NIS2 Enforcement 2026: What Happens Now – and What Companies Must Do Immediately

March 17, 2026
9 min read

It's a Tuesday morning. Your assistant places a letter from the Federal Office for Information Security on your desk. Sender: BSI. Subject: Request for registration according to § 33 BSIG-new — deadline 14 days. Your company employs 120 people, generates 25 million euros in revenue, provides IT services to hospitals. You are NIS2-obligated. And you missed the registration deadline on March 6, 2026.

⚠️ Important: The BSI registration obligation is in effect. Companies that have not yet registered risk fines up to €10 million and personal CEO liability.

This letter is not a hypothetical scenario. The BSI has signaled that it is now transitioning from the registration phase to active enforcement. Those who have not acted yet risk fines up to 10 million euros and personal CEO liability. This article explains what happens now — and what you must do immediately.

What Has Happened So Far: The NIS2 Law is in Effect

Since December 6, 2025, the NIS2 Implementation Act (NIS2UmsuCG) has been in effect in Germany. It affects approximately 29,500 companies in 18 critical sectors — from energy to healthcare to digital infrastructure, logistics, and waste management. Companies with 50 or more employees or 10 million euros in annual revenue operating in these sectors automatically fall under the regulation.

The first obligation: Registration with the BSI via the new MELDUNG.BSI portal. The deadline for this was three months after entry into force — March 6, 2026. According to BSI estimates, approximately 18,500 companies missed this deadline.

BSI Switches to Enforcement Mode

Until now the BSI has been in the orientation and registration phase: online impact assessment, workshops, FAQ pages. That is changing now. The BSI has announced that once the registration deadline has expired, it will actively check which companies have not registered. The authority has extensive powers for this:

Binding orders: The BSI can require companies to implement or demonstrate specific security measures.

Audits and inspections: On-site audits or document requests to verify NIS2 compliance.

Public announcements: In case of serious violations, the BSI can make these public — a significant reputational risk.

Fines: For particularly important facilities up to 10 million euros or 2% of global annual revenue, for important facilities up to 7 million euros or 1.4% of revenue.

Personal Liability of Management

NIS2 contains an innovation that many companies are not yet aware of: Managing directors can be held personally liable for NIS2 violations. § 38 BSIG-new provides that management must approve and monitor the implementation of security measures. In case of gross negligence or intent, personal liability is possible. The BSI can even impose a temporary professional ban on executives who repeatedly or seriously violate NIS2.

What Specifically Happens If You Are Not Yet Registered?

The BSI systematically works through the sectors. Anyone operating in a regulated sector and exceeding the size thresholds will sooner or later be identified — through industry and commercial registers, reports from business partners, or BSI's own surveys. Experience from other EU countries shows: Authorities start with high-profile sectors (energy, healthcare, digital infrastructure) and gradually expand audits.

The typical process after a BSI finding: First comes an informal request for registration with a short deadline. If the company does not respond, a formal notice follows. After that, administrative offense proceedings can be initiated. In the worst case, it ends with a fine and public announcement.

Immediate Measures: What You Must Do in the Next 14 Days

If you missed the registration deadline, every day counts now. Here are the prioritized measures:

✅ Step 1: Finally clarify applicability

Use the official BSI decision tree at betroffenheitspruefung-nis-2.bsi.de. Check sector, employee count, and revenue. If in doubt, get legal confirmation — your self-assessment is not binding on the BSI.

✅ Step 2: Apply for ELSTER organization certificate

BSI registration is not possible without an ELSTER organization certificate. Apply via elster.de; processing takes 3-7 business days. Start immediately.

✅ Step 3: Registration in the MELDUNG.BSI portal

Once the certificate is available: Registration at meldung.bsi.de. Information on company structure, sector, facility type (important vs. particularly important), and contact details for security incidents.

✅ Step 4: Inventory security measures

§ 30 BSIG-new prescribes 10 core measures: Risk analysis, incident response plan, business continuity, supply chain security, network security, vulnerability management, cryptography, access control, multi-factor authentication, and security training. Document the current status.

✅ Step 5: Establish reporting process for security incidents

NIS2 requires a 24-hour initial report for significant security incidents. Those without a process are doubly exposed: once for the missed registration, once for an unreported incident.

Further ADVISORI Articles on NIS2

Detailed information on fines and liability can be found in our article NIS2 Deadline Missed: Fines & Liability 2026. A step-by-step guide to BSI registration is provided by NIS2 Registration with BSI: The Complete Guide.

Frequently Asked Questions About NIS2 Enforcement

What happens if I missed the registration deadline?

Complete the registration immediately. As long as the BSI has not yet issued a notice, voluntary late registration is the best way to minimize fine risk. The BSI has signaled that proactive action is taken into account when determining sanctions.

How does the BSI find out that my company is NIS2-obligated?

The BSI uses various sources: Commercial and company registers, industry associations, self-disclosures, and reports from the business community. Additionally, the BSI works with sector regulators — in the energy and healthcare sectors, for example, with the Federal Network Agency and BfArM.

Am I as a GmbH managing director really personally liable?

Yes, under certain conditions. § 38 BSIG-new obligates company management to approve and monitor cybersecurity measures. In case of demonstrable negligence, the BSI can impose fines directly on natural persons and — in severe cases — issue a temporary professional ban.

Does NIS2 also apply to subsidiaries of international corporations?

Yes. Every entity active in Germany that meets the size thresholds and sector criteria is NIS2-obligated — regardless of whether the parent company is based abroad. Registration and compliance obligations apply to the German legal entity.

ADVISORI Supports You with NIS2 Compliance

The NIS2 clock is ticking. ADVISORI accompanies companies from the impact assessment through BSI registration to complete compliance implementation. Our NIS2 consultants have already guided over 50 companies in Germany through the process — quickly, with legal certainty, and without business interruptions.

Contact us now — before the BSI does it for you.
