Mira Husemann
Research Associate

Introduction
A few months ago, the law implementing the NIS 2 Directive came into force. The aim of the NIS 2 Directive is to ensure the security of network and information systems (NIS) against cyber security threats at European level. By transposing it into the national BSIG, Germany is playing its part in safeguarding the digital single market. The new provisions affect just under 30,000 companies and public bodies and involve a significant implementation burden. Companies need to know whether they fall within the scope of the NIS 2 Directive and, if so, which substantive requirements they must meet.
In Germany, the IT Security Act has provided a uniform legal framework for cooperation between the state and businesses in the field of critical infrastructure since 2015, which included, among other things, registration and reporting obligations to the Federal Office for Information Security (BSI).
In the European Union, the first NIS Directive ‘on measures to ensure a high common level of security of network and information systems’ was published in 2016. This directive was intended to establish EU-wide cybersecurity capabilities. The aim was to mitigate threats to network and information systems (NIS) and ensure their continuity in the event of security incidents. European directives are binding on the Member States of the European Union but must still be transposed into national law. As the NIS Directive was implemented very differently across the Union and the cyber threat landscape worsened, a revision of this directive became necessary.
Accordingly, the NIS 2 Directive was published in 2022. The new regulations were intended to raise the level of cybersecurity through a coordinated legal framework and an expansion of the BSI’s powers. Cooperation between the state and industry was to be strengthened, and remedial and enforcement measures were to be regulated. In addition, the list of affected sectors and activities was updated. The deadline for transposition into national law was October 2024. The transposition bill was originally passed by the Federal Cabinet in Germany on schedule in July 2024. However, the parliamentary legislative process could not be completed due to the early elections. Ultimately, the provisions of the NIS 2 Directive were transposed during the new legislative period into the Act on the Federal Office for Information Security and on Information Security in Institutions (BSIG), which was passed in December 2025 – after the transposition deadline had expired.
The scope of the NIS 2 Directive covers important facilities, particularly important facilities and – as a sub-category of particularly important facilities – operators of critical infrastructure (KRITIS). At national level, the scope is regulated in Section 28 of the BSIG.
According to Section 2 No. 22 of the BSIG, a critical facility is a facility that is essential for the provision of a critical service. A critical service is defined as a service for the supply of the general public and the provision of basic security for the sectors and industries listed in Section 2 No. 24 of the BSIG, the failure or disruption of which would lead to significant supply bottlenecks or threats to public safety. KRITIS are, at the same time, always a particularly important entity.
Other particularly important facilities include certain IT services – such as qualified trust service providers, top-level domain name registries and DNS service providers, as well as providers of publicly accessible telecommunications services and the associated networks above certain thresholds. Furthermore, the scope of application is extended, with the inclusion of Annex 1 of the BSIG, to companies and other forms of organisation if they employ at least 250 staff or achieve a turnover of € 50 million with a minimum balance sheet total of € 43 million. The annex lists various types of facilities, broken down by sector and industry.
For critical entities, the scope of the NIS 2 Directive is significantly expanded to include additional trust service and telecommunications providers. For entities listed in Annex 1, lower thresholds apply: 50 employees or an annual turnover of € 10 million with a corresponding balance sheet total. Additionally, further types of entities listed in Annex 2 are covered provided the thresholds are exceeded.
An exception applies under Section 28 (3) of the BSIG for business activities that are negligible in relation to the organisation’s overall business activities. However, classification as a secondary activity alone is unlikely to be sufficient. Furthermore, federal government bodies are exempt provided they are not classified as KRITIS.
The NIS 2 Directive imposes various requirements on affected organisations, although no distinction is generally made between the different types of organisations.
Under Section 33 (1) of the BSIG, affected organisations must register with the Federal Office for Information Security (BSI) and the Federal Office for Civil Protection and Disaster Assistance (BBK). This is done via a joint registration portal using the ELSTER organisation certificate. Operators of critical infrastructure and organisations belonging to the digital services and digital infrastructure sectors are subject to a separate registration requirement. Should any changes occur to the data provided during the registration process, these must be reported to the BSI without delay, and at the latest within two weeks.
If a significant security incident has occurred, it must be reported to the BSI using a joint reporting and information portal (MIP). According to the legal definition in Section 2 No. 11 of the BSIG, a security incident is significant if it has caused or is likely to cause serious operational disruptions to the services or financial losses for the organisation concerned. Furthermore, a security incident is significant if it affects or is likely to affect other natural or legal persons through significant material or immaterial damage.
Under Section 30 of the BSIG, affected organisations are obliged to take appropriate, proportionate and effective technical and organisational measures to prevent disruptions to the availability, integrity and confidentiality of the information technology systems, components and processes they use to provide their services, and to minimise the impact of security incidents as far as possible. In doing so, the directive adopts a cross-threat approach. This means that companies must decide on a case-by-case basis, depending on the risk to the security of network and information systems, which measures should be taken. Section 30 of the BSIG contains a specific catalogue of measures, which is not exhaustive but establishes a minimum standard. Furthermore, the management is obliged to attend annual training courses on cyber security.
Section 6 of the BSIG allows organisations to exchange relevant cybersecurity information on a voluntary basis. This applies not only to the organisations concerned, but also, where appropriate, to other organisations not covered by the scope of the Act.
This exchange of information must take place by means of an agreement on the exchange of information and must take into account the potentially sensitive nature of the information exchanged. The content of the agreement may include operational arrangements – such as the use of specific platforms for information and communication technology and automation tools, as well as the content and conditions of the information exchange.
The exchange may then, for example, concern information on cyber threats, near-miss incidents, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-specific information, cybersecurity alerts and recommendations for the configuration of cybersecurity tools to detect cyber attacks. This voluntary exchange of information aims to prevent, detect, respond to or recover from security incidents, or to mitigate their consequences, and to enhance the level of cybersecurity. The exchange raises awareness of cyber threats and curbs or prevents the ability of such threats to spread. Furthermore, it supports a range of defence capabilities, the elimination and disclosure of vulnerabilities, techniques for detecting, containing and preventing threats, containment strategies, and response and recovery phases. The exchange of information is also intended to promote joint research into cyber threats between public and private institutions.
The NIS 2 Directive, aimed at raising the level of cybersecurity across Europe, was transposed into national law at the end of last year, albeit after the deadline had passed.
The scope distinguishes between important facilities, particularly important facilities and KRITIS. This addresses different sectors and industries – such as IT services and telecommunications services – and provides for different thresholds. For critical infrastructure, the threshold is at least 250 employees or a turnover of € 50 million with a minimum balance sheet total of € 43 million, whilst important infrastructure is covered from a threshold of 50 employees or a turnover of € 10 million with a corresponding minimum balance sheet total.
The organisations concerned are then required to register with and report to the BSI and the BBK. With the aim of preventing disruptions to the NIS in use and minimising the impact of security incidents, affected organisations are required to implement risk management measures: under Section 30 of the BSIG, they must take appropriate, proportionate and effective technical and organisational measures to protect the availability, integrity and confidentiality of the information technology systems, components and processes they use to provide their services. Furthermore, organisations should be able to exchange relevant cybersecurity information on a voluntary basis following the conclusion of appropriate agreements. As a first step, companies should check whether they fall within the scope of the legislation. They should then assess which measures have already been implemented and which still need to be taken. It is also advisable to establish internal procedures and processes for handling security incidents.