Cybersecurity Brief · NIS2

Germany Moves to Implement the NIS2 Directive: What Technology Companies Need to Know

Germany is advancing the national implementation of the EU NIS2 Directive, substantially expanding cybersecurity obligations across the digital economy. Scope, timeline, and enforcement posture have changed — and so has the exposure profile for any technology company operating within the EU market.

Theo Funk, Rechtsanwalt · Kanzlei Theo Funk, Bamberg · NIS2 Directive (EU) 2022/2555 · German Implementation Act (NIS2UmsuCG)

Germany's implementation of the EU NIS2 Directive marks the most significant expansion of cybersecurity obligations in the European digital economy in a decade. The Federal Government has publicly confirmed the advancement of the national transposition, and the Federal Office for Information Security (BSI) has released an official assessment tool that allows companies to determine whether they fall within the new scope. For technology companies — whether established in Germany, elsewhere in the EU, or operating into the Union from outside — the question is no longer whether to engage with NIS2, but how quickly a structured compliance response can be operationalised.

The regulatory frame: why NIS2 is fundamentally different from NIS1

The NIS2 Directive (Directive (EU) 2022/2555, "NIS2") replaces the first-generation NIS Directive of 2016 and expands the Union's cybersecurity regime across three structural dimensions: the range of sectors in scope, the specificity of risk-management obligations, and the severity of enforcement consequences. In contrast to NIS1, which primarily addressed traditional critical-infrastructure operators and a small number of digital service providers, NIS2 covers a wide range of entities across 18 sectors — including cloud computing services, data centres, content-delivery networks, digital marketplaces, online search engines, social networking platforms, managed service providers, and managed security service providers.

Germany's national implementation is carried out through the NIS2 Implementation and Cybersecurity Strengthening Act ("NIS2UmsuCG"), which amends the BSI-Gesetz and adjacent statutes. The transposition deadline under Union law was 17 October 2024; that deadline has passed, Germany's domestic process is in an advanced phase, and the Act takes effect once the national legislative process is completed.

"NIS2 shifts European cybersecurity from a sector-specific overlay to a horizontal obligation set that presumes every mid-size digital operator is within scope — unless it can actively demonstrate otherwise."

Who is in scope: essential entities, important entities, size thresholds

NIS2 distinguishes two categories of regulated entities, both of which trigger substantive obligations: essential entities (Annex I sectors, including energy, transport, banking, health, drinking water, digital infrastructure, and ICT service management) and important entities (Annex II sectors, including digital providers, postal services, manufacturing of certain critical products, and research). The division is not primarily a function of sector alone, but of the combination of sector and company size.

Essential Entities (Annex I)

Large entities in high-criticality sectors. "Large" follows the EU SME definition: at least 250 employees, or annual turnover above €50m together with an annual balance-sheet total above €43m.

  • Energy, transport, banking, finance
  • Health, drinking & waste water
  • Digital infrastructure (DNS, TLD, cloud, data centres, CDNs)
  • ICT service management (MSPs/MSSPs)
  • Space, public administration

Important Entities (Annex II)

Medium-size entities in Annex I sectors that do not meet the large-entity threshold, and medium and large entities in Annex II sectors. Medium-size means at least 50 employees, or annual turnover and balance-sheet total above €10m.

  • Postal & courier services
  • Waste management, chemicals, food production
  • Manufacture of medical devices, computers, electronics
  • Digital providers (marketplaces, search engines, social networks)
  • Research organisations

Certain entities are in scope regardless of size, for example providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level-domain name registries, and DNS service providers. For technology companies offering services into Germany, the assessment turns on (i) the sector classification, (ii) whether the size thresholds are met, and (iii) whether any size-independent scoping criterion applies. Since the assessment is layered and fact-specific, the BSI has published a formal affected-party assessment tool that structures the analysis.

18
Sectors covered by NIS2 — up from 7 under NIS1
24h
Early-warning incident notice deadline under Art. 23 NIS2
€10m
Maximum administrative fine for essential entities under Art. 34 NIS2 (or 2% of worldwide annual turnover, whichever is higher)

Core obligations: risk-management and incident reporting

Article 21 NIS2 requires regulated entities to implement appropriate and proportionate technical, operational, and organisational cybersecurity risk-management measures. Article 21(1) frames this by reference to the state of the art and proportionality, but Article 21(2) goes further than a generic "state-of-the-art" clause: it specifies a minimum catalogue of ten measure categories that every essential and important entity must implement.

Article 21 NIS2 — Minimum Risk-Management Measures
  • Policies on risk analysis and information-system security
  • Incident handling
  • Business continuity and crisis management
  • Supply-chain security, including supplier and service-provider relationships
  • Security in network and information systems acquisition, development, and maintenance
  • Policies to assess the effectiveness of cybersecurity measures
  • Basic cyber-hygiene practices and cybersecurity training
  • Policies and procedures on cryptography and, where appropriate, encryption
  • Human-resources security, access-control policies, and asset management
  • Use of multi-factor or continuous authentication, secured communications, secured voice / video / text communications, and secured emergency communication systems

Article 23 NIS2 imposes a multi-stage incident-reporting regime. A significant incident must be reported to the national CSIRT or competent authority (in Germany, the BSI) in stages: (i) an early warning within 24 hours of becoming aware of the incident, indicating whether the incident is suspected to result from unlawful or malicious acts or could have a cross-border impact; (ii) an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; (iii) an intermediate report where the CSIRT or competent authority requests one; and (iv) a final report not later than one month after the incident notification, containing a detailed description of the incident, the type of threat or root cause likely to have triggered it, and the mitigation measures applied and ongoing. The 24-hour and 72-hour clocks run from awareness, not from the completion of internal forensic analysis.

Enforcement and executive liability

The enforcement regime under NIS2 is materially stricter than under NIS1. Article 32 NIS2 grants the competent authorities (in Germany, the BSI) extensive supervisory powers over essential entities, including on-site inspections, regular and targeted security audits, ad-hoc audits, security scans, requests for information and evidence, and the power to issue binding instructions to bring an entity into compliance; Article 33 provides a lighter, largely ex post regime for important entities. Article 34 NIS2 establishes the administrative-fine framework: up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for essential entities; up to €7 million or 1.4% of worldwide annual turnover, whichever is higher, for important entities.

Article 20 NIS2 introduces a point that is sometimes overlooked but deserves particular attention: management-body liability. The management bodies of essential and important entities are required to approve the cybersecurity risk-management measures, to oversee their implementation, and can be held liable for breaches by the entity of its obligations under Article 21. The provision explicitly requires members of management bodies to undergo training to acquire sufficient knowledge to identify risks and evaluate cybersecurity practices. In German corporate-liability terms, this construction brings NIS2 obligations squarely into the domain of §§ 93 AktG / 43 GmbHG directors' duties.

"NIS2 is the first EU cybersecurity regime that pierces through the corporate veil at the supervisory and directors' level. Management-body training and approval are not cosmetic — they are the legal precondition for discharging the duty."

Practical first step: the BSI assessment tool

Given the structural complexity of the scoping analysis — multiple Annexes, size thresholds, size-independent criteria, and sector-specific carve-outs — the single most efficient first step for any technology company operating in or into Germany is a structured affected-party assessment.

BSI Official Tool
Betroffenheitsprüfung NIS-2 — Official Affected-Party Assessment

The German Federal Office for Information Security (BSI) has released an official online assessment tool that guides companies through the scoping analysis step by step. The tool identifies whether, and in which category, a given entity falls under the German NIS2 implementation — covering Annex I essential-entity criteria, Annex II important-entity criteria, size thresholds, and the size-independent scoping rules. It is the authoritative starting point for any NIS2 exposure assessment.

Access the BSI NIS-2 Assessment Tool: betroffenheitspruefung-nis-2.bsi.de

The tool generates an initial scoping result, but it does not substitute for legal qualification where edge cases arise — for example, where an entity operates across multiple sectors, where affiliated-entity aggregation applies, or where the cross-border provision-of-services rules under Article 26 NIS2 require additional analysis for non-German or non-EU providers. In those cases, the tool's output is the starting point; legal qualification of the facts against the statutory framework is the next step.

What technology companies should do now

A structured response to NIS2 involves four layers that can be executed in parallel rather than sequentially:

1. Scoping. Determine whether the entity (and any affiliates aggregated for NIS2 purposes) falls within the scope of the German implementation. The BSI tool provides the official pathway; legal qualification resolves ambiguities.

2. Gap analysis. Against the Article 21 minimum measure catalogue, identify which of the ten measure categories are already implemented, which are partially implemented, and which are absent. Document the assessment — documentation itself is an element of the compliance duty.

3. Incident-reporting readiness. Establish and test the internal processes necessary to meet the 24-hour / 72-hour / one-month reporting cadence. Most internal incident-response workflows that were designed for NIS1 or purely for internal notification timelines do not yet meet the NIS2 cadence.

4. Governance and management-body engagement. Bring the cybersecurity risk-management framework to the approval stage at board or management-body level, and organise the required training. Document the approval and the training delivery — both will be the first items reviewed under any supervisory inspection.

Technology companies operating into Germany from outside the EU should additionally consider the interaction with other EU digital-regulation regimes: NIS2 applies in parallel with the Digital Services Act (DSA), the AI Act, the Data Act, the GDPR, and sector-specific regulation such as DORA for financial entities. A cross-regime coherence analysis — identifying where incident-reporting, risk-management, and supervisory regimes overlap — is the most efficient way to avoid duplicative compliance expenditure.


Kanzlei Theo Funk — NIS2 and EU Cybersecurity Compliance Advisory

Rechtsanwalt Theo Funk advises international technology companies on NIS2 scoping, gap analysis against Article 21 risk-management obligations, incident-reporting readiness, and cross-regime coherence with the DSA, AI Act, GDPR, and DORA. Where the BSI's affected-party assessment indicates scope or edge-case exposure, the firm provides the legal qualification and structured response framework that translates the assessment into an operational compliance posture. We are available for an initial consultation to review the BSI-tool output and scope the engagement.

Get in touch → office@kanzlei-theofunk.de

References and Sources

1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), OJ L 333, 27.12.2022, p. 80.

2. Federal Government of Germany, NIS-2-Richtlinie: Deutschland stärkt Cybersicherheit, bundesregierung.de.

3. Federal Office for Information Security (BSI), Betroffenheitsprüfung NIS-2, official affected-party assessment tool: betroffenheitspruefung-nis-2.bsi.de.

4. Art. 21 NIS2 (cybersecurity risk-management measures); Art. 23 NIS2 (incident reporting); Art. 20 NIS2 (governance and management-body liability); Arts. 32, 34 NIS2 (supervisory powers, administrative fines).

5. German NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), amending the BSI-Gesetz and adjacent statutes.

This article is provided for general informational and educational purposes only and does not constitute legal advice. It reflects the legal framework and publicly available government communications as of the date of preparation. Entities subject to the NIS2 Directive should seek tailored legal advice in relation to their specific circumstances. © 2026 Kanzlei Theo Funk, Bamberg. All rights reserved.