Cyberdome Germany: National Cyber Defense in the Context of the NIS2 Directive
The Federal Ministry of the Interior (BMI) and the Federal Office for Information Security (BSI) are developing Cyberdome Germany, a new national framework for detecting and defending against cyberattacks. The initiative is a strategic response to the heightened threat level and is closely linked to the requirements of the European NIS2 Directive, whose German implementing act took effect on December 6, 2025.
The Program: Objectives and Structure of the Cyberdome
Cyberdome Germany, established pursuant to a cabinet decision in August 2025, aims to build a centralized and highly automated defense structure. The program is based on three pillars:
- Detection Network: The expansion of sensor technology in public networks and among operators of critical infrastructure (KRITIS) is intended to provide an accurate and up-to-date picture of the threat situation in Germany.
- Analysis Consortium: In this central component, the collected data is consolidated, analyzed, and enriched with threat intelligence to identify attack patterns.
- Open Ecosystem: An automated exchange of security measures and information between government agencies, the private sector, and IT service providers is intended to enable a rapid, coordinated response to security incidents.
This framework is intended to systematically strengthen Germany's digital resilience.
Relationship to the NIS2 Directive and the Legal Framework
The initiative is closely linked to the NIS2 Directive (Directive (EU) 2022/2555). The Directive requires entities in 18 sectors to implement comprehensive risk management measures and to report significant security incidents. Germany initially missed the EU transposition deadline (October 17, 2024), whereupon the European Commission initiated infringement proceedings and issued a reasoned opinion on May 7, 2025. The NIS-2 Implementation Act (NIS-2UmsuCG) entered into force on December 6, 2025 and comprehensively amended the BSI Act (BSIG).
As a result, the obligations under the Directive have applied directly to affected companies in Germany since December 6, 2025, without a transition period. This covers medium-sized and large companies (50 or more employees, or more than 10 million euros in annual revenue) in 18 critical and important sectors. Certain entities, such as DNS service providers, TLD name registries, or KRITIS operators, fall within scope regardless of their size. Article 21 of the NIS2 Directive calls, among other things, for measures to ensure supply chain security and for regular security audits. In the event of violations, essential entities (in German law "besonders wichtige Einrichtungen", which include KRITIS operators) face fines of up to 10 million euros or 2 % of global annual revenue, whichever is higher; important entities ("wichtige Einrichtungen") face up to 7 million euros or 1.4 % of global annual revenue.
For affected companies in Germany, the entry into force of the NIS-2UmsuCG imposes specific and immediate obligations: they were required to register with the BSI by March 6, 2026 (§ 33 BSIG). Significant security incidents must be reported to the BSI as the competent supervisory authority in stages, as laid down in Article 23 of the Directive: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. Where personal data is affected, the separate 72-hour notification requirement toward the data protection authority under Article 33 of the GDPR applies in parallel. KRITIS operators are additionally subject to the heightened requirements of the amended BSIG.
Timeline and Next Steps
The Cyberdome is being implemented in phases. In March 2026, the BSI launched a collaboration with govdigital eG and IT service providers from ten federal states to expand sensor infrastructure in the states and municipalities. A detailed implementation plan for the entire program is expected to be available by the end of 2026 and requires a cabinet decision.
At the same time, the BMI is working on an update of the national cybersecurity strategy, which is expected to be published in the second half of 2026. According to the cabinet decision of August 2025, there were also plans to create the legal basis for active defense measures, such as interventions in hostile infrastructure abroad, in a Cyber Defense Strengthening Act; the current status of this initiative in Parliament is unclear.
How LocateRisk Supports NIS2 Compliance
The NIS-2UmsuCG requires companies to adopt a verifiable and systematic approach to cybersecurity management. A complete inventory of the external attack surface and a continuous assessment of supply chain risk are key building blocks of compliance.
LocateRisk helps companies meet the requirements set forth in Article 21 of NIS2:
- External Attack Surface Management (EASM): The platform provides a continuous and automated inventory of all externally accessible IT assets—including forgotten subdomains, uncataloged cloud resources, and exposed interfaces. This complete transparency is the foundation for any risk management strategy and for meeting the obligation to provide evidence to auditors and the BSI as the supervisory authority.
- Vendor Risk Management (VRM): The solution helps meet supply chain security requirements through continuous monitoring of third-party providers. This allows risks associated with service providers and partners to be identified and assessed early on, before they lead to a reportable incident.
As a provider that develops and hosts its services in certified German data centers, LocateRisk is geared toward meeting data protection and digital sovereignty requirements. According to the company, the platform is designed to meet GDPR and BSI IT-Grundschutz requirements and is ISO 27001 certified. Hosting in German data centers also reduces the risk of access by non-European authorities under the U.S. CLOUD Act; note that the CLOUD Act attaches to providers subject to U.S. jurisdiction regardless of where the data is physically stored, so this protection depends on the provider and its corporate structure, not on the data center location alone.
A note on our own behalf: This article reflects the legal situation as of the date of publication. Since IT law and compliance requirements are highly complex, this text is intended solely as a general guide and does not constitute legally binding advice. If in doubt, we recommend seeking legal counsel regarding implementation within your company. We assume no liability for the content.
Frequently asked questions
When did NIS2 come into force in Germany?
The German NIS-2 Implementation and Cybersecurity Strengthening Act (NIS-2UmsuCG) entered into force on December 6, 2025. The EU transposition deadline had already expired on October 17, 2024; Germany initially failed to meet this deadline, which triggered infringement proceedings by the European Commission.
Which companies are affected by NIS2?
The regulation applies to medium-sized and large companies (50 or more employees, or more than 10 million euros in annual revenue) in 18 sectors, including energy, transportation, healthcare, digital infrastructure, and public administration. Certain entities, such as DNS service providers, TLD name registries, or operators of critical infrastructure (KRITIS), fall within scope regardless of their size. Essential entities are subject to proactive supervision and fines of up to 10 million euros or 2 % of global annual revenue, whichever is higher; important entities are subject to reactive supervision and fines of up to 7 million euros or 1.4 %.
Will the Cyberdome also carry out active defense measures?
Currently, the Cyberdome is designed as a detection and analysis network. According to the cabinet decision of August 2025, the plan was to create a legal basis for active defense measures at a later stage through a Cyber Defense Strengthening Act; the status of this proposal in Parliament remains unclear. Such interventions would be strictly regulated and limited to the defense against serious threats.