Germany is one of the largest NIS2 markets in the EU and has one of the most developed national cybersecurity regulatory frameworks. The NIS2 transposition is implemented through the IT-Sicherheitsgesetz (IT Security Act) framework, supervised by the Bundesamt für Sicherheit in der Informationstechnik (BSI). For companies with German operations, understanding the BSI's specific requirements and enforcement approach is essential.
Germany's NIS2 Transposition: KRITIS-DachG
Germany transposed NIS2 into national law through the KRITIS-DachG (Kritis-Dachgesetz) — the Federal Law on Critical Infrastructures. This law implements both NIS2 and CER (Critical Entities Resilience) Directive requirements.
Key features of the German implementation:
- Expanded scope: Germany applied NIS2 to a broader set of entities than the directive's minimum, including additional manufacturing and logistics sectors
- Lower size thresholds in some sectors: Germany designated specific facilities as KRITIS (critical infrastructure) regardless of headcount or turnover
- BSI as primary authority: The BSI is the central competent authority for NIS2 in Germany, with sector-specific co-regulation in energy (BNetzA), finance (BaFin), and transport
BSI Registration
All NIS2-in-scope entities operating in Germany must register with the BSI. Registration includes:
- Company name, legal form, registered address
- Contact person for cybersecurity matters (name, email, phone)
- Sector classification under German KRITIS-DachG
- Description of the services provided
- Technical identifiers (IP ranges for internet-facing systems)
The BSI's registration portal is accessible at the BSI website. Registration is mandatory — failure to register is a violation enforceable with fines.
BSI Security Requirements: The IT-Grundschutz Framework
The BSI publishes the IT-Grundschutz (IT Baseline Protection) methodology — Germany's national information security standard. For NIS2-compliant German entities, the IT-Grundschutz is the recommended framework for implementing required security measures.
The IT-Grundschutz Compendium provides:
- Standard security measures (Basis-Absicherung) for general-purpose systems
- Core protection (Kern-Absicherung) for high-value/high-risk systems
- Full protection (Standard-Absicherung) for the full range of systems
For NIS2 purposes, the Standard-Absicherung level is expected for essential entities. The BSI audits compliance against this standard.
ISO 27001 with BSI certification: The BSI offers ISO 27001 certification based on IT-Grundschutz — this is a German-specific certification that demonstrates BSI-aligned security management. It is considered strong evidence of NIS2 compliance in Germany.
Incident Reporting to the BSI
German entities must report significant incidents to the BSI:
24-hour early warning: A preliminary notification to the BSI within 24 hours.
72-hour report: A detailed incident notification within 72 hours — using the BSI's standardised reporting format (available on the BSI website).
Final report: Within one month of the incident.
The BSI operates a 24/7 incident reporting hotline for critical infrastructure incidents. Contact details are provided during registration.
Sector-specific additional requirements:
- Energy incidents: also notify BNetzA
- Financial incidents: also notify BaFin
- Healthcare incidents: also notify regional health authorities
BaFin's NIS2 Application for Financial Services
Germany's financial regulator BaFin applies NIS2 requirements alongside DORA. German banks, payment institutions, and financial market infrastructure operators must comply with:
- NIS2 security measures
- DORA operational resilience requirements
- BaFin's own circulars on IT risk management (Bankaufsichtliche Anforderungen an die IT, BAIT)
BAIT requirements largely overlap with NIS2 — companies compliant with BAIT are well-positioned for NIS2 in the financial sector. But DORA adds specific requirements (ICT risk framework, third-party register, TLPT) that go beyond both.
German Data Protection and NIS2 Intersection
Germany has a strong data protection culture and enforcement through both the federal Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) and 16 state data protection authorities (Landesdatenschutzbehörden).
When a NIS2 incident involves personal data, two separate notifications may be required:
- BSI for the NIS2 incident
- Relevant data protection authority for the GDPR breach
For large enterprises, the state DPA (e.g., Berliner Beauftragte für Datenschutz und Informationsfreiheit, LfDI Baden-Württemberg) is typically the lead authority for GDPR in Germany. Both notifications must be made within their respective timeframes.
Key Contacts and Resources
- BSI: bsi.bund.de — registration, incident reporting, IT-Grundschutz documentation
- BNetzA: bundesnetzagentur.de — energy and telecoms sector NIS2
- BaFin: bafin.de — financial sector NIS2 / DORA
- IT-Grundschutz Compendium: Available on the BSI website, updated annually