Germany’s cybersecurity regulation strategy is primarily shaped by the “Cybersecurity Strategy for Germany 2021”, which sets the central policy framework through 2026. The strategy frames cybersecurity as a shared responsibility of the State, the private sector and society, reflecting Germany’s highly digitalised economy and its exposure to cyber-risks. It responds to a persistently high threat level, with Germany regarded as a primary target for cyber-attacks.
The strategy pursues three overarching objectives:
Cybersecurity is thus positioned as a resilience and security issue rather than a purely technical compliance matter.
Core Components of the Strategy
A key element is the strengthening of the Federal Office for Information Security (BSI) as Germany’s central cybersecurity authority. The BSI acts as the main co-ordinating body, develops security standards, facilitates information-sharing and supports both public authorities and private companies in improving cyber-resilience.
The strategy places strong emphasis on the protection of critical infrastructure, particularly in sectors such as energy, healthcare and transport. Increasing the resilience of these sectors is considered essential to safeguarding public services and economic stability. In parallel, the strategy promotes secure digitalisation, including the development and use of secure digital products and services, complemented by EU initiatives such as the Cyber Resilience Act (CRA).
The National Cyber Defence Centre is further developed as a co-operation and crisis response platform, enabling co-ordinated action by security authorities during major cyber-incidents. The strategy also addresses the role of business and society, promoting minimum security standards, cybersecurity awareness, education and a broader security culture.
Legislative Implementation and Scope
Building on this strategic framework, Germany has recently enacted and proposed legislation that increasingly aligns national law with EU-level cybersecurity instruments, most notably through the implementation of NIS2 and related amendments to German IT security law. This legislative approach significantly broadens the scope of cybersecurity obligations beyond traditional critical infrastructure to a wider range of sectors and organisations whose disruption could have economic or societal impact.
Across sectors, the legislature frames cybersecurity regulation as a risk-based governance task. The focus is on organisational responsibility, management accountability, supply chain security and operational resilience, rather than prescriptive technical requirements. This reflects a deliberate policy choice to create a scalable, cross-sector cybersecurity baseline capable of addressing systemic risks in an increasingly interconnected economy.
Germany’s cybersecurity framework in 2026 is a layered national and EU regime. National law, centred on the role of the BSI, establishes baseline organisational duties, while EU instruments – in particular NIS2, the Digital Operational Resilience Act (DORA), the CRA and the AI Act – introduce harmonised, sector-specific and product-focused cybersecurity and risk management obligations.
National Core Framework
New BSI Act (BSIG) – implementation of NIS2
Subject matter
The central national framework is built around the role of the BSI and organisation-focused cybersecurity duties (risk management, incident handling, and security governance requirements for in-scope entities). The new Act on the Federal Office for Information Security and on Information Security in Institutions (BSIG) has been in force since 2 December 2025. It implements the EU NIS2 Directive into German law and significantly strengthens Germany’s cybersecurity framework. The BSIG substantially expands the scope of cybersecurity regulation and introduces enhanced requirements for risk management, incident reporting and supervisory oversight.
Who is in scope
The BSIG extends cybersecurity obligations to a much broader range of organisations across additional sectors. Around 30,000 additional entities are brought into scope, classified as “essential” and “important” entities. This represents a fundamental shift from a narrow critical infrastructure focus to a broader, economy-wide baseline.
Key obligations
In-scope entities must implement minimum cybersecurity measures, including risk management concepts, back-up and recovery mechanisms, encryption and incident-handling processes. A new three-stage incident reporting regime replaces the previous notification system and requires earlier and more structured engagement with the authorities.
Strengthened role of the BSI
The BSIG significantly expands the supervisory and enforcement powers of the BSI, including broader audit rights and the ability, in certain cases, to require co-operation from manufacturers. The BSI also operates a central online platform for information exchange with affected entities, reinforcing its role as Germany’s central cybersecurity authority.
Public sector co-ordination
For the federal administration, the BSIG establishes a central co-ordination function through a Federal CISO, strengthening cybersecurity governance within public institutions.
Territorial reach and background
The BSIG primarily applies to entities operating in Germany but has practical cross-border relevance for international groups with German operations. It is the national implementation of NIS2, adopted in November 2025 and entering into force in December 2025 after a delayed legislative process, with the aim of raising the overall cybersecurity level across the EU.
IT Security Act 2.0 (IT-SiG 2.0)
The IT Security Act 2.0, in force since May 2021, strengthened Germany’s national cybersecurity framework by expanding security obligations for operators of critical infrastructure and other particularly relevant entities. It reinforced the role of the BSI, introduced stricter security requirements for certain critical components and services, and enhanced the State’s ability to respond to significant cyber-threats. While largely superseded by the NIS2 implementation in the new BSIG, it remains relevant as a structural pillar of German IT security law and as the origin of several concepts (critical components, registration duties) carried over into the current regime.
Critical and essential entities (KRITIS) regulation framework (critical infrastructure)
The German KRITIS framework defines and governs the protection of critical infrastructure, meaning facilities, systems and services whose disruption would have significant consequences for public safety, economic stability or the functioning of society. KRITIS covers sectors such as energy, healthcare, transport, water, food supply, information technology and telecommunications.
Operators are classified as so-called “KRITIS entities” based on sector-specific thresholds and functional relevance. Once in scope, they are subject to enhanced cybersecurity and resilience obligations, including the implementation of appropriate security measures and incident reporting. The KRITIS framework therefore operates as a risk-based identification mechanism, determining which operators are subject to heightened protection requirements.
Even with the broader scope introduced by NIS2 and the new BSIG, the KRITIS regime remains practically relevant. It continues to serve as a reference point for elevated security expectations and supervisory attention, particularly for operators whose failure could cause systemic disruption. KRITIS thus remains a cornerstone of Germany’s approach to safeguarding essential services against cyber-threats.
Telecommunications and Telemedia Data Protection Act (TTDSG)
The TTDSG (renamed the Telecommunications and Digital Services Data Protection Act, TDDDG, in May 2024 when the Telemedia Act was replaced in the course of the Digital Services Act implementation) complements the General Data Protection Regulation (GDPR) in the context of electronic communications and digital services. It governs the confidentiality and security of communications data and end-user information, particularly for telecommunications providers and certain digital service providers. The Act therefore reinforces cybersecurity expectations in sectors where service availability and data confidentiality are critical.
EU Cybersecurity and Digital Resilience Regulations
CRA
The CRA (EU Regulation 2024/2847) is the first EU regulation that sets minimum cybersecurity requirements for all networked products available on the EU market. The CRA introduces horizontal cybersecurity requirements for products with digital elements, focusing on security-by-design, vulnerability handling and secure life cycle management. It applies to manufacturers and other economic operators placing covered products on the EU market, regardless of their place of establishment. Owing to its product-based approach, the CRA has strong extraterritorial effect and is particularly relevant for software vendors and industrial manufacturers operating in or supplying the EU market. The CRA entered into force in December 2024; the manufacturers’ obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026, and the main product requirements apply from 11 December 2027.
AI Act
The AI Act (EU Regulation 2024/1689) establishes a risk-based regulatory framework for AI systems, including obligations relating to system security, robustness and risk management. While not a cybersecurity law in the narrow sense, it has significant cybersecurity relevance where AI systems are exposed to manipulation, misuse or operational failure. The Act applies to providers and deployers of AI systems used or placed on the EU market, including those established outside the EU. In practice, it adds an additional security and governance layer for AI-based systems alongside NIS2, DORA and the CRA.
GDPR
The GDPR (EU Regulation 2016/679) constitutes an important horizontal pillar of cybersecurity law by imposing binding technical and organisational security requirements for the protection of personal data. In practice, many cyber-incidents involve personal data and therefore trigger parallel GDPR security and breach notification obligations. Owing to its broad scope and extraterritorial reach, the GDPR plays a central role in shaping cybersecurity practices across sectors, particularly where data security and cyber-risk intersect.
DORA
DORA (EU Regulation 2022/2554) establishes a sector-specific and highly prescriptive framework for ICT risk management in the financial sector. It covers governance, incident reporting, resilience testing and the management of ICT third-party risks. The regulation applies to a broad range of regulated financial entities and indirectly affects ICT service providers through contractual and supervisory requirements. DORA reflects the EU legislature’s approach of imposing deeper and more detailed cybersecurity obligations where systemic financial stability is at stake.
Across all regimes, cybersecurity obligations are largely risk-based and technology-neutral in Germany. As a result, guidance, standards and codes of practice play a decisive practical role in shaping compliance expectations. They are particularly relevant in supervisory assessments and audits, in contractual cybersecurity baselining with customers and suppliers, and in post-incident reviews assessing whether security measures were adequate and reasonable. In practice, organisations therefore often treat recognised standards and authority guidance as effectively binding, even where they are not formally mandated by law.
Germany’s cybersecurity regulatory landscape is characterised by a multi-layered supervisory model, combining a central technical authority with sector-specific regulators and data protection authorities to ensure effective oversight, enforcement and co-ordinated incident response across the economy.
BSI
The BSI is the central cybersecurity authority in Germany. Its mandate covers the supervision and enforcement of the new BSIG, including the implementation of NIS2, as well as the protection of critical infrastructure and the co-ordination of national cybersecurity efforts.
The BSI has extensive supervisory and investigative powers, including the right to request information, conduct audits, review security concepts and incident-response measures, and issue binding orders to remedy deficiencies. Under the BSIG, it can also impose sanctions and, in certain cases, require co-operation from manufacturers or service providers. The BSI operates Germany’s national Computer Emergency Response Team (CERT-Bund) and acts as the primary recipient and co-ordinator of cyber-incident notifications from in-scope entities.
Sectoral Supervisory Authorities
In regulated sectors, cybersecurity supervision is often exercised by sector-specific regulators, either independently or in co-ordination with the BSI. For example, in the financial sector, supervisory authorities such as the Federal Financial Supervisory Authority (BaFin) enforce cybersecurity and ICT risk management obligations under DORA, supported by binding technical standards and supervisory guidance.
These authorities typically have powers to request information, conduct on-site inspections, require remediation measures and impose administrative sanctions. Sectoral incident response expectations are usually embedded in supervisory frameworks, with close co-ordination between regulators and the BSI where incidents have broader cybersecurity relevance.
Data Protection Authorities
Germany’s federal and state data protection authorities play an important role where cyber-incidents involve personal data. They enforce the GDPR and national data protection law, including security obligations and breach notification requirements. Their investigative tools include audits, information requests and corrective measures, and they may impose significant administrative fines.
In practice, cybersecurity incidents frequently trigger parallel procedures before cybersecurity and data protection authorities, requiring co-ordinated incident management by affected organisations.
National Cyber Defence and Response Structures
Germany operates a National Cyber Defence Centre (Cyber-AZ), which serves as a co-operation and co-ordination platform for security authorities in serious cyber-incidents. While it does not act as a regulator itself, it enables information-sharing and joint situational awareness among authorities responsible for cybersecurity, intelligence and law enforcement.
CERT-Bund, operated by the BSI, functions as the central national cyber-incident response team, supporting public authorities and private operators with technical analysis, warnings and incident co-ordination. In addition, sectoral or organisational CERTs operate in specific industries and typically liaise with the BSI during significant incidents.
Overall, Germany’s cybersecurity enforcement model combines central technical co-ordination by the BSI with sector-specific supervision and data protection oversight. The authorities’ approach focuses on risk-based supervision, organisational capability and incident readiness, supported by strong investigative powers and co-ordinated response mechanisms. This multi-layered structure reflects the legislature’s view of cybersecurity as a cross-sector and systemic responsibility rather than a purely technical compliance issue.
Cybersecurity for critical and essential entities (KRITIS) in Germany is governed by a layered framework combining national law with EU requirements. At national level, the core pillars are the new BSIG, in force since December 2025, and the long-standing KRITIS framework for critical infrastructure. These regimes are now closely aligned with the EU’s NIS2 Directive, which significantly expands and reshapes the scope of regulated entities.
The overall approach moves away from a narrow focus on traditional critical infrastructure towards a broader resilience model. Cybersecurity obligations are no longer limited to a small group of operators but apply to a wider set of organisations whose disruption could have significant societal or economic effects.
Designation Criteria and Categories of Entities
Germany distinguishes between different categories of in-scope entities, largely following the NIS2 logic. The BSIG classifies organisations as “essential” or “important” entities based on their sector, function and relevance, rather than purely on ownership or public status. Designation criteria typically combine:
This results in a substantial expansion of scope, with many medium-sized companies now subject to formal cybersecurity obligations for the first time.
Covered Sectors and Services
The framework covers a broad range of sectors traditionally associated with critical infrastructure, including:
In addition, the scope now explicitly extends to digital and technology-driven services, reflecting their systemic importance. This includes certain digital infrastructure providers, data centres, cloud services and operators that play a key role in enabling essential services.
Managed service providers and other ICT service providers may fall within scope directly if they meet the relevant criteria, or indirectly through contractual and supervisory requirements imposed on their customers. This reflects a clear policy choice to address supply chain and dependency risks as part of critical infrastructure protection.
Cybersecurity Obligations for In-Scope Entities
Entities designated as essential or important are subject to risk-based cybersecurity obligations rather than fixed technical prescriptions. These typically include:
The focus is on organisational capability, governance and preparedness, rather than on compliance with specific technologies.
Role of Authorities and Guidance
The BSI is the competent authority responsible for supervising cybersecurity obligations for KRITIS. It issues guidance, technical recommendations and sector-specific information that play an important practical role in interpreting statutory duties.
While such guidance is not always formally binding, it is widely treated as authoritative in supervisory practice, audits and post-incident assessments. Recent BSI publications have focused in particular on supply chain security, cloud dependencies and incident-handling processes.
Scope Uncertainties and Practical Clarifications
Despite the more systematic framework introduced by NIS2 and the revised BSIG, uncertainty around the scope of application remains a key practical issue. This particularly affects entities that do not fall within traditional critical infrastructure categories but play an enabling role in digital or industrial ecosystems.
Uncertainty most commonly arises in relation to digital services and managed service providers. While data centres and certain cloud or network services are explicitly covered, the classification of hybrid or specialised services – such as platform or Software as a Service (SaaS) providers – often requires a functional assessment rather than a simple sector-based test. Similar questions arise for managed service providers, where it is not always clear whether they are directly in scope or primarily affected through contractual obligations imposed by regulated customers.
Further ambiguities result from complex group and cross-border structures, especially where IT or security functions are centralised outside Germany, and from the application of size and materiality thresholds to fast-growing or platform-based business models. In practice, the BSI’s guidance and FAQs play a decisive role in resolving these questions, with supervisory interpretation tending towards a broad and inclusive approach to critical-infrastructure cybersecurity.
Germany’s baseline cybersecurity requirements for critical and essential entities are risk-based and principle-driven. Rather than mandating specific technical controls, the legal framework requires organisations to implement appropriate technical and organisational measures aligned with their risk profile, criticality and dependencies. In practice, supervisory focus lies on governance, incident readiness and demonstrable operational capability.
Regulators and auditors place less emphasis on formal policies and more on whether organisations can prevent, detect, respond to and recover from cyber-incidents in a timely and structured manner. Documentation, testing and evidence of effective implementation are therefore central.
Core expectations include clear governance and accountability at management level, auditable policies and controls, and the use of recognised security frameworks to demonstrate state-of-the-art implementation. Organisations must maintain visibility over critical assets and dependencies, perform continuous risk assessments and prioritise controls based on realistic threat scenarios.
Supply chain security is a key focus. Critical suppliers and outsourced services – particularly cloud services – require enhanced governance, contractual security obligations and operational co-ordination, including incident-response alignment.
Entities are also expected to operate effective vulnerability and patch management, supported by monitoring and detection capabilities. Where technical remediation is limited, compensating controls are required.
Finally, incident response, business continuity and recovery are central pillars. Authorities expect realistic, tested response plans, robust back-up and recovery capabilities, and resilience planning that addresses systemic and prolonged disruptions. Overall, compliance is measured by operational resilience, not by the absence of incidents.
Incident response and notification obligations in Germany follow a layered and parallel reporting model. The applicable requirements depend on the legal regime in scope, most notably the BSIG (NIS2 implementation), sector-specific regimes such as DORA for financial entities, and the GDPR where personal data is affected. The overall legislative approach prioritises early situational awareness, followed by structured updates and post-incident transparency.
Rather than relying on a single notification, the framework is designed around graduated reporting, allowing authorities to react early while receiving progressively more detailed information as the incident evolves.
BSIG (NIS2 Implementation)
Under the BSIG, incident notification obligations are triggered by a significant cybersecurity incident affecting an essential or important entity. Significance is assessed on a risk-based basis, taking into account factors such as the impact on service availability, integrity or confidentiality, the number of affected users, the duration of the incident and its geographical spread. The threshold is deliberately broad and requires organisations to make an early classification even where technical facts are incomplete. The focus is on whether the incident has, or is likely to have, a material operational or societal impact. According to Section 37 BSIG (in conjunction with NIS2), significant security incidents must be reported to the BSI. The deadlines include an early warning (initial report) within 24 hours of becoming aware of the incident, a follow-up report within 72 hours, and a final report within one month.
Authorities – in particular, the BSI – explicitly accept that early warning/initial reports may be incomplete or based on preliminary assessments. The focus at this stage is on enabling co-ordination, risk assessment and, where necessary, technical support.
GDPR
Under the GDPR, notification obligations arise where an incident qualifies as a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The threshold is therefore not operational impact but risk to individuals, such as identity theft, fraud or loss of confidentiality. Notification to the competent (in most cases, state) data protection authority is required without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where the risk to individuals is high, affected individuals must in addition be informed without undue delay. Supervisory authorities expect prompt breach notifications and accept phased submissions where the facts are not yet complete, and may request supplementary information as investigations progress. While post-incident reports are not formally labelled as such under the GDPR, authorities routinely require updates and remedial action plans.
In addition to the BSIG and the GDPR, sector-specific German laws may trigger cybersecurity-related incident notification duties.
Financial Sector
Under DORA, financial entities must classify cyber-, ICT- or payment-related incidents according to a harmonised EU framework distinguishing between major and non-major incidents. Classification criteria include the criticality of affected services, financial and operational impact, data losses, reputational effects and cross-border relevance. Reports must be submitted to BaFin, the supervisory authority for the financial sector. Compared to the BSIG, DORA applies more granular and prescriptive thresholds, reflecting the heightened sensitivity of the financial sector. Only incidents classified as “major” trigger full notification obligations. Strict deadlines apply: an initial notification must be submitted within four hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of it; an intermediate report follows within 72 hours of the initial notification, and a final report within one month after that. Supervisory authorities use these reports primarily to assess operational resilience and third-party risk management, rather than to sanction early reporting behaviour.
Operators of Critical Infrastructure (KRITIS)
KRITIS operators are subject to heightened incident-reporting obligations under the German IT security framework. Since 1 April 2025, stricter notification requirements apply, including a 24-hour deadline for initial incident notification. Owing to the systemic relevance of critical services, even disruptions with limited immediate impact may trigger reporting duties.
Telecommunications Providers
Telecommunications providers must report security breaches affecting networks or services pursuant to Section 168 of the Telecommunications Act (TKG). Notifications must be made to both the BSI and the Federal Network Agency (Bundesnetzagentur). These obligations operate alongside, and independently from, GDPR breach notification requirements.
As a result, cybersecurity incidents in Germany frequently trigger parallel notification obligations under multiple legal regimes, each with different classification criteria and timelines. Organisations operating in regulated or critical sectors must therefore assess incidents against several statutory thresholds simultaneously and ensure co-ordinated reporting to avoid delays or inconsistencies.
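To make the parallel clocks concrete, the following added example (not part of the original text, and not an official tool of the BSI, BaFin or any data protection authority) derives a notification schedule for a single incident from the deadlines stated above. The `Incident` record, the sample incident and the treatment of “without undue delay” duties as undated entries are constructed assumptions; the DORA intermediate and final deadlines are chained worst-case from the preceding deadline because actual submission times are not known in advance, and the TKG entry assumes “without undue delay” as the statutory standard. Whether NIS2 reporting is displaced by DORA for a given financial entity is left to the caller via the `nis2_entity` flag.

```python
"""Parallel notification-deadline scheduler for a cyber-incident under the
BSIG/NIS2, GDPR, DORA and TKG regimes. Added example; deadlines follow the
text above, all data structures and sample values are constructed."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Incident:
    awareness: datetime                    # moment the entity became aware (BSIG/GDPR/TKG clock)
    nis2_entity: bool = False              # essential/important entity under the BSIG
    nis2_significant: bool = False         # classified as a significant incident
    personal_data_risk: str = "none"       # "none" | "risk" | "high" (GDPR Art. 33/34 trigger)
    financial_entity: bool = False         # in DORA scope
    dora_major: bool = False               # classified as a major ICT-related incident
    dora_classified_at: Optional[datetime] = None  # moment of the "major" classification
    telecoms_provider: bool = False        # Section 168 TKG addressee
    network_breach: bool = False           # security breach affecting networks/services


@dataclass(frozen=True)
class Obligation:
    regime: str
    recipient: str
    step: str
    due: Optional[datetime]                # None = "without undue delay", no fixed clock


def add_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month."""
    year, month = (dt.year + dt.month // 12, dt.month % 12 + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def notification_schedule(inc: Incident) -> list[Obligation]:
    """Return every notification step the incident triggers, earliest first."""
    out: list[Obligation] = []
    t0 = inc.awareness
    if inc.nis2_entity and inc.nis2_significant:
        out += [
            Obligation("BSIG/NIS2", "BSI", "early warning", t0 + timedelta(hours=24)),
            Obligation("BSIG/NIS2", "BSI", "incident notification", t0 + timedelta(hours=72)),
            Obligation("BSIG/NIS2", "BSI", "final report", add_month(t0)),
        ]
    if inc.personal_data_risk in ("risk", "high"):
        out.append(Obligation("GDPR", "data protection authority",
                              "breach notification", t0 + timedelta(hours=72)))
        if inc.personal_data_risk == "high":
            out.append(Obligation("GDPR", "affected individuals", "communication", None))
    if inc.financial_entity and inc.dora_major:
        classified = inc.dora_classified_at or t0
        # 4h after classification, but never later than 24h after awareness
        initial = min(classified + timedelta(hours=4), t0 + timedelta(hours=24))
        intermediate = initial + timedelta(hours=72)     # worst case: initial filed at its deadline
        final = add_month(intermediate)                  # assumption: one month after intermediate
        out += [
            Obligation("DORA", "BaFin", "initial notification", initial),
            Obligation("DORA", "BaFin", "intermediate report", intermediate),
            Obligation("DORA", "BaFin", "final report", final),
        ]
    if inc.telecoms_provider and inc.network_breach:
        for recipient in ("BSI", "Bundesnetzagentur"):   # both addressees under Section 168 TKG
            out.append(Obligation("TKG", recipient, "security breach report", None))
    # undated ("without undue delay") duties sort to the front, then by due time
    return sorted(out, key=lambda o: (o.due or t0, o.regime, o.step))


def earliest_dated_deadline(inc: Incident) -> Optional[datetime]:
    """The first fixed clock that runs out; this is what the IR lead tracks first."""
    dated = [o.due for o in notification_schedule(inc) if o.due is not None]
    return min(dated) if dated else None


# Constructed sample: a financial entity that is also an essential entity under
# the BSIG, with a high-risk personal-data exposure; classified as "major"
# 30 hours after awareness, so the DORA 24-hour cap bites before the 4-hour rule.
SAMPLE_INCIDENT = Incident(
    awareness=datetime(2026, 3, 10, 2, 15, tzinfo=timezone.utc),
    nis2_entity=True, nis2_significant=True,
    personal_data_risk="high",
    financial_entity=True, dora_major=True,
    dora_classified_at=datetime(2026, 3, 11, 8, 15, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for o in notification_schedule(SAMPLE_INCIDENT):
        when = o.due.isoformat() if o.due else "without undue delay"
        print(f"{when:<25} {o.regime:<10} {o.recipient:<28} {o.step}")
```

Running the sample shows the practical point of the section: the BSIG early warning and the DORA initial notification fall due at the same hour, the GDPR and BSIG 72-hour reports coincide, and the DORA final report runs on a different month clock than the BSIG final report. A real tracker would replace the worst-case chaining with the actual submission timestamps as each report is filed.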
The German State bears primary responsibility for national cyber-resilience, understood as the ability of public institutions and essential services to prevent, withstand and recover from cyber-incidents. This responsibility is anchored in a co-ordinated federal approach, with cybersecurity treated as a matter of internal security, economic stability and public safety. The State’s role focuses on setting strategic direction, ensuring operational readiness and co-ordinating responses to large-scale or systemic cyber-incidents.
Operationally, responsibilities are concentrated at the federal level, while state authorities retain roles in specific sectors and enforcement contexts. The overall objective is to maintain continuity of public services and limit cascading effects across society and the economy.
Threat Intelligence and Information Sharing
A central state obligation is the collection, analysis and dissemination of cyber-threat intelligence. This role is primarily fulfilled by the BSI, which gathers information from incident reports, technical analyses and international partners. The BSI issues warnings, situation reports and technical advisories to public authorities and private operators.
Information sharing is structured but largely co-operative. The State encourages early reporting and voluntary information exchange to improve situational awareness and collective defence. While participation is mandatory for in-scope entities under certain regimes, the broader intelligence-sharing framework is designed to support prevention rather than enforcement.
Public–Private Co-Operation
Public–private co-operation is a core element of Germany’s cybersecurity model. The State actively promotes collaboration with industry, recognising that much of the country’s critical digital infrastructure is privately operated. Platforms for co-operation include sector-specific working groups, information-sharing forums and joint response structures co-ordinated by the BSI.
The National Cyber Defence Centre serves as a co-ordination hub in serious incidents, enabling information exchange between security authorities and, where appropriate, affected private operators. This reflects a policy approach that relies on partnership and shared responsibility rather than purely top-down regulation.
International and EU-Level Engagement
Germany also has responsibilities at EU and international level, contributing to collective cyber-resilience through co-operation with EU institutions, other member states and international partners. This includes participation in cross-border incident co-ordination, alignment with EU cybersecurity initiatives and engagement in international threat intelligence networks.
Operational resilience in Germany’s financial sector is primarily governed by DORA, which has applied since 17 January 2025. DORA establishes a uniform EU-wide framework for ICT risk management, incident reporting, digital operational resilience testing and the management of ICT third-party risk. It replaces fragmented national approaches with a harmonised regime applicable across the EU.
DORA applies directly and does not require national transposition. In Germany, it is enforced by the competent financial supervisory authorities – in particular BaFin – in co-ordination with EU supervisory bodies.
DORA covers a broad range of supervised financial entities, including:
The framework applies irrespective of the size of the institution, although proportionality principles allow requirements to be calibrated based on the entity’s risk profile, complexity and systemic relevance.
DORA has a strong extraterritorial effect. Although formally addressed to EU-regulated financial entities, its requirements extend to non-EU ICT service providers that support EU financial institutions. Such providers must accept contractual audit, access and co-operation obligations and, if designated as critical, may be subject to direct EU-level oversight. As a result, global technology and cloud providers servicing the EU financial sector must align their security, resilience and incident-handling practices with DORA expectations to remain viable vendors.
In practice, DORA operates alongside horizontal cybersecurity frameworks such as NIS2/BSIG, but applies as a lex specialis for financial entities. Financial institutions must therefore manage operational resilience primarily under DORA, while ensuring consistency with cross-sector governance and reporting duties where applicable.
In Germany, mandatory requirements for ICT and third-party service providers arise mainly under DORA and the BSIG (NIS2 implementation). An ICT service provider is defined broadly and functionally, covering any provider supplying digital or data-related services that support critical or regulated functions, such as cloud services, data centres, software, managed IT services or network infrastructure.
Criticality and Scope of Oversight
Criticality depends on the importance of the service for operational continuity and security of the financial entity. Under DORA, certain ICT service providers may also be designated as critical at EU level based on systemic relevance, scale, substitutability and dependency risks. Designated providers are subject to direct oversight, while others are indirectly regulated through contractual requirements imposed on supervised entities.
Key Contractual Requirements
Regulated entities must ensure that outsourcing and ICT service contracts include specific minimum contractual safeguards. These commonly cover:
Contracts must allow regulated entities to demonstrate control over outsourced functions and to comply with supervisory expectations throughout the outsourcing life cycle.
Access, Inspection and Audit Rights
A core requirement across regimes is that regulated entities retain effective access, inspection and audit rights. This includes the ability to obtain information, conduct audits or rely on pooled audits, and enable supervisory authorities to exercise their own oversight powers where required.
In practice, these rights must be operationally feasible. Authorities increasingly scrutinise whether audit rights are meaningful in cloud and large-scale service environments, rather than purely contractual in nature.
Subcontracting and Chain Outsourcing
Subcontracting and chain outsourcing are permitted but subject to transparency and control requirements. Regulated entities must be informed of material subcontracting arrangements and retain the ability to assess associated risks. In critical cases, consent or notification mechanisms are required. The key expectation is that risk management extends across the entire outsourcing chain. Regulated entities cannot avoid responsibility by relying on complex subcontracting structures.
Exit Strategies, Data Portability and Substitutability
Exit planning is a central element of third-party risk management. Regulated entities must ensure that contracts provide for orderly termination, including data portability, deletion or return of data, and continued access during transition periods. Organisations are expected to assess substitutability in advance and to avoid excessive dependency on a single provider. For critical services, tested exit strategies and realistic transition plans are increasingly expected.
Data Location and Operational Dependencies
While data localisation is not generally mandated, regulated entities must maintain transparency over data location and processing. This includes understanding where data and services are hosted and how cross-border dependencies affect risk exposure. In practice, regulators focus on whether data location and service architecture support effective incident response, supervision and continuity, rather than on strict geographic requirements. However, providers established in the EU or hosting data within the EU are easier to manage, as they operate under a uniform EU data protection and cybersecurity framework, facilitating supervision, audit rights and enforcement.
Concentration Risk Management
Managing concentration risk is a key supervisory focus, particularly in relation to cloud and large-scale ICT providers. Regulated entities are expected to identify, assess and mitigate risks arising from reliance on a limited number of providers. Mitigation measures may include diversification, multi-vendor strategies, enhanced monitoring and contractual safeguards. Authorities increasingly expect concentration risk to be addressed at strategic level, not merely as a technical procurement issue.
DORA requires senior management of financial entities to take ownership of ICT risk and resilience, including approving the ICT risk strategy, ensuring adequate resources, and embedding operational resilience in the broader risk management and internal control system. In practice, institutions must be able to demonstrate clear roles, escalation paths and decision-making procedures that function under crisis conditions.
ICT Risk Management (Core Control Expectations)
DORA requires a comprehensive ICT risk management framework covering identification, protection, detection, response and recovery. Practical baseline elements include an up-to-date asset and dependency view, access controls, logging and monitoring, secure configuration, and disciplined vulnerability and patch management. The framework must also address resilience in cloud environments, including operational dependencies and realistic continuity planning.
Third-party risk is a central pillar. Financial entities must maintain a structured process for assessing and monitoring ICT outsourcing, including concentration risk and the ability to maintain control over outsourced functions. This includes contractual safeguards and operational readiness to manage incidents involving key providers.
Digital Operational Resilience Testing
Financial entities must conduct regular testing of their ICT resilience and security posture. Testing is expected to be risk-based and proportionate but sufficiently robust to validate whether critical functions can withstand and recover from disruptions. For more complex or higher-impact entities, advanced testing expectations apply, and supervisors increasingly look for evidence that tests drive measurable improvements rather than being treated as a formal exercise.
Testing obligations also influence third-party relationships. Providers supporting critical functions are expected to co-operate with testing and provide information necessary for the institution’s assurance and validation processes.
Incident Management and Reporting
DORA requires financial entities to maintain structured incident detection, classification and response procedures, including internal escalation, containment and recovery. Reporting obligations are triggered for major ICT-related incidents, assessed using criteria such as impact on critical services, number of affected clients or transactions, duration, geographical spread and material financial or data-related impact.
Major incidents are reported to the competent authority (BaFin) via a staged approach consisting of an initial notification, intermediate updates and a final report after resolution. The DORA reporting standards set tight deadlines for each stage: the initial notification is due within four hours of classifying the incident as major and in any event within 24 hours of becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the (latest) intermediate report. These deadlines only work if the institution can classify quickly, which in turn depends on detection and escalation procedures that already capture the classification criteria. ICT third-party providers are generally not required to report directly under DORA, but must enable timely reporting through contractual co-operation, rapid information sharing and support during incident response.
Interplay With Other Frameworks (Practical Co-Ordination)
In practice, operational resilience programmes are designed to satisfy DORA as the sector “deep regime”, while ensuring consistency, where personal data is affected, with GDPR security and breach handling. The central operational challenge is therefore co-ordination: aligning internal processes, maintaining consistent incident narratives across different reporting channels, and ensuring that third-party contracts and procedures support multi-regime compliance.
DORA creates an EU oversight framework in which a Lead Overseer (within the European Supervisory Authorities’ (ESAs) Joint Committee set-up) conducts supervision of designated critical ICT third-party providers. The ESAs published the first list of designated critical ICT third-party providers on 18 November 2025, which effectively marked the operational “starting point” for direct oversight.
Supervisory Measures and Investigative Tools
For such critical ICT providers, the Lead Overseer has a toolkit designed to overcome classic supervision barriers (lack of access, cross-border service delivery, concentration). In particular, DORA contemplates:
A practical “how we will do this” layer is also provided by the ESAs’ Guide on DORA oversight activities (15 July 2025), which (while not legally binding) signals supervisory expectations and process mechanics.
Sanctioning Powers and Typical Penalty Ranges (Critical ICT Providers)
The most distinctive sanctioning tool at EU level is periodic penalty payments to compel co-operation and remediation. DORA allows the Lead Overseer to impose daily penalty payments for non-compliance – up to 1% of the provider’s average daily worldwide turnover, for up to six months (until compliance is achieved).
Public, provider-specific sanctions against designated critical ICT providers have not yet been imposed or published (the regime is still early-cycle), but the penalty payment lever is explicitly built for fast escalation where access or co-operation is blocked.
What This Means in Practice
Even if a critical ICT provider is headquartered outside Germany (or outside the EU), the oversight regime is designed to remain enforceable where the provider is systemic for EU financial services (including via “business presence” expectations discussed in the Regulation’s recitals).
Germany does not operate a general cybersecurity-driven data localisation rule comparable to strict “data must stay in-country” requirements. Instead, cross-border data handling is governed primarily by EU data protection law (GDPR) and, in the financial sector, by DORA’s ICT third-party risk framework. In practice, this means that firms can use global providers but must be able to demonstrate control, auditability and recoverability even when services and data are delivered from outside the EU.
DORA does not ban third-country outsourcing, but it treats location and cross-border dependencies as core resilience factors. A practical lever is the register of information: financial entities must document ICT outsourcing comprehensively, including relevant subcontractors for ICT services supporting critical or important functions. This enables supervisors to identify geographical dependencies and concentration patterns, and it forces firms to understand where their critical ICT services are actually delivered from.
EU and sectoral outsourcing guidance (commonly used as a benchmark in practice) repeatedly highlights five areas that become more complex when providers or processing are outside the EU: data and system security, data location and processing location, access and audit rights, chain outsourcing, and exit strategies/contingency planning. From a resilience perspective, the “third-country” issue is often less about where the servers sit and more about whether foreign legal constraints (eg, restrictions on disclosure or audit) could undermine supervision, incident response or recovery planning.
A recurring market reality is therefore that EU-hosted/EU-established providers are operationally easier to manage, because a uniform EU legal baseline typically reduces friction around supervisory access, audit execution and enforcement (particularly when combined with GDPR-aligned contractual set-ups).
Where operational resilience outsourcing involves personal data and the data leaves the European Economic Area (EEA), GDPR transfer rules apply in parallel with DORA/outsourcing governance. The main lawful mechanisms are:
Supervisory expectations post-Schrems II centre on a documented, case-specific assessment of third-country risks and – where needed – supplementary measures (eg, encryption with key control, organisational and contractual safeguards) to ensure “essentially equivalent” protection.
Germany’s primary “mandatory” threat-led penetration testing (TLPT) regime is DORA (EU-wide). DORA establishes TLPT as an advanced testing requirement for selected financial entities, operationalised through a dedicated Regulatory Technical Standard (RTS) adopted at EU level and aligned with the TIBER-EU methodology.
In parallel, Germany has an established threat-intelligence-based red teaming framework, TIBER-DE, operated through the Bundesbank as the national competence centre. TIBER-DE is the German national implementation of TIBER-EU and has been used as a high-quality testing standard for the German financial sector.
Entities Required to Perform TLPT
TLPT is not universal for all DORA entities. Competent authorities (in Germany, typically BaFin, and for certain institutions also the ECB within its remit) identify which financial entities must conduct TLPT.
TIBER-DE can be used as a supervisory/oversight tool to test cyber-resilience in the financial sector; participation and timing are generally co-ordinated with the relevant authorities under the TIBER approach.
TLPT Cycles
Where TLPT is mandatory, the minimum cycle under DORA is at least every three years; the supervisory authority (BaFin) may require more frequent testing based on supervisory expectations and entity-specific risk.
Tester Requirements
A specific RTS governing DORA TLPT specifies requirements for:
TIBER-EU tests are typically delivered with specialised external threat intelligence providers and red-team testers, with clear expectations around competence and controlled testing on live systems. The Bundesbank provides supporting documentation and procurement guidance references to help entities select suitable providers under the TIBER model.
Recognition of Equivalent Tests From Other Jurisdictions
A key design feature of TIBER-EU is the facilitation of mutual recognition of tests across European jurisdictions, provided the test meets the framework’s mandatory requirements. This is particularly relevant for cross-border groups seeking to avoid duplicative testing and to align evidence of resilience across multiple supervisory audiences.
Cyber-resilience requirements in Germany are governed by a layered framework of EU regulations and national implementing laws, rather than by a single, standalone statute. The regulatory focus has shifted from purely organisational cybersecurity duties towards a broader concept of resilience that also addresses products, services and supply chains.
At cross-sector level, cyber-resilience is primarily driven by the German implementation of the NIS2 Directive through the new BSIG. This regime targets organisations classified as essential or important entities and emphasises governance, risk management, incident handling and continuity. It does not impose direct security-by-design requirements for individual products, but it indirectly raises security expectations for the systems and services used in critical operations.
Product-focused cyber-resilience is addressed by the CRA, which introduces binding, horizontal security-by-design and security-by-default requirements for products with digital elements placed on the EU market. The CRA clearly covers connected devices, embedded software and standalone software products, regardless of where the manufacturer is established. Its main obligations apply from 11 December 2027, with the manufacturer reporting obligations for actively exploited vulnerabilities and severe incidents applying earlier, from 11 September 2026, and it has a strong extraterritorial effect.
Purely digital services, including SaaS, are generally not treated as products under the CRA where no software is placed on the market. They are instead primarily regulated through organisational regimes such as NIS2/new BSIG or sector-specific frameworks such as DORA in the financial sector. Overall, cyber-resilience in Germany is regulated across the full life cycle, with product design, service delivery and organisational governance addressed through complementary but distinct legal regimes.
In Germany, binding cyber-resilience obligations at product level are primarily set by the EU’s CRA, which applies directly and is enforced through the EU market surveillance system. Unlike organisational cybersecurity regimes, the CRA establishes security-by-design and life cycle obligations for products with digital elements placed on the EU market. The focus is on preventing vulnerabilities, managing risks over time and ensuring accountability after market entry.
Vulnerability Handling, Patching and Updates
Manufacturers must implement structured vulnerability-handling processes covering detection, assessment, remediation and communication. Security updates must be provided throughout the defined support period, which generally must reflect the product’s expected lifetime. Updates must be made available in a way that allows users to install them effectively, ensuring that vulnerabilities can be mitigated in practice rather than only in theory.
Post-Market Surveillance and Corrective Measures
Cyber-resilience obligations continue after a product is placed on the market. Manufacturers must actively monitor products for vulnerabilities and incidents and take corrective action where non-compliance is identified. Depending on severity, this may range from issuing security updates to withdrawing or recalling products if risks cannot be adequately mitigated.
Conformity Assessment, Marking and Certifications
Before market placement, manufacturers must perform a conformity assessment, prepare technical documentation and issue an EU declaration of conformity. Compliant products must bear CE marking. For certain higher-risk product categories, conformity assessment may involve more stringent procedures, including third-party assessment, affecting development timelines and market access.
Enforcement and Penalties
Enforcement is carried out by market surveillance authorities – in Germany, primarily the BSI. Authorities may request information, order remediation, restrict market availability or require recalls. Administrative fines can reach up to EUR15 million or 2.5% of global annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements, with lower maximum amounts for other types of infringement. Overall, the CRA combines financial sanctions with strong corrective powers to ensure effective cyber-resilience in practice.
Germany’s cybersecurity certification landscape is primarily governed by the BSI. The BSI acts as Germany’s National Cybersecurity Certification Authority (NCCA) under the IT Security Act 2.0 and the EU Cybersecurity Act. In this role, it is responsible for national certification schemes, the implementation of EU-wide certification frameworks and the supervision of recognised bodies and schemes.
The German approach combines nationally established frameworks with emerging EU-wide certification schemes, allowing organisations to demonstrate cybersecurity assurance at product, service and organisational level.
Core National Frameworks
A central pillar of German cybersecurity practice is BSI IT-Grundschutz, a comprehensive methodology for implementing and operating an information security management system (ISMS). IT-Grundschutz is widely regarded as more prescriptive and detailed than purely risk-based standards and is frequently used in the public sector and regulated industries.
Closely linked to this is ISO/IEC 27001 certification based on IT-Grundschutz, which allows organisations to demonstrate compliance with the international ISO 27001 standard while applying the BSI’s methodology. This certification is voluntary as a matter of law, but it is often a de facto requirement in procurement, outsourcing decisions and regulatory expectations.
In the automotive sector, cybersecurity assurance is commonly demonstrated through TISAX (Trusted Information Security Assessment Exchange). While TISAX is not a statutory certification, it is effectively mandatory for suppliers that handle sensitive information within automotive supply chains, and plays a key role in market access.
EU Cybersecurity Certification Framework
At EU level, the EU Cybersecurity Act establishes a harmonised certification framework for ICT products, services and processes. Certification schemes under this framework are based on defined assurance levels (basic, substantial and high) and aim to ensure comparability across member states.
A key scheme for Germany is EUCC (European Common Criteria-based cybersecurity certification), which builds on the well-established Common Criteria methodology and has been operational since February 2025. EUCC is expected to progressively replace or align national Common Criteria schemes, particularly for products with cross-border relevance.
In addition, EUCS, the EU cybersecurity certification scheme for cloud services, is currently under development by ENISA. While not yet applicable, it is expected to become highly relevant for cloud providers and regulated customers once adopted.
Sector-Specific Security Requirements
Beyond certification schemes, Germany applies sector-specific cybersecurity obligations, most notably for operators of critical infrastructures (KRITIS). These entities are subject to enhanced security and compliance requirements under the German implementation of EU cybersecurity law, supervised by the BSI. While KRITIS rules do not mandate a specific certification, recognised frameworks such as IT-Grundschutz or ISO 27001 are commonly used to demonstrate compliance.
Across all frameworks, cybersecurity certification in Germany is typically voluntary in law but mandatory in practice. Certifications and recognised assessment schemes are frequently required by public-sector customers, regulated entities and large industrial clients as a condition for procurement, outsourcing or supply chain participation. As EU schemes gain traction, organisations that operate cross-border increasingly need to align national certification strategies with EU-wide requirements.
In Germany, cybersecurity requirements for the processing of personal data are primarily governed by the GDPR, supplemented by the Federal Data Protection Act (BDSG). Organisations must implement appropriate technical and organisational measures based on a risk-based approach, addressing confidentiality, integrity, availability and system resilience.
The law avoids prescriptive technical standards. Instead, security measures must reflect the nature of the data, the purposes of processing, potential risks to individuals and the state of the art. In practice, this typically includes access controls, encryption, logging and incident-response capabilities.
Data protection law does not establish a separate cybersecurity regime but integrates cybersecurity into compliance wherever personal data is processed. Cyber-incidents involving personal data often trigger parallel obligations under the GDPR and sector-specific cybersecurity frameworks, requiring aligned governance and escalation processes.
A personal data breach covers breaches of confidentiality, integrity or availability. Unless the breach is unlikely to result in a risk to individuals, the supervisory authority must be notified within 72 hours of the controller becoming aware of it; a later notification must be accompanied by the reasons for the delay. If a high risk exists, affected individuals must also be informed without undue delay, subject to limited exceptions such as effective encryption that renders the data unintelligible to unauthorised persons.
Notifications must describe the nature and scope of the breach, its likely consequences and the mitigation measures taken or planned. Where necessary, information may be provided in stages. German authorities actively enforce these obligations and expect demonstrable preparedness, including documented risk assessments and tested incident-response procedures.
In Germany, cybersecurity obligations for AI systems primarily arise from the EU AI Act, which introduces horizontal requirements based on risk classification. Although the AI Act is not a cybersecurity law in the strict sense, it embeds security-by-design and resilience expectations – particularly for high-risk AI systems – as part of its risk management and governance framework.
For high-risk AI, providers must ensure appropriate levels of robustness and cybersecurity throughout the system life cycle, including protection against manipulation, data poisoning and similar attacks. Security is treated as an inherent quality requirement rather than a purely operational measure.
The AI Act also addresses supply-chain and component security. Providers remain responsible for risks arising from training data, pre-trained models and third-party components, and must maintain appropriate documentation, traceability and controls proportionate to the system’s risk profile.
High-risk AI systems are subject to post-market monitoring and incident-reporting obligations. Serious incidents must be reported to the competent authorities immediately after a causal link (or its reasonable likelihood) has been established, and in any event within the AI Act’s deadlines of at most 15 days after the provider becomes aware of the incident, with shorter periods for the most severe cases. These duties complement existing notification obligations under cybersecurity and data protection law, meaning that a single incident may trigger multiple reporting regimes.
AI-specific cybersecurity requirements interact closely with general obligations under the GDPR, NIS2/new BSIG and, where applicable, the CRA. Where personal data is processed, GDPR security and breach-notification rules apply in full. In practice, organisations are expected to integrate AI governance into their existing cybersecurity and data protection frameworks to ensure consistent risk management and incident response across regimes.
In Germany, healthcare providers are subject to heightened cybersecurity obligations due to the sensitivity of health data and the critical nature of healthcare services. These obligations arise from a combination of data protection law, sector-specific healthcare regulation and general cybersecurity legislation. Many hospitals and larger healthcare institutions are classified as critical infrastructure (KRITIS) operators and must implement risk-based technical and organisational measures, including incident-response planning and regular security assessments, under BSI supervision.
Cybersecurity requirements for medical devices are primarily shaped by EU product regulation. Under the Medical Device Regulation (Regulation (EU) 2017/745 – MDR), manufacturers must address cybersecurity risks throughout the product life cycle. Where devices qualify as products with digital elements, additional horizontal EU cybersecurity requirements may apply, reinforcing security-by-design, vulnerability management and update capabilities.
Germany’s electronic health record systems and digital health infrastructure are subject to specific statutory security requirements, including access controls, authentication and encryption. Compliance is often linked to certification or approval processes and is a prerequisite for participation in national health IT systems and reimbursement schemes.
Healthcare entities face overlapping incident-reporting obligations under data protection and cybersecurity law. Short reporting timelines reflect the potential impact on patient safety and service continuity. Cybersecurity certification also plays a key role in healthcare procurement, with recognised standards frequently required for market access and public-sector contracts.
Annerton Rechtsanwaltsgesellschaft mbH
Wagmüllerstraße 23
80538 Munich
Germany
+49 893 066 830
+49 893 0668 3212
hello@annerton.com
www.annerton.com
Introduction: A Structural Shift in the German Cybersecurity Landscape
Cybersecurity in Germany in 2026 is no longer treated as a purely technical or compliance-driven discipline. It has become a strategic management issue that directly affects operational resilience, corporate value, reputation and market access. Cyber-incidents are now widely regarded as inevitable rather than exceptional, and organisations are increasingly assessed by how effectively they prepare for, respond to and recover from them.
Several structural factors drive this development. Germany’s highly digitalised industrial base, its strong reliance on interconnected supply chains and the widespread use of cloud services and data-driven technologies significantly expand the potential attack surface. At the same time, geopolitical tensions and economic uncertainty have increased the strategic relevance of cyber operations, both for criminal and state-affiliated actors.
Against this backdrop, cybersecurity in 2026 is characterised by a shift from reactive security controls towards integrated cyber-risk management. Companies are expected to embed cybersecurity considerations into governance structures, procurement decisions, product development and business continuity planning. Cyber-risk is no longer viewed as an isolated IT issue but as an integral part of enterprise risk management.
This chapter outlines the key trends shaping the German cybersecurity landscape in 2026, and highlights practical considerations for organisations operating in or with Germany.
The Professionalisation of Cyber-Threat Actors
One of the most notable developments is the continued professionalisation of cyber-threat actors. In 2026, cybercrime in Germany is dominated by well-organised groups operating with clear internal structures, specialised roles and defined revenue models. These groups increasingly resemble legitimate businesses in their operational discipline and strategic planning.
Cybercrime-as-a-service models have become firmly established. Services such as initial system access, malware deployment, data exfiltration or ransom negotiation are offered separately, allowing even less technically skilled actors to conduct complex attacks. This division of labour has significantly lowered entry barriers while increasing the overall volume and sophistication of attacks.
Ransomware remains the most economically damaging threat. Modern attacks typically combine data encryption with data theft and extortion through public disclosure. In Germany, attackers increasingly time incidents to coincide with periods of operational vulnerability, such as peak production phases, regulatory reporting deadlines or mergers and acquisitions.
Geopolitical and Hybrid Cyber-Threats
Geopolitical tensions increasingly shape the cybersecurity landscape in Germany in 2026. Cyber operations are now a permanent element of geopolitical conflict and economic competition, rather than isolated or exceptional events. Germany’s economic strength, industrial base and central role in European supply chains make German companies frequent targets of cyber activities that go beyond purely criminal motivations.
Hybrid cyber-threats combine technical attacks with strategic objectives. These attacks may aim to disrupt operations, undermine trust, gather intelligence or exert political or economic pressure. Cyber operations are often co-ordinated with disinformation campaigns, economic coercion or the exploitation of social and organisational weaknesses. As a result, the impact of such attacks is not limited to IT systems but extends to decision-making processes, public perception and market confidence.
A defining feature of geopolitical cyber-threats is their ambiguity. Attribution is often unclear, and attackers deliberately operate in grey zones between crime, espionage and sabotage. For affected organisations, the distinction between criminal and state-linked activity is often irrelevant from a practical perspective. What matters is that attacks are highly sophisticated, persistent and difficult to deter through traditional security measures.
German companies in strategically relevant sectors are particularly exposed. This includes critical infrastructure, energy, manufacturing, logistics, healthcare, telecommunications and companies involved in defence-related supply chains. However, hybrid threats are not limited to these sectors. Organisations with valuable data, technological know-how or central positions in supply chains may be targeted regardless of size or public profile.
Supply chains play a key role in geopolitical cyber-strategies. Attackers increasingly target suppliers, service providers or software components to gain indirect access to larger organisations or to disrupt entire ecosystems. In Germany’s highly interconnected industrial environment, such attacks can have cascading effects across multiple industries and regions. This reinforces the importance of supply chain visibility and resilience beyond immediate contractual relationships.
Hybrid threats also exploit organisational and human factors. Social engineering, manipulation of communication channels and targeted disinformation can be used to create confusion during incidents or to influence internal decision-making. In crisis situations, uncertainty about the nature and origin of an attack can delay responses and amplify damage. Effective crisis management therefore requires not only technical expertise but also strategic communication and co-ordination at senior management level.
Another challenge lies in the long-term nature of many geopolitical cyber campaigns. Unlike opportunistic cybercrime, state-linked actors may remain dormant in systems for extended periods, collecting information or preparing for future disruption. This persistence requires organisations to adopt a long-term security mindset that goes beyond perimeter defence and focuses on detection, monitoring and resilience.
In response to these developments, German organisations increasingly integrate geopolitical risk considerations into their cybersecurity strategies. This includes scenario planning for large-scale disruptions, assessment of dependencies on foreign technology providers and closer co-ordination between cybersecurity, risk management and strategic planning functions. Cybersecurity is thus becoming an integral part of broader resilience and continuity strategies in an uncertain geopolitical environment.
Cybersecurity as a Board-Level Responsibility
By 2026, cybersecurity has firmly established itself as a board-level issue in German companies. Executive management is expected to understand cyber-risks in business terms and to integrate them into strategic decision-making. Cybersecurity is no longer delegated solely to technical teams but is treated as a core governance responsibility.
Boards are increasingly involved in defining risk appetite, approving cybersecurity budgets and overseeing incident-response preparedness. This includes understanding dependencies on digital infrastructure, third-party providers and cloud platforms, as well as the potential financial and operational impact of cyber-incidents.
Scenario-based exercises have become a common tool to test decision-making under pressure. These simulations highlight the importance of clear roles, fast escalation paths and effective communication. They also reveal that cyber-incidents often require balancing competing priorities, such as operational continuity, legal obligations and reputational considerations.
Executive Accountability and Internal Governance
The elevation of cybersecurity to board level also affects perceptions of accountability. Executives are increasingly aware that inadequate cyber governance can result in personal reputational damage, shareholder disputes or contractual claims. Even in the absence of regulatory enforcement, stakeholders expect demonstrable oversight and informed decision-making.
As a result, companies are investing in clearer governance structures. Responsibilities for cybersecurity are more precisely defined, often combining technical, legal and operational perspectives. Documentation of decisions, risk assessments and response measures has become a critical element of corporate defence.
This trend reflects a broader shift towards transparency and traceability. Organisations are expected not only to implement security measures but also to explain and justify how cyber-risks are identified, prioritised and managed.
The Rise of Supply Chain and Third-Party Risk
Supply chain cybersecurity is one of the defining topics of the German market in 2026. Digital interconnection between manufacturers, service providers and logistics partners means that vulnerabilities in one organisation can rapidly affect others. Attackers increasingly exploit weaker links in the supply chain to gain indirect access to larger targets.
German companies are therefore reassessing how they select, contract with and oversee third-party providers. Cybersecurity requirements are no longer limited to IT vendors but extend to all partners with access to systems, data or facilities. Due diligence processes increasingly include security questionnaires, audits and ongoing monitoring.
A key challenge lies in managing complex, multi-tier supply chains. Organisations often lack visibility beyond their immediate contractual partners. To address this, companies prioritise critical suppliers and apply tiered security requirements based on risk exposure and business relevance.
Cloud Dependency, Concentration Risks and Sovereign Cloud Initiatives
Cloud computing remains a fundamental driver of digital transformation in Germany, but in 2026 organisations are reassessing their cloud strategies with a much stronger focus on risk, resilience and control. For many companies, cloud services now support core business functions such as production planning, customer platforms, payment processing or data analytics. As a result, cloud outages or security incidents can have immediate and severe operational and financial consequences.
A key concern is growing concentration risk. Many organisations rely heavily on a small number of global hyperscalers, creating dependencies that are difficult to mitigate in practice. In 2026, companies increasingly recognise that technical redundancy alone is insufficient if contractual, organisational or operational dependencies remain unresolved. Business continuity planning therefore increasingly includes realistic assessments of how quickly workloads can be migrated, replaced or restored in the event of prolonged cloud disruptions.
At the same time, sovereign cloud initiatives play an increasingly important role in German cloud strategies. Sovereign cloud models aim to offer greater transparency, local control and alignment with domestic expectations regarding data handling and operational governance. These offerings are particularly relevant for sensitive workloads, critical infrastructure operators and companies with heightened security or confidentiality requirements. Rather than replacing public cloud services entirely, sovereign cloud solutions are typically used as part of hybrid or multi-cloud strategies.
Cloud governance in 2026 is therefore less about technical architecture and more about organisational capability. Companies focus on clearly defined responsibilities, contractual clarity and tested co-ordination with cloud providers. Misunderstandings regarding shared responsibility models remain a frequent cause of incidents. Organisations that invest in governance, exit planning and realistic crisis co-ordination are significantly better positioned to manage cloud-related risks effectively.
Artificial Intelligence (AI) as a Catalyst for New Cyber-Risks
AI is reshaping the cybersecurity landscape in Germany in profound ways. From an attacker’s perspective, AI significantly lowers the cost and effort required to conduct sophisticated attacks. In 2026, AI-generated phishing emails, voice messages and even video-based social engineering are increasingly difficult to distinguish from legitimate communications, even for experienced users.
AI also enables attackers to scale their operations. Automated reconnaissance tools can analyse large volumes of publicly available data to identify vulnerable targets and tailor attacks accordingly. This allows threat actors to move faster, adapt more dynamically and exploit weaknesses before traditional security measures can react. As a result, organisations face a higher frequency of targeted and context-aware attacks.
These developments challenge traditional defensive assumptions. Awareness training alone is no longer sufficient to counter AI-driven social engineering. German companies increasingly accept that technical and organisational safeguards must assume a higher likelihood of successful deception. This shifts the focus towards limiting the impact of compromised credentials or access rather than attempting to prevent every initial intrusion.
AI-Based Security Tools and the Challenge of Trust
At the same time, AI has become an essential defensive tool. AI-driven security solutions are widely used to analyse network traffic, detect anomalies and prioritise alerts. In environments with complex infrastructures and limited specialist staff, these tools significantly enhance detection and response capabilities.
However, the growing reliance on AI introduces new challenges. Many AI-based security tools operate as “black boxes”, making it difficult for organisations to understand how decisions are made. False positives lead to alert fatigue, false negatives to misplaced confidence, and neither is visible unless the tool's output is regularly checked against cases whose outcome is known. In 2026, companies increasingly recognise that trust in AI systems must be actively managed.
Effective use of AI in cybersecurity therefore requires governance structures, human oversight and regular validation. Organisations invest in processes that allow security teams to understand, challenge and refine AI-driven outputs. The goal is not full automation but intelligent support that enhances human decision-making under pressure.
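The "regular validation" described above is, in practice, a measurement: an analyst-labelled sample of alerts is scored against the tool's output, and the detection threshold is chosen with the resulting false-positive and false-negative rates in view. The following Python example is added here for illustration and is not code from the original article or from any vendor's product. The alert sample is constructed, the scores are hypothetical, and the `Alert`, `metrics` and `expected_precision` names are the example's own. The last function also shows the base-rate effect that the paragraph only alludes to: a detector that is "99% accurate" still produces mostly false alerts when genuine intrusions are rare.

```python
"""Validate an alert-scoring tool against a labelled sample of alerts.

Constructed example: scores are hypothetical model confidences (0..1) and
the 'malicious' flags are the ground truth an analyst assigned after triage.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    score: float      # tool's confidence that the event is malicious
    malicious: bool   # analyst verdict after manual triage (ground truth)


def build_sample():
    """Constructed labelled sample: 5 real intrusions among 20 alerts."""
    malicious = [0.95, 0.88, 0.72, 0.61, 0.40]
    benign = [0.92, 0.70, 0.55, 0.50, 0.45, 0.30, 0.25, 0.20,
              0.15, 0.10, 0.08, 0.05, 0.04, 0.02, 0.01]
    return ([Alert(s, True) for s in malicious]
            + [Alert(s, False) for s in benign])


def confusion(alerts, threshold):
    """Count true/false positives and negatives at a given threshold."""
    tp = fp = fn = tn = 0
    for a in alerts:
        flagged = a.score >= threshold
        if flagged and a.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif a.malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics(alerts, threshold):
    """Precision, recall and false-positive rate; the numbers a SOC lead
    needs to decide whether the analysts are drowning (low precision)
    or the tool is silently missing intrusions (low recall)."""
    tp, fp, fn, tn = confusion(alerts, threshold)
    return {
        "threshold": threshold,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "alerts_raised": tp + fp,   # analyst workload at this threshold
        "missed": fn,               # intrusions the tool would not surface
    }


def sweep(alerts, thresholds=(0.3, 0.5, 0.8)):
    """Evaluate several thresholds so the trade-off is explicit."""
    return [metrics(alerts, t) for t in thresholds]


def expected_precision(true_positive_rate, false_positive_rate, base_rate):
    """Share of raised alerts that are real, by Bayes' rule:
    P(malicious | flagged) = TPR*p / (TPR*p + FPR*(1-p)).
    With TPR=0.99, FPR=0.01 and one intrusion per 1000 events, only ~9%
    of alerts are genuine: the base rate, not the tool's accuracy, drives
    alert fatigue."""
    hit = true_positive_rate * base_rate
    noise = false_positive_rate * (1.0 - base_rate)
    return hit / (hit + noise)


if __name__ == "__main__":
    for row in sweep(build_sample()):
        print(row)
    print("precision at 1:1000 base rate:",
          round(expected_precision(0.99, 0.01, 0.001), 3))
```

Run on a real sample, the sweep shows the threshold at which recall stops improving while the alert count keeps growing; that is the point a review process can defend, and the figures give the security team something concrete to challenge when the vendor's dashboard claims a single accuracy number.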
Strategic Implications of AI Adoption
Beyond security tooling, AI adoption itself creates new attack surfaces. AI systems rely on large datasets, complex models and continuous learning processes, all of which can be targeted or manipulated. In 2026, German organisations increasingly consider the security of AI systems as part of their overall cyber-risk assessment.
This includes protecting training data, preventing manipulation of models and ensuring the integrity of AI-driven decision-making processes. As AI becomes embedded in core business functions, attacks on AI systems can have direct operational or financial consequences. Companies therefore treat AI security as a strategic issue rather than a purely technical one.
Overall, AI in cybersecurity is best understood as a force multiplier on both sides. Organisations that approach AI adoption with realistic expectations, strong governance and human oversight are better positioned to benefit from its defensive potential while managing its risks. Those that treat AI as a simple technological fix risk creating new vulnerabilities in an already complex threat environment.
Human Factors and the Limits of Awareness Training
Human behaviour remains one of the most significant risk factors in cybersecurity. In 2026, German organisations increasingly accept that traditional awareness training is insufficient in the face of highly sophisticated attacks. Even well-trained employees can be deceived by targeted and personalised social engineering.
The focus has shifted towards designing systems that are resilient to human error. This includes technical safeguards such as strong authentication, access limitations and automated anomaly detection. Security is increasingly built into workflows rather than relying on individual vigilance.
Another emerging issue is cyber fatigue. Constant alerts and complex procedures can overwhelm employees and lead to risky workarounds. Companies are therefore seeking to balance security requirements with usability and productivity to maintain long-term effectiveness.
Incident Response and Crisis Management Maturity
Incident-response capabilities have matured significantly. German organisations increasingly accept that not all incidents can be prevented and prioritise rapid detection, containment and recovery. Incident-response planning is now closely aligned with broader crisis and business continuity management.
Effective response requires co-ordination across multiple functions, including IT, legal, communications, management and external advisers. Clear decision-making structures and predefined roles are essential, particularly in time-critical situations such as ransomware attacks.
Post-incident reviews are becoming standard practice. Organisations systematically analyse incidents to identify weaknesses and improve controls. This learning-oriented approach contributes to continuous improvement and organisational resilience.
Cyber Insurance and Risk Transfer Strategies
Cyber insurance continues to play an important but evolving role. In 2026, insurers apply stricter underwriting criteria and expect detailed evidence of cybersecurity maturity. Coverage is increasingly linked to demonstrable governance structures and response capabilities.
Policy exclusions and limitations have become more common, particularly for systemic or large-scale incidents. This has led companies to reassess which risks can realistically be transferred and which must be managed internally.
Despite these limitations, cyber insurance influences market standards by shaping expectations around baseline security measures. It thus acts as an indirect driver of improved cybersecurity practices across sectors.
Operational and Industrial Technology Security
Germany’s strong industrial base makes the cybersecurity of operational and industrial technology a central concern. These systems control physical processes in manufacturing, energy production and logistics. As connectivity increases, cyber-incidents can have immediate physical and safety consequences.
Many industrial systems were designed without cybersecurity in mind and rely on legacy technologies. Patching and upgrades are often difficult due to availability and safety requirements. Companies therefore rely on compensating measures such as segmentation, monitoring and tailored response plans.
The convergence of IT and industrial systems requires closer co-operation between technical and operational teams. Cybersecurity strategies must balance security, safety and operational continuity, with clearly defined responsibilities across organisational boundaries.
Transparency, Communication and Trust
How organisations communicate about cybersecurity incidents has become a critical success factor. In 2026, stakeholders expect transparency, speed and consistency, even when information is incomplete. Poor communication can amplify reputational damage and undermine trust more than the technical incident itself.
German companies increasingly develop structured internal and external communication strategies. This includes predefined messaging, trained spokespersons and alignment between technical assessments and public statements. Social media and real-time reporting further increase the pressure to communicate accurately and promptly.
Trust has also become a competitive differentiator. Organisations that demonstrate professionalism and preparedness in dealing with cyber-incidents are better positioned to maintain customer and partner relationships. Cybersecurity thus contributes directly to brand perception and market credibility.
Outlook: Cybersecurity as a Core Business Capability
Looking ahead, cybersecurity in Germany will continue to evolve from a technical discipline into a core business capability. Organisations that integrate cybersecurity into strategy, governance and culture are better equipped to operate in an increasingly hostile digital environment. This requires sustained investment, clear responsibilities and a realistic understanding of risk.
In 2026, the most resilient organisations combine technical competence with organisational maturity. They prepare for failure, respond decisively and communicate transparently. Cybersecurity is no longer about achieving perfect protection but about building adaptable and trustworthy systems.
For clients doing business in Germany, understanding this landscape is essential. Cybersecurity expectations are rising across all sectors, and effective cyber-risk management is becoming a prerequisite for long-term commercial success.
Annerton Rechtsanwaltsgesellschaft mbH
Wagmüllerstraße 23
80538 Munich
Germany
+49 893 066 830
+49 893 0668 3212
hello@annerton.com
www.annerton.com