New Cybersecurity Law Comes into Effect in Germany: A Response to Growing Threats
On December 6, 2025, Germany’s new law for implementing the EU’s NIS-2 directive officially came into force, reflecting the increasing urgency and importance of cybersecurity. The directive, aimed at enhancing cybersecurity measures across the European Union, underscores the serious implications that IT security incidents can have for the population at large. One notable example of this was witnessed last autumn when a cyberattack on an airport service provider impacted several airports throughout Europe. The assault particularly crippled electronic systems at Berlin Brandenburg Airport (BER), affecting both passenger and baggage handling operations.
This incident starkly illustrated how critical infrastructure is susceptible to cyber threats, highlighting the necessity for stricter regulations and compliance protocols to safeguard essential services.
Surge in Registrations Before Deadline
In the week leading up to the deadline for compliance with the new regulations, there was a significant surge in registrations, with over 4,000 new entries reported by the Federal Office for Information Security (BSI). A spokesperson for the BSI expressed optimism about the general readiness of entities to meet the new standards. "The significant increase in registrations in recent days indicates that numerous additional registrations are likely in the near future," they stated in response to inquiries from the Deutsche Presse-Agentur.
Further details regarding sector-specific data—especially concerning critical infrastructure entities like major energy suppliers, banks, and IT service providers—are expected to be released by the BSI at a later date. The data set aims to clarify the compliance landscape and underline the sectors that are most affected by these new regulations.
A Three-Month Compliance Window
The newly enacted German law mandates specific obligations for companies. Organizations must report significant security incidents within 24 hours, provide updated information within 72 hours, and submit a final report within one month. In the event of severe breaches, businesses could face substantial fines, making compliance a high-stakes endeavor.
Determining whether these requirements apply to businesses is not a one-size-fits-all proposition; the relevance of the guidelines largely depends on factors such as the business field, size, and revenue. The German government estimates that approximately 29,850 companies will find themselves subject to these new regulations. To assist organizations in assessing their responsibilities, the BSI has made an online self-assessment tool available.
BSI’s Support for Affected Companies
Recognizing the complexities and challenges that may arise during the compliance process, the BSI is aware that evaluations and the two-stage registration process can be demanding. "The BSI knows that determining compliance requirements and the subsequent registration can be time-consuming for individuals and organizations," the agency stated. In response, they plan to release additional guidelines shortly aimed at offering support for corporate registrations and the registration of critical components.
This initiative reflects the BSI’s commitment to ensuring that institutions navigate the challenging landscape of cybersecurity compliance effectively and efficiently. The increase in registrations combined with the provision of support services indicates a proactive approach that stands to fortify Germany’s critical infrastructure against future cyber threats.
In summary, Germany’s implementation of the NIS-2 directive comes against a backdrop of rising cybersecurity risks, particularly following impactful incidents of cyberattacks on critical infrastructure. With regulatory obligations now firmly in place, the focus shifts toward achieving compliance, enhancing security protocols, and protecting vital services essential to the daily lives of citizens. The collaboration between regulatory bodies and affected organizations will be pivotal in cultivating a robust cybersecurity framework in the coming years.