Bridging Digital Security and Chemicals Regulation


Key Takeaways

  • The EU’s NIS2 Directive (2023) has been transposed into German law via the NIS2UmsuCG act, amending the BSIG and creating cyber‑security obligations for certain REACH‑registered manufacturers and importers.
  • Under German implementation, a company is classified as an “important entity” if it has ≥ 50 employees or both annual turnover > €10 million and balance‑sheet total > €10 million; meeting just one criterion suffices.
  • German law ties the cyber‑security requirements directly to existing REACH‑registration obligations, simplifying self‑assessment but diverging from the EU rule by excluding REACH distributors.
  • Non‑compliance can attract fines of up to €7 million or 1.4 % of global annual turnover—substantially higher than penalties under chemicals law.
  • No transitional period was granted; affected firms must already have implemented measures, and the BSI offers a free “affectedness check” to help first‑timers assess their status.

Overview of the NIS2 Directive and German Transposition
The NIS2 Directive, adopted by the European Union in 2023, establishes a harmonised framework to raise the level of IT security and resilience of critical and important entities across member states. Because EU directives require national transposition, Germany enacted the NIS2UmsuCG act, which amends the IT‑Security Act (BSIG) to embed the directive’s requirements into domestic law. The legislation entered into force on 6 December 2025 without a grace period, meaning that its obligations became enforceable immediately.

Linking IT Security to REACH Obligations
At first glance, cyber‑security and chemicals regulation appear unrelated, yet the revised BSIG creates a direct interface. Manufacturers and importers that are registered under REACH are now subject to specific cyber‑security duties because the German legislature chose to anchor the NIS2 requirements to the already‑existing REACH‑registration framework. This linkage ensures that firms already familiar with REACH thresholds can more easily determine whether they fall under the new IT‑security regime.

Criteria for Classification as “Important Entities”
Section 28(2) No. 3 of the BSIG, read together with Annex 2, Sector 3.1.1, defines the threshold for being labelled an “important entity.” A company qualifies if it employs at least 50 people, or if it records both an annual turnover and an annual balance‑sheet total exceeding €10 million each. The use of “or” means that satisfying either the headcount test or the financial‑size test is sufficient for classification, thereby widening the pool of affected firms compared with a stricter “and” condition.

National Implementation Specifics
Germany’s approach diverges from the pure EU text by directly coupling the cyber‑security obligations to REACH‑registration duties rather than creating a separate set of criteria. This design leverages familiar REACH thresholds, simplifying self‑assessment for manufacturers and importers. However, it also narrows the scope relative to the EU directive: REACH‑defined distributors are excluded from the German definition of important entities, even though they could be caught by NIS2 in other member states. Consequently, the application of cyber‑security rules across the EU is not fully harmonised, creating potential unevenness for companies operating in multiple jurisdictions.

The Intersection of Chemicals Law and IT Security
By embedding NIS2 requirements within the BSIG, the German legislator has forged a connection between two hitherto separate legal domains. Firms that have long focused on REACH compliance must now also address network security, incident reporting, risk management, and supply‑chain safeguards. This linkage may escape notice, especially among smaller enterprises that view REACH primarily as a chemical‑safety matter, yet the consequences of overlooking the cyber‑security side are significant, ranging from regulatory penalties to heightened exposure to cyber‑threats.

Financial Burden versus Added Value
Registering a substance under REACH already entails considerable administrative effort and cost (dossier preparation, data‑access fees, ECHA charges), and it often leads firms to seek alternatives that avoid registration altogether. The additional BSIG‑imposed cyber‑security measures introduce further organisational, personnel, and financial demands, such as implementing security controls, conducting regular audits, training staff, and possibly appointing a dedicated information‑security officer. While these steps raise immediate expenses, they also deliver protective value: robust cyber‑defences can mitigate the rising tide of cyber‑crime, which in Germany alone caused estimated damages of over €200 billion in 2024, a roughly 20 % increase from the previous year.

Sanctions for Non‑Compliance
The stakes are high. For entities deemed “important,” violations of the NIS2‑derived obligations can trigger fines of up to €7 million or 1.4 % of the company’s total global annual turnover, whichever is greater. These penalties far exceed those typically imposed under German chemicals law, underscoring the legislature’s intent to treat cyber‑security breaches as serious infractions with substantial financial repercussions.

Absence of a Transition Period
Despite the growing threat landscape and the delayed national implementation, German lawmakers chose not to grant a transitional phase. Consequently, affected companies were expected to be compliant from the moment the act took effect on 6 December 2025. This lack of lead time places pressure on firms that have not yet begun adapting their IT‑security posture, especially those that only recently became aware of the REACH‑linked cyber‑security duty.

Practical Steps for Affected Companies
For organisations confronting these requirements for the first time, the Federal Office for Information Security (BSI) provides a helpful starting point: a non‑binding, free “affectedness check” accessible on its website. By completing this self‑assessment, a firm can confirm whether it meets the important‑entity thresholds and thus determine the extent of its NIS2‑related obligations. Following the check, companies should embark on a systematic risk assessment, establish baseline security controls, develop incident‑response procedures, and ensure ongoing monitoring and reporting in line with both BSIG and REACH compliance timelines.

Conclusion
The integration of NIS2 cyber‑security requirements into German law via the NIS2UmsuCG act has created a notable overlap with REACH registration obligations. Manufacturers and importers that satisfy either the employee threshold or the financial‑size criteria are now classified as important entities and must implement robust IT‑security measures—or face steep penalties. While the national approach simplifies identification by leveraging familiar REACH thresholds, it also introduces divergences from the EU directive, particularly the exclusion of REACH distributors. Given the absence of a transition period and the escalating cost of cyber‑crime, affected firms are urged to act promptly, using tools such as the BSI’s affectedness check to verify their status and to build a resilient security framework that protects both their chemical‑business interests and their broader corporate assets.
