The NIS2 Directive (Directive (EU) 2022/2555) significantly raises the bar for cybersecurity across the EU. In Germany, its implementation is set to take shape through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG). Although the legislative process was interrupted by the snap elections, the obligations arising from the EU Directive are active in principle – and will apply immediately (without a grace period) once the law enters into force.

The German government expects around 29,000 organisations to be affected: ranging from digital service providers and utilities to healthcare, finance, logistics, manufacturing, and beyond.

So what exactly will be required? Here’s a breakdown of the key obligations organisations need to prepare for now, and how Black Cell can help make that process structured and manageable.

Changes in organisational scope

The new rules significantly expand the scope of cybersecurity obligations. While the previous NIS regime focused mainly on operators of critical infrastructure (KRITIS), the NIS2 Directive introduces two broader categories:

  • Wesentliche Einrichtungen (wesE) – essential entities
  • Wichtige Einrichtungen (wE) – important entities

The German government estimates that around 29,000 organisations will fall under the scope. This includes entities in sectors such as energy, transport, health, finance, manufacturing, digital services, and more. Both categories are subject to extensive cybersecurity, incident response, and reporting requirements.

Core obligations

Organisations in scope will be required to:

  • Designate a 24/7 reachable NIS2 contact point (Kontaktstelle), able to receive and act on BSI alerts
  • Implement risk-based technical and organisational security measures (TOMs), including supply chain risk management
  • Establish or enhance their Information Security Management System (ISMS), aligned to the “state of the art”
  • Prepare for incident reporting, including:
    • Initial alert within 24 hours
    • Follow-up report within 72 hours
    • Final report within 30 days

NIS2 contact point

Each in-scope organisation must appoint a 24/7 reachable contact point (Kontaktstelle) for cybersecurity matters. This point of contact must:

  • Be reachable via a monitored functional mailbox at all times
  • Be technically and organisationally embedded to respond to alerts from the BSI
  • Be capable of forwarding relevant information internally and escalating incidents

The contact point does not need to be a single person—this can be a role, a team, or even an external partner. However, the function must be documented, tested, and known internally. Black Cell’s Fusion Center can act as a technical extension of your contact point, or help establish the process with tooling and SOPs.

Risk management activities

All essential and important entities must implement “appropriate and proportionate” technical and organisational measures (TOMs) to manage cybersecurity risks. These measures must be:

  • Tailored to the size, sector, risk exposure, and threat landscape of the organisation
  • Documented, regularly updated, and demonstrably effective

Minimum requirements include:

  • Risk analysis and information system security policies (for example based on BSI Standard 200-3)
  • Incident response processes
  • Business continuity and crisis management planning
  • Supply chain and third-party risk management
  • Secure development, system hardening, and vulnerability management
  • Access control, including strong authentication and MFA
  • Staff training and awareness
  • Use of encryption and secure communications

Black Cell Compliance assesses your compliance against sector-specific and generic control catalogues such as ISO/IEC 27001:2022 to align your policies, systems, and contracts with the directive.

Incident reporting obligations

Perhaps the most operationally critical piece of NIS2 compliance is the obligation to report significant security incidents to the BSI (incidents that result in financial loss, serious operational disruption, or damage of any kind to third parties) – with a new multi-step process:

  • Initial notification within 24 hours of becoming aware of a significant incident
  • Follow-up report within 72 hours, including indicators of compromise, impact, and early analysis
  • Final report within 30 days, with detailed root cause, remedial actions, and cross-border impact

All reporting is done via the BSI portal. If your contact point fails to meet the deadlines or the reports are incomplete, regulatory consequences may follow. The BSI also has the authority to instruct you to notify affected customers or the public.

Black Cell’s Fusion Center team supports real-time incident detection, triage, and structured reporting – mapped to NIS2 timelines and formats.

Leadership accountability

For the first time, management bodies (Geschäftsführung, Vorstand) are personally responsible for:

  • Overseeing the implementation of cybersecurity measures
  • Attending regular cybersecurity training
  • Ensuring sufficient resources are allocated for information security purposes

This includes a duty to supervise, and liability in cases of gross negligence or inaction. It’s not something that can be outsourced or delegated entirely.

Registration with the BSI

Organisations must register with the BSI within three months of falling under the scope. Registration via the planned BSI portal will include:

  • Entity details
  • Sector classification according to Annex I/II of NIS2
  • Names and contacts of responsible individuals and contact points

Failure to register can itself result in penalties and increased regulatory scrutiny.

The obligations under NIS2 are extensive—but they’re also an opportunity to operationalise security, reduce risk, and build trust. The expectation is clear: security must be more than just documentation – it must be embedded into the way systems, suppliers, and services operate. Whether you’re an essential entity preparing to build a full ISMS, or a digital infrastructure provider needing to meet minimum standards, now is the right time to get started.


Author

Béla Droppa (https://blackcell.io/bela-droppa/), Compliance Manager

Béla oversees the organization’s risk and compliance posture, as well as manages the advisory team. Based out of the Budapest office, with visits to the Frankfurt am Main sales hub, Béla is responsible for leading the expansion of Black Cell’s Cloud Security and Compliance services in the DACH region.
