Since yesterday, new rules for cybersecurity have been in effect in Germany – without a transition period. Around 30,000 companies must now meet stricter security standards. Anyone who doesn’t play along risks fines worth millions and personal liability for management.
The NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), published in the Federal Law Gazette on Friday, implements the corresponding EU directive into national law. The message to Germany’s economy is unmistakable: cybersecurity is now a top priority – with immediate effect.
“Companies need to be compliant from day one,” says an analysis by the Chino.io platform. This “cold start” hits small and medium-sized companies particularly hard. The number of affected companies is increasing from 4,500 to around 30,000 – including, for the first time, areas such as manufacturing, the food industry and waste management.
The Federal Office for Information Security (BSI) is given extensive powers. In the future, the authority will be able to issue binding instructions, order security audits and, in extreme cases, even suspend business licenses or ban managing directors from their activities.
Registration is ongoing: Portal starts in January
Affected companies now face concrete obligations to take action. The BSI has provided for a two-stage registration process:
Immediate action: Companies should immediately set up an account on the “My Company Account” (MUK) platform. The actual BSI reporting portal only opens on 6 January 2026, but preparing early avoids last-minute stress.
Reporting requirements: In the future, a strict three-step plan will apply to significant security incidents: early warning within 24 hours, detailed report after 72 hours, final report after one month. Anyone who misses these deadlines or does not even register will face the same sanctions as for technical violations.
Managing director is personally responsible
The paradigm shift: Cybersecurity is no longer just an IT issue, but rather a non-delegable task for management. Managing directors and board members are personally liable if they do not implement appropriate risk management measures.
The law expressly prohibits companies from waiving this liability or insuring against fines imposed. In this way, the legislature breaks the traditional liability protection of legal entities – management is also liable for cybersecurity violations.
The financial risks are significant: “essential” facilities face fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher. For “important” facilities the limit is 7 million euros or 1.4 percent of turnover.
Medium-sized businesses in a domino effect
Although the law is aimed directly at medium-sized companies (usually with 50 employees or 10 million euros in sales), smaller companies are also feeling the pressure. In the future, regulated companies will have to check the cybersecurity of their suppliers.
This creates a cascade effect: Small software providers, logistics service providers and IT companies that work with customers subject to NIS 2 are already receiving requests to prove their cyber resilience. “Even if an SME is not directly regulated, it may actually be forced to meet the standards – otherwise it will lose its major customers,” observe industry experts.
Support for medium-sized businesses
The Federal Ministry of Economics has launched support offerings: the “FitNIS2 Navigator” and the “ISMS workshop” are intended to help smaller companies analyze their gaps. The “SME.competent.safe” project of the University of Paderborn offers targeted training for medium-sized businesses.
Germany is catching up on the delay
The adoption ends an embarrassing delay: Germany missed the EU implementation deadline of October 17, 2024 by over a year. The rapid entry into force after parliamentary approval on November 13, 2025 shows Berlin’s urgency to avoid further EU infringement proceedings.
Particularly significant: the inclusion of the manufacturing industry draws the heartland of Germany’s medium-sized businesses into a regulatory world that was previously reserved for energy companies and telecom providers.
What happens now
In the coming weeks, the BSI will publish detailed guidelines and industry-specific requirements. Companies should carry out vulnerability assessments by the end of December and prepare for the portal opening on January 6th.
For 2026, experts expect that the first fines will initially be imposed for registration violations. Medium-sized companies also have to prepare for increased audit requests from their major customers – supply chain reviews are expected to gain momentum in the first quarter of 2026.
The era of voluntary cybersecurity is over. Digital resilience is now the law in Germany.
