
Germany's NIS2 Law Is in Force, But Only 38% of Covered Firms Registered by the Deadline

BSI received filings from ~11,500 of an estimated 29,500 obligated entities by March 6, 2026 — a registration gap that says more about scope than non-compliance.

[Infographic: Germany's NIS2 Switch-On, by the Numbers (People of Internet Research, peopleofinternet.com). Panels: ~29,500 entities now in scope, up from ~4,500 under the old BSIG; 38.5% registered by deadline (~11,500 of 29,500 entities); €2.3B annual private-sector cost, plus ~€2.2B one-off; maximum fine €10M / 2%.]

Key Takeaways

Germany's transposition of the EU NIS2 Directive entered into force on December 6, 2025 with no transition period — and by its first hard deadline, the numbers told a revealing story. When the registration window closed on March 6, 2026, the Federal Office for Information Security (BSI) had received filings from roughly 11,500 of an estimated 29,500 obligated entities, a registration rate of about 38.5 percent. Two weeks before the deadline, the figure was barely 4,856. That gap is the most important data point in German cybersecurity policy this year, and it deserves a sober reading rather than a panicked one.

What the law actually does

The NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) overhauls the BSI Act (BSIG). The Bundestag passed it on November 13, 2025 — with CDU/CSU, SPD and AfD in favour, the Greens opposed and Die Linke abstaining — and it was promulgated weeks later. Its headline effect is scale: the BSIG's reach jumps from roughly 4,500 regulated organisations to more than 29,500 supervised entities, sweeping in firms with over €10 million turnover or 50-plus employees across energy, health, manufacturing, digital infrastructure, food, and waste management.

In-scope entities must register with the BSI, implement risk-management measures across ten defined areas (risk analysis, backups, supply-chain security, multi-factor authentication and more), and report significant incidents on a three-tier clock: a 24-hour early warning, a 72-hour report, and a final report within one month. Management bodies bear personal liability — Section 38 BSIG requires them not merely to approve security measures but to oversee their implementation, with mandatory training. Penalties reach €10 million or 2 percent of global annual turnover for the most critical entities; late registration alone is fineable up to €500,000.

The case for moving fast — stated fairly

The strongest argument for Germany's approach is that cyber risk does not wait for transition periods. The threat landscape facing German industry — ransomware against hospitals, supply-chain compromises against Mittelstand manufacturers — is real and worsening, and the EU directive Germany was transposing was already two years overdue (the bloc-wide deadline was October 2024). BSI President Claudia Plattner framed the speed as a feature: "NIS2 has been implemented comparatively quickly despite the change of government, and we are ready. We can get started." A baseline of mandatory hygiene — backups, MFA, incident reporting — across 29,500 firms genuinely raises the floor, and aligning Germany with a single European standard reduces fragmentation for firms operating across borders. On the merits of what must be done, NIS2 is largely defensible.

Where proportionality slipped

The problem is how the obligations were switched on. A 38.5 percent registration rate is not evidence that two-fifths of German industry is reckless. It is evidence that the state activated sweeping duties — with personal director liability and seven-figure fines — on a population of companies, most of which had never been regulated under the BSIG before, and gave them effectively zero runway. The law took effect the day it was promulgated. The self-assessment of whether a firm even qualifies as an "important" or "essential" entity is non-trivial, and many smaller firms simply did not know they were in scope.

The federal government's own impact estimate underlines the burden: the private sector faces roughly €2.2 billion in one-off costs and €2.3 billion annually, with federal administration absorbing about €212 million per year through 2029. Those are not trivial sums to impose without a phase-in, and the parts of the law governing the government's own networks drew criticism in the Bundestag for excluding subordinate federal agencies — a reminder that the state held itself to a looser standard than it imposed on industry.

The BSI's pragmatic correction

To its credit, the BSI read the room. Rather than blanket fines, it has signalled a risk-based enforcement strategy focused first on "particularly important entities in the highest-criticality sectors," and publicly described the post-deadline period as a final grace window rather than a sanctions trigger. This is the right instinct, and it is the model other member states transposing NIS2 should study: pair an ambitious scope with enforcement discretion that distinguishes the genuinely negligent from the merely overwhelmed.

But grace is not a substitute for design. The better path would have been a statutory transition period — six to twelve months — calibrated to entity size, so that a regional water utility or a mid-sized parts supplier could conduct a gap assessment, budget the spend, and register without director liability hanging over an honest classification mistake. Firms with existing ISO 27001 certification reportedly already satisfy 70–80 percent of the technical baseline; the bottleneck was never the security controls but the compressed legal onramp.

What to watch

The substance of NIS2 is sound and the BSI's restraint is encouraging. The lesson for evidence-based regulators is narrower and sharper: when you expand a compliance regime more than sixfold overnight, a low first-year registration rate is a foreseeable consequence of design, not a moral failing of the regulated. Germany now has the most expansive cybersecurity-supervision regime in its history. Whether it earns legitimacy will depend less on the fines it can levy than on how proportionately it chooses not to.

Sources & Citations

  1. Bundestag — NIS-2 / federal information security law passed (Nov 2025)
  2. Bundesregierung — Umsetzung der NIS-2-Richtlinie beschlossen
  3. netguardia — Why only one-third of entities registered by the deadline
  4. Reed Smith — Germany Implements NIS2: Immediate Effect, Broad Scope, Near-Term Registration