16 June 2026

NIS2 after the deadline: Now the BSI supervision begins


The registration deadline for NIS2 expired on 6 March 2026, marking the end of the implementation phase. Around 29,000 organisations in Germany fall under the NIS2 Implementation Act, with the BSI serving as the central supervisory authority. 2026 is therefore the year when the question is no longer whether you’re registered, but whether your reported measures can withstand scrutiny. Those who set things up properly gain a maturity advantage rather than a disadvantage in the EU comparison.

Key Takeaways

  • The phase shifts. With the registration deadline passed on 6 March 2026, the focus moves from registration to supervision. The BSI can now conduct audits, issue orders, and impose sanctions.
  • Liability is personal. For essential entities, fines can reach up to 10 million Euro or 2% of global annual turnover, whichever is higher. This comes on top of the personal accountability of management.
  • Early maturity pays off. Those who meet obligations now are prepared for the next wave of supervision and already meet the EU minimum standard.


The deadline has passed, supervision begins

The NIS2 Implementation Act was promulgated on 6 December 2025 and has been in effect without a transition period since then. The registration deadline with the BSI expired on 6 March 2026. Late registrations remain possible, but this doesn’t change the key point: the obligations are already in force, and the supervisory authority is operational.

What is the NIS2 supervision phase? The supervision phase is the period following the registration deadline, during which the BSI actively monitors compliance with legal security measures. It can request evidence, initiate audits, issue orders, and impose fines for violations. The focus shifts from formal registration to substantive review.

For security leaders, this changes priorities. During the implementation phase, the goal was completeness of reporting. Now, it’s about resilience: can the reported measures be substantiated, are reporting channels tested, and is accountability documented?

Around 29,000 organisations in Germany fall under NIS2, spanning 18 sectors and two categories of entities. (Source: BSI / NIS2 Implementation Act)

Why Germany’s Implementation Goes Beyond the Minimum Standard

The NIS2 Directive sets a European framework that each member state transposes into national law. The 18 covered sectors and the two categories of entities are already defined by the EU directive. However, Germany has taken a stricter stance on one critical point: the personal accountability of management, which in severe cases can extend to the revocation of supervisory approval. This could be seen as an additional burden, but there’s a more compelling interpretation.

Companies that meet Germany’s requirements inherently meet the EU’s minimum standards, and often exceed them. For businesses operating across multiple EU countries, this is a practical advantage: a security level that satisfies German regulators will typically pass muster in neighbouring countries as well. What might seem like extra effort becomes a common benchmark.

This isn’t a reason for complacency, but it does counter the narrative of pure regulatory burden. The maturity built now pays dividends beyond German oversight.

What the Supervisory Phase Means in Practice

In concrete terms, supervision means the BSI (Federal Office for Information Security) no longer has to wait for an incident to take action. It can request evidence on a case-by-case basis or proactively, depending on how an entity is classified. Security leaders should prepare three key things.

First, *demonstrable compliance*: risk analyses, technical and organisational measures, and evidence of their effectiveness must be documented and retrievable, not just implemented. Second, the *reporting chain*: deadlines for incident notifications to the BSI are tight, and the process should be rehearsed before it matters in a crisis. Third, *governance*: since management is personally liable, security must be elevated to the executive level, not confined to IT.

None of these requirements are new. What *is* new is that their absence can now have immediate consequences.

NIS2 Timeline in Germany

  • 06.12.2025: The NIS2 Implementation Act is promulgated and takes effect without a transition period.
  • 06.03.2026: The registration deadline with the BSI expires; late registrations remain possible.
  • From 2026: Supervisory phase. The BSI reviews measures, requests evidence, and can impose sanctions.

What If You Missed the Deadline?

Late registration with the BSI is still possible, but it doesn’t provide a grace period. The legal obligations have been in force since the law’s promulgation in December 2025, regardless of whether an entity registered on time. Those catching up now are only completing a formality; their substantive responsibilities have long been active.

For latecomers, the practical steps are clear: register first, then swiftly establish demonstrable compliance. If a reportable incident occurs before the measures are verifiable, a missed or delayed registration will weigh against you. This order isn’t about ticking boxes; it’s about managing risk.

Frequently Asked Questions

What does the end of the NIS2 registration deadline mean?

The deadline to register with the BSI as an affected entity expired on March 6, 2026. However, the obligations themselves have been in force since the law’s promulgation on December 6, 2025. The focus now shifts to supervision: the BSI will verify whether the reported measures have been implemented.

Who is affected by NIS2 in Germany?

Approximately 29,000 entities across 18 sectors fall under the law, divided into essential and important entities. This includes newly covered companies, operators of critical infrastructure, and certain federal institutions.

What Penalties Apply in Case of Violations?

For particularly critical entities, fines can reach up to 10 million Euro or 2 percent of global annual turnover, whichever is higher. For important entities, the upper limit is lower. On top of that, management faces personal liability, with the possibility of losing supervisory authority in severe cases.

Why Is Germany’s Implementation Considered Strict?

Germany has gone beyond the EU’s minimum NIS2 requirements, particularly in holding leadership personally accountable, even to the point of revoking supervisory authority in extreme cases. Companies meeting these standards typically already satisfy the European baseline.

What Should Companies Prioritize Now?

Three key actions: ensuring traceability of security measures, establishing a tested incident reporting chain, and embedding security responsibility at the leadership level. This preparation determines whether a BSI audit proceeds without issues.

Cover image: AI-generated (June 2026)

Author: Alec Chizhik
A magazine by Evernine Media GmbH