Most of the NIS2 Germany coverage I have read in the last six months came from law firms or IT consultancies. Much of it treats NIS2 as a standalone cybersecurity programme and a brand-new compliance discipline. It isn't.
For life sciences organizations, NIS2 is not GxP, but it can be managed using familiar GxP operating logic: risk-based controls, documented procedures, supplier qualification, training, incident handling, management review, internal audit, and continual improvement.
The legislator borrowed the architecture you already use every day: a risk-based approach (ICH Q9(R1)), a documented quality system (ICH Q10), supplier qualification (EU GMP Chapter 7, Annex 11 §3.1), change control, internal audit (EU GMP Chapter 9), management commitment (EU GMP Chapter 1), and training records (EU GMP Chapter 2). If you run an effective QMS, much of the management system architecture is already familiar. You just need to extend the scope.
That said, the German implementation has teeth. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) overhauled the Federal Office for Information Security Act (BSIG). Of the roughly 29,500 entities now obliged to register with the Bundesamt für Sicherheit in der Informationstechnik (BSI) by the 6 March 2026 deadline, 18,000 missed the window. The BSI has already started issuing formal notices.
In this post I walk you through what the updated BSIG actually requires, how to extend your existing QMS to cover it, where to focus first, and the traps to avoid.
I close the article with how Scilife fits as your cloud-based eQMS sitting inside your NIS2 supply chain.
NIS2 directive summary
The NIS2 directive replaces the 2016 NIS rules. It applies to medium and large entities across 18 critical sectors. It raises the floor on risk management. It cuts incident reporting to 24 hours. It pushes accountability onto the management body, with personal liability attached. It tightens supply chain duties. NIS2 in Germany is now in force. France is still drafting, and faced a reasoned opinion from the European Commission in May 2025.
What is the NIS2 directive?
The NIS2 directive (Directive (EU) 2022/2555) is the EU's most demanding cybersecurity directive to date. It applied across the EU from 18 October 2024. Each Member State had to transpose it into national law by that same date. Many missed. Germany was over a year late.
The NIS2 cybersecurity directive is not optional. The fines match GDPR. The duties are now enforceable through national law.
NIS2 key security requirements (and where they already live in your QMS)
The statutory risk management measures under § 30 Abs. 2 BSIG list ten minimum requirements that every in-scope entity must implement.
Here is the mapping every QA leader should keep on the desk:
- Risk analysis and IT security policies (§ 30 Abs. 2 Nr. 1 BSIG): A direct extension of your Quality Risk Management (QRM) framework. Apply the same logic you use under ICH Q9(R1) for product and patient safety to the availability, integrity and confidentiality of your IT systems. For medical device makers, ISO 14971 risk files must reflect cybersecurity risks that could affect patient safety, per MDCG 2019-16.
- Incident handling (§ 30 Abs. 2 Nr. 2 BSIG): Same workflow as your deviation procedure and CAPA cycle: triage, classification, root cause, corrective action. EU GMP Chapter 8 covers complaints and recalls with the same logic. A security event is just a new trigger.
- Business continuity and crisis management (§ 30 Abs. 2 Nr. 3 BSIG): Backup management, disaster recovery, crisis comms. Your business continuity plan needs an IT layer if it does not already have one.
- Supply chain security (§ 30 Abs. 2 Nr. 4 BSIG): It is supplier qualification. The same questionnaires, audits and SLAs you mandate for raw materials and contract manufacturers now extend to your eQMS, LIMS, ERP, MES and cloud providers, in line with EU GMP Chapter 7 and Annex 11 §3.1. GAMP 5 risk-based supplier assessment fits this section perfectly.
- Security in IT acquisition, development and maintenance (§ 30 Abs. 2 Nr. 5 BSIG): Treat this as strict Change Control. Any software development, deployment, or system modification must flow through your existing approval workflows under EU GMP Annex 11 and Annex 15, applying GAMP 5 categories and lifecycle.
- Effectiveness assessment (§ 30 Abs. 2 Nr. 6 BSIG): Self-inspection. Add a cybersecurity scope to your EU GMP Chapter 9 audit programme. ICH Q10 already asks for continual improvement of the system.
- Training and awareness (§ 30 Abs. 2 Nr. 7 BSIG): Your GxP training matrix under EU GMP Chapter 2 and Annex 11 §2 gets cybersecurity competencies layered in by role.
- Cryptography (§ 30 Abs. 2 Nr. 8 BSIG): New technical content. Define an encryption policy for data at rest and in transit, key management responsibilities, and crypto-agility planning. ISO/IEC 27001:2022 Annex A controls and the ISO/IEC 27002:2022 implementation guidance are the obvious references.
- HR security, access control and asset management (§ 30 Abs. 2 Nr. 9 BSIG): Joiner-mover-leaver, role-based access, least privilege, and asset inventory. These already live in your Annex 11 §12 access controls and your IT asset register.
- MFA, secured comms and emergency comms (§ 30 Abs. 2 Nr. 10 BSIG): Multi-factor authentication on privileged and remote access, encrypted internal channels, and a fall-back comms plan for incidents.
Do not commit the classic compliance error of building a parallel management system. You need an extension of the QMS you already own, not a second one bolted next to it.

NIS2 in Germany: the updated BSI Act (BSIG)
Germany transposed NIS2 through the NIS2UmsuCG, the NIS2 Implementation and Cybersecurity Strengthening Act.
The act took effect on 6 December 2025. It revises the BSI Act (BSIG) and amends 32 other laws and regulations.
The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the national competent authority for NIS2 Germany. It opened its registration portal on 6 January 2026.
NIS2 directive scope in Germany explained
The NIS2 Germany implementation expanded the regulated population from about 4,500 KRITIS operators to roughly 29,500 entities (split by the BMI's own estimate into around 8,250 particularly important entities and 21,600 important entities). For life sciences, the scope reaches into four distinct populations.
- Annex 1 of the BSIG (Sektor Gesundheitswesen, particularly important entities) catches healthcare service providers under Directive 2011/24/EU, EU reference laboratories under Regulation 2022/2371, pharmaceutical R&D companies under § 2 AMG, pharmaceutical manufacturers under NACE C.21, and manufacturers of medical devices listed as critical during a public health emergency under Regulation 2022/123.
- Annex 2 of the BSIG (Sektor Verarbeitendes Gewerbe, important entities) catches all MDR (Regulation 2017/745) and IVDR (Regulation 2017/746) manufacturers not already pulled in by Annex 1.
The threshold for most entities under § 28 BSIG is 50+ employees, or annual turnover and balance sheet total exceeding €10 million. KRITIS operators count as particularly important regardless of size.
One clarification many companies miss is that the substantive duties for Annex 1 and Annex 2 entities are nearly identical. The difference is the supervision model, not the rulebook.
- A note for MDR and IVDR makers: the BSIG governs the cybersecurity of your business operations and IT estate. It does not replace your product cybersecurity duties under MDR Annex I §§ 17.2, 17.4 and 18.8, MDCG 2019-16 Rev. 1, IEC 81001-5-1 and your ISO 14971 risk file. You will run both tracks. They overlap on training, supplier oversight and incident handling, but they are legally distinct. The Cyber Resilience Act (Regulation 2024/2847) adds a third layer for connected products from 11 December 2027.
- A trap to avoid: Germany added a "negligibility exemption" under § 28(3) BSIG. If your in-scope activity is a tiny side-line to your main business, you may exclude yourself. Do not self-classify without legal review. The BSI does not define "negligible". The risk of being wrong is higher than the cost of registering.
No grace period
Most laws give you a transition period. Germany's NIS2 implementation did not. The day the law came into force, every obligation under it became enforceable.
For life sciences, this is the most painful structural choice the German legislator made. You cannot phase in NIS2 the way you phased in MDR or GDPR. The BSI is looking for evidence of concrete implementation now, not in 12 months.
Tip: if you are behind, prioritize three things that show concrete effort:
- Register first.
- Run a documented IT risk assessment using your existing ICH Q9(R1) framework.
- Schedule the management training.
Those three actions give the BSI something to see if it comes knocking next week.

Registration with the BSI
Every in-scope entity had to register with the BSI within three months of the law entering force (§§ 33 and 34 BSIG). That deadline was 6 March 2026. Only 38.5% made it.
Registration runs through the BSI portal in two steps. First, set up a Mein Unternehmenskonto (MUK) account using an ELSTER organization certificate. Then complete registration in the BSI portal itself.
- The ELSTER trap: non-German entities run into a wall here. ELSTER requires a German tax presence. If your company operates in Germany through a sales office or contract structure without a German legal entity, registering takes longer than the three-month deadline allows. Engage a German tax adviser or a local representative early. This is a process bottleneck, not a technical one.
Missing the registration deadline is its own offence under § 65 BSIG, fineable up to €500,000. That sits separate from the substantive penalties for failing the risk-management or incident-reporting duties.
If you are not yet registered under NIS2 Germany, treat this as your first action this week.
Security measures and documentation
§ 30 BSIG is the heart of NIS2 Germany. § 30 Abs. 1 sets the risk-based, all-hazards obligation. § 30 Abs. 2 specifies the ten minimum measures already listed. The Act requires every in-scope entity to apply measures that meet “state of the art” and take relevant European and international standards into account.
For QA leaders, that “state of the art” hook is your route in. The BSI accepts ISO/IEC 27001:2022 as an ISMS reference. ENISA's NIS2 Technical Implementation Guidance, published in June 2025, maps the ten measures onto ISO/IEC 27001:2022 and the NIST Cybersecurity Framework. Pair that with GAMP 5 for any GxP system and you have a defensible baseline.
Documentation is non-negotiable. § 30 Abs. 1 Satz 3 BSIG requires entities to document compliance. The BSI does not want to hear you have done the work. It wants the evidence. Apply ALCOA+ principles to your cybersecurity records the same way you apply them to batch records. EU GMP Chapter 4 and Annex 11 §4 give you the documentation framework: attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, available. Your 21 CFR Part 11-compliant electronic record controls do the heavy lifting if you operate in the US too.
- Tip from QA practice: do not create a new "NIS2 documentation set". Fold it into your existing SOP architecture. Your QRM SOP gets a cybersecurity scope addition. Your deviation SOP gets a security-incident trigger. Your supplier qualification SOP adds an IT-security questionnaire annex. Your change control SOP picks up IT system changes. Your management review SOP gets a cybersecurity section.
Three advantages follow. Your auditors already know how to read it. Your team already knows how to use it. And it survives ownership changes: when responsibility moves from IT to QA to a CISO, the SOPs stay put.
Supply chain security under § 30 Abs. 2 Nr. 4 BSIG is the part most often missed. Your direct suppliers, cloud providers, eQMS, LIMS, MES and any SaaS dependency all fall inside your scope of oversight. Vendor qualification just got teeth.
Incident notification in Germany
§ 32 BSIG sets a three-stage reporting cascade for any significant incident:
- An early warning within 24 hours, flagging whether malicious intent or cross-border impacts are suspected.
- A detailed notification within 72 hours with an initial impact assessment, severity metrics, and known indicators of compromise.
- A final root cause and remediation report within one month.
A significant incident is one that causes or could cause serious operational disruption, material financial loss, or significant damage to third parties. A ransomware event halting your QMS during a batch release qualifies. A failed login attempt does not.
If your company already runs Pharmacovigilance (PV) reporting or Medical Device Vigilance under MDR Articles 87 to 92 (or the equivalent IVDR provisions), you already have the muscle for this. Vigilance teams are masters of rapid triage, tight regulatory deadlines, and structured interaction with competent authorities. The clock is faster for cybersecurity, but the workflow logic is the same. Ask your PV or Regulatory Affairs head to walk your IT-security lead through the rapid-escalation playbook. You will save weeks of process design.
A second clock to watch: if the same incident exposes personal data, GDPR Article 33 obliges you to notify the supervisory authority within 72 hours. The two clocks run in parallel, not in sequence. Build one workflow that triggers both reports off the same incident classification step.
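To make the "one classification step, two clocks" idea concrete, here is an added example (not code from the post, Scilife or the BSI) that models the significance test paraphrased above and derives every notification due, with its deadline, from a single incident record. The field names, the `Incident` class and the sample incidents are constructed for illustration; the one-month final report is approximated as 30 days, which is an assumption you should check against the statutory wording.

```python
"""Added example: derive § 32 BSIG and GDPR Art. 33 reporting duties from one
incident classification. Not from the original post; names and samples are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting windows as described in the post. The "one month" final report is
# approximated as 30 days here (assumption; confirm against the BSIG text).
BSIG_STAGES = (
    ("§ 32 BSIG early warning", timedelta(hours=24)),
    ("§ 32 BSIG detailed notification", timedelta(hours=72)),
    ("§ 32 BSIG final report", timedelta(days=30)),
)
GDPR_STAGE = ("GDPR Art. 33 notification to supervisory authority", timedelta(hours=72))


@dataclass
class Incident:
    """Classification record filled in once, at the deviation/incident triage step."""
    summary: str
    became_aware: datetime          # the moment both clocks start
    serious_operational_disruption: bool = False
    material_financial_loss: bool = False
    significant_third_party_damage: bool = False
    personal_data_exposed: bool = False
    malicious_intent_suspected: bool = False
    cross_border_impact_suspected: bool = False


def is_significant(inc: Incident) -> bool:
    """Significance as paraphrased in the post: any one criterion is enough."""
    return (inc.serious_operational_disruption
            or inc.material_financial_loss
            or inc.significant_third_party_damage)


def reporting_obligations(inc: Incident) -> list[dict]:
    """Return every report due for this incident, sorted by deadline.

    Both the BSIG cascade and the GDPR clock are decided from the same record,
    so one classification step cannot trigger one and silently miss the other.
    """
    due = []
    if is_significant(inc):
        for name, window in BSIG_STAGES:
            entry = {"report": name, "deadline": inc.became_aware + window}
            if name == BSIG_STAGES[0][0]:
                # The early warning must state these two suspicions explicitly.
                entry["flags"] = {
                    "malicious_intent_suspected": inc.malicious_intent_suspected,
                    "cross_border_impact_suspected": inc.cross_border_impact_suspected,
                }
            due.append(entry)
    if inc.personal_data_exposed:
        name, window = GDPR_STAGE
        due.append({"report": name, "deadline": inc.became_aware + window})
    due.sort(key=lambda d: d["deadline"])  # stable: BSIG 72h stays ahead of GDPR 72h
    return due


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left before a deadline; negative means it has already passed."""
    return (deadline - now).total_seconds() / 3600


# Constructed sample incidents mirroring the two cases in the post.
AWARE_AT = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_RANSOMWARE = Incident(
    summary="ransomware halted the eQMS during batch release",
    became_aware=AWARE_AT,
    serious_operational_disruption=True,
    personal_data_exposed=True,
    malicious_intent_suspected=True,
)
SAMPLE_FAILED_LOGIN = Incident(
    summary="single failed login attempt on the LIMS",
    became_aware=AWARE_AT,
)

if __name__ == "__main__":
    for inc in (SAMPLE_RANSOMWARE, SAMPLE_FAILED_LOGIN):
        print(inc.summary)
        for item in reporting_obligations(inc) or [{"report": "no external report due", "deadline": None}]:
            print("  ", item["report"], "by", item["deadline"])
```

Wire the `Incident` fields into the classification section of your deviation form and the output becomes the reporting checklist the BSI and the data protection authority expect to see, with one record serving as evidence for both.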
The threat is not theoretical. In 2020, German biotech Miltenyi Biotec was hit by ransomware that disrupted its supply chain for COVID-19 vaccine research. On 28 October 2024, Bavarian pharmaceutical wholesaler AEP had its IT systems partially encrypted, putting medicine deliveries to over 6,000 German pharmacies at risk. Both incidents would now trigger NIS2 reporting duties within 24 hours of the company becoming aware.
Management liability and training
§ 38 BSIG is the section that gets boards' attention. Members of the Leitungsorgan (management body) must approve the cybersecurity risk management measures (§ 38 Abs. 1), oversee their implementation (§ 38 Abs. 1), and complete training to assess IT security risks (§ 38 Abs. 3). The explanatory memorandum recommends training at least every three years.
The BSI defines the management body broadly under § 2 Nr. 13 BSIG. It is not restricted to your registered Geschäftsführer or Vorstand. It extends to anyone with management authority over critical operations: CFOs, general partners, and quality directors with formal decision rights documented in the company's articles of association. Qualified Persons under Directive 2001/83/EC may also be caught depending on the corporate setup. Check who is named.
The duty cannot be delegated to the CISO. Members of the management body are personally liable under § 38 Abs. 2 BSIG, drawing on existing German corporate law principles for a GmbH or AG. For life sciences boards, cybersecurity has joined product liability, data integrity and the QP's release duty as a top tier personal exposure topic.
- Tip from management review: fold the management training into your annual management review under EU GMP Chapter 1 and ICH Q10. You already have the board there. You already have an agenda covering quality risk, deviations, audit findings and CAPA effectiveness. Add a 30-minute cybersecurity briefing slot. Document four data points in the minutes: participants, speaker, content covered, and duration. That is the documentation specification the BSI looks for in an audit.
Penalties and enforcement in Germany
The NIS2 Germany penalties under § 65 BSIG are calibrated to bite. Particularly important entities (pharma R&D, pharma manufacturers, EU reference laboratories, KRITIS operators) face up to €10 million or 2% of global annual turnover, whichever is higher. Important entities (most MDR and IVDR manufacturers) face up to €7 million or 1.4%. Late registration on its own is a separate offence, up to €500,000.
Particularly important entities face proactive BSI supervision (§ 61 BSIG). The BSI can audit them at will. Important entities face ex-post supervision, which sounds gentler until something goes wrong. The substantive duties are the same; the trigger for the audit is different.
The BSI is already acting. It sent 47 formal notices to non-registered entities in Q4 2025 and entered the operational enforcement phase in May 2026. The grace window has closed.
Conclusion: how Scilife supports NIS2 compliance in a shared responsibility model in a cloud environment
For NIS2 Germany, no single party carries the entire compliance picture. § 30 BSIG sits in a three-layer shared responsibility model:
- The infrastructure layer (owned by AWS): Provides physical security, hardened data centres, network redundancy, and environmental controls that meet the "state of the art" under § 30 Abs. 1 BSIG. AWS holds ISO/IEC 27001, ISO/IEC 27017 for cloud security, ISO/IEC 27018 for protection of personal data in the cloud, and SOC 2 Type II. Cloud sectoral requirements sit in Commission Implementing Regulation (EU) 2024/2690.
- The application and platform layer (owned by Scilife): We secure the eQMS workspace, run a validated software development lifecycle, manage granular access controls, and produce the audit trails and validation evidence you need to satisfy both your GxP file and your NIS2 documentation. When you map § 30 onto your QMS, Scilife is the system that proves itself in your supplier qualification step under EU GMP Chapter 7 and Annex 11 §3.1.
- The governance layer (owned by your team): User permissions and the joiner-mover-leaver process, vendor qualification of Scilife and AWS, your own internal cybersecurity training, the escalation paths to the BSI within 24 hours, and the parallel GDPR Article 33 clock when personal data is involved.
You have already delivered MDR, IVDR, and GDPR. You will deliver NIS2. The same risk-based muscle, the same documentation discipline, the same supplier qualification thinking. The only things genuinely new are the 24-hour clock and the personal exposure for the Geschäftsführer.
So, what is your first step this week? Register with the BSI if you have not already. Then map § 30 BSIG directly onto your existing SOP architecture.
Your QMS already has the structural bones. You just need to activate them.
FAQs
Is NIS2 implemented in Germany?
Yes. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) came into force on 6 December 2025. It amends the BSI Act (BSIG), which now serves as Germany's primary cybersecurity law. There is no transition period.
Who needs to register for NIS2 in Germany?
Any entity in one of 18 critical sectors meeting the size threshold (50+ employees or €10M+ turnover and balance sheet) must self-register with the BSI. For life sciences, this includes pharmaceutical manufacturers, pharma R&D companies, EU reference laboratories, hospitals under Directive 2011/24/EU, and most MDR and IVDR manufacturers.
How do I register for NIS2 in Germany?
Registration is a two-step process through the BSI portal, live since 6 January 2026. First, set up a Mein Unternehmenskonto (MUK) account with an ELSTER organization certificate. Then complete registration in the BSI portal. The deadline was 6 March 2026. If you missed it, register now to limit your exposure. Non-German entities should expect the ELSTER step to take longer than the legal deadline allows.
How does NIS2 differ from the original NIS directive?
The 2016 NIS directive covered around 7 sectors with wide flexibility for Member States. NIS2 expands to 18 sectors, sets clear size thresholds, adds personal liability for management, harmonizes GDPR-level penalties, introduces the 24-hour reporting clock, and tightens supply chain obligations. In Germany alone, the regulated population grew from 4,500 to roughly 29,500 entities.
What are the penalties for non-compliance with the NIS2 directive?
Under § 65 BSIG, particularly important entities face up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4%. Late registration is a standalone offence up to €500,000. The BSI can also audit, order improvements, and prohibit certain ICT components. It sent its first 47 formal notices to non-registered entities in Q4 2025 and has been in the operational enforcement phase since May 2026.