NIS2UmsuCG: Germany's NIS 2 transposition law
NIS 2 is an EU directive. Article 41 told every member state to write it into national law by 17 October 2024. Germany missed that deadline. The NIS2UmsuCG eventually passed and put the duties into an amended BSIG. The directive is still the source.
The short version
NIS 2 is a directive, not a regulation. Directives bind member states to a result. Each country has to write its own national law that reaches that result. NIS 2 sets one EU-wide standard for cybersecurity duties across 27 transposition laws.
Germany's transposition law is called the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz). It does not exist as a free-standing book. It is a change law that rewrites the BSI Act (BSIG). When German practitioners say 'BSIG' today, they mean the BSIG as amended by the NIS2UmsuCG.
Germany missed the 17 October 2024 deadline that Article 41 NIS 2 set. The NIS2UmsuCG was passed later. As of mid-2026, the law is in force. The duties on essential and important entities sit inside the amended BSIG.
NIS 2 Directive (EU) 2022/2555
This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union.
NIS 2 is a directive. It was adopted on 14 December 2022 and entered into force on 16 January 2023. It binds every member state to the same standard. The substance of every national NIS 2 law in the EU comes from this text.
Article 41(1) NIS 2
By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from 18 October 2024.
Article 41 is the transposition clause. It set two dates. National laws had to be on the books by 17 October 2024. The duties had to apply from 18 October 2024. Germany missed both. The Commission opened infringement proceedings against the late-transposing member states in November 2024.
NIS2UmsuCG → amended BSIG (Germany)
The NIS2UmsuCG amends the BSI Act to implement Directive (EU) 2022/2555.
The NIS2UmsuCG is the German change law. It rewrites the BSIG. The amended BSIG is what an auditor or the BSI will hold you to in Germany. The wording tracks the directive closely, sometimes word for word.
Scope and the ten measures
§28 BSIG sets out who is in scope: 'particularly important' and 'important' entities, judged by sector (Annex I and II of NIS 2) and size (50+ headcount or €10m+ turnover, with overrides). §30 BSIG lists the ten cybersecurity measures every in-scope entity has to put in place. §30 transposes Article 21(2) of the directive.
Incident reporting and registration
§32 BSIG sets the incident reporting cascade: 24 hours for an early warning, 72 hours for an incident notification, one month for a final report. It transposes Article 23. §33 BSIG requires registration with the BSI. The registration deadline was 6 March 2026. §33 transposes Article 27.
Management body and fines
§38 BSIG holds the management body personally liable for compliance and requires regular training. It transposes Article 20. §65 BSIG sets the fines tiers: up to €10m or 2% of global turnover for particularly important entities, up to €7m or 1.4% for important entities. §65 transposes Article 34.
NIS 2 is the source; the BSIG copies it
The substance of every duty comes from the directive. The NIS2UmsuCG copies Article 21 into §30 BSIG almost word for word. The same holds for Articles 20, 23, 27 and 34. If you want to know what a duty means, read the directive first. Read the BSIG section for the German-specific mechanics (which authority, which portal, which fines tier).
Where they differ, the directive prevails
If the BSIG wording diverges from the directive and the difference matters, the directive wins. That is a general EU law principle: a member state cannot under-implement a directive by writing softer national text. National courts read national law in light of the directive, and national authorities cannot enforce national provisions in a way that contradicts it.
NIS2UmsuCG → BSIG, supervised by BSI
The NIS2UmsuCG amends the BSIG. The Bundesamt für Sicherheit in der Informationstechnik (BSI) is the national competent authority. Registration runs through the BSI portal. The BSI also publishes Infopakete (information packages) and points to IT-Grundschutz as the practical route to implementation.
ENISA transposition tracker
ENISA, the EU's cybersecurity agency, publishes a transposition status overview. It shows which member states have transposed, which are late, and which are still in legislative process. Use it to check the state of any national NIS 2 law, not just the German one.
Equivalent transposition laws
Netherlands: Cyberbeveiligingswet. Austria: NISG. France: ordonnance n° 2024-1184. Belgium: NIS2-Wet. Each one transposes the same directive into its national language and legal style. A duty in §30 BSIG has an exact counterpart in each of these laws. The wording differs; the obligation is the same.
The directive does not bind me, only the BSIG does.
The duties operate through the BSIG, yes. But the BSIG is read in light of the directive. If a national authority or court interprets an ambiguous BSIG clause, it looks at the directive. For EU-wide questions (cross-border supplier contracts, multi-jurisdiction risk policy) the directive is the right reference. The BSIG is the German implementation, not a closed, self-contained code.
We wait for the law to be in force before we comply.
The directive applied from 18 October 2024. Germany's late transposition did not delay your substantive duty. Cyber insurers, large customers and audit bodies started asking for NIS 2 evidence in 2025, before the NIS2UmsuCG was passed. Once the BSIG was amended, the duties became directly enforceable. Late transposition shortened the runway; it did not extend it.
NIS2UmsuCG is unique German law.
Every member state has an equivalent transposition. The duties are the same. Only the wording, the supervising agency and the fines tier differ. If you operate in three EU countries, you do not need three risk frameworks. You need one framework that satisfies the directive, and three short national appendices for the local mechanics (which portal, which deadline format, which authority).
Most Mittelstand operators should read both: the directive for the substance, the BSIG for the procedural specifics. Read NIS 2 Article 21 for what risk management means. Read §30 BSIG for how Germany phrases it and which BSI guidance applies. The two together tell you what you owe.
For multi-country operations, the directive is the working text. Build your risk register, your incident playbook and your supplier contracts against the directive. Then keep a short national appendix per country: which authority you register with, which portal you report through, which fines tier applies. That keeps one substantive framework with thin national wrappers, instead of 27 parallel ones.
We map the directive and the BSIG side by side. Every requirement on the platform shows the NIS 2 article it transposes alongside the §30 / §32 / §33 / §38 BSIG section that operationalises it in Germany. Same obligation, two readings. You read the level that matches what you are doing right now.
If you operate in more than one EU country, the directive view stays constant. The national wrapper (which authority, which portal, which fines tier) changes per country. We extend the same model to other member states (NL, AT, FR) as we add national content.
- Directive (EU) 2022/2555 (NIS 2), Article 41 (transposition) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), Bundestag-Drucksache and Bundesgesetzblatt
- BSI Act (BSIG), §§28, 30, 32, 33, 38, 65 as amended by the NIS2UmsuCG
- European Commission November 2024 infringement package, letters of formal notice for late NIS 2 transposition
- ENISA NIS 2 transposition status overview