NIS2 Implementation Act Passed: What You Need to Do Now

NIS2 Implementation Act: Germany's Bundestag Has Decided
Germany's Bundestag has passed the NIS2 Implementation Act. This marks a decisive milestone on the path to binding cybersecurity regulation in Germany. Following the pending approval by the Bundesrat, the law will become legally binding, and companies must prepare for a new era of IT security and compliance.
The message is clear: Transition periods are virtually non-existent. Anyone who hasn't yet started preparing is already falling behind. For IT leaders, CISOs, and executive management, this means immediate action is required.
A Remarkable Development: Federal Administration Is Included
A particularly noteworthy detail of the final version: The scope of application has been extended to the entire federal administration. This is a long-overdue signal that finally creates a level playing field between the public sector and private industry.
For years, private businesses had to meet stricter cybersecurity requirements while government agencies were often subject to less rigorous standards. With the NIS2 implementation, the state now subjects itself to the same rules. This not only strengthens the credibility of the regulation but also increases the overall security of Germany's digital infrastructure.
Key Points of the NIS2 Implementation Act
For those responsible for cybersecurity (or in official German terminology: IT security), the law brings three essential innovations:
1. Stricter Reporting Obligations with a 3-Tier Regime
The new law introduces a three-tier reporting system for cybersecurity incidents:
- Initial report: Within 24 hours of becoming aware of a significant security incident, an initial report must be submitted to the BSI (Federal Office for Information Security).
- Second report: Within 72 hours, a detailed report with initial assessments and measures is required.
- Final report: After completing the incident response, a final report must be submitted.
These tiered reporting obligations require clear processes and responsibilities within the organization. Companies must ensure that incident response teams are ready at all times and that communication channels to the BSI are established.
2. Extended Powers for the BSI
The Federal Office for Information Security receives significantly expanded control and intervention rights under NIS2. These include:
- Comprehensive information and audit rights regarding affected entities
- Authority to conduct on-site inspections
- Power to order specific security measures
- Ability to impose substantial fines for violations
The BSI is thus evolving from an advisory agency to a genuine supervisory and enforcement authority. Companies should view the BSI as a partner and proactively seek dialogue rather than waiting for inspections.
3. Personal Liability of Management
A particularly important aspect that has not yet fully sunk in in many boardrooms: the NIS2 Implementation Act places personal liability on management.
The governing bodies are now explicitly responsible for ensuring that:
- Risk management measures are implemented
- The organization is adequately prepared for cybersecurity incidents
- Training and awareness measures are conducted
- Reporting obligations are met
In case of violations, not only does the company face fines; executives and managing directors also face personal consequences. This should provide sufficient motivation to make cybersecurity a top management priority.
Indirect Impact: The Supply Chain in Focus
An often underestimated aspect of NIS2: Even companies not directly covered by the regulation will be indirectly affected. Those acting as suppliers for critical or important sectors will find that customers demand compliance throughout the entire supply chain.
Specifically, this means:
- Contractual requirements: Clients will include NIS2 compliance clauses in contracts
- Audits and evidence: Suppliers must be able to demonstrate that they have implemented appropriate cybersecurity measures
- Supply chain risk management: Supply chain security becomes a central selection criterion for business partners
Even smaller companies should therefore examine whether and how they might be affected by NIS2, either directly or through their business relationships.
Act Now: Three Concrete Steps for IT Leaders and CISOs
The Bundestag's decision should be used as leverage for budget and personnel discussions. There are no more excuses for postponing the necessary investments in cybersecurity. The following three points should immediately be on the agenda:
1. Finalize Impact Assessment
Clearly determine: Does your company fall under the category of "essential entity" or "important entity"? The distinction is crucial, as it determines different requirements and obligations.
Consider:
- Industry affiliation (critical sectors such as energy, healthcare, transport, finance, etc.)
- Company size (thresholds: 50+ employees and €10 million+ annual revenue)
- The type of services provided
2. Review Governance: Is Information Security a C-Level Matter?
NIS2 requires that information security be organizationally positioned directly under the C-level. Check:
- Does the CISO or IT security officer report directly to executive management?
- Is cybersecurity a regular topic in board meetings or executive management meetings?
- Are there clear responsibilities and escalation paths?
- Are budget and resources adequate?
If information security is still buried deep within the IT department, now is the time for organizational realignment.
3. Conduct Gap Analysis: Where Do You Really Stand?
Conduct an honest gap analysis: Where does your organization stand today, and what does NIS2 require? Typical areas that should be examined:
- Risk management: Is there a systematic approach to identifying and assessing cybersecurity risks?
- Incident response: Are processes and teams for managing security incidents established and tested?
- Business continuity: Do plans exist for maintaining operations in crisis situations?
- Supply chain security: Are security risks in the supply chain systematically assessed?
- Awareness and training: Are employees regularly trained on cybersecurity topics?
- Technical measures: Are basic security measures such as multi-factor authentication, encryption, and network segmentation implemented?
Document the gaps and prioritize the necessary measures by risk and implementation effort.
Conclusion: Those Who Start Now Are Already Late
The NIS2 Implementation Act has been passed. The time for waiting is over. Anyone just starting preparations now risks not being compliant when the law comes into force, thereby exposing themselves to significant risks.
The good news: Cybersecurity is not rocket science, but primarily a matter of systematic approach, proper prioritization, and sufficient resources. Use the political momentum that NIS2 provides to push through long-overdue investments.
The combination of personal liability for management, extended powers for the BSI, and strict reporting obligations should provide sufficient motivation to finally make cybersecurity a strategic priority.
Act now. Don't wait for publication in the Federal Law Gazette. Conduct the impact assessment, review your governance structures, and identify gaps in your cybersecurity. Time is running out.
For companies that need support with implementation, early collaboration with experienced consultants and experts is recommended. Professional guidance can not only ensure compliance but also help set the right priorities and deploy resources efficiently.
NIS2 is not a threat but an opportunity to elevate cybersecurity in German companies to a new level, thereby sustainably strengthening digital sovereignty and competitiveness.
