Germany has transposed the NIS 2 Directive by amending the BSI Act (BSIG), the main legal framework governing cybersecurity for infrastructures and organizations. This transposition increases the number of regulated entities from approximately 2,000 to about 30,000. Supervision is carried out by the Bundesamt für Sicherheit in der Informationstechnik (BSI). Germany presents several important specificities, including the integration of the existing KRITIS framework and a strong reliance on BSI technical standards, including those related to physical security. The following steps summarize the key elements required to achieve NIS 2 compliance in Germany.
1. Identification and registration of entities
The first step is to determine whether the organization falls within the scope of NIS 2. This qualification is based on:
- the sector of activity
- the size of the organization (number of employees and turnover)
- the potential operation of a critical infrastructure
Organizations concerned must then:
- confirm their regulatory status
- register with the BSI
- implement the required security measures
- report significant incidents
Important: Unlike other Member States, Germany distinguishes between the company (legal entity) and the critical installation (site or infrastructure).
An organization may therefore be regulated:
- either at the company level
- or at the level of a specific critical site
This approach originates from the national framework for the protection of critical infrastructures. NIS 2 qualification is based on the company’s primary activity and may exclude certain marginal activities. This approach, combined with the continued application of the national KRITIS framework, may lead to differences in interpretation compared with other Member States.
2. Categories of entities
German law distinguishes several categories of regulated organizations.
Wichtige Einrichtungen (important entities): these are generally medium-sized organizations operating in sectors listed under NIS 2.
Besonders wichtige Einrichtungen (particularly important entities, i.e. essential entities): these organizations have a higher potential impact in case of incident and are subject to stronger supervisory requirements.
KRITIS (critical infrastructures): the KRITIS framework is a pre-existing national system now articulated with the NIS 2 and CER directives (Directive on the resilience of critical entities). It concerns installations whose disruption would have a major impact on society or the economy.
This classification does not constitute a strict legal hierarchy but helps to understand the increasing level of security requirements and supervision.
3. Compliance frameworks
German regulation does not impose a single mandatory compliance framework. It relies on the principle of Stand der Technik (state of the art), and several frameworks may be used to demonstrate compliance.
International frameworks
- ISO/IEC 27001
- NIST Cybersecurity Framework
These frameworks cover a large portion of NIS 2 requirements, but a gap analysis is required to address German regulatory obligations.
German frameworks and standards
IT-Grundschutz
The BSI IT-Grundschutz framework is the primary methodological reference. It defines:
- risk management
- organizational security measures
- technical security measures
- physical protection of infrastructures
It relies in particular on the following standards:
- BSI Standard 200-1 – ISMS
- BSI Standard 200-2 – IT-Grundschutz methodology
- BSI Standard 200-3 – Risk analysis
- BSI Standard 200-4 – Business continuity
Cryptographic recommendations
The BSI also publishes technical guidelines that define the state of the art, for example BSI TR-02102 for cryptographic algorithms and key lengths.
4. Physical security and access control
The NIS 2 regulation is based on a risk management approach. In practice, this includes the physical protection of infrastructures and critical installations. BSI frameworks explicitly integrate:
- building protection
- security of server rooms and technical infrastructures
- physical access control to sensitive areas
Requirements increase with the criticality of the entity. By combining recommendations found in IT-Grundschutz modules INF.1, INF.2 and INF.5, BSI standards and KRITIS guidance, security objectives can be summarized as follows:
Important entities
- identification of sensitive areas
- access control to technical rooms
- visitor management
- protection of IT rooms
Essential entities
- formalized physical zoning
- named access control
- monitoring of sensitive access points
- periodic review of access privileges
Critical infrastructures
- defense in depth for installations
- continuous monitoring of physical access
- detection of intrusion or sabotage
- enhanced traceability of physical access
Conclusion
The implementation of NIS 2 in Germany builds on an ecosystem already structured around the BSI and the KRITIS framework. Organizations must therefore combine:
- the obligations of the NIS 2 Directive
- the requirements of the German national framework
- the technical standards issued by the BSI
Additional operational details are expected in future implementing texts and technical guidelines. Subscribe to receive the necessary updates.
Useful links:
- BSI portal – NIS 2 registration and reporting
- KRITIS – critical infrastructures (BSI)
- BSI IT-Grundschutz – national cybersecurity framework
- BSI Standards 200-1 to 200-4
Need support? Do not hesitate to contact our members providing services and solutions designed to support your NIS 2 compliance.