NIS2 is now law. Your liability starts now.
Around 29,500 companies in Germany have been directly obligated since 6. Dezember 2025 – with no transition period. Under Section 38 of the BSIG (the German Act on the Federal Office for Information Security), executive management bears personal responsibility. We get you to a defensible state before the first BSI enquiry, the first incident or the first auditor knocks on your door.
Management is accountable
Section 38 of the BSIG requires senior management to personally approve and oversee the risk-management measures – this cannot be delegated.
Obligations have applied since 6. Dezember 2025
The statutory registration deadline (6 March 2026) has passed. The BSI has set a final grace period until 31. Juli 2026 – after that, fines may apply.
Up to €10 million or 2% of turnover
For essential entities; important entities face up to €7 million or 1.4% of global annual turnover.
BSI sets final deadline: register for NIS2 by 31. Juli 2026
The statutory registration deadline (6. März 2026) has already passed. The BSI (Germany's Federal Office for Information Security) is granting one final grace period until 31. Juli 2026 – after that, fines of up to 500.000 Euro may apply. Not registered yet? We will get you registered with the BSI in time.
The basics
NIS2 is no longer just an IT topic.
It is a board, executive and supervisory-board topic. Anyone who does not actively manage risk is personally liable.
The NIS2 Directive (EU) 2022/2555 and the German implementation act (NIS2UmsuCG) fundamentally reform the BSI Act. The number of regulated organisations rises from around 4,500 to roughly 29,500 – and soft recommendations become hard obligations backed by sanctions.
-
Reach
-
18 sectors instead of the previous ten or so. What was a critical-infrastructure topic becomes an economy-wide one that, for the first time, reaches the Mittelstand in full.
-
Responsibility
-
Cybersecurity is a leadership matter – legally enshrined under Section 38 of the BSIG, not merely a cultural aspiration.
-
Sanctions
-
Fine ranges on a par with the GDPR, plus the personal responsibility of senior management.
-
Speed
-
A 24-hour early warning for significant incidents, a 72-hour notification and a final report after one month.
Core obligations under Section 30 of the BSIG
You must not only implement these measures but be able to demonstrate them at any time.
- Risk analysis & security concept – Not a one-off document but a living process with versioning, reviews and sign-off by senior management.
- Handling security incidents – With escalation paths, clearly defined roles and a tiered reporting chain to the BSI.
- Business continuity & crisis management – A backup strategy, tested recovery times and a crisis team that functions even without email.
- Supply-chain security – Your responsibility does not end at the factory gate: service providers must be assessed and managed.
- Security in procurement, development & maintenance – Security by design is no longer optional but subject to documentation requirements.
- Effectiveness review – You must be able to measure whether your measures actually work – not merely that they exist.
- Cyber hygiene & training – For all staff, on a regular basis and documented.
- Cryptography & encryption – With documented key-management processes.
- Personnel security, access control & asset management – Demonstrably governed, not just left to "IT to sort out".
- Multi-factor authentication & secured communication – Non-negotiable for privileged access.
Management obligations under Section 38 of the BSIG: Approving the measures, overseeing their implementation and completing regular mandatory training for the management level.
Affected sectors
If you have 50 or more employees or more than €10 million in turnover in one of the 18 sectors, the question is no longer "whether" but "in which category".
Energy
Electricity, gas, oil, heating, hydrogen
Transport
Air, rail, water, road
Banking
Credit institutions
Financial markets
Trading venues & infrastructures
Healthcare
Hospitals, laboratories, manufacturers
Drinking water
Water supply
Wastewater
Collection & disposal
Digital infrastructure
IXP, DNS, cloud, data centres
ICT services
Managed (security) services B2B
Public administration
Federal and state authorities
Space
Ground-infrastructure operators
Postal & courier
Postal and delivery services
Waste
Waste management
Chemicals
Manufacturing & trade
Food
Production, processing, distribution
Manufacturing
Manufacturing industry
Digital providers
Marketplaces, search engines, social networks
Research
Research institutions
Your classification determines which obligations apply.
Clarify your status in a conversationNIS2 status check
Where do you stand today – affected, registered, ready to implement, audit-proof? In just a few minutes, the DLAU status check makes clear where your biggest gaps are and what risk a BSI audit or an incident would realistically pose.
Legal notice (disclaimer)
The NIS2 quick check does not constitute legal advice and is not legally binding. It serves solely as a non-binding initial assessment and does not replace an individual legal, organisational or technical review. No claims or obligations can be derived from the results. Responsibility for NIS2 conformity rests solely with the respective company.
From the status quo to a defensible position
We get you to a defensible state.
Most of the companies we speak to in 2026 are not in the preparation phase – they are playing catch-up. That is exactly what our approach is built for: prioritised, robust, audit- and incident-tested. We rely on structures that hold up under pressure.
Status check & gap analysis
An unflinching inventory: what is in place, what is missing, and what would fail in an emergency?
- Complete inventory
- Prioritised list of measures
- Risk heatmap
BSI registration & mandatory setup
We get you registered and equipped with the minimum evidence the BSI will want to see in an emergency.
- Registration via the BSI reporting office
- Designation of the point of contact
- Documenting the minimum evidence
ISMS development & NIS2 specifics
An ISO 27001-oriented core plus the NIS2-specific additions from the BSIG.
- ISMS core to ISO 27001
- Section 30 catalogue of measures
- Section 32 reporting chain & Section 38 duties
Incident & reporting readiness
Anyone who only rehearses the reporting chain during an incident has already lost. We build it, rehearse it and document it.
- Reporting chain to the BSI (24h/72h/1 month)
- Emergency drills
- Audit-proof documentation
Supply-chain security
The most underrated lever – and the most common finding in BSI audits.
- Service-provider assessment
- Contract clauses
- Supplier audits
Management briefings & training
Section 38 of the BSIG requires demonstrable training. We deliver it at leadership level – with clarity for decisions.
- Section 38-compliant training
- Management briefings
- Evidence documentation
Why DLAU for your NIS2 implementation?
We are not generalists
Our core is ISMS architecture based on BSI IT-Grundschutz and ISO 27001, together with the German compliance landscape: NIS2, KRITIS, DORA and IT-Grundschutz.
We build things that last
Our concepts keep working even when the main contact person resigns or the first incident hits. Person-independent, documentation-solid, audit-stable.
We speak to senior management
We translate risk into euros, measures into quarters and compliance into board papers – so that your leadership can meet its Section 38 obligations.
We stay once the certificate is on the wall
Compliance is a process, not a project. We support you operationally – with recurring audits and adaptation to new BSI regulations.
The road to a defensible position
A defensible position in three phases
No one becomes fully NIS2-compliant in twelve weeks. But in twelve weeks an acute liability risk can be turned into an orderly, documented and defensible state.
Situation picture
Inventory, gap analysis, BSI registration status and prioritisation of measures. By the end you know exactly where you stand, what an audit would mean today and which five measures offer the greatest risk leverage.
Stabilisation
Building the non-negotiable minimum structures: ISMS core, reporting chain, emergency management, supply-chain governance and the management setup. Goal: audit-proof and incident-ready.
Maturity & evidence
Effectiveness reviews, internal audits, certification support (ISO 27001 / BSI IT-Grundschutz) and continuous adaptation to new BSI regulations and sector-specific minimum requirements.
Frequently asked questions
NIS2 in brief
What is the NIS2 Directive?
The NIS2 Directive (EU) 2022/2555 is an EU-wide cybersecurity directive that strengthens the protection of critical infrastructure and important entities. In Germany it is transposed by the NIS2 Implementation Act (NIS2UmsuCG), which reforms the BSI Act.
Who is affected by NIS2?
NIS2 affects companies and organisations across 18 sectors – including energy, transport, healthcare, digital infrastructure, finance and public administration. As a rule, entities with 50 or more employees or more than €10 million in turnover are affected; they are classified as essential or important entities.
What penalties apply for non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover, and important entities up to €7 million or 1.4%. On top of that comes the personal responsibility of senior management under Section 38 of the BSIG.
Where do you stand today – and what will an incident cost you tomorrow?
A 30-minute status call is usually enough to identify the biggest risks and sketch a way out of the acute liability zone. Confidential, with no obligation, at management level.
Further reading: Standards & Compliance · Grundschutz++ · Our services