NIS2 in Germany: What Multinationals Must Actually Do Under BSIG 2.0 — BSI Registration, KRITIS Overlap, and Penalty Exposure
Germany missed the EU’s October 2024 NIS2 transposition deadline by over a year. When the revised BSI Act (BSIG 2.0) entered into force on December 6, 2025, it applied immediately — no transitional period, no phase-in. For multinationals with German operations, the BSI registration deadline fell on March 6, 2026: three months after enactment. Entities that became in-scope after that date face the same three-month clock from the date they first qualify.
Germany’s implementation is also one of the most demanding in Europe. It layers a third entity tier on top of the EU directive’s two, introduces personal management liability that exceeds what NIS2 Article 20 requires, and creates an ICT component prohibition power that no other EU member state has enacted. For compliance teams managing EU-wide NIS2 programmes, Germany requires dedicated country-level treatment: the base directive overview in our NIS2 directive guide is a necessary starting point, but insufficient on its own.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
What Germany’s BSIG 2.0 Actually Changes
The EU NIS2 Directive established a two-tier framework — essential entities and important entities — with corresponding obligations and penalties. Germany did not simply copy that structure. The legislature amended the existing BSI Act (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) to add a third regulated layer on top of the existing KRITIS (Kritische Infrastrukturen) framework, producing a more complex regulatory architecture than the directive requires.
Three German provisions go beyond the EU baseline:
A third entity tier for KRITIS operators. Entities already designated as critical infrastructure operators under Germany’s KRITIS methodology automatically qualify as the highest regulatory tier — “operators of critical facilities” — with obligations beyond standard NIS2 entities. Around 29,500 companies now fall within scope compared to approximately 4,500 under the former BSIG, a five-fold expansion driven primarily by new sectors including manufacturing, IT services, and research organisations.
Personal management liability exceeding Article 20 of the directive. The EU directive requires management bodies to “approve” cybersecurity risk management measures. Germany’s Section 38 BSIG requires management to “implement” them — a materially higher legal standard with personal civil liability attached to individual executives.
An ICT component prohibition power. The Federal Ministry of the Interior can order regulated entities to cease using or replace specific ICT components where their deployment endangers public order or national security. The prohibition has retroactive effect on existing deployed infrastructure and expressly targets components from manufacturers subject to foreign state influence. No equivalent power exists in any other EU member state’s NIS2 implementation.
Germany’s law also includes a “negligible activity” exemption under Section 28(3) BSIG, allowing entities to exclude genuinely ancillary business activities from threshold calculations. No official BSI guidance has defined “negligible,” making this provision a compliance risk rather than a reliable safe harbour until interpretive guidance is published. Any reliance on this carve-out requires documented legal analysis.
BSI and CERT-Bund: Germany’s Enforcement Architecture
The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) serves as Germany’s primary NIS2 competent authority. Under Sections 61 and 62 of the new BSIG, the BSI’s supervisory powers expanded substantially — including broad inspection rights, authority to issue binding orders, and power to impose operational restrictions on regulated entities.
Germany’s implementation also designates the BSI as “CISO Bund” (Federal CISO), creating a parallel public-sector security layer governing federal authorities alongside its economic regulation of private-sector entities. This dual role makes the BSI one of the most powerful national cybersecurity regulators in Europe.
CERT-Bund, operating within the BSI, functions as Germany’s designated CSIRT (Computer Security Incident Response Team) under NIS2. CERT-Bund maintains 24-hour on-call emergency response, coordinates incident analysis across federal systems, and issues threat warnings through its Warning and Information Service (WID). For regulated entities, CERT-Bund is the operational point of contact for incident coordination — distinct from the BSI’s supervisory and enforcement role.
A critical enforcement distinction shapes compliance strategy: the BSI can take proactive, ex ante supervisory action — including unannounced audits and binding orders — against particularly important entities only. For important entities, the BSI acts reactively, following a complaint or incident report. This gap in enforcement intensity is a concrete operational difference that multinational compliance teams should factor into entity-level prioritisation across their German footprint.
Does Your Company Fall Under German NIS2? Three-Tier Classification
Scope determination works through three tiers in sequence. Scope attaches to the German legal entity providing services in Germany — not to the group parent. A multinational whose German subsidiary meets the applicable thresholds must register the subsidiary independently with the BSI. The parent cannot register on the subsidiary’s behalf.

| Tier | BSIG Classification | Key Thresholds | Supervisory Intensity |
|---|---|---|---|
| 1 — Critical Facility Operator | Particularly important entity (highest) | KRITIS methodology: infrastructure supplying ≥500,000 persons in Germany | Proactive BSI audits; mandatory SzA; triennial compliance evidence from 2027 |
| 2 — Essential Entity | Particularly important entity | ≥250 employees, OR both €50M+ turnover AND €43M+ balance sheet; Annex 1 sectors (certain digital infrastructure types qualify regardless of size) | Proactive BSI supervisory action |
| 3 — Important Entity | Important entity | ≥50 employees, OR both €10M+ turnover AND €10M+ balance sheet; Annex 2 sectors | Reactive BSI action only (complaint or incident triggered) |
Tier 1 — Critical Facility Operators (KRITIS): Entities operating energy, water, transport, healthcare, food, finance, or digital infrastructure at a scale supplying at least 500,000 persons in Germany are typically already registered under the former KRITIS framework. Under BSIG 2.0, they carry over automatically as critical facility operators — the highest regulated tier — with additional obligations beyond standard NIS2 entities.
Tier 2 — Essential Entities: Your organisation qualifies if it operates in a high-criticality sector listed in BSIG Annex 1 — energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, ICT service management, federal public administration, or space — AND meets the size threshold. Certain entity types qualify regardless of size: DNS service providers, TLD registries, cloud computing providers, data centre operators, content delivery networks, managed service and security service providers, and qualified trust service providers.
Tier 3 — Important Entities: Entities in Annex 2 sectors — postal services, waste management, chemicals, food production, manufacturing of medical devices, electronics, vehicles, and machinery, digital providers, and research organisations — qualify if they meet the medium-enterprise threshold of at least 50 employees or €10 million in both annual turnover and balance sheet total.
The “negligible activity” carve-out under Section 28(3) may allow a German entity to exclude a minor business activity from threshold calculations where that activity is genuinely ancillary to the organisation’s core purpose. For a broader understanding of how NIS2 defines entity scope across the EU, see our NIS2 scope guide.
The BSI Registration Process: Step by Step
Registration is a two-phase process that requires German digital authentication infrastructure before the BSI portal can be accessed — a practical barrier for foreign multinationals that is frequently underestimated in compliance timelines.
Phase 1 — Create a Mein Unternehmenskonto (MUK) account. The MUK (My Company Account) system uses ELSTER-based organisation certificates — the same digital authentication infrastructure used for German tax filings. Foreign multinationals without an existing ELSTER presence must obtain these certificates through a German tax authority representative or a legal-entity-based application process. Allow two to three weeks for certificate issuance and account setup; this step cannot be completed on the day of registration.
Phase 2 — Register via the BSI portal. The BSI portal opened January 6, 2026, and serves as both the registration platform and the incident reporting interface. Entities must provide:
- Legal name, registered address, and legal form
- Sector classification (Annex 1 or Annex 2)
- Security contact point — must be reachable 24 hours a day, seven days a week
- IP address ranges used in German operations
- Scope of EU operations
- For critical facility operators: additional infrastructure-specific data and ICT component disclosures
The initial registration deadline was March 6, 2026 for entities in scope at the time of enactment. For entities that become in-scope after that date — through growth, acquisition, or sectoral reclassification — the three-month registration deadline runs from the date they first qualify. Any changes to registered information must be reported to the BSI within two weeks of the entity becoming aware of the change.
Failure to register exposes entities to administrative fines under Section 65 BSIG. Registration is a legal prerequisite for compliance, not a procedural formality — the BSI can enforce the registration obligation independently of any security incident.
Management Liability Under Section 38 BSIG
Section 38 BSIG creates personal liability for management body members in ways that exceed what the EU directive requires — and that distinction has direct implications for multinationals who appoint executives as legal representatives of German subsidiaries.
The EU’s Article 20 requires management bodies to “approve” cybersecurity risk management measures and oversee their implementation. Germany’s Section 38 requires management to “implement” those measures directly and demonstrate active, ongoing supervision. The BSIG codifies that responsibility cannot be fully delegated: executives may assign operational tasks to IT security or compliance teams, but core security decisions remain with management personally.
Who is personally liable: The BSIG’s definition encompasses CFOs, general partners, and any individual with management authority — not merely the CEO or formally designated board members. In Germany’s two-tier board structure, only the executive board (Vorstand) is captured under this provision; supervisory board members (Aufsichtsrat) are not personally liable under Section 38.
Specific personal liability triggers:
- Inadequate or absent cybersecurity risk assessments
- Deficient supply chain security oversight — including vendor selection, contractual security obligations, and ongoing monitoring
- Late or incomplete incident reporting to the BSI
- Failure to document implemented security measures to a standard sufficient for BSI audit
Training requirement: Management members must attend documented cybersecurity training at a minimum every three years. The training record must capture participants, curriculum content, trainer details, and duration — specific evidentiary requirements that apply directly to BSI audit readiness.
For multinationals appointing country managers or regional directors as legal representatives of German subsidiaries, this provision creates direct personal exposure for those individuals. D&O insurance structures and indemnification arrangements should be reviewed against the BSIG’s personal liability scope before assignment.
Security Obligations and KRITIS-Specific Requirements
The core security obligations under Germany’s BSIG mirror the NIS2 directive’s Article 21 framework: an all-hazards, risk-proportionate approach covering access control, cryptography, supply chain security, network segmentation, incident handling, business continuity, and related domains. Section 30 BSIG codifies the standard as “appropriate, effective, and proportionate technical and organisational measures” ensuring the availability, integrity, and confidentiality of information systems.
One practical difference from the EU baseline: Germany requires entities to document measure implementation to a level sufficient for BSI audit, with documentation that maps specifically to the BSIG’s control framework. Existing ISO 27001 certifications are generally insufficient to demonstrate compliance — additional Germany-specific documentation is required even where the underlying security controls are equivalent.
Critical facility operators (KRITIS tier) face three additional obligations beyond standard NIS2 requirements:
1. Attack detection systems (Systeme zur Angriffserkennung, SzA). Continuous attack detection is mandatory for KRITIS-tier operators. This requirement predates NIS2 — introduced under Germany’s IT Security Act 2.0 — and the BSIG 2.0 retains and extends it. Standard essential and important entities are not required to deploy SzA unless they also qualify as critical facility operators.
2. Triennial compliance evidence. Critical facility operators must provide documented evidence of security measure implementation to the BSI by 2027, with repeat submissions every three years thereafter. Standard important entities face risk-based BSI sampling rather than mandatory audit cycles — a meaningfully lower compliance burden.
3. Service recipient notification. Under Section 35 BSIG, regulated entities must immediately notify service recipients when a significant incident materially affects service delivery. This is a German addition with no direct equivalent in other EU member state implementations: the duty arises at the point of discovery, before the 24-hour, 72-hour and one-month BSI reporting deadlines have run.
Incident reporting timelines are consistent across all entity tiers: 24-hour early warning to BSI upon becoming aware of a significant incident; 72-hour detailed notification including initial root-cause assessment; and a final report within one month of the 72-hour notification. All three submissions are made through the BSI portal.
Penalties Under Section 65 BSIG
Germany’s penalty structure implements the administrative fine framework of Article 34 of the NIS2 directive, with fines calculated against worldwide group turnover:
| Entity Tier | Maximum Administrative Fine |
|---|---|
| Particularly important entities (essential) | €10,000,000 or 2% of total worldwide annual turnover — whichever is higher |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover — whichever is higher |
The worldwide turnover basis is the critical multiplier for multinationals. For a group with €5 billion in global revenue, the maximum fine for an essential entity breach reaches €100 million — calculated against the group’s consolidated revenue, not the German subsidiary’s standalone figures. This is consistent with the directive’s Article 34 intent and applies regardless of the subsidiary’s local revenue scale.
The BSI signalled it does not intend to initiate extensive enforcement action immediately following the law’s entry into force — but this is operational discretion, not a legal transitional period. Entities demonstrating active implementation progress face measurably lower supervisory risk than those that have taken no action. Failure to register by the March 2026 deadline is itself a sanctionable breach under Section 65, independent of any security incident.
The ICT Component Prohibition — A Risk Unique to Germany
Section 41 BSIG grants the Federal Ministry of the Interior authority to prohibit regulated entities from deploying or continuing to use specific ICT components where their use “endangers public order or national security.” No equivalent power exists in any other EU member state’s NIS2 implementation.
The prohibition expressly targets components from manufacturers “subject to foreign state influence” — language widely interpreted to encompass hardware and software from vendors operating under mandatory state cooperation laws. The provision applies to any ICT component deployed in BSIG-covered systems, not only equipment used in critical infrastructure operations.
Two features make Section 41 particularly significant for multinationals operating standardised global IT infrastructure in Germany:
Retroactive effect. Prohibition orders apply to existing deployed components, not only future acquisitions. An entity that receives a prohibition order must cease using or replace the affected component within a Ministry-set deadline. There is no grandfather clause for previously approved or legacy deployments — the order applies regardless of when the component was procured or installed.
Immediate compliance obligation. Prohibition orders take effect as issued. The Ministry sets the replacement timeline, which may be significantly shorter than normal hardware refresh cycles — a serious operational risk for embedded industrial control systems, core networking infrastructure, and telecommunications equipment where replacement requires months of planning and testing.
For multinational compliance teams, the practical implication is a targeted supply chain audit of ICT components deployed in Germany-based operations. Any hardware or software from manufacturers with significant state-government relationships — particularly in networking, telecommunications, and operational technology — should be assessed for Section 41 exposure proactively. Waiting for a prohibition order converts what could be a planned replacement programme into an emergency with a Ministry-dictated deadline.
For reference on how another EU member state approaches NIS2 country-specific implementation, see our Ireland NIS2 country guide.
Frequently Asked Questions
Does NIS2 apply to my company if we are headquartered outside Germany?
Yes. The German BSIG applies to any legal entity providing services in Germany that meets the applicable sector and size thresholds. The regulated entity is your German subsidiary or branch, not the group parent. That entity must register with the BSI independently — registration cannot be completed by the parent on the subsidiary’s behalf.
What is KRITIS and how does it relate to NIS2 essential entity status?
KRITIS (Kritische Infrastrukturen) is Germany’s pre-existing critical infrastructure framework, predating NIS2 by over a decade. Under BSIG 2.0, KRITIS operators automatically qualify as “operators of critical facilities” — the top tier, with additional obligations beyond standard essential entities, including mandatory attack detection systems (SzA) and triennial compliance audits. Operators already registered under KRITIS carry over automatically without needing to re-qualify under the new law.
Is ISO 27001 certification sufficient for NIS2 compliance in Germany?
No. ISO 27001 certifications are generally insufficient to demonstrate BSIG compliance. Germany requires documented evidence of measure implementation that maps specifically to the BSIG’s control framework. An ISO 27001 programme is a useful foundation but requires supplementary Germany-specific documentation for any BSI audit to proceed successfully.
How does Germany compare to other EU member states implementing NIS2?
Germany has one of the most demanding NIS2 implementations in Europe: three entity tiers instead of two, personal management liability exceeding the EU directive standard, mandatory attack detection for KRITIS operators, and a unique ICT component prohibition power. Implementation timelines and enforcement intensity also differ significantly across member states — compare the Ireland guide linked above for a different national approach.
Sources
- Germany Implements NIS2: Immediate Effect, Broad Scope, Near-Term Registration, Reed Smith (December 2025)
- Flipping the NIS2 Switch: What Germany’s Implementation Means for 2026 Compliance, Morrison Foerster (December 2025)
- NIS2 Implementation in Germany, OpenKRITIS
- Germany’s Implementation of NIS2: Scope, Liability, and Documentation, Taylor Wessing (November 2025)
- Germany’s NIS2 Implementation Act, YPOG (February 2026)
- NIS2 Directive Article 34 — Administrative Fines, nis-2-directive.com (linked inline above)
- CERT-Bund — Germany’s national CSIRT, EU CSIRTs Network, ENISA (linked inline above)
- Germany Implements NIS2: Registration Portal Will Open on January 6, 2026, Privacy World (December 2025)
