On May 1, 2026, Germany's Federal Office for Information Security (BSI) shifted from helping companies register under the NIS-2 Implementation Act (NIS2UmsuCG) to actively supervising them. The transition followed a stark number: by the March 6, 2026 deadline, only about 11,500 of an estimated 29,500 obligated companies had registered — a rate of roughly 38.5 percent. With a first formal supervisory audit wave signalled for Q3 2026, fines reaching €10 million or 2 percent of global turnover, and personal liability for executives under §38 of the BSI Act, the gap between obligation and compliance is now a live enforcement question.
The case for the regime is strong
It is worth stating plainly why this framework exists and why much of it is sound. The threat is not hypothetical: ransomware against German hospitals, logistics firms, and municipal utilities has caused real operational harm, and supply-chain compromises propagate across borders. The EU's NIS2 Directive (Directive (EU) 2022/2555) deliberately tiers entities into "essential" and "important" categories and imposes a proportionate, all-hazards risk-management standard under Article 21. Crucially, it makes management bodies accountable for cybersecurity — a corrective to the long pattern of boards treating security as a line item to be delegated and forgotten. Germany's §38 BSIG, which bars executives from fully delegating or waiving that responsibility and requires documented training, is a defensible attempt to put security on the agenda where capital is actually allocated. On the merits of what must be done, the regime is largely reasonable.
The problem is the on-ramp, not the destination
The 61.5 percent shortfall is better read as a design failure than as corporate defiance. Three choices compounded into it.
First, timing. The EU set a transposition deadline of October 17, 2024. Germany missed it by more than a year: the NIS2UmsuCG was passed by the Bundestag on November 13, 2025 and entered into force on December 6, 2025 — then gave companies a three-month registration window closing March 6, 2026. A regulator that took an extra year to legislate left obligated firms barely twelve weeks to identify their status, stand up governance, and file. Two weeks before the deadline, registrations reportedly stood at fewer than 5,000.
Second, scope expansion without scaffolding. The regime grew the regulated population from roughly 4,500 entities under the old IT Security Act to about 29,500 (BSI). The newly captured majority are mid-sized manufacturers, suppliers, and service providers — firms with no prior dedicated compliance function and no CISO to read a 24/72-hour incident-reporting clock. Worse, NIS2 in Germany relies on self-identification: companies must determine for themselves whether they cross sectoral and size thresholds. When the on-ramp requires a legal analysis before you can even register, a low completion rate is the predictable outcome, not a moral failing.
Third, the liability-and-fine framing arrived before the support did. Executives now face personal exposure under §38 and fines of up to €10 million or 2 percent of turnover for essential entities (€7 million or 1.4 percent for important ones), plus up to €500,000 for registration failures alone (K&L Gates). Heavy sanctions are a legitimate backstop. But announcing them at the front of a process that thousands of firms cannot yet navigate inverts the incentive: it signals jeopardy before it builds capability.
Enforcement should be remediation-first
The BSI's stated approach offers a path that fits a pro-innovation, proportionate posture. The agency has indicated risk-based supervision, beginning with high-impact sectors — energy, health, digital infrastructure — and a grace-period tolerance for late registrants who engage in good faith. That is the right instinct, and it should be made explicit policy rather than discretion.
Concretely, three things would convert the shortfall into security gains rather than litigation:
- Treat registration as triage, not as the violation. A firm that registers late but is actively implementing the Article 21 measures is a success of the regime, not a target for it. Reserve §38 personal liability and turnover-percentage fines for genuine negligence after a breach — gross failures, cover-ups, repeat conduct — not for paperwork lag.
- Fund the on-ramp. The BSI's portal, webinars, and the ~9,000-member Alliance for Cyber Security are useful, but determining who is in scope still falls on each firm. A binding self-assessment tool that produces a definitive in/out determination would remove the single largest source of non-registration (BSI).
- Sequence enforcement to capacity. Germany is not alone — Belgium's first NIS2 deadlines have also lapsed. A staged audit cadence that starts with the genuinely critical and ramps as smaller entities mature is more likely to raise the national security baseline than a blanket Q3 sweep.
The board-level accountability at the heart of NIS2 is the kind of structural reform that durably improves cybersecurity. But security is produced by firms actually implementing controls, not by maximizing the count of firms in technical breach. Germany has built a defensible standard on top of a rushed, under-supported rollout. Whether the next phase reads as a security upgrade or a compliance tax now depends almost entirely on how the BSI wields the discretion it has just acquired.