view all news & events
11/14/2025

German Bundestag passes NIS 2 Implementation Act – companies should become NIS 2 compliant now

The German NIS 2 Implementation Act was finally passed by the Bundestag yesterday, 13 November 2025 (see here). The next step will be for the Bundesrat to deal with the law. The announcement in the Federal Law Gazette and the entry into force of the law are expected by the beginning of 2026 at the latest (!).

Companies that have so far relied on the German legislature to proceed slowly with the legislative process (which, incidentally, is contrary to European law) should therefore address NIS-2 now at the latest and begin implementation. 

With our team, which has supported numerous NIS 2 implementation projects in recent months, we are available to assist companies with all legal issues relating to IT security. We also have a network of technical service providers with whom we can provide interdisciplinary support and implementation for your NIS 2 project as required. We would also like to refer you to our comprehensive white paper, which is available here: see here.

Three points we would like to point out to companies once again: 

  • Companies must check for themselves whether they are affected by the law. The specific applicability check is a legal matter. Contrary to what has been widely reported, the BSI will not publish a list of affected companies. This is essential for management to make the right decision and avoid liability. Our NIS 2 impact tool, which is available here, can serve as an initial assessment: see here.
  • There are no transition periods. Once the law comes into force, all obligations apply, in particular those relating to the implementation of cyber risk management measures, registration with the BSI and the reporting of relevant security incidents to authorities and other bodies. 
  • Even if your company is not directly subject to the NIS2 rules, there is a significantly higher probability that one or more of your customers are subject to them and therefore (must) require all suppliers to be able to document that they are fulfilling their part of cyber resilience. Very few companies are already prepared for such requests, even though they are very important for competitiveness.

For further information, please feel free to contact our team at any time.

    Share

  • LinkedIn
  • XING

Find out today what the legal world will be talking about tomorrow.

Subscribe to newsletter