Digital Policy Alert logo

Germany: NIS 2 Implementation and Cybersecurity Strengthening Act entered into force

Policy overview

Description

NIS 2 Implementation and Cybersecurity Strengthening Act entered into force

On 6 December 2025, the NIS 2 Implementation and Cybersecurity Strengthening Act, including security requirements, entered into one day after its official publication. It introduces a minimum set of risk measures, including incident-handling procedures, business continuity requirements, vulnerability management, authentication, cryptographic protection, and supply chain controls. Companies are required to assess their own risks and implement proportionate safeguards. The Act also replaces the single-step reporting model with a three-tier regime requiring reports at 24 hours, 72 hours, and one month.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
central government

Complete timeline of this policy change

Hide details
2024-05-07
under deliberation

On 7 May 2024, the Federal Interior Minister presented the draft NIS 2 Implementation and Cybersecu…

2024-07-24
under deliberation

On 24 July 2024, the draft NIS 2 Implementation and Cybersecurity Strengthening Act, including secu…

2025-06-23
under deliberation

On 23 June 2025, the updated draft Act on the Implementation of the NIS-2 Directive and on the Regu…

2025-07-04
under deliberation

On 4 July 2025, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) sub…

2025-11-13
under deliberation

On 13 November 2025, the NIS 2 Implementation and Cybersecurity Strengthening Act, including securi…

2025-12-02
adopted

On 2 December 2025, the President signed the NIS 2 Implementation and Cybersecurity Strengthening A…

2025-12-06
in force

On 6 December 2025, the NIS 2 Implementation and Cybersecurity Strengthening Act, including securit…