NIS2 Implementation: What Mid-Sized Companies Still Need to Do
The NIS2 Implementation Act has been in force since December 6, 2025 – with no transition period. Around 29,500 companies across 18 sectors are affected, including thousands of mid-sized companies in mechanical engineering, IT services and logistics for the first time. The BSI registration deadline expired on March 6, 2026. Those who have not yet registered risk fines of up to 10 million euros and personal liability for management. This is not a future scenario – this is current law.
Key Takeaways
- 29,500 companies in 18 sectors fall under NIS2 – significantly more than under the previous NIS Directive (BSI, 2025).
- No transition period: The NIS2UmsuCG has been in effect since December 6, 2025. Security measures and reporting obligations are binding immediately.
- Personal liability: Section 38 BSIG makes managing directors personally responsible. Serious violations can result in a professional ban.
- Fines up to 10 million euros or 2 percent of global annual turnover for essential entities (Section 60 BSIG).
- BSI registration deadline expired: The deadline was March 6, 2026. Late registration is still possible, but every day of delay increases the fine risk.
NIS2 in Germany: What has been in effect since December 2025
The European NIS2 Directive should have been transposed into national law by October 2024. Germany missed this deadline – the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was only passed by the Bundestag on November 13, 2025, confirmed by the Bundesrat on November 20, and entered into force on December 6, 2025.
What many managing directors underestimate: The law has no grace period. From the day it entered into force, the security measures under Section 30 BSIG and the tightened reporting obligations are binding for all affected companies. Anyone not yet compliant is already violating current law. And the BSI has been actively auditing since early 2026 – not just when an incident occurs.
To make matters worse: According to BSI data, only about 38.5 percent of the estimated 29,500 affected companies had registered by March 2026. More than 18,000 companies are thus in a legal grey zone – affected but neither registered nor compliant.
Who is affected? The 18 sectors at a glance
NIS2 affects companies with 50 or more employees or 10 million euros in annual turnover across 18 sectors. The law distinguishes two categories: essential entities (higher obligations, stricter fines) and important entities.
Essential entities include energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT services in B2B, public administration and space. Important entities include postal and courier services, waste management, chemicals, food, manufacturing (mechanical engineering, automotive, electrical engineering), digital service providers and research institutions.
For mid-sized companies, the second category is decisive: A mechanical engineering firm with 80 employees and 15 million euros in revenue falls under NIS2 – even if it has never dealt with IT security regulation before. The same applies to IT service providers, logistics companies and automotive suppliers. The threshold for being affected is deliberately low.
NIS2 requires that management not only tolerate but actively steer the establishment and operation of an adequate security level. Approving security concepts, providing resources and regularly assessing risks – this is the personal duty of management.
[Figure: Summary of obligations under Section 38 BSIG]
Fines and personal liability under Section 38 BSIG
The sanctions under NIS2 are more severe than anything German companies have previously faced in IT security. Essential entities risk fines of up to 10 million euros or 2 percent of global annual turnover – whichever is higher. For important entities, the limits are 7 million euros or 1.4 percent of turnover.
The truly explosive aspect is Section 38 BSIG: personal liability for management. Managing directors must approve the implementation of security measures and monitor their execution. They are required to regularly attend training to understand IT risks, technical fundamentals and legal requirements. In cases of gross negligence or intent, the managing director is personally liable.
In extreme cases, the BSI can impose a temporary professional ban on executives who repeatedly or seriously violate NIS2. This is a new quality: IT security can no longer be delegated – it is a management responsibility with personal consequences. Those looking into cyber insurance quickly discover that many policies require NIS2 compliance as a prerequisite for coverage.
A concrete example: The managing director of a mid-sized IT service provider with 120 employees had missed the NIS2 registration. In February 2026, a ransomware attack hit the company. The 24-hour reporting deadline was not met because no incident response plan existed. The consequence: In addition to the economic damage from the attack, fines are pending for missing registration, late reporting and inadequate security measures. The managing director is personally liable because he can neither prove training attendance nor approval of security measures. This case is not isolated – the BSI has been actively auditing since early 2026.
What exactly do affected companies need to implement?
Section 30 BSIG defines ten areas in which companies must take measures. The scope depends on company size, risk exposure and societal significance. For mid-sized companies, the following are particularly relevant:
Risk management: Regular risk analyses for all IT systems and business processes. Not as an annual compliance exercise, but as an ongoing process.
Incident response: A documented plan for handling security incidents. An initial report must be filed with the BSI within 24 hours. A qualified report assessing severity follows within 72 hours. A final report is due after one month.
Business continuity: Backup strategies, recovery plans and crisis management. The company must demonstrate that it can survive a serious IT incident.
Supply chain security: Assess and secure the entire supply chain. This particularly affects companies that serve as suppliers to critical infrastructure – and there are many in the mid-market. Those who have not yet reviewed their cloud strategy for sovereignty should do so as part of NIS2 implementation.
Management training obligation: Section 38 BSIG requires documented training. Managing directors must understand IT security fundamentals, current threat landscapes and legal requirements. Training must be documented – it is a key defense in case of audit. This also applies to owner-managers in mid-sized companies who have previously delegated IT security to the system administrator.
Access control and cryptography: Multi-factor authentication, encrypted communication and structured authorization management are no longer optional recommendations but legal obligations. Especially in mid-sized companies where simple passwords and shared admin accounts are still standard, this means considerable effort.
5 steps to NIS2 compliance
Step 1: Check if you are affected
Does your company fall into one of the 18 sectors? Do you have more than 50 employees or more than 10 million euros in annual turnover? Then you are very likely affected. The BSI provides an affectedness check on its website.
Step 2: Complete BSI registration
The official deadline was March 6, 2026. If you missed it: Complete it immediately. Registration is done through the BSI reporting and information portal. Every day of delay increases the fine risk.
Step 3: Conduct a gap analysis
Compare your current IT security posture against the requirements of Section 30 BSIG. Where do you already have measures in place, where are gaps? An external auditor or specialized consultant can complete this analysis in two to four weeks.
Step 4: Set up an incident response plan
Define clear reporting channels, responsibilities and escalation levels. Practice the emergency scenario at least once a year with a tabletop exercise. The 24-hour reporting deadline to the BSI requires documented processes that activate immediately in a crisis.
Step 5: Train and document management participation
Section 38 BSIG requires verifiable management training. This is not optional. Book certified NIS2 training courses and document attendance. These records are critical for liability defense in case of an audit.
In addition to NIS2 compliance, companies should keep an eye on the Cyber Resilience Act, which places additional requirements on manufacturers of digital products. And those wanting to maintain a regulatory overview will find the second major compliance block for 2026 in the article on the EU AI Act.
Frequently Asked Questions
Does NIS2 also apply to companies with fewer than 50 employees?
Generally not. The threshold is 50 employees or 10 million euros in annual turnover. Exceptions apply to companies in particularly critical areas such as DNS services, trust service providers or top-level domain operators – these fall under NIS2 regardless of size.
Can I still complete the BSI registration?
Yes. The March 6, 2026 deadline has passed, but registration through the BSI portal remains possible. Companies should complete the late registration immediately. Late registration itself still carries a fine risk, and that risk increases with every day of delay.
What happens during a security incident under NIS2?
Affected companies must file an initial report with the BSI within 24 hours. A qualified report assessing severity, scope and potential cross-border impact follows within 72 hours. A final report is due within one month at the latest.
Is the managing director personally liable for NIS2 violations?
Yes. Section 38 BSIG provides for personal responsibility of management. Managing directors must approve security measures, monitor their implementation and regularly attend training. In cases of gross negligence or intent, personal liability applies. In severe cases, the BSI can impose a temporary professional ban.
What does NIS2 implementation cost for a mid-sized company?
It depends on the current security level. Companies with an existing ISMS according to ISO 27001 face the least effort – they mainly need to add reporting obligations and management training. Companies without structured IT security management should expect an initial investment of 50,000 to 200,000 euros spread over six to twelve months.
Is an ISO 27001 certification sufficient for NIS2 compliance?
An ISO 27001 certification covers many NIS2 requirements but is not sufficient on its own. NIS2 additionally requires BSI registration, specific reporting obligations within 24 hours, verifiable management training and supply chain security. ISO 27001 is an excellent foundation but must be supplemented with NIS2-specific obligations.
Title image source: Pexels / Tima Miroshnichenko (px:5380596)