NIS2UmsuCG: Germany’s New NIS-2 Cybersecurity Law

Germany’s upcoming NIS2UmsuCG (Act on the Implementation of the NIS-2 Directive and on Regulating Essential Principles of Information Security Management in the Federal Administration) marks a major tightening of cybersecurity rules for businesses and public institutions. Based on the EU’s NIS-2 Directive, the law will replace the current BSI Act and extend obligations far beyond the previous KRITIS regime. Instead of affecting just over 800 operators of critical infrastructure, it is expected to apply to up to 30,000 organizations across 18 sectors, including energy, transport, health, digital infrastructure, telecoms, banking, public administration, food, chemicals, waste management, manufacturing, and key digital services.

Under the new framework, entities are classified as “particularly important” or “important” based on sector and size. Large companies in Annex 1 sectors and operators of critical facilities are generally considered particularly important, while medium-sized firms and companies in Annex 2 sectors may be classified as important. Some digital service providers and infrastructure operators are covered regardless of size, where their services are system-critical. Even smaller suppliers, especially IT and managed service providers in the supply chain, can be affected when they access critical systems or sensitive areas. All covered organizations will be required to register with the Federal Office for Information Security (BSI) and demonstrate compliance upon request.

The law introduces extensive duties: companies must establish and maintain a risk-based information security management system; conduct regular risk assessments; implement technical and organizational measures such as vulnerability and patch management, backup and recovery, access control, multi-factor authentication, secure communications, and supply-chain security; and ensure incident detection, reporting, and response. Time-critical reporting obligations apply, including initial notification of serious incidents within 24 hours, a follow-up report within 72 hours, and a final report after one month. Regular effectiveness reviews of risk management will be mandatory, and operators of critical facilities will face BSI-led audits every three years.

Crucially, NIS2UmsuCG is not a “soft” guideline. It provides for significantly stronger enforcement and sanctions, including fines of up to 10 million euros or 2 percent of global annual turnover. Management boards and directors are personally responsible for compliance and may face individual consequences, including bans from management positions, for serious violations. With the law expected to come into force around late 2025 or early 2026 and no long transition periods planned, companies are advised to act now: assess whether they fall into the covered categories, start building or upgrading an ISMS aligned with ISO 27001, involve staff at all levels, and engage suppliers early.

For many organizations, especially those newly brought into scope, waiting until the law is passed will be too late. The message from experts is clear: NIS-2 is not just another compliance exercise, but a structural shift towards more robust cybersecurity across the European economy. Companies that move early can not only avoid sanctions but also strengthen resilience, protect their operations, and build trust with customers and partners in an increasingly hostile cyber environment.
