On St. Nicholas Day: NIS2 Implementation Act Comes into Force

The NIS2 Implementation Act was pushed through institutions at breakneck speed. It takes effect tomorrow, tightening IT security for 30,000 companies.

One day after its publication in the Federal Law Gazette, the German NIS2 Implementation Act comes into force on St. Nicholas Day. From then on, approximately 30,000 companies and other institutions, up from fewer than 5,000 previously, fall under the tightened and revised IT security requirements. Supervision of compliance will lie primarily with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), which already enforces a large part of the IT security requirements for critical infrastructures and operators of critical facilities.

The new regulation also changes the classification of critical services: thresholds and affected sectors have been adjusted, and the circle of entities that will in future have to meet at least basic IT security and incident reporting obligations has been significantly expanded. BSI President Claudia Plattner expects the implementation of the NIS2 Act to change the IT security situation noticeably and measurably.

Whether an organization falls under the requirements can be checked in advance with the NIS2 Checker provided by the BSI at https://betroffenheitspruefung-nis-2.bsi.de/ – however, the result is not legally binding. Anyone the checker classifies as likely to be obligated should take this as a prompt to examine the matter more closely.

If a company falls within the scope of the NIS2 requirements, it must register with the BSI. According to the Bonn-based authority, this requires a "Mein Unternehmenskonto Online" account. From the beginning of 2026, registration will be possible in a BSI portal built on this account, which does not yet exist; until then, IT security-relevant incidents must still be reported via a conventional reporting form.

Because Germany first delayed the implementation for political reasons and then suspended it due to new elections, there are no longer any transitional periods for companies now that the Bundestag finally reached an agreement in November. If obligated companies do not comply with the provisions of the law now promulgated, penalties are foreseen. "Depending on the type of violation, fines of up to ten million euros or up to two percent of total turnover may be imposed," explains Stefan Hessel from the specialized law firm Reuschlaw. Whichever amount is higher forms the upper limit. "However, for now, fines are only to be expected in extreme cases, as the BSI aims for a business-friendly implementation." Liability for management has been significantly mitigated compared to earlier drafts of the law, Hessel says; here, the general rules on managing director liability apply.

To get things moving before the Christmas break, heise security is offering interested parties a webinar on the topic next Wednesday, December 10th, lasting about two hours. "NIS-2 is coming – Implement legally compliant IT security" with lawyer Karsten U. Bartels will cover, among other things, the applicability check, the obligations, and the liability risks.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.