Move supplier assurance off spreadsheets. Private pilot opening soon.→ Join the pilot
SHARDSCybersecuritySupply Chain Assurance · NIS2
Back to the NIS2 overview
NIS2 · Germany

NIS2 in Germany — transposition status and what’s changed

Germany transposed NIS2 via the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which entered into force on 6 December 2025 with no transition period — affected entities had to comply immediately. The law amends the BSI Act (BSIG) and brings cybersecurity governance to a board-level statutory issue. The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the supervisory authority and operates the entity-registration portal that opened on 6 January 2026, with the in-scope registration deadline of 6 March 2026. Coverage expands the German regulated population from approximately 4,500 entities to around 30,000 — a significant jump that drives mid-market German entities into scope alongside their suppliers.

National competent authority
BSI — NIS-2

Authoritative source for Germany-specific NIS2 guidance, registration, and incident reporting.

5.0 / Next step

Where are you with NIS2 supplier work in Germany?

Two ways to find out fast — a five-minute self-assessment, or a practitioner-walked exposure picture in two to three weeks.

Take the readiness checkSee the Exposure Assessment

Detailed Germany guide in development — get notified

We’re writing a longer practitioner guide on NIS2 in Germany: thresholds, registration timelines, and what regulators are starting to ask suppliers for. Drop your email and we’ll send it when it lands.

We use your address only for this — no marketing list, no resale.

Back to the NIS2 overviewSee how Supply Chain Assurance helps with NIS2 supplier work