
NIS2 vs. DORA for Financial Entities
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force on 17 January 2025 and applies directly across all EU member states without national transposition. It covers banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and certain other financial entities regulated under EU financial services law.
Lex specialis: Art. 1(2) of Directive (EU) 2022/2555 (NIS2) provides that where a sector-specific EU legal act requires financial entities to take measures to manage ICT risk that is "at least equivalent" to NIS2, those provisions prevail. DORA satisfies this equivalence threshold. Therefore, financial entities directly regulated by DORA are exempted from NIS2's Chapter IV obligations for the scope covered by DORA. In Germany, the BaFin is the lead supervisory authority for DORA, while the BSI leads for NIS2.
Where NIS2 still applies to financial sector actors: ICT third-party service providers to financial entities - SaaS platforms, cloud providers, data analytics vendors - are not themselves directly regulated by DORA (unless designated as "critical third-party providers" under Art. 28 DORA). If such a provider falls within a NIS2-covered sector and meets the size threshold, it is in scope for NIS2. Furthermore, DORA Art. 28 requires financial entities to include contractual provisions in their ICT contracts that align with DORA and, in effect, push NIS2-equivalent requirements downstream to their suppliers.
Authority split: A financial group with a German bank subsidiary (BaFin/DORA lead) and a German IT services subsidiary (BSI/NIS2 lead) must manage two parallel compliance programs with different reporting chains and different fine structures.
For a full side-by-side comparison of obligations, timelines, and reporting requirements, see the NIS2 vs. DORA comparison page.
Timeline: What to Do This Quarter
If you have not yet acted, this is the priority sequence for Q2 2026.
Immediate (this week): Confirm whether your German entity meets the size and sector thresholds. Use the NIS2 applicability calculator. If in scope, start the ELSTER certificate application process today. Five business days plus postal time is the minimum lead.
Within 30 days: Complete BSI registration, even though the deadline has passed. The BSI's enforcement posture toward late registrants who proactively register is materially different from its posture toward companies that never register. Assign a 24/7 contact point. Establish a documented incident classification procedure.
This quarter: Launch your risk management cycle. Document your top 20 information assets, their threats, and existing controls. Close critical gaps (MFA on administrative accounts and remote access, off-site backups with tested recovery). Conduct board-level NIS2 training - § 38(3) BSIG requires it, and it must be documented.
Supply-chain review: Identify your top 10 critical IT suppliers and service providers. Review existing contracts for security clauses. Prioritize suppliers who have no current contractual obligation to notify you of security incidents - those gaps create the highest legal exposure.
The NIS2 5-phase roadmap provides a structured implementation plan with effort estimates and a prioritized action list for each phase.
Frequently Asked Questions
Does NIS2 apply to my German subsidiary if HQ is in the US?
Yes. The NIS2UmsuCG applies to entities that provide services or carry out activities within Germany and meet the sector and size thresholds. The location of the parent company does not exempt the German entity. The BSI can investigate and sanction the German legal entity directly. Fine caps reference global group turnover, so the parent's revenue is relevant to the fine ceiling.
What if we are already ISO 27001 certified?
ISO 27001 certification demonstrates that you operate a structured ISMS and covers a substantial portion (approximately 70%) of NIS2's technical and organisational requirements under § 30 BSIG. However, ISO 27001 does not automatically satisfy all NIS2 obligations. The certification does not cover BSI registration (§ 33), the specific incident reporting chain to the BSI (§ 32), or the executive liability provisions (§ 38). These must be addressed separately. The BSI accepts ISO 27001 certificates as supporting evidence of compliance but does not treat them as equivalent to NIS2 compliance.
What happens if I missed the registration deadline?
Non-registration is an administrative offence under § 65(2) No. 6 BSIG with a fine of up to EUR 500,000. Register as soon as possible. The BSI has not published a formal amnesty but has indicated a pragmatic approach for entities that come into compliance proactively. Continued non-registration is the higher-risk position.
Is the BSI portal available in English?
The portal.bsi.bund.de registration interface is in German. The MUK portal requires authentication via ELSTER, which is also in German. For international companies without German-speaking staff, we recommend engaging a German compliance attorney or a GRC provider familiar with the process to handle the technical registration steps. Kopexa supports customers through the full registration process.
Can we report incidents to the BSI in English?
The BSIG does not specify a language requirement for incident reports. In practice, the BSI's portal forms are in German. For the substantive incident notification, particularly the 72-hour and 30-day reports, the BSI accepts reports in English in practice, though German is preferred. For time-sensitive early warnings (24-hour deadline), using English will not cause a submission to be rejected.
How does NIS2 compare to the US CIRCIA?
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the United States is still in rulemaking as of 2026, with final rules expected later in 2026. Key structural differences: CIRCIA will cover US-defined critical infrastructure sectors, with a 72-hour reporting deadline for covered cyber incidents and a 24-hour deadline for ransomware payments. NIS2/BSIG requires a 24-hour early warning, with 72-hour full notification. CIRCIA is a federal reporting obligation; NIS2 also imposes affirmative security management requirements. A US-headquartered company with significant German operations may eventually face both regimes simultaneously.
Next Steps and Resources
- Check applicability now: NIS2 applicability calculator - enter your sector, employee count, and turnover
- Register with the BSI: Step-by-step registration guide - including ELSTER walkthrough and portal screenshots
- 5-phase implementation roadmap: NIS2 roadmap - phased plan from gap analysis to continuous compliance
- Understand the fine structure: NIS2 fines reference - with worked examples for different entity tiers
- Sector thresholds: NIS2 threshold database - open data on KRITIS and NIS2 thresholds across all sectors
- Kopexa platform: Self-service NIS2 tooling with registration support, risk management workflows, incident reporting templates, and executive training modules - app.kopexa.com