
The implementation of NIS-2 in Germany – What are the deviations from NIS-2?

Published on 5th December 2025

Germany’s Transposition Law narrows scope and adds a ‘critical’ tier; with no grace period, companies should prepare now.


The NIS-2 Directive (Directive (EU) 2022/2555, “NIS-2”) aims to reduce vulnerabilities and strengthen the resilience of entities across 18 sectors against cyber threats, and sets out requirements intended to ensure their cybersecurity.

Following a half-hour debate on 13 November 2025, the German Parliament (Bundestag) approved the Government’s new draft of the NIS-2 transposition law, including the latest changes made by the Interior Committee (the “German Transposition Law”). The Federal Council (Bundesrat) approved this draft on 21 November 2025, and the law entered into force on 5 December 2025. There is no grace period: the obligations apply from that date.

In this insight, we discuss important and significant deviations of the German Transposition Law from NIS-2.

What are important and significant deviations of the German Transposition Law from NIS-2?

Deviations regarding the application scope and regulated entities

The German Transposition Law deviates from the terminology of NIS-2. NIS-2 divides regulated entities into “essential” and “important” entities; the German Transposition Law uses the terms “very important” and “important” entities instead.

While that is merely a difference in terminology, the German Transposition Law also stipulates that certain business activities of an entity may be disregarded when assessing whether the law applies to it, provided they can be classified as “negligible” in relation to the entity’s overall business activity. NIS-2 provides no such exception, and it is unclear whether the German Transposition Law properly transposes NIS-2 in this regard. In practice it will also be difficult to assess reliably whether the law applies in a given case, because the explanatory memorandum to the German Transposition Law does not clearly define the term “negligible business activity”.

The German Transposition Law further limits the scope of application by providing that the number of employees, annual turnover and annual balance sheet total of “partner and linked enterprises” are not counted towards the size thresholds that determine applicability if their IT infrastructure is independent of the entity in question. This too might be regarded as an improper transposition of NIS-2 and could therefore be challenged before the courts.

Another point of criticism is that municipal institutions are generally excluded from the scope of application. NIS-2 provides for no such restriction. From the perspective of EU law, and from the perspective of citizens, this is a systemic problem that prevents the regulatory effect of NIS-2 from being fully realised at the state (Länder) and municipal levels.

Finally, the German Transposition Law introduces “critical entities” as a sub-category of “very important” entities. In this respect Germany implements NIS-2 beyond the EU’s requirements. The criteria for determining such “critical entities” will be specified by the Federal Interior Ministry in a separate regulation listing additional entities and thresholds. These thresholds will follow the approach of the existing German framework for critical infrastructures, the BSI-KritisV. As things stand, there will be no substantial changes to the types of critical entities and the thresholds beyond what is necessary to align the BSI-KritisV with NIS-2.

Federal administrative bodies

In deviation from NIS-2, the German Transposition Law carves out certain federal authorities, IT service providers of the federal administration organised under public law and, in some cases, other corporations, institutions and foundations under public law at the federal level, as well as their associations, regardless of legal form (“Federal Administration Bodies”). Federal Administration Bodies can only be classified as very important entities if they qualify as critical entities under the separate regulation to be issued by the Federal Interior Ministry. Nevertheless, under Section 29 of the German Transposition Law some of the rules for very important entities, such as the obligation to implement cybersecurity risk management measures under Section 30, still apply to Federal Administration Bodies. They are, however, widely privileged: for example, Federal Administration Bodies are exempt from the management board’s implementation, monitoring and training obligations under Section 38 of the German Transposition Law. This raises the critical question of whether a consistent level of cybersecurity exists across the entire federal administration. It would be extremely problematic if security authorities such as the Federal Criminal Police Office (BKA) and the Federal Office for Information Security (BSI) were exempt from mandatory IT baseline protection (IT-Grundschutz) compliance: these institutions manage sensitive data and play an indispensable role in crisis situations, which is precisely why they need higher security requirements. Industry organisations and other stakeholders have widely criticised this as a serious structural deficit in cybersecurity.

Deviations regarding the duties of covered entities

Cyber risk management measures

The cyber risk management measures that covered entities must implement under the German Transposition Law closely track those of Article 21 of NIS-2. It is worth noting, however, that the Federal Interior Ministry may restrict (very) important entities to ICT products, ICT services and ICT processes that are certified under a European cybersecurity certification scheme within the meaning of Article 49 of Regulation (EU) 2019/881 (the Cybersecurity Act). In addition, very important entities and their industry associations may propose industry-specific cybersecurity standards, which the Federal Office for Information Security (“BSI”) will review free of charge; entities that apply a standard approved by the BSI then have legal certainty that they are fulfilling all relevant cyber risk management measures. A similar rule exists for critical entities, which can likewise rely on industry standards reviewed by the BSI. NIS-2 itself does not provide for this mechanism, but it is permissible within the discretion Member States have when transposing the Directive into national law.

Notification obligations

The mandatory notification obligations under the German Transposition Law do not differ significantly from those set out in NIS-2, with the following exceptions. In the event of a significant incident, the BSI may order (very) important entities to inform the recipients of their services immediately of any significant incident that could affect the provision of the respective service. Entities from the financial sector, social security institutions, entities responsible for providing basic income support for jobseekers, and entities in the digital infrastructure sector or the management of ICT services and digital services must immediately inform potentially affected recipients of their services, as well as the BSI, of any measures or remedial actions the recipients can take in response to a significant cyber threat. These entities must also inform the recipients of the cyber threat itself. These obligations apply only if the interests of the recipients outweigh those of the entity. Under the German Transposition Law, the reporting office to which mandatory notifications must be submitted will be set up jointly by the BSI and the Federal Office of Civil Protection and Disaster Assistance (BBK); the BBK will in particular be charged with overseeing the implementation of the German Umbrella Act for Critical Infrastructure Protection (KRITIS-Dachgesetz), i.e. the German transposition of the CER Directive (Directive (EU) 2022/2557).

Conclusion

In some cases, the German Transposition Law may raise the threshold at which companies become subject to the obligations of NIS-2. Such a business-friendly approach is generally welcome and may relieve certain medium-sized companies of additional compliance measures. However, it remains to be seen whether the European Commission will challenge the German Transposition Law before the Court of Justice of the EU on the ground that it does not correctly implement NIS-2 into national law.

Nevertheless, potentially affected companies should not wait to see whether the European Commission accepts this unilateral approach. To avoid, among other things, disputes with business partners over supply chain compliance as well as sanctions from the German supervisory authorities, affected companies must act now and implement the requirements of the German Transposition Law. Implementing these requirements will take significant time and organisational resources, so immediate action is necessary.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?