Germany's NIS2 Law Is Now in Force: What Startups and SMBs Need to Do

Secfix Team
April 22, 2026

Germany's NIS2 Law Is in Force: Here's What It Means

On December 6, 2025, Germany's NIS2 Implementation Act (NIS2UmsG) entered into force, transposing the EU's NIS2 Directive into national law more than a year after the original deadline. The Act substantially revises the BSI Act (BSIG) and expands the scope of regulated entities from roughly 4,500 to around 29,500, a sevenfold increase that pulls thousands of medium-sized companies into the supervision of the Federal Office for Information Security (BSI) for the first time.

Small businesses with fewer than 50 employees and under €10 million in turnover generally remain exempt. Midsize startups and SMBs above those thresholds operating in in-scope sectors, including digital services, manufacturing, health, transport, and data processing, are very likely covered and should act now.

Are You in Scope? Two New Categories to Know

The revised BSI Act classifies regulated organizations into two tiers, mirroring the NIS2 Directive:

  • Particularly important entities (besonders wichtige Einrichtungen), equivalent to NIS2's "essential entities."
  • Important entities (wichtige Einrichtungen), equivalent to NIS2's "important entities."

Classification is based on a combination of sector and size. If your company has more than 50 employees or exceeds €10 million in both annual turnover and balance sheet total, and operates in one of the sectors named in Annexes 1 or 2 of the BSI Act, you are likely in scope. Companies must self-assess and document their applicability; the BSI does not notify you.

What NIS2 Requires of In-Scope Companies

  • Risk management measures. You must implement a formal cybersecurity risk management framework covering policies, incident handling, business continuity, supply chain security, access control, training, and vulnerability management. Adopting an ISO 27001-aligned information security management system (ISMS) covers most of these requirements and significantly simplifies compliance.
  • Mandatory BSI registration. In-scope entities had to register via the BSI portal (live since January 6, 2026) by March 6, 2026. If you missed that deadline, register immediately; supervisory authorities can request evidence of your self-assessment at any time.
  • Incident reporting on a strict timeline. Significant incidents must be reported to the BSI within 24 hours of becoming aware of them, followed by an update within 72 hours and a final report within 30 days. You need an incident response plan and monitoring in place now.
  • Leadership accountability. Management bodies must approve and oversee cybersecurity measures. Executives are required to complete cybersecurity training at least every three years. Where corporate law liability rules exist, managers can be held personally liable for compliance failures. Cybersecurity is now a boardroom responsibility, not just an IT concern.
  • Enforcement and penalties. Fines reach up to €10 million or 2% of global annual turnover, whichever is higher. The BSI has audit powers and can issue binding instructions to fix deficiencies.

Why the Clock Is Already Ticking

Unlike most EU regulations, the NIS2 Implementation Act came into force with no transition period. Obligations apply immediately. The March 6, 2026 registration deadline has passed, meaning any in-scope company that hasn't yet registered, self-assessed, and started implementing risk management measures is already non-compliant.

How Secfix Gets You NIS2-Ready Fast

Meeting NIS2 from a standing start is demanding, but it doesn't require hiring a team of consultants. Secfix is Europe's end-to-end security compliance platform, built specifically for startups and SMBs navigating frameworks like NIS2, ISO 27001, SOC 2, and TISAX. In fact, companies become compliant up to 90% faster with Secfix.

With Secfix you get:

  • An automated platform that maps NIS2 requirements to concrete tasks, evidence, and controls, so you know exactly what to do next.
  • A built-in ISO 27001-grade ISMS that covers the majority of NIS2 technical and organizational measures.
  • Ready-made policy templates, continuous monitoring, and centralized evidence storage that keep you audit-ready year-round.
  • CISO-as-a-Service support to guide your management team through training obligations, risk decisions, and incident response planning.
  • Dashboards and reports that demonstrate due diligence to your leadership, auditors, and the BSI.

Don't Wait! Talk to Our Team

Enforcement is live, deadlines have passed, and the BSI is now actively supervising tens of thousands of companies that have never dealt with regulatory cybersecurity before. Get ahead of it. Book a free Secfix demo today and see how quickly we can get your company NIS2-compliant.
