NIS-2 Implementation Act Adopted in Germany: What Equipment Manufacturers and Production Facilities Need to Know Now

Germany remains under heavy cyber pressure. The latest situation report¹ from the Federal Office for Information Security (BSI) describes a landscape in which attack surfaces are growing and professional attacker groups systematically exploit vulnerabilities. Against this background, the German Bundestag adopted the act implementing the EU NIS-2 directive on 13 November 2025. The law fundamentally modernizes national IT security legislation. It was published in the Federal Law Gazette on 5 December 2025 and has been in force since 6 December 2025.

Decision and Starting Signal: What NIS-2 Means for Equipment Manufacturers and Production Facilities

At the core of the reform is a clear allocation of roles. The Federal Office for Information Security will supervise companies that fall under NIS-2. Within the federal administration it coordinates cybersecurity as the CISO Bund. This is the central authority of the federal government for information security. It defines requirements, consolidates responsibilities and monitors implementation.

For companies in equipment manufacturing and for factory operators this is helpful because there is a clear point of contact that explains requirements, offers support and checks compliance.

Which Equipment Manufacturers and Production Facilities Are in Scope of NIS-2?

NIS-2 covers not only classic infrastructures but also parts of industrial production, including computers and electronics, electrical engineering, machinery and equipment, motor vehicles and other means of transport. As a rule, obligations apply from 50 employees onward. Revenue and balance sheet total also matter. In particularly sensitive areas the rules apply regardless of company size.

As a result, the number of covered entities in Germany rises from around 4,500 to about 30,000 companies and organizations. This includes many mid-sized machinery and plant manufacturers that previously did not fall under critical infrastructure (KRITIS) rules but operate important parts of supply chains.

If your company falls under NIS-2, you must register within three months of coming into scope. The joint registration office of the BSI and the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK) is responsible. The BBK contributes its role in civil protection and crisis management. Together with the BSI it operates the central contact point for registration and incident notifications.

For registration you should have company master data, contact persons and your internal reporting path ready so that the process runs without last-minute stress.

What Changes in Practice for Equipment Manufacturers and Production Facilities?

The law places the required security level on a binding, verifiable foundation. It requires effective risk management, clear processes for closing vulnerabilities and applying patches, tested incident response and recovery plans, end-to-end logging and monitoring, strong access control with multi-factor login, and rules for cooperation with suppliers and service providers. These minimum measures are taken directly from the EU directive into German law.

In practice, for machines and plants this means: control systems and gateways need a planned update path, distributed device fleets require documented approval and rollback procedures, remote access is managed restrictively, and the supply chain needs reliable proof of the components used. Top management is responsible and must keep decisions and training traceable.

What You Must Do in Case of a Security Incident

In the event of a significant security incident, a three-step process applies. You must file an initial report within 24 hours, an update after 72 hours and a final report after one month. The notification goes to the joint office of BSI and BBK. On request, additional interim reports may be required.

To meet these deadlines reliably you need a rehearsed process that links production, IT, information security and communications, with clear roles, deputies, reachable contacts and prepared wording. From the outset you should collect evidence such as logs, the timeline, the affected systems, the measures taken and an initial assessment of the impact.

Violations can be expensive. For essential entities fines can reach up to 10 million euros or up to 2 percent of global annual turnover. For important entities they can reach up to 7 million euros or up to 1.4 percent. The exact amount depends on the individual case and the severity of the violation. Good preparation reduces the risk of outages and penalties.

NIS-2 has been in force since 6 December 2025 and brings clear rules and fixed deadlines. Operators of distributed production facilities, device fleets and complex supplier networks now benefit from a clean foundation. The clock is ticking. Companies that define responsibilities, update paths and reporting lines now will be able to act under pressure instead of paying for rushed decisions.

Do you need advice or support in implementing the necessary measures for your embedded hardware or software? Feel free to talk to us.