# Act on the Implementation of the NIS2 Directive and on Regulating the Essential Principles of Information Security Management in the Federal Administration
BGBl. 2025 I Nr. 301
AI-generated summary for informational purposes only. Not legal advice. See the original source for the authoritative text.
This German federal law transposes the EU NIS2 Directive into national law. It significantly expands the scope of entities required to implement cybersecurity risk management and reporting obligations. The Act establishes uniform minimum standards for information security management systems (ISMS) across federal government bodies and critical infrastructure operators. It introduces stricter incident reporting timelines, mandatory supply chain security measures, and enhanced supervisory powers for the Federal Office for Information Security (BSI). The law also modernizes penalties and creates new governance structures for cybersecurity in both public administration and essential private sectors.
## Key Changes
- Transposition of EU NIS2 Directive (Directive (EU) 2022/2555) into German law
- Significant expansion of regulated entities including new sectors beyond previous KRITIS
- Mandatory implementation of risk management measures and ISMS for federal authorities
## Obligations
What this law requires:
- Implement and maintain an Information Security Management System (ISMS) meeting the uniform minimum standards established by this Act
- Report cybersecurity incidents to the competent authorities within the mandatory timelines specified in the Act
- Implement and maintain supply chain security measures for information technology and critical systems
- Comply with supervisory audits, inspections, and information requests issued by the Federal Office for Information Security (BSI)
- Establish governance structures for cybersecurity management within federal administration bodies