
NIS-2 Is Here – What Now?

Impact assessment, registration process, and concrete action steps: What organizations need to know about NIS-2 implementation.

December 17, 2025


With the entry into force of the NIS-2 Implementation Act (NIS2UmsuCG) on December 6, 2025, a significant turning point has been reached for many organizations in Germany. Significantly more organizations than before must now comply with the new cybersecurity regulations. The requirements are comprehensive: from clear reporting obligations for security incidents to detailed provisions for risk management.

Many decision-makers are now asking themselves the same question: Does NIS-2 apply to my organization and what do I need to do specifically?

What Organizations Need to Consider in 2025 Regarding the NIS-2 Implementation Act

The implementation of the NIS-2 Directive is not simply a new law in the Federal Law Gazette, but a fundamental realignment of cybersecurity in Germany. The BSI (Federal Office for Information Security) and other supervisory authorities are establishing a framework that extends far beyond traditional KRITIS sectors. The scope of application has been deliberately expanded. Not only operators of critical facilities, but also numerous important and particularly important entities, regardless of their size, now fall under the new regulations. Organizations that have not previously operated in the critical infrastructure environment must now assess whether they are among the affected entities. And those who are affected must respond within a short timeframe.

What does this mean in practice? Organizations must prepare for information security to be more heavily regulated, more strictly monitored, and more closely integrated with other requirements such as the Digital Operational Resilience Act (DORA) in the future. The legislator aims to achieve genuine harmonization, not only between the NIS-2 Implementation Act and the KRITIS Umbrella Act, but across all sectors.

Am I an “Important” or “Particularly Important” Entity?

As part of the implementation of the NIS-2 Directive and the planned NIS-2 Implementation Act, organizations must assess whether they fall within the scope of NIS2. Key factors include the sector (critical infrastructure, digital infrastructure, commerce, managed services) as well as thresholds such as employee count, annual revenue, and size of the entity. A detailed list of affected sectors can be found in Annexes 1 and 2 of the corresponding BSI publications. Regardless of their size, certain operators of critical facilities or critical infrastructure organizations can be classified as particularly important entities.

Organizations already classified as KRITIS organizations are automatically classified as particularly important entities through harmonization with the KRITIS Umbrella Act. Affected organizations receive support in classification and implementation of NIS-2 Directive requirements, as well as in implementing essential principles of information security management for both federal government entities and private sector organizations.

If you are unsure whether your organization falls under the NIS2 Implementation Act or is among the affected entities, now is the right time to conduct an impact assessment. The official NIS-2 impact assessment from the BSI can be used for this purpose. For further questions or support needs, our experts at SCHUTZWERK are happy to provide advisory assistance.

What Obligations Now Apply to Organizations Under NIS-2

With the entry into force of the NIS-2 Implementation Act, affected entities face several key obligations. These include, in particular, reporting obligations for security incidents:

  • Registration with the digital service “Mein Unternehmenskonto” (MUK) as the central access point to digital government services.
  • Registration in the newly developed BSI portal, which will be activated from early January 2026 and serves, among other things, as a reporting point for significant security incidents.
  • Introduction, documentation, and compliance with risk management measures as well as technical and methodological requirements for information security management.

These obligations complement existing standards such as ISO 27001, IT-Grundschutz, as well as industry-specific security measures and requirements. Supervisory authorities establish reporting obligations and can impose sanctions for non-compliance. Management is responsible for ensuring compliance.

The New Registration Process: MUK and BSI Portal

For all affected organizations in Germany, NIS-2 registration begins with a two-step process that covers both identification and reporting of security incidents. A prerequisite is a German tax number, which is used to apply for the required ELSTER organization certificates.

Step 1: Registration with “Mein Unternehmenskonto” (MUK)

MUK serves as the central access system to digital government services for affected organizations in Germany and is based on the proven ELSTER technology. Every organization with a German tax number must apply for ELSTER organization certificates for its employees to log in securely and comply with the requirements of the NIS2 Directive and the NIS2 Implementation Act.

Activation occurs in two steps: via email and a postal activation letter, which is typically delivered within five business days. The first user automatically assumes the role of administrator, can invite additional users, and assign access rights and roles within the information security management framework.

Step 2: Registration in the New BSI Portal from January 2026

With the activation of the BSI portal on January 6, 2026, all NIS-2 regulated entities must register mandatorily. The portal will later also serve as the central reporting point for significant security incidents. If an incident occurs before registration, reports can temporarily be submitted via an online form. Operators of critical facilities (KRITIS) and federal agencies will initially continue to use their existing reporting channels.

This two-step registration process forms the formal basis for reporting security incidents and complying with NIS-2 obligations. The actual implementation of risk management measures and all technical and methodological requirements for information security remains the responsibility of the affected organizations.

What Affected Organizations Should Prepare Now

The first months after the entry into force of the NIS-2 Implementation Act are crucial for ensuring sustainable compliance and stable information security within the organization. Organizations should now systematically assess whether they are among the affected entities and what measures are required to meet the requirements of the NIS2 Implementation Act and the NIS2 Directive.

It is advisable to designate at least two responsible persons to coordinate information security. These individuals should be capable of monitoring and documenting risk management measures, incident response, and backup and recovery processes. Management will in future be explicitly responsible for risk management and compliance with legal reporting obligations. Training and awareness at the management level are therefore essential to strengthen the resilience of digital infrastructure and ensure that information technology security measures are implemented efficiently. For many organizations, this is the first practical step. Depending on the size of the entity and sector, an individual approach may be appropriate.

Systematically Developing Information Security

NIS2 requirements go far beyond formal registration obligations. Organizations must continuously optimize the following areas, among others:

  • Risk management and systematic evaluation of the effectiveness of security measures
  • Incident response and crisis management
  • Backup and recovery processes
  • Supply chain security and integration of security measures in acquisition, development, and maintenance
  • Secure software and system development as well as technical and methodological requirements for information security management
  • Training and regular awareness-raising for employees
  • Access and authorization concepts that protect digital resources
  • Reliable processes for alerts and situation reports, ensuring security-relevant communications can be received and processed around the clock

Through these measures, organizations not only increase the resilience of their digital infrastructure but also simultaneously meet the legal requirements of the NIS2 Implementation Act, strengthen information technology security, and significantly reduce the risk of security incidents.

Start Now to Secure Cybersecurity in the Long Term

NIS-2 is more than just another compliance topic. The revised NIS-2 Implementation Act aims to sustainably strengthen the digital resilience of organizations and critical infrastructure in Germany. For organizations, this means: plan early, clarify responsibilities, establish structures for information security, and document risk management measures.

We are happy to support you in assessing whether your organization is affected and in conducting a maturity level analysis. This ensures that all reporting obligations for security incidents, risk management measures, and information security requirements are met.

Contact us to plan the next steps for your organization together and ensure long-term security of your digital infrastructure.
