6 Min. read<\/p>\n\n
On April 18, 2026, the first NIS2 enforcement deadline for particularly important entities expired in Belgium. In Germany, the BSI registration deadline passed on March 6, 2026. Those who failed to register by then are now under the scrutiny of a supervisory system that can impose fines of up to 10 million EUR or 2 percent of annual turnover and hold managing directors personally liable. The enforcement wave is no longer just a threat.<\/strong><\/p>\n\n Key Takeaways<\/p>\n Related: GDPR Fines 2026: Why Supervisory Authorities Are Now Targeting SMEs<\/a><\/strong><\/p>\n\n Related<\/span>EU AI Act: High-risk systems from August 2, 2026<\/a> \/<\/span> BePrime Breach April 2026: The Cost of Missing MFA<\/a><\/p>\n Enforcement is no longer an orientation phase. In Germany, the BSI registration deadline for regulated entities expired on March 6, 2026. Those who did not register have missed a deadline. This is not a formal error in the NIS2 context, but a formal violation – a fine of up to 100,000 EUR is possible even without further elements of the offense.<\/p>\n In Belgium, the first compliance proof obligation for particularly important institutions expired on April 18, 2026. CyFun conformity, ISO 27001 certification, or direct inspection by the Centre for Cybersecurity Belgium – one of these had to be demonstrated. The pattern emerging there will become a reference point in Germany, Austria, and Switzerland. What is considered a minimum standard in Belgium will become the benchmark.<\/p>\n In Q4 2025, the BSI sent formal notices to 47 institutions due to lack of registration. This is not a final measure, but the beginning of an escalation chain. From May 2026, the BSI will be in the operational audit phase – focusing on registration status, risk management measures under Art. 21 NIS2, and incident reporting processes.<\/p>\n\n What is NIS2?<\/strong> The EU Directive on Network and Information Security (NIS2, Directive 2022\/2555) establishes binding cybersecurity obligations for critical sectors. It replaces the 2016 NIS Directive, significantly expands its scope, and introduces a uniform sanctions regime with personal manager liability.<\/p>\n The NIS2UmsuCG has been in force since December 6, 2025. The often-cited “appropriate security” has now been concretized by the ENISA Technical Implementation Guidance (June 2025) – this is the difference from older compliance frameworks that allowed more room for interpretation. Anyone who argues that they did not have clarity about what specifically needed to be done has a research problem, not a regulatory problem.<\/p>\n Art. 21 NIS2 defines ten categories of measures that a regulated institution must have implemented and documented. In Q1 2026, ENISA additionally clarified: MFA for privileged access, remote access accounts, and vendor accounts is “practically always appropriate” – there is little room for “where appropriate” there anymore.<\/p>\n\n What many already have<\/p>\n What is typically missing<\/p>\n Germany was one of the last EU members to implement the changes. The NIS2UmsuCG came into force on December 6, 2025, almost 15 months after the European deadline. Between enactment and operational BSI enforcement, affected companies had around 13 weeks\u2014less than a quarter to build risk management, document, and register.<\/p>\n Austria passed the NISG 2026 on December 12, 2025. Effective date: October 1, 2026. Affected Austrian companies thus have a short window to establish their compliance basics before the new supervisory authority\u2014the Federal Office for Cybersecurity\u2014enters the operational phase. Scope: around 4,000 companies from 18 sectors.<\/p>\n Poland enacted one of the EU’s most extensive implementations with the KSC Act on April 3, 2026: 42,000 regulated entities, expanded from previously around 400. This is not a typo. For German-Polish supply chains and nearshoring partners, this means immediate compliance pressure on both sides.<\/p>\n Switzerland: Not an EU member, no direct NIS2 obligation. For Swiss companies acting as IT service providers for NIS2-regulated EU entities, indirect pressure arises through the supply-chain requirements of the client side.<\/p>\n\n Five steps cover the most common compliance gaps. None of these points require ISO 27001\u2014but all require written evidence.<\/p>\n\n Essential entities are companies in highly critical sectors (Annex 1 BSIG) with at least 250 employees or 50 million Euro annual turnover and 43 million Euro balance sheet total. For them, the higher fine range of up to 10 million Euro or 2 percent of global annual turnover applies, whichever amount is higher. Important entities from Annex 2 or with lower thresholds have a range of 7 million Euro or 1.4 percent.<\/p>\n\n The NIS2UmsuCG provides for a fixed fine of up to 100,000 Euro for failing to register with the BSI – regardless of annual turnover. This is not a percentage of turnover, but a separate offense. In addition, the BSI can request information and take further measures if there is a lack of cooperation.<\/p>\n\n Not directly. Switzerland is not an EU member. However, Swiss companies that act as IT service providers for NIS2-regulated EU entities come under pressure due to the supply chain requirements of their clients. Those who operate systems for a German hospital, energy supplier, or government agency can expect their clients to demand security evidence.<\/p>\n\n In the event of a significant security incident – defined as an incident with significant impact on the service – an initial report must be made to the BSI within 24 hours. A more detailed assessment follows within 72 hours, and a final report after one month. The report is submitted via the BSI reporting portal. A “significant incident” is a term that the BSI will further specify – when in doubt, report, don’t wait.<\/p>\n\n Not necessarily in the sense that suppliers themselves must be registered. However, regulated entities are required to assess and manage security risks in their supply chain. This means: written evidence of IT service providers’ security practices with critical access, contractual minimum requirements, and audit rights. Those who fail to do so bear the liability risk themselves.<\/p>\n\n Photo: Pexels \/ cottonbro studio<\/p>\n\n Source title image: Wikimedia Commons \/ Wolkenkratzer (CC BY-SA 3.0)<\/em><\/p>","protected":false},"excerpt":{"rendered":"The BSI has been in the operational testing phase since May\u202f2026. This is what the NIS2 enforcement wave means for the 29,500 regulated entities in\u2026","protected":false},"author":8,"featured_media":13800,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"NIS2 Enforcement","_yoast_wpseo_title":"NIS2 Enforcement 2026: BSI Audit Phase & DACH Checklist","_yoast_wpseo_metadesc":"BSI enforcement from May 2026: Fines up to \u20ac10M, mandatory registration, and compliance checklist for NIS2-regulated entities in DACH.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-enforcement-welle-q2-2026-erste-eu-verfahren-laufen-was-dach-unternehmen-bei-der-eigenen-compliance-jetzt-pruefen-muessen-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-enforcement-welle-q2-2026-erste-eu-verfahren-laufen-was-dach-unternehmen-bei-der-eigenen-compliance-jetzt-pruefen-muessen-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"_wp_old_slug":[],"footnotes":""},"categories":[3,251],"tags":[],"class_list":["post-13807","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles","category-news"],"wpml_language":"en","wpml_translation_of":13796,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=13807"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13807\/revisions"}],"predecessor-version":[{"id":14925,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13807\/revisions\/14925"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/13800"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=13807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=13807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=13807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
What the enforcement phase means in concrete terms<\/h2>\n
What NIS2 requires of regulated institutions<\/h2>\n
\n
\n
How the DACH Region Stands on Implementation<\/h2>\n
What IT Teams Need to Check Now<\/h2>\n
Frequently Asked Questions<\/h2>\n
What qualifies as an “essential entity” under NIS2?<\/h3>\n
What are the concrete costs of missing the BSI registration deadline?<\/h3>\n
Does NIS2 also apply to Swiss companies?<\/h3>\n
What are the details of the 24-hour reporting obligation?<\/h3>\n
Must suppliers themselves be NIS2-compliant?<\/h3>\n
More from the MBF Media Network<\/h3>\n
\n