The implementation of the NIS-2 Directive in Germany – What are the deviations from the NIS-2 Directive?

Published on 5th December 2025

Germany’s NIS-2 Act is in force now narrowing scope and adding a ‘critical’ tier compared to the NIS-2 Directive. With no grace period, companies should prepare now.

On 5 December 2025, the German law transposing the NIS-2 Directive (Directive (EU) 2022/2555, the “NIS-2 Directive”) into national law (the “German NIS-2 Act”) entered into force and is immediately applicable. The purpose of NIS-2 is to reduce vulnerabilities and strengthen the resilience of entities across 18 sectors against cyber threats, focusing on requirements that ensure their cybersecurity.

In this insight, we discuss important and significant deviations of the German NIS-2 Act from the NIS-2 Directive.

What are important and significant deviations of the German NIS-2 Act from the NIS-2 Directive?

Deviations regarding the application scope and regulated entities

The German NIS-2 Act deviates from the terminology of the NIS-2 Directive. Regulated entities under the NIS-2 Directive are divided into “essential” and “important” entities. The German NIS-2 Act uses the terms “very important” and “important” entities.

While this is only a deviation in terminology, the German NIS-2 Act also stipulates that certain business activities of an entity may be left out when assessing its applicability if they can be classified as “negligible” in relation to the entity’s overall business activity. This exception is not provided for under the NIS-2 Directive, and it is not clear whether the German NIS-2 Act properly transposes the NIS-2 Directive in this regard. Furthermore, it will be difficult in practice to reliably assess whether the German NIS-2 Act applies in a specific case, since the explanatory memorandum to the German NIS-2 Act does not clearly define the term “negligible business activity”.

Furthermore, the German NIS-2 Act additionally limits the scope of application by providing that the number of employees, annual turnover and annual balance sheet total of “partner and linked enterprises” will not be counted towards the size thresholds that determine applicability if their IT infrastructure is independent of the entity in question. This, too, might be considered an improper transposition of the NIS-2 Directive and could therefore be challenged before the courts.

Another point of criticism is that municipal institutions are generally excluded from the scope of application. From the perspective of EU law and from the perspective of citizens, this represents a systemic problem that prevents the regulatory effect of the NIS-2 Directive from being fully realised at the state and municipal levels. The NIS-2 Directive does not provide for such a restriction of the scope of application.

Finally, the German NIS-2 Act also introduces “critical entities” as a sub-category of “very important” entities. In this respect, Germany implements the NIS-2 Directive beyond the EU’s requirements. The criteria for determining such “critical entities” will be further specified by the Federal Interior Ministry in a separate regulation that will list the additional entities and thresholds. These thresholds will follow the approach of the existing German framework for critical infrastructures, i.e. the BSI-KritisV. As things stand at present, there will be no substantial changes to the types of critical entities and the thresholds other than those necessary to align the BSI-KritisV with the NIS-2 Directive.

Federal administrative bodies

In deviation from the NIS-2 Directive, the German NIS-2 Act exempts certain federal authorities, IT service providers of the federal administration organised under public law and, in some cases, other corporations, institutions and foundations under public law, as well as their associations, regardless of their legal form, at the federal level (“Federal Administration Bodies”). Federal Administration Bodies can only be considered very important entities if they qualify as critical entities as further specified by the Federal Interior Ministry in a separate regulation. Nevertheless, some rules for very important entities, such as the obligation to implement cybersecurity risk management measures under Section 30 of the German NIS-2 Act, still apply to Federal Administration Bodies by virtue of Section 29 of the German NIS-2 Act. However, they are widely privileged. For example, Federal Administration Bodies are exempt from the implementation, monitoring and training obligations imposed on the management board under Section 38 of the German NIS-2 Act. This raises the critical question of whether there is a consistent level of cybersecurity across the entire federal administration. It would be extremely problematic if security authorities such as the Federal Criminal Police Office (BKA) and the Federal Office for Information Security (BSI) were exempt from mandatory IT baseline protection compliance: these institutions manage sensitive data and play an indispensable role in crisis situations, which is precisely why they need higher security requirements. Industry organisations and other stakeholders have widely criticised this as a serious structural deficit with regard to cybersecurity.

Deviations regarding the duties of covered entities

Cyber risk management measures

The cyber risk management measures that covered entities need to implement under the German NIS-2 Act are very similar to those of the NIS-2 Directive. However, it is important to point out that the Federal Interior Ministry can restrict (very) important entities to using only ICT products, ICT services and ICT processes that are certified under a European cybersecurity certification scheme within the meaning of Article 49 of Regulation (EU) 2019/881. Additionally, very important entities and their industry associations can propose industry-specific cybersecurity standards, which the BSI will review free of charge; once approved, entities applying such a standard have legal certainty that they are fulfilling all relevant cyber risk management measures. A similar rule exists for critical entities, which can also benefit from industry standards reviewed by the BSI. This regulatory approach is not found in the NIS-2 Directive but is permissible under the discretion the Directive leaves to Member States in this matter.

Notification obligations

The mandatory notification obligations under the German NIS-2 Act do not differ significantly from those set out in the NIS-2 Directive, with the following exceptions. In the event of a significant incident, the BSI may order (very) important entities to inform the recipients of their services immediately of a significant incident that could affect the provision of the respective service. Entities from the financial sector, social security institutions, entities responsible for providing basic security for jobseekers, and entities in the digital infrastructure or ICT service management and digital services sectors must immediately inform potentially affected recipients of their services, and the BSI, of any measures or remedial actions the recipients can take in response to a significant cyber threat. These entities must also inform the recipients of the cyber threat itself. These obligations only apply if the interests of the recipients outweigh those of the entity. Under the German NIS-2 Act, the competent authority to which mandatory notifications must be submitted will be set up jointly by the BSI and the Federal Office of Civil Protection and Disaster Assistance (the latter of which, in particular, will be charged with overseeing the implementation of the German Umbrella Act for Critical Infrastructure Protection, i.e. the German law transposing the CER Directive).

Conclusion

In some cases, the German NIS-2 Act may raise the threshold at which companies become subject to the obligations of the NIS-2 Directive. Such a business-friendly approach is generally welcome and may relieve certain medium-sized companies of additional compliance measures. However, it remains to be seen whether the European Commission will challenge the German NIS-2 Act in court, asserting an unlawful deviation from EU law for not correctly implementing the NIS-2 Directive into national law.

Nevertheless, potentially affected companies should not wait to see whether the European Commission will accept such unilateral action. To avoid, among other things, disputes with business partners over supply chain compliance as well as sanctions from German supervisory authorities, affected companies must act now and implement the legal requirements in accordance with the German NIS-2 Act. Implementing these requirements will take significant time and organisational resources, so immediate action is necessary.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.