DORA & NIS2: Connection and Relevance from the German Perspective

27 Jan 2026 • 4 min read

An academic analysis of how the EU's DORA and Germany's NIS2UmsuCG frameworks are fundamentally reshaping corporate liability and cybersecurity architecture.

An in-depth research project exploring the intersection of the European Union’s push for Digital Sovereignty and the practical, localized implementation of these directives within the German corporate and financial sectors.

Read the Full Report: You can download and read the complete scientific paper here.

Overview

Throughout the Digital Decade, the EU has engineered a protective regulatory mesh against cyber threats. While previous regulations like the GDPR focused heavily on data privacy, the current wave of legislation, specifically the NIS2 Directive and the Digital Operational Resilience Act (DORA), shifts the focus toward operational resilience and uptime.

For Germany, this represents a massive expansion of regulatory scope. Independent estimates suggest the number of regulated entities will explode from roughly 4,500 to 30,000. Standards are no longer voluntary; they are strict legal mandates.

Key Research Questions

This paper addresses two critical gaps in current professional discourse:

  1. RQ1: How does the German NIS2UmsuCG alter the liability landscape for corporate management?
  2. RQ2: In what ways does DORA function as lex specialis, and where do the two frameworks overlap?

The Lex Specialis Principle

To understand compliance in Germany, one must understand the relationship between NIS2 and DORA. German law relies on the concept of lex specialis derogat legi generali (the specific law overrides the general).

  • NIS2 acts as the general cybersecurity law across 18 broad sectors.
  • DORA acts as the specific law exclusively for the financial sector.
  • Consequently, a German bank reports incidents to BaFin under DORA, not to the BSI under NIS2.

A Bifurcated Supervisory Model

The framework introduces a split approach to auditing:

  • Ex-ante (Before the event): Applied to essential entities (formerly KRITIS and high-risk sectors). The BSI can audit these organizations proactively.
  • Ex-post (After the event): Applied to important entities (the broader economy). The BSI intervenes only when there is proof of non-compliance, such as after a major incident.

The German Implementation: NIS2UmsuCG

The NIS-2-Umsetzungsgesetz, which entered into force in December 2025, fundamentally changes how German businesses handle cyber risk.

The End of the “500,000” Rule

The old threshold requiring an entity to serve 500,000 people has been abandoned. Now, any entity operating in a regulated sector with over 50 employees or €10M+ in annual turnover is affected. Crucially, there is no government notification; companies must determine their own status (“Selbsteinschätzung”) and register with the BSI by March 6, 2026.

Strict Reporting Cadence

Germany has implemented a rigorous, three-stage incident reporting regime:

  1. 24 Hours: An early warning “red flag” sent to the BSI.
  2. 72 Hours: A fuller incident notification detailing severity and compromise.
  3. 1 Month: A finalized report including forensic analysis and root cause.

Feature Showcase: Management Liability (“Chefsache”)

Personal Liability: If a company suffers damages due to NIS2 non-compliance (e.g., failing to patch a known vulnerability), the company has a mandatory claim for damages against its own managers (“Regresspflicht”).

Under § 38 of the new BSIG, management boards (“Geschäftsleitung”) must personally approve and oversee cybersecurity measures.

  • Non-Delegable: Managers cannot simply hand this off to a CISO to dodge liability.
  • Personal Assets at Risk: Managers are liable with their private assets.
  • Massive Fines: Essential entities face penalties up to €10 million or 2% of global turnover. These GDPR-level fines prove that operational uptime is now treated as critically as data privacy.

DORA & The Financial Sector

While NIS2 covers the broader economy, DORA strictly regulates finance. BaFin enforces DORA in Germany, phasing out older national circulars like BAIT and VAIT by December 2026.

The Five Pillars of DORA

Financial entities must document their compliance across five core areas:

  1. ICT Risk Management: A comprehensive internal governance framework.
  2. Incident Reporting: Streamlined major incident reporting to BaFin.
  3. Digital Operational Resilience Testing: Ranging from vulnerability scans to advanced Threat-Led Penetration Testing (TLPT).
  4. Third-Party Risk Management (TPRM): Creating a direct oversight framework for Critical ICT Third-Party Providers (CTPPs), including major cloud platforms like AWS and Azure.
  5. Information Sharing: The voluntary exchange of threat intelligence.

Conclusion

The 2025/2026 regulatory wave marks a pivotal shift. Cybersecurity is no longer just an IT problem, but a strict legal requirement and a direct liability issue for the C-suite. By shifting to personal liability for directors, the German state has effectively deputized the private sector to secure the nation’s digital infrastructure.


Author: Timur Sindirinschi

Institution: Hochschule für Technik und Wirtschaft Berlin (HTW)

Read the Document: Download PDF