NIS2 · 27 April 2026 · 6 min read

NIS2-UmsuCG Germany — entity classification by 17 October 2026

The Umsetzungs- und Cybersicherheitsstärkungsgesetz transposes EU NIS2 (Directive 2022/2555) into German federal law. Roughly 30,000 German companies are now in scope — most don't know it yet. Registration with the BSI is required by 17 October 2026, and the penalty ceilings are real.

Two entity tiers

Essential entities (Art. 28 NIS2-UmsuCG)

Threshold: ≥250 employees OR >€50M turnover, in any of the 18 sectors listed in Anhang 1:

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking (CRR credit institutions)
  • Financial market infrastructure
  • Health (hospitals, EU reference labs, medical devices, pharmaceuticals)
  • Drinking water + wastewater
  • Digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, CDN, trust service providers, electronic communications)
  • ICT service management (B2B)
  • Public administration (federal + state, with carve-outs)
  • Space

Penalty ceiling: €10M or 2% global turnover, whichever is higher.

Important entities (Art. 29 NIS2-UmsuCG)

Threshold: ≥50 employees OR >€10M turnover, in any of these additional sectors (Anhang 2):

  • Postal + courier
  • Waste management
  • Manufacture/distribution of chemicals
  • Production, processing, distribution of food
  • Manufacture of medical devices, in vitro diagnostics, computers/electronics, electrical equipment, machinery, motor vehicles, other transport equipment
  • Digital providers (online marketplaces, search engines, social networks)
  • Research

Penalty ceiling: €7M or 1.4% global turnover, whichever is higher.

What you must do by 17 October 2026

  1. Register with BSI — Bundesamt für Sicherheit in der Informationstechnik. Single point of contact for incident reports + supervisory communication.
  2. Implement Art. 30 measures — risk analysis + information security policies, incident handling, business continuity + crisis management, supply chain security, system acquisition / development / maintenance, policies + procedures for cryptography, HR security, access control, multi-factor authentication, secure communications.
  3. Art. 32 incident reporting — early warning within 24 hours, incident notification within 72 hours, final report within 1 month for significant incidents.
  4. Management body training + accountability — board-level sign-off on cyber risk management. Personal liability for directors.
  5. Supply chain risk assessment — Annex IV, and your contracts with critical suppliers must include security clauses.

How to classify yourself in 5 minutes

  1. Count headcount (FTE-equivalent, including parent + subsidiary if grouped).
  2. Look up most recent annual turnover (consolidated, group level).
  3. Check sector against Anhang 1 (Essential) and Anhang 2 (Important).
  4. If Essential thresholds met AND Anhang 1 sector → Essential entity. Done.
  5. If not Essential, check Important thresholds (≥50 employees OR >€10M) AND Anhang 2 sector → Important entity.
  6. If neither → still review supply-chain dependencies. You may not be in scope but your customers are, and they'll push obligations down through contract.
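The six-step procedure above as a small Python classifier, with the penalty-ceiling rule and the Art. 32 reporting clock from the sections before it. This is an added illustration, not code from the post or from the kit it advertises; the short sector keys, the Entity class, and reading "within 1 month" as 30 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Short sector keys are constructed labels for the Anhang 1 / Anhang 2 lists above.
ANHANG_1 = {"energy", "transport", "banking", "financial_market_infrastructure",
            "health", "water", "digital_infrastructure", "ict_service_management",
            "public_administration", "space"}
ANHANG_2 = {"postal", "waste", "chemicals", "food", "manufacturing",
            "digital_providers", "research"}

# Thresholds and penalty ceilings as stated in the post (EUR; percentage in basis
# points so the ceiling is computed exactly in integer arithmetic).
ESSENTIAL = {"employees": 250, "turnover": 50_000_000, "fine": 10_000_000, "pct_bp": 200}
IMPORTANT = {"employees": 50, "turnover": 10_000_000, "fine": 7_000_000, "pct_bp": 140}


@dataclass
class Entity:
    employees: int      # FTE-equivalent, parent + subsidiaries if grouped (step 1)
    turnover_eur: int   # most recent annual turnover, consolidated (step 2)
    sector: str         # one of the keys above (step 3)


def classify(e: Entity) -> Optional[str]:
    """Steps 4-6 of the post: 'essential', 'important', or None (not in scope)."""
    if e.sector in ANHANG_1 and (e.employees >= ESSENTIAL["employees"]
                                 or e.turnover_eur > ESSENTIAL["turnover"]):
        return "essential"
    # Step 5 as written checks Anhang 2 sectors only, so a mid-sized Anhang 1
    # company falls through to None here rather than being classified.
    if e.sector in ANHANG_2 and (e.employees >= IMPORTANT["employees"]
                                 or e.turnover_eur > IMPORTANT["turnover"]):
        return "important"
    return None  # step 6: still review supply-chain dependencies


def penalty_ceiling(tier: str, turnover_eur: int) -> int:
    """Fixed amount or percentage of global turnover, whichever is higher."""
    t = ESSENTIAL if tier == "essential" else IMPORTANT
    return max(t["fine"], turnover_eur * t["pct_bp"] // 10_000)


def reporting_deadlines(detected_at: datetime) -> dict:
    """Art. 32 clock for a significant incident; '1 month' taken as 30 days (assumption)."""
    return {"early_warning": detected_at + timedelta(hours=24),
            "notification": detected_at + timedelta(hours=72),
            "final_report": detected_at + timedelta(days=30)}
```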

Need the classifier + register template?

£499 self-serve kit: NIS2-UmsuCG entity classifier wizard, BSI register submission template, Art. 30 measures checklist, incident-reporting workflow template. HMAC-signed evidence per check.


Source: Directive (EU) 2022/2555 · NIS2-UmsuCG (German federal law) · MEOK AI Labs · CSOAI LTD · UK Companies House 16939677