NIS2 Enforcement 2026: BSI Audit Phase & DACH Checklist
On April 18, 2026, the first NIS2 enforcement deadline for particularly important entities (essential entities in the EU terminology) expired in Belgium. In Germany, the BSI registration deadline passed on March 6, 2026. Those who failed to register by then are now under the scrutiny of a supervisory system that can impose fines of up to 10 million EUR or 2 percent of global annual turnover, whichever is higher, and can hold managing directors personally liable. The enforcement wave is no longer just a threat.
Key Takeaways
- 29,500 regulated entities in Germany. The NIS2UmsuCG has expanded the German scope from 4,500 to 29,500 entities. Many are still unaware that they are affected.
- Enforcement phase active since May 2026. Belgium’s first deadline was April 18, 2026. The BSI has been in the operational review phase since May 2026. Austria follows with implementation on October 1, 2026.
- Fine framework: 10 million EUR or 2 percent for particularly important entities. Additionally, in Germany, personal manager liability can reach up to 500,000 EUR – a sanction against the individual, not the legal entity.
- 84 percent not ready. According to CyberSmart (April 2026), 84 percent of enforcement-exposed organizations are not compliance-ready. The gap between regulatory requirements and operational reality has not diminished.
What the enforcement phase means in concrete terms
Enforcement is no longer an orientation phase. In Germany, the BSI registration deadline for regulated entities expired on March 6, 2026. Those who did not register have missed a statutory deadline. Under NIS2 this is not a mere formal error but a standalone violation: a fine of up to 100,000 EUR is possible without any further element of the offense having to be established.
In Belgium, the first obligation to prove compliance for particularly important entities expired on April 18, 2026. CyFun (CyberFundamentals) conformity, ISO 27001 certification, or a direct inspection by the Centre for Cybersecurity Belgium – one of these had to be demonstrated. The pattern emerging there will become a reference point in Germany, Austria, and Switzerland. What is considered a minimum standard in Belgium will become the benchmark.
In Q4 2025, the BSI sent formal notices to 47 entities for failing to register. This is not a final measure but the beginning of an escalation chain. Since May 2026, the BSI has been in the operational audit phase – focusing on registration status, the risk management measures under Art. 21 NIS2, and incident reporting processes.
What NIS2 requires of regulated institutions
What is NIS2? The EU Directive on Network and Information Security (NIS2, Directive (EU) 2022/2555) establishes binding cybersecurity obligations for critical sectors. It replaces the 2016 NIS Directive (Directive (EU) 2016/1148), significantly expands its scope, and introduces a uniform sanctions regime with personal management liability.
The NIS2UmsuCG has been in force since December 6, 2025. The often-cited “appropriate security” has now been concretized by the ENISA Technical Implementation Guidance (June 2025) – this is the difference from older compliance frameworks that allowed more room for interpretation. Anyone who argues that they did not have clarity about what specifically needed to be done has a research problem, not a regulatory problem.
Art. 21(2) NIS2 lists ten categories of measures that a regulated entity must have implemented and documented, from risk analysis and incident handling through supply chain security to the use of multi-factor authentication. In Q1 2026, ENISA additionally clarified that MFA for privileged access, remote access accounts, and vendor accounts is “practically always appropriate” – the “where appropriate” qualifier in the directive leaves little room there anymore.
What many already have
- Firewall and endpoint protection
- Backup routine (often without recovery test)
- Patch management – somehow
- Antivirus on endpoints
- Basic password policy
What is typically missing
- Documented incident response plan
- ISMS with risk register
- 24h BSI reporting process (contact point, escalation chain)
- MFA on all privileged accounts
- Supply chain risk analysis for IT service providers
How the DACH Region Stands on Implementation
Germany was one of the last EU members to implement the changes. The NIS2UmsuCG came into force on December 6, 2025, almost 14 months after the EU transposition deadline of October 17, 2024. Between enactment and the BSI registration deadline of March 6, 2026, affected companies had around 13 weeks, less than a quarter, to build risk management, document it, and register.
Austria passed the NISG 2026 on December 12, 2025. Effective date: October 1, 2026. Affected Austrian companies thus have a short window to establish their compliance basics before the new supervisory authority, the Federal Office for Cybersecurity, enters the operational phase. Scope: around 4,000 companies from 18 sectors.
Poland enacted one of the EU’s most extensive implementations with the KSC Act on April 3, 2026: 42,000 regulated entities, expanded from previously around 400. This is not a typo. For German-Polish supply chains and nearshoring partners, this means immediate compliance pressure on both sides.
Switzerland: Not an EU member, no direct NIS2 obligation. For Swiss companies acting as IT service providers for NIS2-regulated EU entities, indirect pressure arises through the supply-chain requirements of the client side.
What IT Teams Need to Check Now
Five steps cover the most common compliance gaps. None of these points require ISO 27001—but all require written evidence.
Frequently Asked Questions
What qualifies as an “essential entity” under NIS2?
Essential entities are companies in highly critical sectors (Annex 1 BSIG) that exceed the large-enterprise threshold: at least 250 employees, or more than 50 million Euro annual turnover and more than 43 million Euro balance sheet total. For them, the higher fine range of up to 10 million Euro or 2 percent of global annual turnover applies, whichever amount is higher. Important entities from Annex 2, or those in Annex 1 sectors below these thresholds, face a range of up to 7 million Euro or 1.4 percent of global annual turnover, again whichever is higher.
What are the concrete costs of missing the BSI registration deadline?
The NIS2UmsuCG provides for a fixed fine of up to 100,000 Euro for failing to register with the BSI – regardless of annual turnover. This is not a percentage of turnover, but a separate offense. In addition, the BSI can request information and take further measures if there is a lack of cooperation.
Does NIS2 also apply to Swiss companies?
Not directly. Switzerland is not an EU member. However, Swiss companies that act as IT service providers for NIS2-regulated EU entities come under pressure due to the supply chain requirements of their clients. Those who operate systems for a German hospital, energy supplier, or government agency can expect their clients to demand security evidence.
What are the details of the 24-hour reporting obligation?
In the event of a significant security incident – one that causes or is capable of causing severe operational disruption, financial loss, or considerable damage to other persons – an early warning must be submitted to the BSI within 24 hours. A more detailed incident notification with an initial assessment follows within 72 hours, and a final report within one month. Reports are submitted via the BSI reporting portal. What counts as “significant” is a term the BSI will further specify; when in doubt, report rather than wait.
Must suppliers themselves be NIS2-compliant?
Not necessarily in the sense that suppliers themselves must be registered. However, regulated entities are required to assess and manage security risks in their supply chain. This means: written evidence of IT service providers’ security practices with critical access, contractual minimum requirements, and audit rights. Those who fail to do so bear the liability risk themselves.
Photo: Pexels / cottonbro studio
Source title image: Wikimedia Commons / Wolkenkratzer (CC BY-SA 3.0)