Implemented

Germany has completed the transposition of the NIS2 Directive.

The NIS2 Implementation Act ("NIS2UmsuCG") was promulgated in the Federal Law Gazette on 2 December 2025 ("BGBl. 2025 I No. 301") and entered into force on 6 December 2025. The Act applies in full as of its entry into force. No (de jure) transitional periods are provided. The NIS2UmsuCG primarily revises and restructures the German Act on the Federal Office for Information Security ("BSIG") to implement the requirements of the NIS2 Directive.

The German implementation broadly follows the structure and approach of the NIS2 Directive but contains notable national specifications, in particular regarding the determination of scope.

Size-cap rule and scope determination

While the NIS2 Directive relies on a general size-cap rule based on employees, turnover and balance sheet totals, the German legislator applies a more differentiated, activity-based approach.

Pursuant to Section 28 (3) BSIG, when assigning an entity to the sectors listed in Annexes 1 and 2, business activities that are negligible in relation to the entity’s overall business activities may be disregarded. The assessment of scope, therefore, focuses on the material relevance of NIS2-related activities within the undertaking, rather than automatically taking the undertaking as a whole into account. This materiality-based determination of scope constitutes a notable deviation from the standard scope logic of the NIS2 Directive, which does not expressly provide for such an exclusion of negligible activities.

Sector definitions

Certain sector definitions and classifications under German law differ in detail from the wording of the NIS2 Directive.

Critical infrastructure framework

The NIS2 implementation does modify the German critical infrastructure regime. Critical installations remain subject to obligations under the BSIG and are to be assessed under the updated Critical Infrastructure Ordinance ("KRITIS").

6 December 2025