
- On 13 November 2025, the Bundestag adopted the law transposing the NIS 2 Directive into German law; it provides for no transitional periods.
- The BSI Act (BSIG) is comprehensively redrafted: expanded catalogue of obligations, central risk management, supply chain security, and strict reporting duties.
- The scope is greatly expanded and covers significantly more companies, suppliers, and authorities at the federal and state levels.
- Companies must establish processes for risk analyses, reporting chains, documentation, and approvals – a foundation for an ISMS under BSI standards or ISO 27001.
- The new legal framework strengthens the BSI as well as the Federal CISO and creates long-term guardrails for digital stability in government and industry.
On the afternoon of 13 November 2025, the Bundestag took a decision of considerable significance. At 3:45 p.m., the result was announced. The legislator is transposing the European requirements of the NIS 2 Directive into German law, thereby changing the foundations of IT security for companies and federal authorities. The European Union’s transposition deadline (17 October 2024) expired more than a year ago, but the political process took longer. With this resolution, the Federal Republic tightens the regulatory framework, without transitional periods or grace periods.
New structure of the IT security architecture
The core of the law lies in the recasting of the BSI Act. The European requirements from NIS 2 call for structural changes, and the German legislator is now fully integrating these requirements into the BSIG. The new catalogue of obligations is considerably more extensive. Risk management becomes a central element in its own right. A catalogue of measures specifies the technical and organizational requirements more precisely. Supply chain security is incorporated as a topic in its own right. The reporting obligations for IT security incidents apply without transitional periods. At the same time, executive management is held more directly accountable for compliance.
The way the scope is defined changes fundamentally: new sectors are covered, previous categories are dropped, and thresholds are lowered. As a result, the law will affect thousands of companies and suppliers that were previously outside the regulation for operators of critical infrastructure (KRITIS). The nationwide IT security architecture thus gains new breadth. This breadth is not merely an organizational expansion; it anchors digital security as a binding component of management activity, technical planning, and administrative procedures.
Implications for government and the economy
The economic impact is substantial. The annual compliance burden for the German economy rises to around €2.3 billion. The sum describes not merely costs, but a structural transformation project: companies must restructure their processes, define responsibilities, conduct systematic risk analyses, and realign reporting channels.
The rules also apply to federal authorities. The legislator explicitly includes agencies within the portfolios of the respective ministries. The role of the Chief Information Security Officer for the Federal Government is given its own legal basis. This position will serve as a central coordination and information hub for cybersecurity within the federal administration. The remit includes collecting, consolidating, and disseminating security-relevant information as well as coordinating administrative measures.
The BSI’s role is expanded. The removal of the threshold of 100,000 customers in Section 16 BSIG means that smaller telecommunications providers also fall within scope. The BSI can now issue orders to such providers to avert significant threats or to remedy security defects. Without this change, a regulatory gap would arise that would hit digital communications infrastructures hard.
The Bundestag added further points during the parliamentary process. Section 3(1) nos. 18 and 20 BSIG now provide for the involvement of the Länder (states). Police and law enforcement authorities thereby gain access to the BSI’s advisory, information, and warning powers. This gives the federal security architecture a coherent form. In addition, Section 41 BSIG creates the basis for excluding critical components from individual manufacturers in particularly sensitive areas. The decision is taken in consultation with the competent ministries and the Federal Foreign Office. The state thus intervenes directly in security-relevant technology areas whenever risks to public order or security exist.
A clarifying addition to the CVD (Coordinated Vulnerability Disclosure) process in Section 5 BSIG lays down more precise procedures for handling vulnerabilities. The rule defines responsibility for receiving reports, assessing them, and coordinating the response. This gives a central process of IT security a binding design in law.
A process perspective as the foundation for NIS 2
With the implementation of the NIS 2 Directive, there is now a binding framework that demands clear structures. The requirements provide guidance on which processes are needed, which workflows require adjustment, and where responsibilities must be depicted more precisely.
Concrete examples include:
- Expansion of scope: The law will apply to significantly more entities (“important” and “essential” entities), including many companies and parts of the public administration.
- New and expanded definitions: Many terms (e.g., near miss, cloud services, critical installations) are newly or more clearly defined to improve clarity and to implement the NIS 2 Directive.
- Risk management obligations: Essential and important entities must implement and document comprehensive technical and organizational risk management measures that cover all IT systems they use.
- Specific requirements for operators of critical installations: These operators must ensure an even higher level of security and are mandatorily required to deploy attack detection systems.
- Reporting obligations: Entities must report significant security incidents without delay; there are clear specifications for the content, deadlines, and procedures of such reports.
- Requirements for information security in the federal administration: The management of each entity is responsible for compliance with statutory and subordinate provisions (including IT-Grundschutz and minimum standards).
- Special rules for federal digitalization projects and communications infrastructures: Dedicated Information Security Officers (ISBs) must be appointed for major IT projects and infrastructures.
Security does not emerge from isolated decisions, but from orderly procedures that make risks visible and keep responses traceable. The implementation of the directive therefore relies on organizational clarity rather than individual technical prescriptions. Without reliable processes, there is no consistent picture of threats, incidents, or internal responsibilities.
Companies are now aligning their operations with these requirements. Risk analysis, reporting chain, documentation, approvals, and control steps form an interconnected system that enables a robust level of security. Structures of this kind also form the basis for an ISMS under BSI standards or ISO 27001. Such a system makes sense once clear role concepts, transparent information flows, and binding decision-making processes are embedded in day-to-day operations.
We support organizations within this framework with experience from process consulting and subject-matter expertise in the field of information security. The work of certified external ISBs provides guidance in interpreting the requirements and ensures confidence in implementation. The goal is an ISMS that meets the requirements arising from the implementation of the NIS 2 Directive while providing practical structures for daily operations.
A new framework for digital stability
With the Bundestag’s decision, Germany moves much closer to the European security framework. The digital infrastructure of government and industry is being realigned. Energy, healthcare, transport, communications, and public administration are aligning workflows, role concepts, and reporting chains. The legislator is opting for a coherent structure that takes both federal and European levels into account.
The state defines clear requirements, restructures responsibilities, and strengthens oversight. Companies organize internal workflows, document risks, and secure communication channels. The country’s digital infrastructure thus receives a foundation that matches the demands of a tense geopolitical situation.
With the Bundestag’s resolution, the political process for implementing the NIS 2 Directive reaches its pivotal point. After the Bundesrat has dealt with the bill and the Federal President has signed it, publication in the Federal Law Gazette follows. From that moment on, a legal framework applies that sets the direction for the coming years.