
NIS2 Compliance: A Technical Guide for Software Systems

Germany's NIS2 law is live and BSI registration has closed. Technical requirements, scope, and what to do if you missed the March 6 deadline.

BrotCode
Updated May 8, 2026

29,500 Companies. No Transition Period.

Germany’s NIS2 implementation law took effect on December 6, 2025. The revised BSI Act (BSIG) is now live. No grace period.

The scope expansion hit hard. Germany went from roughly 4,500 regulated entities under the original NIS directive to around 29,500 under NIS2.

If your organization operates in any of 18 designated industry sectors and meets the size thresholds, you’re in scope. Right now.

The BSI’s first hard deadline has already passed. Registration via the new BSI portal closed on March 6, 2026, and the agency has publicly said the number of registrations came in well below expectations.

If you haven’t filed yet, the obligation hasn’t gone away. Late registrants are still expected to file, just under more uncomfortable scrutiny.

Cybersecurity is no longer an IT department problem. Under the new BSI Act, management bodies carry personal liability for compliance failures. Your CEO and board members can be held directly responsible.

This guide covers the technical requirements, who’s affected, what the first months of enforcement actually look like, and what to do if you’ve missed the registration window.

Who Falls Under NIS2?

Two categories of entities, both with mandatory cybersecurity obligations:

Essential entities. Large organizations in critical sectors. Think energy providers, transport companies, healthcare organizations, banking and financial services, digital infrastructure, and water utilities.

The threshold is typically 250+ employees or EUR 50 million+ in annual turnover. Fines: up to EUR 10 million or 2% of global annual revenue.

Important entities. A broader set. Manufacturing, food production, chemicals, waste management, postal services, research institutions. The threshold drops to 50+ employees or EUR 10 million+ in turnover. Same technical requirements. Lower maximum fines, but still substantial.

The 18 sectors

Energy. Transport. Banking. Financial market infrastructure. Health. Drinking water. Wastewater. Digital infrastructure. ICT service management. Public administration. Space. Postal and courier services. Waste management. Manufacturing. Food production and distribution. Chemicals. Research. Digital providers (marketplaces, search engines, social networks).

If you’re reading this and thinking “that’s almost everyone,” you’re not wrong. NIS2 was designed to be broad.

The Technical Requirements

NIS2 doesn’t prescribe specific technologies. It mandates outcomes. Here’s what your systems need to achieve:

Risk analysis and information system security

Continuous risk assessment. Not a one-time audit. Your organization must maintain a current view of threats, vulnerabilities, and potential impacts across all information systems.

Document the methodology and update it when conditions change.

Incident handling

Detection, analysis, containment, and response. You need the ability to detect a security incident, understand its scope, contain the damage, and respond effectively. This isn’t a document on a shelf. It’s operational capability.

The reporting requirements are strict. Within 24 hours of becoming aware of a significant incident, you must submit an initial notification to the BSI.

Within 72 hours, a full report. A final report follows within one month.

Can your team do that today? Most can’t. Only 14% of SMBs have a formal cybersecurity plan. The gap between requirement and reality is enormous.
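A small deadline tracker for the three reporting stages above, added here as an illustration (not code from the original article or from BrotCode). The data, the one-month stage taken as 30 days, and the function names are assumptions; the point it shows is that the clock starts at awareness and that a late filing and an unfiled report are different states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting stages as the text describes them: initial notification within
# 24 h, full report within 72 h, final report within one month (taken as
# 30 days here, matching the 24/72/30-day timeline in the roadmap section).
STAGES = {
    "early_warning": timedelta(hours=24),
    "full_report": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

@dataclass
class Submission:
    stage: str
    submitted_at: datetime  # timezone-aware

def report_status(aware_at: datetime, submissions: list, now: datetime) -> dict:
    """Per stage: the deadline, time remaining, and one of
    on_time / late (filed after the deadline) / overdue (unfiled, deadline
    passed) / pending (unfiled, deadline ahead). The clock starts when the
    entity becomes aware of the significant incident, not when it began."""
    filed = {s.stage: s.submitted_at for s in submissions}
    status = {}
    for stage, window in STAGES.items():
        deadline = aware_at + window
        if stage in filed:
            state = "on_time" if filed[stage] <= deadline else "late"
        else:
            state = "overdue" if now > deadline else "pending"
        status[stage] = {"deadline": deadline, "state": state,
                         "remaining": deadline - now}
    return status

def sample_status(days_after_awareness: int = 5) -> dict:
    """Constructed scenario (hypothetical data): aware at 09:00 UTC on
    4 May 2026; early warning filed 20 h later, full report 80 h later
    (8 h late), final report never filed. Evaluated N days after awareness."""
    aware = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
    subs = [Submission("early_warning", aware + timedelta(hours=20)),
            Submission("full_report", aware + timedelta(hours=80))]
    return report_status(aware, subs, aware + timedelta(days=days_after_awareness))

if __name__ == "__main__":
    for stage, info in sample_status().items():
        print(f"{stage:14} due {info['deadline']:%Y-%m-%d %H:%MZ}  {info['state']}"
              f"  ({info['remaining']} remaining)")
```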

Business continuity and backup management

Backup strategies that actually work. Not just “we run nightly backups.” Tested recovery procedures.

Defined RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives). Crisis management plans that your team has rehearsed.

Supply chain security

You’re responsible for the cybersecurity posture of your vendors and suppliers. Every third-party component in your software stack, every cloud provider, every SaaS tool your team uses. NIS2 requires formal supplier risk assessments and contractual security requirements.

This is the requirement that surprises most organizations. Your security is only as strong as your weakest vendor. For more on this, see our guide on third-party risk management.

Network security and access control

Least-privilege access. Network segmentation. Multi-factor authentication for administrative access. Regular access reviews. These aren’t suggestions under NIS2. They’re requirements.

Encryption

Data in transit and at rest. TLS 1.2+ for all communications, AES-256 for stored data.

Key management procedures and certificate lifecycle management are also required.

Vulnerability management

Regular vulnerability scanning. Patch management with defined SLAs. Teams that maintain sub-30-day remediation for critical vulnerabilities pass compliance audits 94% of the time. Teams that don’t face uncomfortable questions.

Cybersecurity hygiene and training

Regular training for all staff. Not just IT. Everyone who touches a keyboard. Phishing awareness. Password hygiene. Incident reporting procedures. Documented, tracked, measurable.

Architecture Patterns for NIS2 Compliance

Centralized security logging

Every system, every service, every access event feeds into a centralized logging platform. SIEM (Security Information and Event Management) or equivalent.

Correlation rules that flag suspicious patterns. Retention periods that match regulatory requirements.

Without centralized logging, you can’t detect incidents within 24 hours. Period. This is your foundation.

Anomaly detection

Baseline normal behavior. Alert on deviations. This can be as simple as threshold-based alerting on failed login attempts, unusual data access patterns, or unexpected network traffic. Or as sophisticated as ML-powered behavioral analysis.

Start simple. Get visibility first. Sophisticate later.
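The "start simple" option in practice: threshold alerting on failed logins over centralized auth logs, added as an example (not code from the original article or from BrotCode). The log lines are constructed, the OpenSSH-style format and the 5-failures-in-10-minutes threshold are assumptions, and the sliding window is what keeps a slow trickle of failures from producing the same alert as a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real traffic), RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2026-05-04T09:00:01Z sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2026-05-04T09:00:03Z sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2026-05-04T09:00:04Z sshd[312]: Failed password for root from 203.0.113.7 port 51240 ssh2
2026-05-04T09:00:06Z sshd[313]: Failed password for root from 203.0.113.7 port 51244 ssh2
2026-05-04T09:00:08Z sshd[314]: Failed password for root from 203.0.113.7 port 51250 ssh2
2026-05-04T09:10:00Z sshd[321]: Failed password for alice from 198.51.100.12 port 40010 ssh2
2026-05-04T09:10:05Z sshd[322]: Accepted password for alice from 198.51.100.12 port 40012 ssh2
2026-05-04T10:30:00Z sshd[330]: Failed password for bob from 198.51.100.12 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the pattern are skipped, not counted
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["ip"]

def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per burst when a single source IP accumulates
    `threshold` failed logins inside a sliding time window. Input is
    assumed chronological, as a log file is."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    alerts = []
    for ts, result, _user, ip in parse(log_text):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ip, "count": len(q), "first": q[0], "last": ts})
            q.clear()              # one alert per burst, not one per extra failure
    return alerts

if __name__ == "__main__":
    for a in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['count']} failed logins between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```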

Zero trust architecture

Don’t trust any connection by default, even from inside your network. Verify every request. Authenticate every user and device. Authorize every action. Log everything.

Zero trust isn’t a product you buy. It’s a design philosophy. Start with identity verification and micro-segmentation. Expand from there.

Network segmentation

Separate critical systems from general-purpose infrastructure. If an attacker compromises a marketing laptop, they shouldn’t be able to reach your production database. VLANs, firewalls, and strict routing rules. Simple concept, frequently ignored.

Immutable audit trails

Logs that can’t be modified or deleted. Write-once storage. Cryptographic hashing for integrity verification. If an attacker can erase their tracks, your incident investigation falls apart.
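One way to get the "cryptographic hashing for integrity verification" part, added as an example (not code from the original article or from BrotCode): each audit record's SHA-256 covers its content and the previous record's hash, so editing or removing a record breaks the chain. The records are constructed and the function names are assumptions; note that a chain alone cannot detect removal of the newest records, which is why the head hash also has to live in write-once storage the attacker cannot reach.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record

def _digest(seq, ts, event, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    payload = json.dumps([seq, ts, event, prev_hash], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain, ts, event):
    """Append a record whose hash covers its own content and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "ts": ts, "event": event, "prev_hash": prev}
    rec["hash"] = _digest(rec["seq"], ts, event, prev)
    chain.append(rec)
    return rec["hash"]

def verify(chain, expected_head=None):
    """Recompute every hash and link; return (ok, reason). expected_head is the
    last hash kept outside the log; without it, truncating the tail is invisible."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"record missing before seq {rec['seq']}"
        if rec["prev_hash"] != prev:
            return False, f"link broken at seq {rec['seq']}"
        if _digest(i, rec["ts"], rec["event"], prev) != rec["hash"]:
            return False, f"content of seq {rec['seq']} was modified"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head does not match the externally stored anchor"
    return True, "chain intact"

def demo():
    """Constructed records; returns the verification reason for five scenarios."""
    chain = []
    append(chain, "2026-05-04T09:00:00Z", {"user": "alice", "action": "login"})
    append(chain, "2026-05-04T09:01:10Z", {"user": "alice", "action": "read", "obj": "customers.db"})
    head = append(chain, "2026-05-04T09:02:00Z", {"user": "alice", "action": "logout"})
    results = {"intact": verify(chain, head)[1]}
    edited = [dict(r) for r in chain]  # shallow copies, so the original stays intact
    edited[1]["event"] = {"user": "alice", "action": "read", "obj": "public.txt"}
    results["edited"] = verify(edited, head)[1]
    results["middle_deleted"] = verify([chain[0], chain[2]], head)[1]
    results["truncated_unanchored"] = verify(chain[:2])[1]
    results["truncated_anchored"] = verify(chain[:2], head)[1]
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```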

BSI Registration: The Window Closed on March 6

Every in-scope entity had to register with the BSI within three months of qualifying. With the law in force since December 6, 2025, the formal deadline expired on Friday, March 6, 2026.

Many companies missed it. The BSI itself flagged that registrations came in below expectations.

If that’s you, don’t wait. The obligation didn’t expire with the deadline. It’s still mandatory, and ongoing.

Incident reporting requires a registered entity profile. If a significant incident hits before you’ve registered, you can’t file the 24-hour early warning the way the BSI Act requires. One missed step escalates a bad day into a compliance investigation.

Registration happens via the BSI Portal (bsi.bund.de) using a “My Company” account (MUK) with an Elster organization certificate. You’ll need to provide: company information, sector classification, contact details for security incidents, and a designated point of contact.

A practical detail many late registrants didn’t budget for: getting an Elster organization certificate typically takes 5-10 working days, plus delivery of the activation ID by post. If your administrative onboarding isn’t done, start it today. Every week of delay is a week of explaining yourself if you’re audited.

What the First Months of Enforcement Actually Look Like

Enforcement isn’t theoretical anymore. As of spring 2026, three regulators across the EU are demonstrably moving on NIS2: Germany’s BSI, France’s ANSSI, and the Netherlands’ regulators.

Belgium beat everyone to a hard audit deadline. Essential entities there had to file a verified conformity assessment by April 18, 2026, through CyberFundamentals (CyFun), ISO/IEC 27001, or direct CCB inspection. Self-attestation is not accepted.

Germany’s BSI hasn’t issued a headline-making fine yet. What it has started doing is opening formal proceedings. Industry trackers report dozens of early notices for failing to register or designate a point of contact.

Energy and digital infrastructure are the priority sectors.

Expect the curve to steepen now that the registration window has closed.

For everyone else, the signal is clear. Regulators are starting where they have the cleanest evidence. Did you register? Did you designate a contact? Did you submit the 24-hour early warning when the incident hit?

These are the easy wins for a supervisor. They’re also the easy losses for an unprepared entity.

A market-wide number worth knowing: a CyberSmart survey of 670 in-scope leaders across nine EU and UK countries, published in April 2026, found that only 16% are confident they are fully NIS2 compliant. The remaining 84% are not. Of those, more than one in ten didn’t know what NIS2 is, despite being in scope.

That isn’t “could improve.” That’s “would fail an audit today.”

The EU-Wide Picture: Most Member States Still Behind

NIS2 was supposed to be transposed across the EU by October 17, 2024. Most countries missed that.

In spring 2025, the European Commission sent a reasoned opinion to 19 Member States for failing to fully transpose. Germany was on that list, and enacting the NIS2UmsuCG in December 2025 does not by itself close the matter, because the Commission’s standard counts the full picture: primary law plus implementing regulations plus sectoral measures.

Where things stand a year later:

  • Italy transposed early via Legislative Decree 138/2024 (in force October 2024).
  • Germany is in force since December 2025, but secondary regulations are still being filled in.
  • Poland brought its amended KSC Act into force on April 3, 2026, expanding scope from roughly 400 to 42,000 entities.
  • Belgium activated its first hard audit window on April 18, 2026.
  • Netherlands passed the Cyberbeveiligingswet in the lower house on April 15, 2026; entry into force is expected around July 2026.
  • France, Spain, Ireland and Luxembourg are still finalizing or in active legislative process.
  • Austria’s NISG 2026 is scheduled to take effect October 1, 2026; until then NISG 2018 remains in place.

If your organization operates across multiple EU countries, the transposition patchwork is real. The minimum security baseline is the same.

But the procedural and reporting details differ. Plan for the strictest, not the average.

ENISA Guidance: The Reference Document You Should Actually Read

ENISA’s Technical Implementation Guidance on Cybersecurity Risk Management Measures (version 1.0, June 2025) is the most useful single document for translating NIS2’s abstract requirements into concrete controls. It’s 170 pages, organized around 13 thematic areas, and maps each one to evidence examples.

Supply chain security is one of the 13. So is incident handling, asset management, cryptography, and human-resource security.

If you’re building a NIS2 control framework from scratch, start there. It’s not legally binding, but supervisors will treat it as the de-facto baseline.

For supply chain specifically, the NIS Cooperation Group also adopted the EU ICT Supply Chain Security Toolbox in 2025. It’s the policy-level companion to ENISA’s technical guidance.

The Penalties Are Real

Essential entities: fines up to EUR 10 million or 2% of global annual revenue. Important entities: fines up to EUR 7 million or 1.4% of global annual revenue.

But the fines aren’t the scariest part. Management liability is. Under the revised BSI Act, executives can be held personally liable for inadequate cybersecurity measures.

Before NIS2, cybersecurity failures were corporate liabilities. Now they’re personal.

Germany is Europe’s number one target for cyberattacks. Only 29% of SMBs rate their cyber defenses as mature. And 55% of SMBs say a cyberattack impact under EUR 50,000 would threaten their business viability.

The regulation isn’t theoretical. The attackers aren’t theoretical. The penalties aren’t theoretical.

Implementation Roadmap (Late-Starter Edition)

If you’re reading this in mid-2026 with no NIS2 work done, this is the catch-up sequence. It assumes you missed the March 6 registration deadline and need to close the gap fast.

This week: Scope and register. Confirm you’re in scope and determine your category (essential or important). Begin BSI registration if you haven’t. Order your Elster organization certificate today if you don’t already have one, and designate a primary and deputy security contact.

Weeks 1-2: Gap analysis against ENISA’s Implementing Guidance. Don’t reinvent. Map your current state against ENISA’s 13 thematic areas. The gaps will be obvious.

Month 1: Quick wins that auditors notice. MFA for all administrative access, plus centralized logging at minimum (SIEM if budget allows). A documented incident response procedure with the 24/72/30-day timeline baked in. Tested backup recovery, not just backup execution.

Month 2-3: Core implementation. Deploy SIEM or hardened centralized log management. Run a tabletop incident response exercise that drills the 24-hour BSI early-warning step. Start the supply chain assessment with your top 20 vendors and implement network segmentation between corporate and production environments.

Month 4-6: Risk management framework. Document your risk methodology. Run formal supplier risk assessments and add NIS2 security clauses to renewing contracts. Establish a vulnerability management SLA: 30 days for critical, 90 for high.

Ongoing. Quarterly incident response drills. Annual penetration testing. Continuous vulnerability scanning. Staff training. Supplier reassessment cycle.

If you’re already running this loop, a finding from a future audit means improvement, not failure. If you’re not, the first audit will be the failure.

For the broader EU regulatory context, see our pillar guide on EU compliance for software teams. And for embedding security into your development workflow, read Security by Design: Building Software That Passes Compliance Audits.
