Germany's NIS2 Deadline Just Passed — And 18,000 Companies Missed It
A letter arrives from the BSI — Germany's federal cybersecurity authority. Your company was required to register by 6 March 2026. You didn't. The BSI now has the legal authority to audit your organisation, issue binding orders, and impose fines of up to €10 million or 2% of your global annual turnover. And under §38 of the new BSIG, your managing directors can be held personally liable for the failure.
This is not a hypothetical scenario. It is happening right now in Germany, and it is a preview of what is coming across the rest of the European Union.
What Happened on 6 March 2026
Germany's NIS2 implementation law — the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) — entered into force on 6 December 2025. It gave organisations in scope exactly three months to register with the BSI through its dedicated portal.
That deadline was 6 March 2026.
Of the approximately 29,500 companies the BSI estimates fall under the law, only around 11,500 completed their registration in time. That leaves roughly 18,000 organisations in breach of a legal obligation before they have even started working on their actual cybersecurity measures.
NIS2 Implementation Status by Country (2025–2026)
Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
Adopted — late 2025 (3 countries): Germany, Czech Republic, Finland
In progress — expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland
The BSI has publicly stated it will now systematically identify non-registered entities. Germany is the first major EU Member State to reach this enforcement milestone — and the numbers are striking.
Why So Many Companies Missed It
Three patterns explain the gap.
Many organisations still do not know they are in scope. The NIS2 Directive applies to companies with more than 50 employees or more than €10 million in annual turnover operating in 18 designated sectors. Germany's Mittelstand — the backbone of its industrial economy — includes thousands of mid-sized manufacturers, logistics providers, and IT service companies that had never previously dealt with cybersecurity regulation.
The timeline was compressed. Three months from law to registration deadline left little room for companies that were still assessing whether NIS2 applied to them. Many were waiting for final clarity on sector classifications and thresholds.
Supply chain companies were caught off guard. Under Article 21(2)(d), NIS2 entities must manage cybersecurity risks in their supply chains. This means suppliers who are not directly in scope are receiving compliance demands from their customers — but the registration obligation applies to the NIS2 entity, not the supplier. The confusion between direct obligations and indirect supply chain pressure slowed decision-making.
What the BSI Can Do Now
The BSI's enforcement powers under the new BSIG are substantial:
Proactive audits. For essential entities — energy, transport, healthcare, digital infrastructure, banking — the BSI can conduct audits without waiting for an incident. It can request documentation, inspect security measures, and demand evidence of Article 21 compliance.
Binding orders. If the BSI identifies deficiencies, it can issue legally binding instructions to remediate within a specified timeframe. Non-compliance with a binding order escalates the severity of enforcement.
Fines. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%. These are not theoretical maximums — they are the framework national authorities across the EU are now empowered to apply.
Personal liability for directors. §38 of the BSIG makes managing directors personally responsible for approving and overseeing cybersecurity risk management measures. This mirrors Article 20 of the NIS2 Directive, which establishes management body accountability across all Member States.
NIS2 Penalty Escalation — Beyond the Fine
Trigger event: non-compliance is detected or an incident occurs. A supervisory authority identifies a compliance gap, or an organisation fails to meet NIS2 requirements.
Authorities can then impose non-monetary penalties:
1. Compliance orders with binding deadlines
2. Mandatory security audits at your expense
3. Public disclosure of violations
4. Binding instructions on specific security measures
These escalate to operational and personal consequences:
1. Suspension of certifications or operating licences
2. Temporary ban on management functions for individuals
3. Public naming of responsible natural persons
Temporary management bans. In serious cases of sustained non-compliance, the BSI can request that managing directors be temporarily suspended from their functions. This is the sharpest enforcement tool in the NIS2 toolkit and Germany has explicitly implemented it.
What This Means for the Rest of Europe
Germany is not an isolated case. It is the leading indicator.
Belgium has been enforcing its NIS2 transposition since late 2024 — the first EU country to do so. Italy (ACN) and Croatia have their frameworks in place. France (ANSSI) launched its ReCyF reference framework in March 2026 and is building its enforcement infrastructure. The Netherlands expects its Cyberbeveiligingswet (Cbw) in Q2 2026, with the RDI as supervisor.
The pattern is clear: every EU Member State is moving from legislation to enforcement. The implementation timeline varies by country, but the direction is uniform.
If Germany's experience teaches anything, it is this: the gap between "the law exists" and "companies are ready" is enormous. And regulators are not waiting for the gap to close before they start enforcing.
Does NIS2 Apply to Your Organisation?
1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? If no, NIS2 does not directly apply to your organisation. If yes, go to question 2.
2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? If yes, NIS2 applies to your organisation as an Essential or Important Entity. If no, go to question 3.
3. Is your organisation a critical infrastructure provider or a qualified trust service provider? If yes, NIS2 may apply to your organisation — seek legal advice to confirm your status. If no, NIS2 does not directly apply to your organisation.
What You Should Do This Week
Whether your organisation is in Germany or another EU Member State, the BSI deadline is a signal to act.
1. Determine if NIS2 applies to you. Check your employee count, turnover, and sector classification. The criteria are consistent across the EU — if you have more than 50 employees or €10 million in turnover and operate in a covered sector, you are almost certainly in scope.
2. Register with your national authority. Germany's deadline has passed, but other countries are still opening their registration portals. The Netherlands (via mijn.ncsc.nl), France (via MesServicesCyber), and Italy (via ACN) all have registration processes in place or forthcoming.
3. Start on Article 21. Registration is just the entry point. The real obligation is implementing the ten cybersecurity measures prescribed by Article 21: risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, and more.
4. Brief your board. NIS2 is a governance obligation, not an IT project. Article 20 requires management bodies to approve cybersecurity measures and undergo training. If your board has not discussed NIS2, that conversation is overdue.
5. Assess your current position. You don't need a consultant to start. A structured readiness scan can tell you where you stand against NIS2 requirements in minutes — and show you exactly where the gaps are. Start the free NIS2 readiness scan to find out where your organisation stands today.
The Window Is Closing
Germany's 18,000 non-registered companies are now learning what enforcement looks like in practice. Every other EU Member State is following the same path — the only variable is timing.
The organisations that act now, before their national deadline arrives, will have the advantage of preparation rather than the pressure of enforcement. The ones that wait will face the same situation Germany's Mittelstand is facing today: a regulator with the authority to audit, fine, and hold directors personally accountable — and a compliance programme that should have started months ago.
