NIS2 Is Here – What German Companies Need to Know Now

The NIS2 Implementation Act came into force on December 6, 2025 – with no transition period. Around 29,500 companies in Germany are affected and must act immediately.

What is NIS2?

  • EU directive to strengthen cybersecurity
  • Replaces the previous NIS Directive from 2016
  • Significantly expanded scope: from approx. 4,500 to 29,500 companies
  • Goal: Uniform European security standards

Who is affected?

Two criteria must be met:

1. Sector

Companies from one of the 18 designated sectors:

  • Energy, Transport, Banking, Financial Markets
  • Healthcare, Drinking Water, Wastewater
  • Digital Infrastructure, ICT Services
  • Public Administration, Space
  • Postal, Waste, Chemicals, Food
  • Manufacturing, Digital Services, Research

2. Size

  • From 50 employees OR
  • Over EUR 10 million annual turnover

Important: Companies must check themselves whether they are affected – there is no notification from authorities!

What must affected companies do?

Immediately

  • Self-assessment: Am I affected? (Use BSI impact assessment)
  • Register with "Mein Unternehmenskonto" (MUK) – recommended by December 31, 2025

Within 3 months (by March 2026)

  • Registration with BSI portal (goes online January 6, 2026)

Ongoing obligations

  • Implement and document risk management measures
  • Reporting obligation for cyber incidents:
    • Early warning within 24 hours
    • Detailed report within 72 hours
    • Final report within 1 month
  • Supply chain security: contractually bind service providers to security standards
  • Regular training for management

Executive Liability

New and important: Management is personally liable!

  • Obligation to approve AND monitor cybersecurity measures
  • Obligation for own training in cybersecurity
  • In case of violations: Personal liability possible

Penalties

  • Essential entities: up to EUR 10 million or 2% of global annual turnover
  • Important entities: up to EUR 7 million or 1.4% of global annual turnover

Connection to AI Regulation

NIS2 also affects companies that use or develop AI systems:

  • AI infrastructure must be included in risk management
  • Cloud-based AI services (ChatGPT, Copilot, etc.) are part of the supply chain
  • Data protection and cybersecurity are interlinked

Next Steps – Checklist

  • Conduct impact assessment (BSI tool)
  • Inform management (liability issue!)
  • Register with MUK (by December 31, 2025)
  • Gap analysis: What measures are missing?
  • Define reporting processes
  • Review supplier contracts

How does your company stand with AI and digitalization?

Our AI Status Report provides you with a structured overview – including action recommendations and funding program overview.