NIS2 Moves From Grace Period to Enforcement — Germany's BSI Registration Deadline Is Now

Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany's BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.


The Enforcement Phase Has Arrived

The NIS2 Directive transposition deadline passed on 17 October 2024. Since then, most organisations have been operating under a de facto grace period — national competent authorities were still standing up supervisory frameworks, guidance was incomplete, and few enforcement actions had been taken. That period is ending.

In Germany, the federal cybersecurity authority BSI (Bundesamt für Sicherheit in der Informationstechnik) has set April 2026 as the registration deadline for entities classified as essential or important under the German national implementation, the NIS2UmsuCG (NIS2 Umsetzungs- und Cybersicherheitsstärkungsgesetz). Registration is a legal obligation, not optional, and triggers supervisory oversight including audit rights and the ability to impose fines.

Across other EU member states, similar milestones are approaching. The April 18 enforcement milestone, flagged by multiple compliance bodies as the point at which organisations must have their cybersecurity risk management measures demonstrably in place, marks a qualitative shift: authorities are no longer setting up the regime, they are running it.

Who Is Caught Under NIS2

The directive significantly expanded its predecessor’s scope. The key categories:

Essential entities (subject to proactive supervision):

  • Operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, and ICT service management
  • Typically: 250+ employees or €50 million+ annual turnover
  • Also: DNS providers, TLD registries, cloud providers, data centres, trust service providers, electronic communications providers — regardless of size

Important entities (subject to reactive supervision, triggered by incidents or complaints):

  • Postal and courier services, waste management, chemicals, food, medical devices, general manufacturing, digital providers (online marketplaces, search engines, social networking)
  • Typically: 50–249 employees or €10–50 million turnover

Significant expansion in practice: Organisations that were not in scope under NIS1 should not assume they remain out of scope. Supply chain dependencies, managed service provider relationships, and digital infrastructure roles have brought many mid-market enterprises into scope for the first time.

The Core Obligations

NIS2 mandates at least ten minimum cybersecurity risk management measures for all in-scope entities:

  1. Risk analysis and information system security policies
  2. Incident handling
  3. Business continuity, backup management, and disaster recovery
  4. Supply chain security (including vendor assessments)
  5. Security in network and information systems acquisition, development, and maintenance
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. Multi-factor authentication or continuous authentication solutions and encrypted communications

Incident reporting follows a mandatory three-stage cascade: 24-hour early warning to the national CSIRT, 72-hour detailed notification, and a one-month final report. The reporting threshold is broader than many expect — significant incidents affecting service availability, authenticity, or integrity must be reported, not just data breaches.

Penalty Exposure

The fines are material:

  • Essential entities: Up to €10 million or 2% of global annual turnover (whichever is higher)
  • Important entities: Up to €7 million or 1.4% of global annual turnover (whichever is higher)

Management liability is a distinct feature of NIS2: senior management can be held personally liable for non-compliance, and competent authorities can require management-level training and temporarily suspend individuals from management positions in severe cases.

What Organisations Should Do Now

For organisations that have not yet assessed NIS2 scope:

The first step is a scoping exercise against your primary country of establishment’s national transposition. If your organisation operates in multiple EU member states, determine in which state your NIS2 supervision will be anchored (the “primary establishment” rule applies to cross-border entities).

For organisations in-scope but not yet compliant:

  1. Complete the BSI registration immediately if you have German operations and meet the thresholds — the April 2026 deadline has arrived
  2. Conduct a gap assessment against the ten minimum measures and prioritise gaps by penalty risk and operational impact
  3. Establish your incident detection and reporting pipeline — the 24-hour early warning window is extremely tight; if you cannot reliably detect a significant incident within hours, your reporting capability is insufficient
  4. Review supply chain contracts for NIS2-aligned security clauses; you are accountable for the security of your supply chain under Article 21
  5. Engage your board and management layer — management liability provisions mean NIS2 compliance is a board-level governance matter, not solely an IT responsibility

For organisations already compliant:

The evolution from self-declaration to supervisory examination means documented evidence matters more than claimed compliance. Ensure your policies, procedures, and technical controls are documented in a form that can survive an audit. National competent authorities are beginning to request evidence of implementation, not just assertions of compliance.