NIS-2 and BSIG-E: New Security Obligations for Companies

Key Obligations and Cybersecurity Requirements for Companies under the NIS-2 Directive and the BSIG-E

In earlier times, major outages of critical infrastructure were mostly theoretical or served, as in “Die Hard 4.0”, as plot devices for entertaining action movies. The large-scale power outage that occurred on April 28, 2025, on the Iberian Peninsula showed that the dark fantasies of screenwriters and reality are not far apart in a real emergency.

On that day, shortly after noon, Spain’s and Portugal’s power grids largely collapsed within a very short time. Trains and subways across the peninsula came to a halt, traffic lights and control systems failed, and internet, telephone, and mobile networks stopped functioning, just as supermarket cooling and payment systems did. Cash withdrawals from ATMs were no longer possible. Due to the power outage, households had no electricity for lighting or for operating devices such as climate control, televisions, or radios. Electrically powered water and sewage systems were also affected, as were hospitals, which could only continue operating in a limited capacity and for a short time using any available emergency generators.

In the end, 60 million people were directly or indirectly affected by this incident, which lasted several hours. According to official reports, it was not the result of a cyberattack targeting network or information systems.

However, such attacks carry significant potential for damage, as more recent incidents demonstrate. For example, in 2021, the Anhalt-Bitterfeld district had to declare a state of emergency because its IT infrastructure had been almost completely paralyzed by a ransomware attack. As a result, the district was unable to fulfill its statutory duties, such as processing social welfare and maintenance payments. Dozens of gigabytes of important, sometimes sensitive personal data were exfiltrated during the attack, and large amounts of critical data were irretrievably lost. Restoring the systems, where possible at all, took months and cost millions.

Administrations, public and private companies, and institutions – referred to in NIS-2 jargon as “essential and important entities” – are increasingly becoming targets of cyberattacks aimed at their information and network technology. Such attacks can have serious consequences not only for the organizations themselves but also for those dependent on them. Even a fatality has now been linked to a cyberattack. After ransomware almost completely disabled the IT systems of Düsseldorf University Hospital, the emergency department could no longer operate. A critically ill patient had to be transported to a more distant hospital, where it is assumed that the delayed start of treatment led to her death.

Current Legal Situation

Against this background and with these prospects, the EU has dedicated an entire set of regulations to the area of “cybersecurity.” Each of these legal acts, with its specific focus, aims to increase the resilience of critical infrastructure against existing risks and to mitigate the consequences of incidents that occur.

NIS 2 Directive

The best-known directive is likely Directive 2022/2555 on measures for a high common level of cybersecurity in the Union, better known as NIS‑2.

Its prominence is largely due to the fact that, unlike, for example, the regulation covering only the financial sector – Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act, or DORA) – NIS‑2 alone affects around 30,000 entities in Germany across nearly 20 sectors that are crucial for the functioning of modern societies. This makes NIS‑2 significantly broader in scope than the previous NIS‑1 directive.

Whereas NIS‑1 applied to entities in seven sectors – energy, transport, banking, financial market infrastructures, healthcare, drinking water supply, and digital infrastructure – that provided services essential for maintaining critical societal and/or economic activities, the NIS‑2 directive now imposes obligations on a wide range of entities in the sectors:

  • Energy

  • Transport

  • Banking

  • Financial market infrastructures

  • Healthcare

  • Drinking water

  • Wastewater

  • Digital infrastructure

  • ICT service management

  • Public administration

  • Space

  • Postal and courier services

  • Waste management

  • Production

  • Manufacture and trade of chemicals

  • Food production, processing, and distribution

  • Manufacturing/production of goods

  • Providers of digital services

  • Research

Regardless of size, at least the following entities are subject to the obligations of the NIS‑2 directive:

  • Providers of public electronic communication networks

  • Providers of publicly available electronic communication services

  • Providers of trust services

  • Top-level domain name registries

  • Providers of domain name system (DNS) services

  • Providers of domain name registration services

This is logical, as these services form the backbone of modern societies, in which nothing functions without information processing (servers, computers, smartphones, apps, emails) and the transmission of information through networks (especially via the Internet).

As a result, even micro-enterprises in these areas may have obligations under NIS‑2. Otherwise, the directive includes a so-called “size cap,” excluding companies with fewer than 50 employees and an annual turnover or balance sheet total not exceeding EUR 10 million from its scope.

BSIG-E in the NIS2UmsuCG

As a directive, NIS-2 must be transposed into national law by the member states; the deadline for doing so was October 17, 2024. Germany is (as of the end of October 2025) behind schedule. The draft NIS-2 Implementation and Cybersecurity Enhancement Act (NIS2UmsuCG for short), which was introduced into the legislative process to transpose the directive, has not yet been formally enacted as law, even in its latest iteration of July 25, 2025.

The draft is a so-called “article law,” through which the legislator intends to bring German law into alignment with the requirements of NIS-2 by amending more than 20 laws. Whether this will succeed remains to be seen. In certain points, the German legislator deviates from the specifications set by NIS-2, which could result in at least partial non-compliance with European law. Unfortunately, this particularly concerns the concrete implementation of the size caps. As a result, it could be difficult for some entities to assess whether they fall under the obligations of NIS-2.

The vast majority of the draft implementation law is taken up by the proposed revision of the Act on the Federal Office for Information Security and on the Security of Information Technology of Entities (BSI Act or BSIG for short), referred to in its draft form as the BSIG-E.

Essential obligations in NIS-2 and BSIG-E

In the future BSIG, the essential obligations imposed on the entities falling within the scope of the NIS-2 Directive will be regulated. These are:

  • Risk management,

  • Reporting obligations, and

  • Implementation, monitoring, and training obligations for management, as described under “governance” in the NIS-2 Directive.

In addition, an entity may also be required to register with the competent authorities, provide proof of measures taken, and inform the recipients of its services about any security incidents, among other things.

Risk Management

Within the framework of risk management, essential and important entities are required to take appropriate technical, operational, and organizational measures to manage the security of the network and information systems used for their services, to prevent security incidents and, if incidents occur despite these measures, to minimize their impact. The entity is not required to implement every conceivable or available measure; in other words, it does not have to “use a sledgehammer to crack a nut.” Measures can be limited to those that are proportionate. A measure can be considered proportionate if the cost of implementation does not appear unreasonably high, taking into account the entity’s risk exposure and size, the likelihood of security incidents occurring and their severity (particularly their societal and economic impact), and the state of the art and/or existing standards and norms.

Entities that have not previously dealt with cybersecurity do not need to start from scratch when identifying appropriate measures. The future BSIG and the NIS-2 Directive themselves list a range of measures and aspects that entities must consider, including:

  • Concepts regarding risk analysis and information system security,

  • Management of security incidents,

  • Business continuity, such as backup management and recovery after emergencies, and crisis management,

  • Supply chain security, including security-related aspects of relationships between entities and their immediate suppliers or service providers,

  • Security measures during the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure,

  • Concepts and procedures to assess the effectiveness of cybersecurity risk management measures,

  • Basic cyber hygiene procedures and cybersecurity training,

  • Concepts and procedures for the use of cryptography and, where applicable, encryption,

  • Personnel security, access control concepts, and asset management, and

  • Use of multi-factor or continuous authentication solutions, secured voice, video, and text communication, and, where necessary, secured emergency communication systems within the entity.

Additionally, the Implementing Regulation (EU) 2024/2690 explicitly lists further measures for certain entities, which they must implement, including:

  • DNS service providers,

  • TLD registries,

  • Cloud computing providers,

  • Data center service providers,

  • Content delivery network operators,

  • Managed service providers,

  • Managed security service providers,

  • Online marketplace providers,

  • Online search engines and social networking service platforms, and

  • Trust service providers.

Operators of critical infrastructures are also required to implement intrusion detection systems.

Some of these measures are almost self-evident. For instance, every entity should have the capability and resources to identify and analyze existing risks, if only to assess the proportionality of other measures. Likewise, entities should have considered how to manage security incidents and have created plans and concepts to maintain operations during crises or resume them as quickly as possible. Since a ransomware incident can quickly destroy a business, backup and recovery management plans are likely already a standard part of organizational culture.

Those wondering why supply chain security and measures during the acquisition, development, and maintenance of networks and information systems are important should recall the consequences of carelessly purchased pagers or the Stuxnet malware incident. After Microsoft inexplicably blocked the email account of the Chief Prosecutor of the International Criminal Court (ICC), every authority and company should consider whether it can operate without (Microsoft-administered) email and for how long, if necessary.

Just as handwashing is a simple hygiene measure that keeps us healthy, there are cyber hygiene measures that keep IT and networks safe from threats or at least reduce “infection risks.” These include, for example:

  • Software and hardware updates,

  • Password changes,

  • Management of new installations,

  • Restricting administrator-level accounts, and

  • Data backups.

Risks arising from employees – usually due to lack of knowledge – should be minimized through training. Such training raises awareness of cyber threats, cybersecurity practices, phishing, and social engineering techniques.

In practice, entities often rely on requirements and implementation guidance set out in established standards such as ISO 27001/27002 or BSI Basic Protection.

Reporting and Notification Obligations

It is particularly important not only to implement risk management measures but also to behave correctly in the event of a security incident that occurs despite all precautions.

If an event occurs that affects the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the services offered or made accessible by the organization via network and information systems, and this could cause significant material or immaterial damage to others (natural or legal persons), the organization must act immediately. Specifically:

  • Within 24 hours of becoming aware of the incident, an early initial report must be submitted (under the BSIG-E to a joint reporting office set up by the Federal Office and the Federal Office for Civil Protection and Disaster Assistance). The report must indicate whether there is suspicion that the significant security incident was caused by unlawful or malicious actions or could have cross-border effects.

  • Within 72 hours of becoming aware of the incident, the organization must submit a follow-up report. This report must confirm or update the information provided in the initial report and provide a first assessment of the incident, including its severity and impact, and, where applicable, indicators of compromise.

  • One month after submitting the follow-up report, the organization must submit a final report, which must include:

    • A detailed description of the security incident, including its severity and impact.

    • Information on the type of threat or its underlying cause that likely triggered the security incident.

    • Details of remedial measures taken and ongoing mitigation efforts.

    • If applicable, cross-border impacts of the security incident.

Similar to the GDPR, where under certain circumstances both the supervisory authority and affected parties must be informed of a security incident, an organization may not only be obliged to report the security incident to the reporting office but also to immediately inform recipients of its services. Under the BSIG-E, however, this requires a corresponding order from the BSI.

If the incident occurs at an organization in sectors such as finance, social security institutions, basic unemployment benefits, digital infrastructure, management of IT services, or digital services, the organization may also be required to immediately inform potentially affected service recipients and the BSI about all measures or remedial actions that these recipients can take in response to the threat.

Governance

To ensure that cybersecurity within organizations does not depend on chance, the NIS‑2 Directive and the future BSIG (assuming the current draft is enacted into law) impose obligations on the governing bodies of organizations. These obligations aim to make cybersecurity a topic that is actively practiced, taken seriously, and, most importantly, understood within the organization.

The chosen approach is to assign direct responsibility for cybersecurity to the governing bodies. In the future, they must approve the measures taken by the organization, more precisely, by the responsible specialists within the organization, and then oversee their implementation. To enforce these duties, the NIS‑2 Directive stipulates that governing bodies can be held personally accountable for damages resulting from lapses. Whether only the organization itself can seek recourse from its governing body or whether external parties may also hold the governing bodies liable remains to be seen. The wording of the NIS‑2 Directive supports both interpretations, while the BSIG‑E appears to favor the first.

To ensure that governing bodies have the expertise needed to fulfill these responsibilities, they must participate in regular training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in IT security, as well as to evaluate the impact of risks and risk management practices on the services provided by the organization.

Unfortunately, the BSIG‑E does not include the NIS‑2 requirement that organizations provide employees with opportunities to participate in corresponding training. Instead, employee training is treated as a simple risk management measure, leaving it to the discretion of each organization. How effective this will be, and whether the omission of employee training is legally defensible, will become clearer based on the frequency and causes of future cybersecurity incidents as well as supervisory practice.

Fines

In numerous cases where an entity fails to meet its obligations, the current draft of the BSIG foresees substantial fines. These can reach up to €10 million for particularly critical entities and €7 million for important entities. For organizations with annual revenues exceeding €500 million, the fine framework – similar to what is already known from the GDPR – is to be calculated as a percentage of the revenue, with a maximum of 2% for particularly critical entities and 1.4% for important entities.

The highest fines apply to entities that fail to take the necessary measures to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes they use to provide their services, and to mitigate the impact of security incidents. This is logical, as such violations carry the highest risks for all parties involved.

An entity is also subject to fines if it does not document its implemented risk management measures or fails to report security incidents to the competent authority through the required initial, update, and final reports.

In addition, there are numerous other grounds for fines linked to violations of the many other obligations imposed on entities by the NIS‑2 Directive and the BSIG‑E.

Conclusion

The NIS‑2 Directive and the forthcoming BSIG‑E mark a turning point in cybersecurity regulation in Germany and Europe. For the first time, numerous medium-sized and public entities are required to bring their technical, organizational, and personnel security structures up to a uniformly high standard. Cybersecurity thus becomes a management responsibility, accompanied by clear liability risks for executive leadership.

Those who establish effective risk management, clear reporting processes, and regular training early on are not only prepared for future legal obligations but also strengthen their own resilience against cyberattacks.

Our law firm has recognized expertise in IT law and data protection law and supports companies in preparing in a timely and legally compliant manner for the new requirements, thereby investing effectively in their own cybersecurity today.

Contact us if you would like to determine whether your company is affected by the NIS‑2 Directive and which concrete steps you can already take to ensure compliant implementation.
