German Bundestag passes NIS2 Implementation Act: What Entities Need to Know

Broad Scope of Application

The NIS2 Implementation Act will significantly expand the range of entities subject to cybersecurity obligations. While previous German rules primarily targeted critical infrastructure, the new Act will apply to a much wider set of sectors, including health, transport, digital services, and parts of manufacturing.

SMEs are generally exempt from the scope of application. Accordingly, an entity must either (i) employ more than 50 employees or (ii) have an annual turnover and balance sheet total exceeding EUR 10 million to fall within scope. As a rule, thresholds of partnered and linked enterprises must also be included to the calculation, unless the entity exercises decisive influence over the nature and operation of the IT systems, components, and processes that the enterprise uses to provide its services.

Germany will also introduce a significant deviation by introducing the criterion of negligible business activities.

Highlights of the NIS2 Implementation Act

For affected entities, compliance will require a thorough review of structures, processes and governance across the organisation. Key provisions of the NIS2 Implementation Act include:

• Registry: Within three months of falling under the law’s scope, entities will need to register with the Federal Office for Information Security (BSI). Any changes to the provided information must be updated within 14 days.
• High-risk component restrictions: The Federal Ministry of the Interior is entitled to prohibit the use of high-risk components in critical facilities. This German peculiarity exceeds the NIS2 baseline harmonisation and underscores the German regulators' increasing focus on supply chain security.
• Incident reporting: Entities must report incidents to the BSI by submitting an initial report within 24 hours of becoming aware of an incident, a detailed report within 72 hours, and a final report within 30 days. These timelines demand robust internal processes and clear escalation paths to avoid regulatory breaches.
• Management body oversight: Management body must approve risk management measures, continuously oversee their implementation and take part in mandatory NIS2 trainings. This shift reflects a broader trend where cybersecurity is no longer seen as a purely technical issue but as a governance priority.

Enforcement and Penalties

The Act will give the BSI extended supervisory powers, including the ability to conduct audits and issue binding instructions. Entities that fail to comply may face severe consequences. This may not only include fines of up to €10 million or 2% of global annual turnover, but also personal liability of the management body. Beyond financial penalties, organisations risk reputational damage and operational disruption if they fail to meet the new standards.

Preparing for Compliance

With the law now passed by the Bundestag, entities should act immediately. The obligations will take effect shortly after publication in the Federal Law Gazette, leaving entities with limited time to prepare and requiring proactive measures to avoid non-compliance.

The first step is to determine whether your organisation qualifies as an essential or important entity under the NIS2 Implementation Act. From there, entities should conduct a subsequent gap assessment and review internal processes, risk management measures and supply chain vulnerabilities. The management body should complete NIS2 compliance training to ensure it is capable of fulfilling its oversight responsibilities.

The NIS2 Implementation Act is part of a broader regulatory trend towards resilience and accountability. A separate implementation law on the CER Directive is expected to follow, adding another layer of obligations for critical entities.

Companies that invest early in compliance will not only avoid penalties but also strengthen their operational resilience in an increasingly volatile threat landscape. Please reach out to your Eversheds Sutherland team to discuss your next steps around NIS2, its implementation and our NIS2 management training offering.