29.07.2025
NIS2 implementation is coming: German government aims for entry into force by early 2026
The process of implementing the EU NIS2 Directive into German law is gathering pace. A concrete plan for its implementation is finally on the table. However, many companies still seem to underestimate its significance. Read on to find out what needs to be done now.

Dr. Jan Scharfenberg
Director Information Security
Specific timeframe for NIS2 implementation in Germany
According to media reports, plans to implement the EU's NIS2 Directive into German law in the form of the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) are taking shape.
Claudia Plattner, President of the Federal Office for Information Security (BSI), told the German Press Agency:
"I am hopeful that we will be able to enact it at the beginning of 2026."
This finally provides a realistic target date for the NIS2 Implementation Act to take effect nationally. Preparations are already underway at the Federal Ministry of the Interior, and the first associations and federal states have been consulted.
The EU Commission is also exerting pressure; on 28 November 2024, it initiated infringement proceedings against Germany due to the delay in implementing the directive.
This was followed on 7 May 2025 by an official reasoned opinion. Germany was asked to respond within two months; otherwise, it would face financial sanctions or referral to the European Court of Justice.
More companies will be affected than ever before
The implementation of NIS2 will dramatically increase the number of organisations affected, from around 4,500 to around 29,000. According to Plattner, many companies are still unaware of their future responsibilities. She therefore urges them to address the issue at an early stage.
What should companies do now?
The requirements of the NIS2 Directive are complex, but can be met through early planning. The following steps will help you get started:
1. Clarify whether you are affected
Whether your company falls under the NIS2 Directive depends on various factors, such as industry, company size, and turnover. In many cases, this can be determined by answering a few questions, for example using our online check.
2. Define responsibilities
Who is responsible for NIS2 in your company? Initial responsibilities could lie with management, IT management or the compliance team, for example. Clarity at an early stage saves a lot of time later on.
3. Get oriented
Get an overview of the typical requirements that NIS2 will impose on you. These include, among other things:
- Risk analyses and risk management
- Appropriate technical and organisational security measures
- Reporting obligations in the event of security incidents
Do you require assistance with NIS2 implementation?
If you require assistance with any of these steps, we would be pleased to discuss your requirements with you personally. Now is the right time to prepare – before NIS2 becomes law.
Non-binding initial consultation about the implementation of NIS2
- Detailed analysis: A thorough examination of all IT security processes to clearly identify risks and vulnerabilities.
- Effective action plan: A concrete, prioritised plan outlining the steps required to meet NIS2 requirements.
- Sustainable IT security: A long-term strategy that closes current security gaps and protects your organisation against future threats.