{"id":17793,"date":"2026-06-16T18:50:00","date_gmt":"2026-06-16T18:50:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=17793"},"modified":"2026-06-16T20:39:10","modified_gmt":"2026-06-16T20:39:10","slug":"nis2-after-the-deadline-now-the-bsi-supervision-begins","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/06\/16\/nis2-after-the-deadline-now-the-bsi-supervision-begins\/","title":{"rendered":"NIS2 after the deadline: Now the BSI supervision begins"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">6 min read<\/p>\n<p style=\"line-height:1.8;margin-bottom:20px;\"><strong>The registration deadline for NIS2 expired on 6 March 2026, marking the end of the implementation phase. Around 29,000 organisations in Germany fall under the NIS2 Implementation Act, with the BSI serving as the central supervisory authority. 2026 is therefore the year when the question is no longer whether you\u2019re registered, but whether your reported measures can withstand scrutiny. Those who set things up properly gain a maturity advantage rather than a disadvantage in the EU comparison.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">The phase shifts.<\/strong> With the registration deadline passed on 6 March 2026, the focus moves from registration to supervision. 
The BSI can now conduct audits, issue orders, and impose sanctions.<\/li>\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Liability is personal.<\/strong> For essential entities, fines can reach up to 10 million Euro or 2% of global annual turnover, whichever is higher. This is in addition to the personal accountability of management.<\/li>\n<li style=\"color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Early maturity pays off.<\/strong> Those who meet obligations now are prepared for the next wave of supervision and already meet the EU minimum standard.<\/li>\n<\/ul>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The deadline has passed, supervision begins<\/h2>\n<p>The NIS2 Implementation Act was announced on 6 December 2025 and has been in effect without a transition period since then. The registration obligation with the BSI expired on 6 March 2026. 
Late registrations remain possible, but this doesn\u2019t change the key point: obligations are already in force, and the supervisory authority is operational.<\/p>\n<p><strong>What is the NIS2 supervision phase?<\/strong> The supervision phase is the period following the registration deadline, during which the BSI actively monitors compliance with legal security measures. It can request evidence, initiate audits, issue orders, and impose fines for violations. The focus shifts from formal registration to substantive review.<\/p>\n<p>For security leaders, this changes priorities. During the implementation phase, the goal was completeness of reporting. Now, it\u2019s about resilience: can the reported measures be substantiated, are reporting channels tested, and is accountability documented?<\/p>\n<div class=\"evm-stat-highlight\" style=\"text-align:center;background:#003340;border-radius:12px;padding:32px 24px;margin:32px 0;\">\n<div style=\"font-size:48px;font-weight:700;color:#69d8ed;letter-spacing:-0.03em;\">around 29,000<\/div>\n<div style=\"font-size:15px;color:#fff;margin-top:8px;max-width:430px;margin-left:auto;margin-right:auto;\">organisations in Germany fall under NIS2, spanning 18 sectors and two categories.<\/div>\n<div style=\"font-size:12px;color:#69d8ed;margin-top:8px;\">Source: BSI \/ NIS2 Implementation Act<\/div>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why Germany\u2019s Implementation Goes Beyond the Minimum Standard<\/h2>\n<p>The NIS2 Directive sets a European framework that each member state transposes into national law. The 18 covered sectors and the two categories of entities are already defined by the EU directive. However, Germany has taken a stricter stance on one critical point: the personal accountability of management, which in severe cases can extend to the revocation of supervisory approval. 
This could be seen as an additional burden, but there\u2019s a more compelling interpretation.<\/p>\n<p>Companies that meet Germany\u2019s requirements inherently meet the EU\u2019s minimum standards, and often exceed them. For businesses operating across multiple EU countries, this is a practical advantage: a security level that satisfies German regulators will typically pass muster in neighboring countries as well. What might seem like extra effort becomes a common benchmark.<\/p>\n<p>This isn\u2019t a reason for complacency, but it does counter the narrative of pure regulatory burden. The maturity built now pays dividends beyond German oversight.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What the Supervisory Phase Means in Practice<\/h2>\n<p>In concrete terms, supervision means the BSI (Federal Office for Information Security) no longer has to wait for an incident to take action. It can request evidence on a case-by-case basis or proactively, depending on how an entity is classified. Security leaders should prepare three key things.<\/p>\n<p>First, <em>demonstrable compliance<\/em>: risk analyses, technical and organizational measures, and their effectiveness must be documented and retrievable, not just implemented. Second, the <em>reporting chain<\/em>: deadlines for incident notifications to the BSI are tight, and the process should be rehearsed before it matters in a crisis. Third, <em>governance<\/em>: since management is personally liable, security must be elevated to the executive level, not just confined to IT.<\/p>\n<p>None of these requirements are new. 
What <em>is<\/em> new is that their absence can now have immediate consequences.<\/p>\n<div class=\"evm-timeline\" style=\"margin:32px 0;border:1px solid #e5e5e5;border-radius:6px;overflow:hidden;\">\n<div style=\"background:#003340;color:#fff;padding:12px 18px;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.14em;\">NIS2 Timeline in Germany<\/div>\n<div style=\"padding:8px 0;\">\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:120px;font-weight:700;color:#69d8ed;\">06.12.2025<\/div>\n<div style=\"color:#333;line-height:1.55;\">The NIS2 Implementation Act is promulgated and takes effect without a transition period.<\/div>\n<\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:120px;font-weight:700;color:#69d8ed;\">06.03.2026<\/div>\n<div style=\"color:#333;line-height:1.55;\">The registration deadline with the BSI expires; late registrations remain possible.<\/div>\n<\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;\">\n<div style=\"min-width:120px;font-weight:700;color:#69d8ed;\">from 2026<\/div>\n<div style=\"color:#333;line-height:1.55;\">Supervisory phase: The BSI reviews measures, requests evidence, and can impose sanctions.<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What If You Missed the Deadline?<\/h2>\n<p>Late registration with the BSI is still possible, but it doesn\u2019t provide a grace period. Legal obligations have been in force since the law\u2019s promulgation in December 2025, regardless of whether an entity registered on time. Those catching up now are only completing a formality while their substantive responsibilities have long been active.<\/p>\n<p>For latecomers, the practical steps are clear: register first, then swiftly establish demonstrable compliance. 
If a reportable incident occurs before measures are verifiable, a missed or delayed registration will weigh against you. The order isn\u2019t about ticking boxes; it\u2019s about managing risk.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<h3>What does the end of the NIS2 registration deadline mean?<\/h3>\n<p>The deadline to register with the BSI as an affected entity expired on March 6, 2026. However, the obligations themselves have been in force since the law\u2019s promulgation on December 6, 2025. The focus now shifts to supervision: the BSI will verify whether the reported measures have been implemented.<\/p>\n<h3>Who is affected by NIS2 in Germany?<\/h3>\n<p>Approximately 29,000 entities across 18 sectors fall under the law, divided into essential and important entities. This includes newly covered companies, operators of critical infrastructure, and certain federal institutions.<\/p>\n<h3>What Penalties Apply in Case of Violations?<\/h3>\n<p>For particularly critical entities, fines can reach up to 10 million Euro or 2 percent of global annual turnover, whichever is higher. For important entities, the upper limit is lower. On top of that, management faces personal liability, with the possibility of losing supervisory authority in severe cases.<\/p>\n<h3>Why Is Germany\u2019s Implementation Considered Strict?<\/h3>\n<p>Germany has gone beyond the EU\u2019s minimum NIS2 requirements, particularly in holding leadership personally accountable, even to the point of revoking supervisory authority in extreme cases. Companies meeting these standards typically already satisfy the European baseline.<\/p>\n<h3>What Should Companies Prioritize Now?<\/h3>\n<p>Three key actions: ensuring traceability of security measures, establishing a tested incident reporting chain, and embedding security responsibility at the leadership level. 
This preparation determines whether a BSI audit proceeds without issues.<\/p>\n<p style=\"font-size:.8em;color:#888;margin-top:1.5em;\">Cover image: AI-generated (June 2026)<\/p>\n","protected":false},"excerpt":{"rendered":"The NIS2 oversight has begun: the BSI registration deadline has passed, and the authority is now reviewing and imposing sanctions.","protected":false},"author":10,"featured_media":17795,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"NIS2 Supervision","_yoast_wpseo_title":"NIS2 after the deadline: Now the BSI supervision begins","_yoast_wpseo_metadesc":"NIS2 supervision begins: BSI registration deadline has passed, now authority checks and sanctions. 
Gain a competitive edge with early preparation.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[3,2,217,251],"tags":[],"class_list":{"0":"post-17793","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-aktuelles","8":"category-innovation","10":"category-news"},"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":17785,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/17793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=17793"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/17793\/revisions"}],"predecessor-version":[{"id":17794,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/17793\/revisions\/17794"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/17795"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=17793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/cat
egories?post=17793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=17793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}