What Companies Need to Know and Do Now
Both chambers of the German legislature, the Bundestag (lower house) and the Bundesrat (upper house representing the federal states), have adopted the act implementing the EU NIS2 Directive. Its core element is a comprehensive revision of the German Cybersecurity Act (the "BSI Act"). The law has been in force since 6 December 2025. No transition periods are planned.
What is the German NIS2 Implementation Act?
The NIS2 Implementation Act is Germany's national law transposing the EU NIS2 Directive, which sets mandatory cybersecurity requirements for "essential" and "important" entities across 18 sectors such as healthcare, mobility, energy, manufacturing, and digital infrastructure.
Key points:
- The German act largely consists of a complete overhaul of the existing BSI Act (BSIG) – Germany’s core cybersecurity legislation.
- The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the Federal Office for Information Security, Germany’s national cybersecurity authority.
- The revised BSI Act defines:
- which companies fall under NIS2,
- their cybersecurity duties,
- supervisory powers, and
- sanctions for non-compliance.
- On 5 December 2025, the law was published in the Federal Law Gazette and has been in force since 6 December 2025. No transition periods are planned.
What are “negligible activities”?
A notable feature of the German implementation is an exemption for “negligible activities” under Section 28(3) of the revised BSI Act.
- What does this mean?
When determining whether a company qualifies as an "essential" or "important" entity under NIS2, minor business activities can be excluded if including them would disproportionately trigger NIS2 obligations. This is relevant because German law defines NIS2 applicability based on the sectoral activities listed in the two annexes of the BSI Act (e.g. healthcare, manufacturing, transport, digital services). These definitions were not adjusted during the legislative process.
- What counts as negligible?
- A very small number of employees assigned to the activity
- Minimal turnover generated in that area
- What does not count as negligible?
Activities explicitly listed in:
- the articles of association,
- shareholder agreements, or
- other foundational company documents.
Those must always be considered relevant.
What should companies do now?
- Update the NIS2 impact assessment: Because the sector definitions are rigid, some uncertainties remain. The exemption for negligible activities gives companies more flexibility in evaluating their own applicability.
However: cybercriminals do not limit their attacks based on legal definitions. Excluding activities too aggressively may leave security vulnerabilities unaddressed, and the exclusion should be documented with the employee and turnover figures that justify it, since the BSI may review the assessment.
- Prepare for mandatory registration with the BSI: All "important" and "essential" entities must register via a BSI online portal. Significant cybersecurity incidents must be reported to the authority without delay, following the staged reporting sequence the Directive prescribes (early warning within 24 hours, full notification within 72 hours, final report afterwards), so incident-response procedures need to produce reportable information within those windows.
- Implement the required NIS2 security measures: Companies should now begin implementing NIS2-compliant measures on both the technical and organisational level. This includes:
- risk management,
- supply-chain security,
- handling IT security incidents,
- governance and documentation.
The EU Cyber Resilience Act (CRA) should also be considered where relevant, as it introduces product-related cybersecurity obligations.
How reuschlaw supports NIS2 implementation
reuschlaw assists companies by:
- assessing whether they fall under NIS2,
- identifying and mapping the resulting obligations,
- supporting implementation and documentation, and
- helping build a sustainable cybersecurity compliance management system.
For technical measures, reuschlaw works with specialised partners, ensuring companies meet the tightened legal requirements and are well prepared for audits and supervisory reviews.