Is my company affected by the new German NIS-2 law starting today?
As of today, December 6, 2025, the grace period regarding the EU NIS-2 Directive has officially expired for German organizations. The “Law Implementing the NIS-2 Directive and Regulating Essential Principles of Information Security Management in the Federal Administration” is now active. Following the publication in the Federal Law Gazette yesterday, this legislation mandates immediate adherence to stricter cybersecurity protocols.
Your organization must act now. The time for preparation has passed; the time for compliance is here.
Understanding the Mandate
The NIS-2 (Network and Information Security) directive establishes a rigorous baseline for cybersecurity across the European Union. It standardizes security requirements to ensure resilience against cyber threats. This legislation specifically targets operators of critical infrastructure (KRITIS) and other essential entities.
If your organization operates within sectors such as energy, transport, healthcare, or digital infrastructure, it likely falls within the scope of the law. The law enforces two primary obligations:
- Risk Management: You must implement technical and organizational measures to secure network and information systems.
- Incident Reporting: You are legally obligated to report significant cyber threats and incidents to national authorities promptly.
The Path to Ratification
Germany delayed this implementation significantly. While the European Union required member states to transpose NIS-2 into national law by October 2024, domestic political instability, specifically the collapse of the coalition government in late 2024, stalled the process.
The timeline of the recent expedited ratification is as follows:
- November 13, 2025: The German Bundestag passed the draft law.
- November 21, 2025: The Bundesrat granted approval.
- December 5, 2025: The law was published in the Federal Law Gazette.
- December 6, 2025: The law entered into force.
The EU Commission previously threatened infringement proceedings due to this delay, pressuring German legislators to finalize the act rapidly.
Immediate Action Items for IT Managers
You need to verify your compliance status immediately. The Federal Office for Information Security (BSI) serves as the central authority for this transition.
Conduct an Impact Assessment
Use the BSI’s impact assessment check to determine whether your specific infrastructure is classified as an essential or important entity under the new law.
Monitor the Reporting Portal
The BSI is establishing a central portal for reporting security incidents. While registration is not yet open, you must monitor official BSI channels to register as soon as the system goes live.
Consult OpenKRITIS
For detailed breakdowns of affected sectors and specific obligations, refer to the OpenKRITIS repository.
Do not treat this as a bureaucratic formality. This legislation imposes liability on management for non-compliance. Prioritize your security audit today.