Germany’s Federal Office for Information Security (BSI) has pushed back the registration deadline for the country’s new cybersecurity legislation to 31 July 2026 — but more than 10,000 businesses still have not completed the process. As of late May, only around 18,500 of the roughly 29,000 to 30,000 affected organisations had registered, according to the BSI. The original cutoff date of 6 March 2026 was already missed by about 11,500 companies.
The law, formally the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), has been in force since 6 December 2025 with no transition periods for its security requirements. Companies that still need to clarify open questions during registration can use a six-week finalisation period, but the clock is ticking.
Fines of up to €10 million and management on the hook
Failing to register alone carries penalties of up to €500,000. For more serious breaches, the fines are tiered:
- Especially important entities: up to €10 million or 2 percent of annual global turnover
- Important entities: up to €7 million or 1.4 percent of annual global turnover
A central element is personal liability for executives. Company leaders must formally approve cybersecurity measures and oversee their implementation. If gross negligence is involved, management faces direct financial consequences — cybersecurity is now unequivocally a boardroom issue.
The law applies to organisations with at least 50 employees or annual revenue of €10 million, provided they operate in one of 18 defined sectors.
Cyber threats escalate as healthcare and finance bear the brunt
The urgency is underscored by the current threat landscape. Cyberattacks cause an estimated €200 billion in annual damage across Germany. Since the start of the year, attacks that bypass multi-factor authentication (MFA) have surged 37-fold. In the financial sector, phishing attempts have quadrupled, with roughly 82 percent of attacks now AI-generated.
The healthcare sector is particularly exposed. A 2025 study by the German Hospital Institute (DKI) found that 20 percent of general hospitals with more than 100 beds had experienced reportable incidents in the previous three years, and 86 percent of facilities expect the situation to worsen. For financial institutions, the EU’s DORA regulation takes precedence over NIS-2; the BSI and the financial regulator BaFin are coordinating oversight.
Strict reporting obligations when incidents hit
The NIS-2 legislation introduces a multi-stage incident reporting process that begins the moment management becomes aware of a breach:
- Within 24 hours: an early warning must be sent to the BSI
- Within 72 hours: a full incident report is required
- Within one month: a final report must be submitted
Because these requirements overlap with the General Data Protection Regulation (GDPR), companies need to align their reporting processes. Notifications must reach both the BSI and the relevant data protection authorities on time. Experts recommend using established frameworks such as ISO 27001 or the BSI IT-Grundschutz as a baseline, as they address the core NIS-2 areas of risk management, incident response, and business continuity.