Skip to main content
NIS2 Implementation Act · In force since 6. Dezember 2025

NIS2 is now law. Your liability starts now.

Around 29,500 companies in Germany have been directly obligated since 6. Dezember 2025 – with no transition period. Under Section 38 of the BSIG (the German Act on the Federal Office for Information Security), executive management bears personal responsibility. We get you to a defensible state before the first BSI enquiry, the first incident or the first auditor knocks on your door.

Management is accountable

Section 38 of the BSIG requires senior management to personally approve and oversee the risk-management measures – this cannot be delegated.

Obligations have applied since 6. Dezember 2025

The statutory registration deadline (6 March 2026) has passed. The BSI has set a final grace period until 31. Juli 2026 – after that, fines may apply.

Up to €10 million or 2% of turnover

For essential entities; important entities face up to €7 million or 1.4% of global annual turnover.

Current · BSI grace period NIS2 13 days left

BSI sets final deadline: register for NIS2 by 31. Juli 2026

The statutory registration deadline (6. März 2026) has already passed. The BSI (Germany's Federal Office for Information Security) is granting one final grace period until 31. Juli 2026 – after that, fines of up to 500.000 Euro may apply. Not registered yet? We will get you registered with the BSI in time.

Get registered now

The basics

NIS2 is no longer just an IT topic.

It is a board, executive and supervisory-board topic. Anyone who does not actively manage risk is personally liable.

The NIS2 Directive (EU) 2022/2555 and the German implementation act (NIS2UmsuCG) fundamentally reform the BSI Act. The number of regulated organisations rises from around 4,500 to roughly 29,500 – and soft recommendations become hard obligations backed by sanctions.

Reach

18 sectors instead of the previous ten or so. What was a critical-infrastructure topic becomes an economy-wide one that, for the first time, reaches the Mittelstand in full.

Responsibility

Cybersecurity is a leadership matter – legally enshrined under Section 38 of the BSIG, not merely a cultural aspiration.

Sanctions

Fine ranges on a par with the GDPR, plus the personal responsibility of senior management.

Speed

A 24-hour early warning for significant incidents, a 72-hour notification and a final report after one month.

Core obligations under Section 30 of the BSIG

You must not only implement these measures but be able to demonstrate them at any time.

  • Risk analysis & security concept – Not a one-off document but a living process with versioning, reviews and sign-off by senior management.
  • Handling security incidents – With escalation paths, clearly defined roles and a tiered reporting chain to the BSI.
  • Business continuity & crisis management – A backup strategy, tested recovery times and a crisis team that functions even without email.
  • Supply-chain security – Your responsibility does not end at the factory gate: service providers must be assessed and managed.
  • Security in procurement, development & maintenance – Security by design is no longer optional but subject to documentation requirements.
  • Effectiveness review – You must be able to measure whether your measures actually work – not merely that they exist.
  • Cyber hygiene & training – For all staff, on a regular basis and documented.
  • Cryptography & encryption – With documented key-management processes.
  • Personnel security, access control & asset management – Demonstrably governed, not just left to "IT to sort out".
  • Multi-factor authentication & secured communication – Non-negotiable for privileged access.

Management obligations under Section 38 of the BSIG: Approving the measures, overseeing their implementation and completing regular mandatory training for the management level.

Affected sectors

If you have 50 or more employees or more than €10 million in turnover in one of the 18 sectors, the question is no longer "whether" but "in which category".

Energy

Electricity, gas, oil, heating, hydrogen

Transport

Air, rail, water, road

Banking

Credit institutions

Financial markets

Trading venues & infrastructures

Healthcare

Hospitals, laboratories, manufacturers

Drinking water

Water supply

Wastewater

Collection & disposal

Digital infrastructure

IXP, DNS, cloud, data centres

ICT services

Managed (security) services B2B

Public administration

Federal and state authorities

Space

Ground-infrastructure operators

Postal & courier

Postal and delivery services

Waste

Waste management

Chemicals

Manufacturing & trade

Food

Production, processing, distribution

Manufacturing

Manufacturing industry

Digital providers

Marketplaces, search engines, social networks

Research

Research institutions

Your classification determines which obligations apply.

Clarify your status in a conversation
A quick classification in just a few minutes

NIS2 status check

Where do you stand today – affected, registered, ready to implement, audit-proof? In just a few minutes, the DLAU status check makes clear where your biggest gaps are and what risk a BSI audit or an incident would realistically pose.

Legal notice (disclaimer)

The NIS2 quick check does not constitute legal advice and is not legally binding. It serves solely as a non-binding initial assessment and does not replace an individual legal, organisational or technical review. No claims or obligations can be derived from the results. Responsibility for NIS2 conformity rests solely with the respective company.

From the status quo to a defensible position

We get you to a defensible state.

Most of the companies we speak to in 2026 are not in the preparation phase – they are playing catch-up. That is exactly what our approach is built for: prioritised, robust, audit- and incident-tested. We rely on structures that hold up under pressure.

Status check & gap analysis

An unflinching inventory: what is in place, what is missing, and what would fail in an emergency?

  • Complete inventory
  • Prioritised list of measures
  • Risk heatmap

BSI registration & mandatory setup

We get you registered and equipped with the minimum evidence the BSI will want to see in an emergency.

  • Registration via the BSI reporting office
  • Designation of the point of contact
  • Documenting the minimum evidence

ISMS development & NIS2 specifics

An ISO 27001-oriented core plus the NIS2-specific additions from the BSIG.

  • ISMS core to ISO 27001
  • Section 30 catalogue of measures
  • Section 32 reporting chain & Section 38 duties

Incident & reporting readiness

Anyone who only rehearses the reporting chain during an incident has already lost. We build it, rehearse it and document it.

  • Reporting chain to the BSI (24h/72h/1 month)
  • Emergency drills
  • Audit-proof documentation

Supply-chain security

The most underrated lever – and the most common finding in BSI audits.

  • Service-provider assessment
  • Contract clauses
  • Supplier audits

Management briefings & training

Section 38 of the BSIG requires demonstrable training. We deliver it at leadership level – with clarity for decisions.

  • Section 38-compliant training
  • Management briefings
  • Evidence documentation

Why DLAU for your NIS2 implementation?

We are not generalists

Our core is ISMS architecture based on BSI IT-Grundschutz and ISO 27001, together with the German compliance landscape: NIS2, KRITIS, DORA and IT-Grundschutz.

We build things that last

Our concepts keep working even when the main contact person resigns or the first incident hits. Person-independent, documentation-solid, audit-stable.

We speak to senior management

We translate risk into euros, measures into quarters and compliance into board papers – so that your leadership can meet its Section 38 obligations.

We stay once the certificate is on the wall

Compliance is a process, not a project. We support you operationally – with recurring audits and adaptation to new BSI regulations.

The road to a defensible position

A defensible position in three phases

No one becomes fully NIS2-compliant in twelve weeks. But in twelve weeks an acute liability risk can be turned into an orderly, documented and defensible state.

1

Situation picture

Inventory, gap analysis, BSI registration status and prioritisation of measures. By the end you know exactly where you stand, what an audit would mean today and which five measures offer the greatest risk leverage.

2-4 weeks
2

Stabilisation

Building the non-negotiable minimum structures: ISMS core, reporting chain, emergency management, supply-chain governance and the management setup. Goal: audit-proof and incident-ready.

3-6 months
3

Maturity & evidence

Effectiveness reviews, internal audits, certification support (ISO 27001 / BSI IT-Grundschutz) and continuous adaptation to new BSI regulations and sector-specific minimum requirements.

Ongoing

Frequently asked questions

NIS2 in brief

What is the NIS2 Directive?

The NIS2 Directive (EU) 2022/2555 is an EU-wide cybersecurity directive that strengthens the protection of critical infrastructure and important entities. In Germany it is transposed by the NIS2 Implementation Act (NIS2UmsuCG), which reforms the BSI Act.

Who is affected by NIS2?

NIS2 affects companies and organisations across 18 sectors – including energy, transport, healthcare, digital infrastructure, finance and public administration. As a rule, entities with 50 or more employees or more than €10 million in turnover are affected; they are classified as essential or important entities.

What penalties apply for non-compliance?

Essential entities face fines of up to €10 million or 2% of global annual turnover, and important entities up to €7 million or 1.4%. On top of that comes the personal responsibility of senior management under Section 38 of the BSIG.

Where do you stand today – and what will an incident cost you tomorrow?

A 30-minute status call is usually enough to identify the biggest risks and sketch a way out of the acute liability zone. Confidential, with no obligation, at management level.

Further reading: Standards & Compliance · Grundschutz++ · Our services