EN FR
SYAGA Consulting NIS2 Proof, not promises.

NIS2 - Germany

NIS2 in Germany: are you among the 29,500 companies the BSI is waiting for?

Germany's NIS2 transposition law (NIS2UmsuCG) was published on 6 December 2025 and has applied since then, with no transition period. The BSI registration deadline (6 March 2026) has passed, but the BSI granted a grace period until 31 July 2026. Around 29,500 companies across 18 sectors are affected.

The key point: a dated obligation, active right now. If your Microsoft 365 is part of your critical information system, a share of the expected controls plays out there, and you can prove it without exposing your data.

The facts, sourced

What German law says

Law in force. The NIS2UmsuCG was published on 6 December 2025 and applies with no transition period.

BSI registration. The original deadline of 6 March 2026 has passed; the BSI has set a grace period until 31 July 2026. Registration goes through the MUK portal (muk.bsi.bund.de), with ELSTER authentication.

Who is affected. Around 29,500 companies, across 18 sectors (energy, healthcare, waste management, food, etc.), mainly those with more than 50 employees or turnover above EUR 10 million.

Key obligations. BSI registration, notification of significant incidents (24-hour early warning, 72-hour report, final report within 1 month) and risk management measures across 10 areas, including multi-factor authentication.

Penalties. Up to EUR 10 million or 2% of global turnover for essential entities; up to EUR 7 million or 1.4% for important entities.

Where Microsoft 365 comes in

An identity and collaboration building block

Several of the 10 required areas (MFA, access management, email and collaboration security, backup) play out largely within your Microsoft 365 tenant: Entra, Exchange, Teams, SharePoint, Intune. To demonstrate compliance, you need to measure the actual posture of these settings, not just tick boxes.

A caveat: NIS2 covers your entire information system. An audit focused on Microsoft 365 is one building block (identity and collaboration), not overall proof of compliance. We say so plainly.

The trap

An audit that increases your exposure

To produce this proof, many providers demand broad access and take away a copy of your configuration, or even your data. You end up adding exposure at the exact moment NIS2 asks you to reduce it. That's contradictory.

Our approach

The no-copy audit

We measure your Microsoft 365 security posture without ever taking away your data: we read the configuration, not the content, and you verify it yourself in your own Microsoft logs. Method: ZKPA (Zero-Knowledge Posture Assessment), hosted in Europe, open-source building blocks.

Prepare your Microsoft 365 component for NIS2

Frequently asked questions

NIS2 Germany, in brief

Since when has NIS2 applied in Germany?
Since 6 December 2025, with no transition period. The BSI registration grace period runs until 31 July 2026.

Is a Microsoft 365 audit enough to be NIS2 compliant?
No: NIS2 covers the entire information system. The M365 audit covers the identity and collaboration building block, essential but partial.

Can you prove your M365 posture without handing over your data?
Yes: by reading the configuration and proving it in your own logs, without taking away a copy (no-copy audit / ZKPA).