NIS2 overview

| Question | Short answer |
|---|---|
| In force since (DE)? | NIS2UmsuCG since 06 Dec 2025, no transition period |
| Who is affected? | ~30,000 entities directly; many more via the supply chain |
| Important threshold | from 50 employees or > €10m turnover |
| Essential threshold | from 250 employees or > €50m turnover & > €43m balance sheet |
| Core duties | BSI registration, §30 measures, incident reporting, training |
| Fines | up to €10m / 2% of global annual turnover |
| Liability | personal, for the management body (§38 BSIG / Art. 20) |

NIS2 distinguishes essential and important entities by sector, size and turnover. Even companies outside the direct scope may become subject to evidence obligations through OEM contracts.
The core: ten risk-management measures under §30 BSIG, incident reporting for significant incidents, and registration with the BSI.
The NIS2 Implementation Act has applied since 6 December 2025, with no transition period.
Important entities from 50 employees or over €10m turnover; essential entities from 250 employees or over €50m turnover and €43m balance-sheet total.
Fines up to €10m or 2% of global annual turnover, plus personal management-body liability under §38 BSIG.