Germany's NIS2 Shifts Into Enforcement Mode, But a Yawning Registration Gap Is the Real Test

With the March 6 deadline passed and the BSI empowered to audit and fine, Germany's cybersecurity regime faces a credibility challenge: roughly 40% of regulated entities still hadn't registered by June.

[Infographic: Germany's NIS2 Enforcement at a Glance (People of Internet Research, peopleofinternet.com). ~29,500 regulated entities, expanded from ~4,500; maximum fine per violation €10 million or 2% of global turnover; 18 sectors covered, spanning energy, health and transport; estimated annual compliance cost €2.3 billion.]

From Rulebook to Reckoning

Germany's cybersecurity enforcement landscape changed materially on December 6, 2025, when the Act Transposing the NIS 2 Directive (NIS2UmsG) came into force — completing a transposition that the EU had threatened to fine Berlin over after years of political delay, including a parliamentary standstill during snap elections. No transitional grace periods survived: companies had three months to register with the Federal Office for Information Security (BSI), and that deadline expired on March 6, 2026. The BSI is now legally empowered to request evidence, initiate audits, issue binding orders, and levy fines of up to €10 million — or 2% of global annual turnover, whichever is higher — against roughly 29,500 regulated entities across 18 sectors. Management boards cannot delegate ultimate oversight responsibility.

This is, on paper, the most consequential expansion of German cybersecurity law in a generation. Whether it produces genuine resilience or elaborate compliance theater depends on the next eighteen months.

The Case for Firm Enforcement

Before reaching for the sceptic's pen, the case for strong NIS2 enforcement deserves a fair hearing. Ransomware attacks on German hospitals, water utilities, and logistics operators in recent years have demonstrated that cyber incidents in critical infrastructure impose real costs on real people — delayed surgeries, disrupted supply chains, data held hostage. The previous KRITIS framework covered roughly 4,500 to 5,000 entities; this expansion to 29,500 acknowledges that modern supply chains mean a mid-sized waste management firm or a food distributor can become an attack vector into the systems that matter most. The EU directive's logic — raising a consistent floor across member states, reducing regulatory arbitrage — is sound. And the management liability provision in §38 of the revised BSI Act (BSIG), which makes board-level cybersecurity oversight legally non-delegable and requires training at least every three years, reflects a genuine lesson from prior enforcement regimes: security fails when executives treat it as purely an IT department problem.

What Enforcement Now Looks Like

The NIS2UmsG creates a two-tier entity structure. "Particularly important" entities — which include critical infrastructure operators in energy, transport, banking, healthcare, digital infrastructure, water, and space — face the €10 million or 2% turnover ceiling. "Important" entities, drawn from Annex II sectors including postal services, waste management, chemicals, food, manufacturing, digital services, and research, face fines up to €7 million or 1.4% of global turnover. The BSI can also order public disclosure of serious violations and, in the most severe cases, temporarily prohibit unreliable management from exercising their functions.

Incident reporting now operates on a strict timeline: entities must file an initial notification within 24 hours of discovering a significant incident, a detailed follow-up within 72 hours, and a final report within one month. The entire reporting channel runs through the BSI Portal, which opened for registration on January 6, 2026.

Germany also went beyond the directive's baseline in one significant respect: companies must notify the BSI of the critical components they deploy in their infrastructure, now without the advance prohibition procedure the old law required, and the Federal Ministry retains authority to ban specific components from manufacturers deemed security risks, a provision clearly shaped by the ongoing debate over Chinese suppliers in telecommunications.

The Registration Gap Complicates the Picture

Here is where the enforcement story gets complicated. By the March 6 deadline, only a minority of the expected 29,500 entities had registered; estimates put the figure well below half of all required organisations. The BSI, rather than immediately deploying its fine authority, extended the registration deadline to July 31, 2026, and committed to continued outreach through industry associations. By late May, approximately 18,500 entities had registered, still leaving a gap of roughly 11,000. That gap is measured against a projection, not a census: the 29,500 figure is the government's estimate of who falls in scope, so part of the shortfall may be entities that are not actually covered rather than entities that are ignoring the law.

Two structural explanations emerge. First, the registration process itself is onerous: it requires an ELSTER organisational certificate whose activation data arrives by post, plus detailed technical disclosures including public IP address ranges, information that many mid-market companies do not have readily to hand. Second, genuine uncertainty persists among companies about whether their specific operations clear the size and sector thresholds. The law covers entities with 50 or more employees or annual revenue exceeding €10 million that operate in regulated sectors, but the sector definitions span 18 categories with significant interpretive grey areas, especially in manufacturing and research.

The German government estimates that the NIS2UmsG will impose approximately €2.3 billion in annual compliance costs on the national economy, with one-time implementation costs of a further €2.2 billion. For the many previously unregulated companies now captured, those costs are not marginal.

Proportionate Enforcement Is the Only Sustainable Path

From a pro-innovation standpoint, the design tension in Germany's NIS2 implementation is clear: the fine structure is GDPR-scale, the scope is broader than almost any prior tech regulation, but the BSI has simultaneously signalled "business-friendly implementation" with sanctions expected only in extreme cases initially. That ambiguity carries real risk in both directions.

If the BSI moves too slowly, the law risks becoming a paper tiger, an outcome openly discussed among German legal advisers. The financial sector's faster DORA compliance offers a counter-example: when supervisors such as BaFin engaged actively and held institutions accountable, the sector moved. When supervisors signal forbearance, companies rationally delay.

If the BSI pivots to aggressive enforcement against the 11,000 unregistered entities — many of which are SMEs genuinely confused about their obligations — it risks turning a cybersecurity law into a fine-collection exercise that punishes complexity rather than genuine negligence. Neither outcome serves the directive's actual purpose.

The proportionate path is risk-stratified enforcement: prioritise audits and sanction threats against the largest critical infrastructure operators and those handling the most sensitive data, while giving smaller newly-regulated entities a structured compliance pathway and a simplified self-assessment tool. The July 31 deadline extension was the right call. The next call — whether BSI can distinguish determined non-compliance from structural confusion — will define the regime's credibility.
