
Regulatory wave 2026: NIS2, DORA, AI Act & CRA — What companies need to do now
Last updated on February 23, 2026
Four regulations, one time window — the situation in February 2026
2026 is not a normal compliance year. Four European regulations are taking full effect at the same time - and each one of them has the potential to keep the compliance departments of medium-sized and large companies busy for months. Together they create pressure that many organizations underestimate.
The NIS2 implementation requires BSI registration of around 30,000 companies in Germany by March 6, 2026. DORA has been applicable since January 17, 2025 and will put the entire financial sector to the test through BaFin audits in the coming months. The KI-MIG — Germany's implementing law for the EU AI Act — was passed by the cabinet on February 11, 2026 and makes AI sanctions enforceable from August 2026. And the Cyber Resilience Act will require manufacturers of digital products to report actively exploited vulnerabilities from September 2026.
This is no coincidence. The EU is pursuing a coordinated approach with its digital sovereignty strategy: network security (NIS2), financial stability (DORA), responsible AI (AI Act) and product security (CRA) are intertwined. If you only look at one of these regulations in isolation, you waste budget and time - because the overlap in risk management, reporting obligations and supply chain requirements is significant.
Regulation | Scope | Core duty | Next critical deadline | Max. sanction
--- | --- | --- | --- | ---
NIS2 (NIS2UmsuCG) | ~30,000 companies in 18 sectors | Cybersecurity risk management, reporting requirements, BSI registration | March 6, 2026 (registration) | €10 million / 2% of turnover
DORA | Financial sector + ICT third-party providers | ICT risk management, TLPT, third-party oversight | Q1 2026 (BaFin audits) | Sector-specific, including license revocation
AI Act (KI-MIG) | Any company that uses or develops AI | Risk classification, transparency, high-risk compliance | August 2, 2026 (sanctions) | €35 million / 7% of turnover
CRA | Manufacturers/importers of digital products | Security by design, SBOM, vulnerability management | September 11, 2026 (reporting requirements) | €15 million / 2.5% of turnover
This article gives you the complete overview: what each regulation specifically requires, where obligations overlap, and how you can save up to 40% implementation effort with an integrated approach.
NIS2 — Registration deadline March 6, 2026: What’s still possible?
The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been German law in force since December 6, 2025. The Bundestag resolution on the NIS2UmsuCG ended more than two years of delays, thereby shortening the effective preparation time for affected companies to just a few months.
The numbers are alarming: around 30,000 companies in Germany fall under the NIS2 regulations. According to a survey by nis2-check.de, 80% of those affected do not even know that they are affected. This is due to the expanded criteria: NIS2 covers 18 sectors and significantly lowers the threshold values. A company with 50 employees and €10 million in sales in a relevant sector is already in the scope.
The most immediate duty: by March 6, 2026, all affected companies must register with the BSI. Technically, this is done via the BSI portal with an ELSTER organization certificate. And this is exactly where a practical problem arises that many underestimate: if you have not yet applied for an ELSTER certificate for your organization, you must expect a processing time of several weeks. With eleven days remaining, this will be extremely tight.
The consequences of non-compliance are not an empty threat. §38 NIS2UmsuCG establishes personal liability of the management, a novelty in German cybersecurity law. Managing directors and board members can no longer argue that cybersecurity is a purely operational matter. In addition, there are fines of up to €10 million or 2% of global annual turnover. If you want to delve deeper into the details, the article "Fines and personal liability at NIS2" provides a complete breakdown.
NIS2 checklist: The 5 most important immediate measures
Even if time is of the essence, panic is the wrong advice. The following five measures can be addressed in a prioritized manner and cover the most critical NIS2 requirements.
First: carry out BSI registration immediately. If an ELSTER organization certificate is available, registration can be completed within a few hours. If not, the application must start today, and at the same time an emergency plan must be drawn up in case the certificate does not arrive on time. The BSI has signaled that a demonstrably initiated registration will be viewed more leniently than complete inaction if the deadline is narrowly missed.
Second: complete the impact analysis. The question "Are we even affected?" must be answered in a documented manner. It is not just about your own classification, but also about whether subsidiaries, joint ventures or key suppliers fall under NIS2. The article "10 most common errors in NIS2 implementation" shows that the impact analysis is the step most often carried out incorrectly, especially in medium-sized companies.
Third: set up a risk management framework. NIS2 requires systematic risk management according to the state of the art. Anyone who already operates an ISMS according to ISO 27001 has a solid basis, but must explicitly map the NIS2-specific requirements (particularly supply chain security and business continuity).
Fourth: establish reporting processes for security incidents. NIS2 provides for a three-tier reporting system: initial report within 24 hours, qualified report within 72 hours, final report within one month. These deadlines must be operationally mapped, with clear responsibilities, escalation paths and prepared templates.
Fifth: start the supplier assessment. Supply chain security is one of the most demanding NIS2 requirements because it extends far beyond your own organization. Companies must assess and contractually secure the cybersecurity measures of their critical suppliers. If you approach this aspect strategically, you can even turn it into a competitive advantage, as described in detail in the article "NIS2 supply chain requirements".
DORA — Financial sector under pressure
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has been directly applicable since January 17, 2025 - no national implementation law necessary, no postponement possible. Nevertheless, a survey by Computerwoche shows that 44% of the affected companies have significant implementation problems. This is not a statistic about small fintechs - the survey includes banks, insurance companies and payment service providers of all sizes.
DORA is aimed at the entire financial sector: credit institutions, insurance companies, investment firms, payment service providers, crypto-asset service providers and - this is often overlooked - the third-party ICT providers that provide critical services to these sectors. A cloud provider that hosts core banking systems falls under DORA, as does the bank itself.
The core duties are divided into five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management and information sharing. At first glance, these requirements are similar to what NIS2 requires. At second glance it becomes clear: DORA goes much deeper in every area.
The most important difference concerns resilience testing. DORA requires system-relevant institutes to carry out so-called Threat-Led Penetration Tests (TLPT) - a methodology in which real attack scenarios are simulated by specialized red teams, based on current threat intelligence. This is a completely different caliber than an annual penetration test by a standard service provider. The TLPT requirement is based on the TIBER-EU framework and requires resources that are simply scarce on the market.
DORA implementation: Where the biggest gaps lie
Practice shows four recurring weak points in DORA implementation.
The third-party risk register is incomplete at many institutions. DORA requires a complete register of all contractual agreements regarding the use of ICT services, including a classification of which of these service providers support critical or important functions. Many companies do not have a complete overview of which cloud services, SaaS solutions and managed services are actually in use. Shadow IT is not the fringe phenomenon it is often dismissed as; it is the blind spot in the DORA register.
TLPT capacity is missing on the market. Qualified red team providers working according to TIBER-EU specifications are limited. If you are only now starting to look for a TLPT provider, you will have to expect waiting times of several months. BaFin has signaled that it will act pragmatically in the initial phase, but that does not mean that missing TLPT tests will have no consequences.
Exit strategies for critical ICT service providers are another problem child. DORA requires exit plans in case a critical ICT service provider fails or the business relationship has to be terminated. In practice, very few institutions have a realistic plan for how they would migrate from AWS to Azure within a reasonable time frame. This is not a theoretical risk; it is a regulatory obligation that will be queried at the latest during the next BaFin audit.
The incident reporting deadlines present operational challenges. DORA requires an initial report within 4 hours, significantly stricter than the 24-hour deadline under NIS2. An ICT-related incident must be reported in a qualified manner within 72 hours. If you want to meet these deadlines on weekends or public holidays, you need 24/7 availability with clear processes and prepared reporting channels to BaFin.
AI Act & KI-MIG — AI regulation becomes German law
The EU AI Act (Regulation (EU) 2024/1689) comes into force gradually. The bans on unacceptable AI systems – such as social scoring or real-time biometric remote identification in public spaces – have been in effect since August 2024. The obligations for high-risk AI systems will come into effect from August 2026, making things concrete for the vast majority of companies.
The decisive breakthrough at the national level came on February 11, 2026: the Federal Cabinet adopted the KI-MIG (AI Market Implementation Act), Germany's implementing law for the AI Act. This makes it clear how the AI Act is enforced in Germany. The Federal Network Agency (BNetzA) becomes the central supervisory authority for AI market surveillance. This is a conscious decision: the BNetzA already has experience with market surveillance in regulated sectors and has the necessary technical expertise.
Without the KI-MIG, the AI Act would actually not have been enforceable in Germany. The law regulates the distribution of responsibilities between federal authorities, defines the sanction mechanisms and creates the framework for regulatory sandboxes in which innovative AI systems can be tested under regulatory supervision. The KI-MIG provides for transition periods for existing AI systems - however, these are significantly shorter than required by industry associations.
The AI Act risk classification is the key element that every company must understand. Prohibited AI practices (Art. 5 AI Act) have been banned since August 2024; anyone who uses social scoring or subliminal manipulation techniques is already operating unlawfully. High-risk AI systems (Annex III AI Act) include, among others, AI in human resources (recruiting, performance assessment), credit scoring, medical diagnostics and critical infrastructure. Comprehensive obligations will apply to these systems from August 2026: risk management, data quality, technical documentation, human oversight, accuracy, robustness and cybersecurity. AI systems with limited risk are subject to transparency obligations, such as the labeling of AI-generated content or chatbot interactions.
The sanctions are the highest of all four regulations: up to €35 million or 7% of global annual turnover for violations of the prohibited AI practices. For high-risk violations, fines are up to €15 million or 3% of turnover. These amounts significantly exceed even the GDPR sanctions and show how seriously the EU is taking the issue.
If you want to understand the intersection between NIS2 and AI regulation, I recommend the article "NIS2 meets AI: Why AI governance is becoming mandatory". It shows in detail why companies can no longer think of cybersecurity and AI governance separately.
KI-MIG: What the German implementing law specifically requires
The KI-MIG names the responsible authorities: the Federal Network Agency as the central market surveillance authority, supplemented by sectoral responsibilities (BaFin for financial AI, the Federal Ministry of Health for medical AI). Market surveillance includes warrantless audits, complaint mechanisms and the power to prohibit the operation of non-compliant AI systems.
The regulatory sandboxes are a deliberately innovation-friendly element. Companies can test AI systems in a controlled environment and try out regulatory requirements under the supervision of the Federal Network Agency. This is particularly relevant for startups and medium-sized AI developers who do not have the resources to fully implement all compliance requirements in advance.
For existing AI systems that were put into operation before August 2, 2026, the KI-MIG provides for transition periods. However, companies must demonstrate that they are actively working towards compliance. An AI system that has been operated for years without any documentation or risk analysis does not enjoy grandfathering protection.
Cyber Resilience Act (CRA) — product security from September 2026
The Cyber Resilience Act (Regulation (EU) 2024/2847) addresses a gap that the previous regulatory landscape has left open: the cybersecurity of products with digital elements. Whether it's a connected industrial control, a smart home device, business software or an IoT sensor, the CRA covers virtually every product that establishes a data connection and is sold on the EU market.
The implementation takes place in two stages. From September 11, 2026, the reporting requirements apply to actively exploited vulnerabilities: manufacturers must inform ENISA within 24 hours if they become aware of an actively exploited vulnerability in one of their products. The full compliance obligation, including all technical requirements, applies from December 11, 2027.
The core philosophy of the CRA is security by design: cybersecurity must be considered right from product conception, not as an afterthought. This includes secure default configurations, automatic security updates, a minimal attack surface and documented vulnerability management across the entire product lifecycle.
A particularly concrete instrument is the CE marking, which is expanded to include cybersecurity requirements. Products that do not meet the CRA requirements may not bear a CE mark and therefore may not be sold on the EU internal market. For manufacturers outside the EU, the obligation falls on the respective importer, a mechanism also known from product safety legislation.
CRA preparation: What manufacturers and importers need to do now
The most important preparation concerns the Software Bill of Materials (SBOM). The CRA requires machine-readable documentation of all software components of a product, including open source libraries and their versions. Anyone who underestimates the extent of this requirement should consider: an average enterprise application contains hundreds of dependencies. This requirement cannot be met without automated SBOM generation in the CI/CD pipeline.
A vulnerability disclosure policy must be established: a documented process for how external security researchers can report vulnerabilities and how the manufacturer responds. This is new territory for many German medium-sized companies, but has long been standard in the international software industry.
Patch management needs to be formalized. The CRA requires that security updates be provided for the entire expected product lifecycle (at least five years, unless the expected useful life is shorter), free of charge and in a timely manner. For manufacturers of IoT devices that have previously lived a "fire and forget" model, this means a fundamental change in the business model.
The conformity assessment must be prepared. Depending on the risk class of the product, a self-assessment is sufficient or an inspection by a notified body is required. Class II products (e.g. firewalls, operating systems, industrial controls) require third-party assessment, and notified body capacity will be scarce in 2027.
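To make the SBOM requirement concrete, the following added example (not code from the article, and not the output of any particular SBOM tool) turns a pinned Python lock file into a CycloneDX-shaped JSON document, which is one of the machine-readable formats the CRA documentation duty is commonly met with. The lock file content is constructed; the product name `claims-app` and its version are assumed. Production pipelines would use a dedicated generator (for example the CycloneDX or Syft tooling) instead, but the script shows the two properties a CI gate should enforce: every component carries an exact version, and the build fails rather than emitting an SBOM with gaps.

```python
"""Minimal CycloneDX-style SBOM generator for a pinned Python lock file.

Added example for the CRA SBOM requirement; not the article's code.
Assumes a pip-freeze style input ("name==version" per line) and emits the
CycloneDX JSON layout (bomFormat / specVersion / metadata / components).
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample lock file, as a CI job would read it from the repository.
SAMPLE_LOCKFILE = """\
# requirements.lock (constructed sample)
requests==2.31.0
urllib3==2.2.1
cryptography==42.0.5
"""

# Exact pins only: "name==version". Ranges such as ">=" are deliberately rejected.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+!-]+)\s*$")


def parse_lockfile(text):
    """Return (pinned, unpinned).

    pinned   - list of (name, version) tuples for exactly pinned requirements
    unpinned - requirement lines that carry no exact version (SBOM-unfit)
    """
    pinned, unpinned = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PIN_RE.match(stripped)
        if match:
            pinned.append((match.group(1).lower(), match.group(2)))
        else:
            unpinned.append(stripped)
    return pinned, unpinned


def build_sbom(text, product_name, product_version):
    """Build a CycloneDX 1.5-shaped SBOM dict; fail closed on unpinned input."""
    pinned, unpinned = parse_lockfile(text)
    if unpinned:
        # An SBOM without component versions would not satisfy the CRA duty,
        # so the pipeline step should fail here instead of shipping it.
        raise ValueError(f"unpinned requirements, cannot build SBOM: {unpinned}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {
                "type": "application",
                "name": product_name,
                "version": product_version,
            },
        },
        "components": [
            # purl (package URL) is the identifier vulnerability feeds key on.
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:pypi/{name}@{version}"}
            for name, version in pinned
        ],
    }


def component_count(sbom):
    """Number of third-party components recorded in the SBOM."""
    return len(sbom["components"])


if __name__ == "__main__":
    # Usage: generate the SBOM for the constructed lock file and print it.
    document = build_sbom(SAMPLE_LOCKFILE, "claims-app", "3.4.0")
    print(json.dumps(document, indent=2))
```

In a CI/CD pipeline the generated document would be stored as a build artifact alongside the release, so that a later vulnerability report can be matched against the exact component versions shipped.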
The overlap — why isolated compliance is a waste of money
If you treat NIS2, DORA, AI Act and CRA as four separate projects, you are building governance structures four times, risk management processes four times, reporting channels four times and supply chain assessments four times. Not only is this inefficient — it leads to inconsistencies that are noticeable during audits.
The overlaps are substantial:
Mandatory area | NIS2 | DORA | AI Act | CRA
--- | --- | --- | --- | ---
Risk management | ✅ Systematic, state of the art | ✅ ICT-specific, BaFin-compliant | ✅ AI risk classification | ✅ Product-related, security by design
Reporting requirements | ✅ 24h / 72h / 1 month to BSI | ✅ 4h / 72h to BaFin | ✅ Serious incidents to the supervisory authority | ✅ 24h to ENISA (vulnerabilities)
Supply chain | ✅ Supplier assessment | ✅ ICT third-party provider register | ✅ Value chain for AI | ✅ SBOM, component security
Governance | ✅ Management liability §38 | ✅ Management responsibility | ✅ Human oversight | ✅ CE responsibility
Documentation | ✅ Security concept, evidence | ✅ ICT strategy documentation | ✅ Technical documentation | ✅ SBOM, declaration of conformity
The common denominator is obvious: all four regulations require systematic risk management, defined reporting processes, supply chain transparency and documented governance. A company that operates a mature ISO 27001 ISMS has already laid 60-70% of the groundwork for NIS2 and DORA. This ISMS can be expanded to include the AI Act and CRA-specific requirements with a manageable amount of effort.
Our project experience shows: an integrated compliance approach saves 30-40% of the total effort compared to a silo implementation. This saving comes from the multiple use of risk assessments, consolidated reporting processes, uniform supplier assessment and common governance structures. We describe the details of building such a framework in the article on NIS2 risk management frameworks.
Integrated Compliance Roadmap: A Framework for Four Regulations
The implementation can be divided into four phases, which are tailored to the deadline logic of the four regulations.
Phase 1 — Immediately (February/March 2026): Gap analysis and quick wins. A comprehensive impact analysis clarifies which of the four regulations are relevant for your company. At the same time, the BSI registration for NIS2 is completed. For institutions affected by DORA, an inventory of the ICT third-party provider register is carried out. An initial AI inventory scan identifies all AI systems used in the company.
Phase 2 — Q1/Q2 2026: Joint risk management and governance. Build an integrated risk management framework that covers the requirements of all relevant regulations. Define governance structures with clear responsibilities. Establish a consolidated reporting process that maps the different deadlines (4h DORA, 24h NIS2/CRA, AI Act) in one workflow.
Phase 3 — Q2/Q3 2026: Technical measures. Implement security monitoring and incident response. Generate SBOMs in the development pipeline. Evaluate and document AI systems according to risk classes. Carry out the supplier assessment across all regulations. Commission a TLPT provider (for institutions affected by DORA).
Phase 4 — Q3/Q4 2026: Audit readiness. Internal audits against all relevant regulations. Finalize documentation. Prepare the conformity assessment for CRA-relevant products. Train management on their liability obligations under NIS2 and DORA.
Deadline calendar 2026 – all deadlines at a glance
The following overview shows the critical dates in chronological order. Please note that some obligations (particularly DORA) already apply and BaFin can review them at any time.
Date | Regulation | Duty | Urgency
--- | --- | --- | ---
March 6, 2026 | NIS2 | BSI registration deadline | 🔴 Critical — 11 days
Q1 2026 | DORA | First BaFin audits expected | 🔴 Already applicable
August 2, 2026 | AI Act / KI-MIG | High-risk AI obligations apply, sanctions enforceable | 🟡 6 months
September 11, 2026 | CRA | Reporting requirements for actively exploited vulnerabilities | 🟡 7 months
December 11, 2027 | CRA | Full compliance obligation (all technical requirements) | 🟢 22 months
The window for proactive action is closing. Anyone who starts with integrated implementation today still has enough time for all four regulations. Anyone who doesn't start until summer 2026 will already be behind schedule with NIS2 and will have to improvise for the AI Act and CRA.
FAQ — Frequently asked questions about the 2026 regulatory wave
Which companies are affected by all four regulations at the same time?
The extreme case is a financial service provider that uses AI and sells digital products at the same time. For example, an insurance company that uses AI-based claims processing and offers a customer app as a SaaS product falls under all four regulations: NIS2 (as a critical infrastructure operator), DORA (as a financial institution), AI Act (as an AI operator with a high-risk application in the area of insurance valuation) and CRA (as a manufacturer of a digital product).
But medium-sized businesses are also more affected than often assumed. A mechanical engineering company with 200 employees that produces connected industrial controls and offers AI-based predictive maintenance falls under NIS2 (manufacturing sector), the AI Act (AI system in an industrial context) and the CRA (product with digital elements). Only DORA does not apply, because the company is not a financial institution. The rule of thumb: the more digital the business model, the more regulations apply.
Is ISO 27001 certification enough for NIS2 and DORA?
ISO 27001 is an excellent basis - but it is not sufficient for either regulation on its own. NIS2 requires additional elements that ISO 27001 does not cover or does not cover completely: the BSI registration, the specific reporting obligations with defined deadlines (24h/72h/1 month), the personal management liability according to §38 NIS2UmsuCG and the extended requirements for supply chain security.
DORA goes even further. The regulation requires TLPT (Threat-Led Penetration Testing) according to TIBER-EU methodology, a complete ICT third-party provider register, defined exit strategies for critical service providers and specific BaFin reporting requirements. An ISO 27001 certified company has laid the cultural and organizational foundation, but must make significant regulatory enhancements. Allow 4-6 months for this - less if the ISMS is mature and well documented.
What does non-compliance cost — specific fines?
The fine ranges vary considerably between the four regulations and make prioritization based on the level of the sanction sensible:
NIS2 provides for fines of up to €10 million or 2% of global annual turnover, whichever is greater. In addition, there is the personal liability of the management in accordance with §38 NIS2UmsuCG, which also includes claims for damages by the company against the management.
DORA works with sector-specific sanctions from BaFin. The spectrum ranges from fines to public reprimands to the revocation of business licenses. For a financial institution, the potential license revocation is a threat to its existence, a risk that cannot be expressed in euros in any table of fines.
The AI Act brings the highest fines: up to €35 million or 7% of global annual turnover for violations of the banned AI practices. For high-risk violations up to €15 million or 3% of turnover. For providing false information to regulators up to €7.5 million or 1% of turnover.
The CRA provides for up to €15 million or 2.5% of annual turnover. More serious than the fine, however, is the potential product ban on the EU market: non-compliant products may not bear the CE mark and must be withdrawn from the market. This can be a threat to the existence of a manufacturer whose main market is the EU.
What is the KI-MIG and why is it relevant to the AI Act?
The KI-MIG (AI Market Implementation Act) is Germany's national implementing law for the EU AI Act. Although the AI Act applies directly as an EU regulation, it requires national implementation rules for practical enforcement - especially when it comes to the question of which authority is responsible, how audits are carried out and how sanctions are imposed.
On February 11, 2026, the Federal Cabinet approved the KI-MIG. It designates the Federal Network Agency as the central supervisory authority for AI market surveillance, defines the sanction mechanisms for the German legal area and creates the legal basis for regulatory sandboxes. Without the KI-MIG, no German authority would have the authority to punish AI Act violations. With the KI-MIG, sanctions can actually be enforced from August 2026. For companies, this means: The AI Act is no longer just an EU regulation on paper, but is flanked by a specific national supervisory authority with audit and sanction powers.
How do I get started if my company is not prepared for any of the four regulations?
Don't panic, but don't put it off either. The prioritization results from the deadlines and the level of sanctions.
Step 1 — Impact analysis (this week). Systematically clarify which of the four regulations apply to your company. Use the NIS2 impact check at nis2-check.de as a starting point. At the same time, check whether you use AI systems (including purchased ones, such as AI-supported recruiting or automated decision-making systems) and whether you produce or import digital products.
Step 2 — NIS2 registration immediately (deadline March 6, 2026). If you fall under NIS2, BSI registration has absolute priority. Obtain an ELSTER organization certificate if you do not already have one and complete the registration.
Step 3 — Integrated gap analysis (March/April 2026). Have a comprehensive gap analysis carried out that considers all relevant regulations at the same time. This avoids duplication of work and identifies synergies. External advice is worthwhile here because the regulatory requirements are complex and the interactions are not obvious.
Step 4 — Prioritized roadmap. Based on the gap analysis, a roadmap is created that prioritizes according to deadlines and level of sanctions: NIS2 and DORA first (deadlines already underway), the AI Act next (August 2026), CRA reporting requirements in parallel (September 2026), full CRA compliance by the end of 2027.
Conclusion - act instead of waiting
The wave of regulation is not coming — it is here. NIS2 is current law with a registration deadline in eleven days. DORA has been applicable for over a year, and BaFin will systematically review it for the first time in 2026. The KI-MIG makes the AI Act enforceable in Germany from August 2026. And the CRA will establish reporting requirements for product vulnerabilities from September 2026.
Companies that now choose an integrated approach win twice: they save 30-40% implementation effort compared to a silo strategy and create a compliance architecture that is also sustainable for future regulations. However, if you wait, you pay twice - first the fines, then the retrofitting under time pressure.
The most important insight from our consulting practice: compliance is not a project with an end date. It is an ongoing process that must be integrated into company management. The wave of regulation in 2026 is the right reason to finally tackle this integration, not as a compulsory exercise, but as a strategic advantage through early implementation.
Next step: Free initial consultation
Would you like to successfully implement AI strategies in your company? Our experts will be happy to advise you, without obligation and in a practical manner. Arrange an initial consultation now →