Cybersecurity Briefing Q4 2025 – NIS 2 implementation in Germany comes into force
The threats emerging in cyberspace remain high, as Germany’s Federal Office for Information Security (“Federal Office”) (Bundesamt für Informationssicherheit) has once again confirmed in its latest status report. Ransomware, AI-based attacks and supply-chain incidents dominate the security landscape. At the same time, the regulatory requirements that companies will have to implement in the coming months are intensifying. Our briefing summarises the most important issues:
Regulatory developments: NIS 2, German Umbrella Act for Critical Infrastructure Protection, CER Directive and CRA
Implementation of NIS 2
On 5 December 2025, the German NIS 2 Implementation Act (Gesetz zur Umsetzung der NIS-2-Richtlinie) was promulgated in the Federal Law Gazette. It therefore entered into force on 6 December 2025, ending the lengthy legislative process. Companies should now, at the latest, assess whether they will be regulated under the German Act on the Federal Office for Information Security (“Information Security Act”) (BSI-Gesetz) in future and take appropriate measures. These include a risk analysis, risk management measures including supply-chain security, and training of management. There are no transitional periods.
The Federal Office for Information Security enables affected companies to register under Mein Unternehmenskonto (MUK) (My Company Account).
German Umbrella Act for Critical Infrastructure Protection/CER Directive
The CER Directive is intended to ensure the physical resilience of critical facilities. Germany is implementing the directive with its Umbrella Act for Critical Infrastructure Protection (KRITIS-Dachgesetz) (government draft of 3 November 2025), applicable only to operators of “critical facilities”. They are required to carry out a risk assessment, take physical protection measures and establish evidence management to report to the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe).
Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) has been in force since 11 December 2024 and sets out minimum cybersecurity requirements for connected products (“products with digital elements”) for the first time. It is now clear that the Federal Office for Information Security will act as the market surveillance authority in Germany and may impose fines of up to €15 million or 2.5% of global turnover in the event of infringements.
On 3 December 2025, the European Commission published a website on the CRA including comprehensive FAQs.
Status: complexity of threats is increasing
According to the ENISA Threat Landscape 2025 report, ransomware remains the most impactful threat in cyberspace – with damage in the billions and active groups such as Akira and Safepay. Around 60% of all attacks are carried out via phishing, increasingly automated by AI tools. The sectors most affected are public administration, transport, digital infrastructure, finance and industry. In many cases, not only large corporations but also, and especially, small and medium-sized enterprises (SMEs) are targeted by attackers.
Although the Federal Office’s Status Report 2025 (in German only) states that progress is being made through international law enforcement, it also continues to report over 100 vulnerability exploits every day. There are major differences in terms of cybersecurity between critical infrastructure sectors, with attack detection systems often remaining inadequate. For SMEs, cyber resilience remains one of the key weaknesses in Germany.
Governance & practice: management responsibility, supply chains, risk analysis
The Federal Office for Information Security has now issued several publications on the new Information Security Act under the title #nis2know (in German only), which may briefly be summarised as follows:
Mandatory training for managers
According to section 38(3) of the new version of the Information Security Act, managers must receive regular training in future. This obligation applies every three years and covers four core areas:
- risk identification and assessment
- risk management methods
- assessment of risk impacts
- monitoring implementation
Training should always be customised to the company concerned.
Secure supply chains
According to NIS 2, cyber supply chain risk management (C-SCRM) is an integral part of risk management. The Federal Office recommends contractually obliging service providers to comply with its standards and systematically establishing supplier audits.
Risk analysis is a key tool
Risk analysis forms the backbone of security management. This includes identifying relevant assets and assessing, dealing with and documenting risks in line with the PDCA cycle. Applying ISO 27001 or the Federal Office’s standards is considered best practice.
Reporting requirements for IT security incidents
Companies affected by NIS 2 should check their reporting processes early on. The Federal Office points out the following deadlines and expects “speed rather than completeness”:
- initial notification within 24 hours
- follow-up notification within 72 hours
- final notification within one month
Case law and supervisory practice
The Federal Office’s practice of imposing fines has been rather cautious up to now. However, GDPR-related practice sets the direction: over 200 decisions on Article 32 GDPR with fines of up to €22 million (more on this in our Case Law Tracker). Cases such as British Airways or Capita make it clear that inadequate technical and organisational measures (TOMs) can be directly sanctioned – a warning signal for all parties subject to obligations under NIS 2.
Good practice: The Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht) has presented a practical framework in the form of Cyber Fortress Bavaria (in German only). Ten checkpoints, including MFA for administrative accounts, network segmentation and ransomware-proof backups, serve as a blueprint for organisation-wide “defence-in-depth” strategies.
Conclusion
On the one hand, we are observing that many companies are now examining whether they will fall under the Information Security Act in future following the reforms introduced by the NIS 2 Implementation Act. Other companies have already gone one step further and are now looking at management training and supply chain risk. Companies should not see this as a tiresome chore but should instead focus on strengthening their cybersecurity in their own interests, regardless of whether they are NIS 2-relevant or not. The reports by the authorities show that suppliers and/or service providers are involved in a large number of “successful” cyberattacks – a gateway that can and should be shut.