The NIS 2 Directive became binding in Germany on 6 December 2025, transposed through the NIS2UmsuCG. Unlike some EU regulations, it arrived without a transition period. If your organisation is in scope, the obligations apply now.
Management can be held personally liable for compliance failures under the NIS2UmsuCG. This is written into the law.
Are you in scope?
NIS 2 applies to organisations operating in covered sectors with at least 50 employees or annual turnover exceeding EUR 10 million. Covered sectors include energy, transport, healthcare, digital infrastructure, IT service providers, managed security services, manufacturing, and food production.
The NIS2UmsuCG applies different obligation levels to essential entities and important entities. Your classification determines both the measures required and the potential penalties for non-compliance.
What the law requires
Article 21 of the Directive sets out minimum security measures, including: risk analysis policies, incident handling procedures, business continuity and crisis management, supply chain security, security in system acquisition and development, cryptography policies, human resources security, access control, and multi-factor authentication.
Incident reporting
A significant incident must be reported to the BSI within 24 hours of the organisation becoming aware of it. A full notification follows within 72 hours, and a final report is due within one month. These are enforceable deadlines, not targets.
What to do first
The starting point is entity classification. Determine whether your organisation falls into the essential or important category and confirm which specific measures apply. A structured gap analysis against Article 21 measures will identify what is in place and what is missing.
AuditVantage provides NIS 2 classification support, gap analysis, and implementation roadmaps for organisations across Germany and the EU. Get in touch to arrange a discovery call.