Briefing | Germany’s NIS2 Implementation Act

Written by YPOG | February 18, 2026

A Harmonised Regulatory Framework

As Europe actively reshapes its digital landscape through the Data Act and the AI Act, the underlying security architecture is being systematically reinforced. The NIS2 Directive marks a significant transition, moving the EU from a fragmented patchwork of security rules to a harmonised, high-level standard. Germany has now transposed this into national law via the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), effectively amending the BSI Act (BSIG). For tech companies, this confirms that cybersecurity has shifted from a technical safeguard to a core element of corporate governance.

What is Changing?

Scope: From 'Critical' to a Sector- and Size-Based Classification System

The most immediate impact of the NIS2UmsuCG is the significant expansion of its personal and material scope. Previously, regulation focused primarily on operators of critical infrastructure (KRITIS). The new legal framework applies to a much broader range of entities. The regulatory objective has expanded from protecting the population against disruptions of essential services to comprehensively protecting the entire supply chain against cyberattacks, increasing the number of regulated entities in Germany from approximately 4,500 to an estimated 30,000.

Companies operating in sectors such as digital providers and infrastructure, energy, finance, or manufacturing will generally fall into one of two new categories based on the following thresholds:

  • Essential Entities (Besonders wichtige Einrichtungen - § 28 I BSIG): Enterprises with at least 250 employees or an annual turnover exceeding EUR 50 million and a balance sheet total of more than EUR 43 million. This category also includes specific high-criticality sectors regardless of size (e.g., DNS service providers).

  • Important Entities (Wichtige Einrichtungen - § 28 II BSIG): Enterprises with at least 50 employees or an annual turnover and balance sheet total exceeding EUR 10 million.

For many tech-driven companies, these thresholds are reached quickly, making an early assessment of the specific "size cap" rules essential. Group companies should note that the employees, turnover and balance sheet of partner enterprises generally count towards these thresholds as well.

It is also important to note that the German implementation of the NIS2 Directive brought with it a Germany-specific exemption: when assessing whether a company operates in an in-scope sector, business activities that make up only a negligible share of the overall business may be disregarded (vernachlässigbare Geschäftstätigkeiten - § 28 III BSIG). While this can potentially provide a much-needed limitation of the very broad scope, its vagueness makes it very hard and risky for companies to self-assess a possible exemption.

Deep Dive: The Core Obligations

A passive approach to compliance is no longer sufficient. The legislation imposes immediate duties that require operational restructuring:

Registration and the ‘MUK’ Portal: The regulatory framework requires affected entities to proactively register with the Federal Office for Information Security (BSI). This is facilitated through a two-step process on the "My Business Account" (MUK) digital service. The BSI strongly recommended completing this registration by the end of 2025 to ensure full operational readiness.

Risk Management & Management Liability: Pursuant to § 38 BSIG, compliance is now a primary C-suite responsibility that requires regular, documented training. § 30 BSIG mandates the implementation of appropriate technical and organisational measures (TOMs) to manage security risks, including security in relation to direct suppliers and service providers (§ 30 II No. 4 BSIG). Crucially, management bodies (e.g., Managing Directors) are explicitly responsible for approving and overseeing these measures and their implementation. Failure to do so can result in direct personal liability, a regulatory mechanism designed to ensure cybersecurity is treated with the same rigour as financial auditing.

The Multi-Stage Reporting Obligations: The timeline for reporting significant incidents has been drastically compressed to ensure rapid threat intelligence sharing across the EU.

  • Initial Notification: Must be submitted within 24 hours of becoming aware of a significant incident.

  • Situation Update: A detailed assessment is due within 72 hours.

  • Final Report: A comprehensive analysis must be submitted within one month.

Enforcement and Sanctions

The BSI has been granted expanded supervisory powers, including the authority to order technical audits and impose operational restrictions. Financially, the stakes are high: § 65 BSIG establishes a tiered sanctions regime with fines reaching up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher, for severe breaches.

Supporting your Compliance Transition

Navigating the transition from an unregulated entity to an "Important Entity" requires legal precision and technical understanding. A "wait and see" strategy carries significant liability risks for businesses and management bodies. Our practice specialises in guiding high-growth tech companies through this regulatory shift. We provide support with:

  • Applicability Assessments: A definitive legal verification of whether your specific business model and size fall under the new NIS2UmsuCG/NIS2 scope.

  • Gap Analysis & Roadmaps: Reviewing existing security standards and processes against the new statutory requirements to identify key areas requiring attention.

  • Governance & MUK Support: Assistance with mandatory Management Board Risk Resolution and guidance through the "My Business Account" registration process.

  • Supplier and Service Provider Management: Assistance with drafting and negotiating contract addenda to ensure obligations are passed down throughout the supply chain.

  • Incident Response Playbooks: Development of legal workflows to ensure adherence to the strict 24-hour and 72-hour reporting deadlines.

Strategic Outlook

For high-growth tech companies, NIS2 compliance is not merely a legal hurdle; it is a prerequisite for participating in the premium B2B supply chain. Enterprise clients will increasingly require NIS2 compliance from their vendors as part of their own supply chain security obligations. We can help you transform this regulatory requirement into a competitive advantage based on trust and integrity.