Current status of implementation


The German NIS Directive Implementation Act will come into effect on 30 June 2017. The provisions on providers of digital services only apply as of 10 May 2018.

Implementation Act


The Implementation Act (Federal Law Gazette, BGBl. I 2017 of 29 June 2017, p. 1885) amends the Act on the Federal Office for Information Security ("FOIS Act"), the Atomic Energy Act, the Energy Industry Act, Social Insurance Code V and the Telecommunication Act.

Determination of operators of essential services (Art. 5 NIS)

In accordance with Art. 5 of the NIS Directive, the German regulator has specified the criteria to identify operators of the following essential services:

  • finance and insurance, health, transportation and traffic (all identified as per ordinance of June 2017);
  • energy, IT and telecommunication, water, food (all identified as per ordinance of May 2016).

Reporting obligations

Operators of critical infrastructures must immediately report to the Federal Office for Information Security (FOIS) (i) disruptions of the availability, integrity, authenticity or confidentiality of their IT systems that have led to a failure or significant impairment of the operability of the critical infrastructure, and (ii) significant disruptions that might lead to such a failure or impairment (Section 8b para. 4 of the FOIS Act).

Providers of digital services must immediately report to the FOIS any security incident that has a significant impact on the provision of the digital service provided in the EU (Section 8c para. 3 of the FOIS Act). The term "significant" is defined in the implementing acts pursuant to Art. 16 para. 8 of the NIS Directive. No report is required if the provider does not have sufficient access to the information necessary to evaluate the impact of the security incident.

Sanctions regime


Section 14 of the FOIS Act provides for administrative fines of up to EUR 50,000, in particular in the following cases:

Operators of critical infrastructures wilfully or negligently

  • fail to properly implement appropriate technical and organisational measures to prevent disruptions of availability etc. in a timely manner
  • fail to properly designate a point of contact in a timely manner
  • fail to properly report as described above.

Providers of digital services wilfully or negligently

  • fail to implement technical and organisational measures to tackle risks for the security of the network and information systems
  • fail to properly report as described above.

Infringements by providers of digital services are only sanctioned by the German authorities if the provider (i) has no main establishment in another EU member state, or (ii) where it has no establishment in another EU member state, has appointed a representative there and offers the digital services in that EU member state.

Further, the Implementation Act amends the sanction rules under the Atomic Energy Act, Energy Industry Act, Social Insurance Code V and Telecommunication Act, whilst the administrative fines remain as before:

  • up to EUR 50,000 under the Atomic Energy Act;
  • up to EUR 5,000,000, or in specific cases up to 10% of the total worldwide annual turnover of the preceding financial year, under the Energy Industry Act;
  • up to EUR 50,000 under the Social Insurance Code V; and
  • up to EUR 500,000 under the Telecommunication Act.

Competent authorities

The FOIS is the competent authority for information security at the national level, including the prosecution and control of administrative offences (Sections 1 and 14 para. 3 of the FOIS Act). The FOIS operates under the authority of the German Federal Ministry of the Interior.

Jurisdictional applications

Operators of critical infrastructure are subject to German law if the infrastructure is located in Germany.

The reporting obligations do not apply to providers of digital services that have their main establishment in another EU member state or have appointed a representative in another EU member state in which they offer the digital services. Other obligations (e.g. to implement appropriate technical and organisational measures, "TOMs"), however, apply to providers even though their main establishment is outside Germany (provided, of course, that information security in Germany is concerned, see "Competent authorities").

Remarks (if any)

The key requirements set out in the NIS Directive ("Directive") are already part of the German 2015 IT Security Act ("ITSA"). Accordingly, the ITSA had a front-runner role for the Directive. In light of the ITSA, the changes required to German law resulting from the Directive were relatively small.


Last reviewed 28.02.2018