IT-Security · 8 min read

NIS2 in Practice, Mid-2026: The Law Is Here — What You Need To Do Now

The German NIS2 implementation law is in force — with no transition period. Status mid-2026, who is affected via the supply chain, and a workable order of steps for SMEs.

Christoph Helminger
9 June 2026
NIS2 implementation SME 2026 cybersecurity risk management Bavaria

Back in December 2024 we wrote an introduction to NIS2 for Bavarian SMEs — still in the conditional tense that hung over the whole topic for months: "the law is coming, at some point." That phase is over. Germany's NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been in force since 6 December 2025, and with no transition period. Anyone who is affected has been affected since the day of publication.

We are not going to repeat the basics here — those are in the linked article. Instead, this is about the practical status mid-2026: what has actually changed, what we are seeing in our engagements right now, and the order in which you can pragmatically bring an SME into a defensible state.

The status: in force, registration required, no grace period

The key facts in brief, so everyone starts from the same baseline:

  • Entry into force: The Bundestag passed the act in November 2025, the Bundesrat approved it, and it has been in force since 6 December 2025.
  • No transition period. Unlike earlier IT security legislation, there is no run-up year. The obligations apply from day one.
  • Registration with the BSI: The BSI reporting portal went live in early January 2026. The statutory deadline for affected entities to register expired in March 2026.
  • Scope: Estimates put the number of directly affected companies in Germany at around 29,500 — compared with roughly 2,000 entities under the old critical-infrastructure rules. That is the real shift: NIS2 brings the broad mid-market into scope.

So anyone affected mid-2026 who has not yet registered is already past the deadline. That is no reason to panic, but it is a reason to do it now rather than keep postponing.

Who is affected — and why "we're too small" often isn't true

NIS2 distinguishes two classes. Simplified: from 50 employees or more than 10 million euros in annual turnover within one of the regulated sectors, you generally fall under the law. Larger entities (broadly from 250 employees or 50 million euros turnover in the most critical sectors) count as essential entities and are under proactive BSI supervision — the authority may audit even when nothing has happened. Important entities are supervised reactively, that is, only after a reported incident or on concrete suspicion.

But the point we most often have to explain in practice is a different one: the supply chain. Even if, as a 30-person business, you formally fall outside NIS2's direct scope, the requirement reaches you through your customers. An affected company is legally obliged to manage the security of its supply chain. As a result, larger clients pass their NIS2 requirements down to their suppliers via contracts and supplier questionnaires. We are already seeing this concretely in the Berchtesgaden and Traunstein region and across DACH: mechanical engineering firms, IT providers and other suppliers receive questionnaires from their major customers asking about MFA, backup tests and an incident response plan — months before their own company would ever have heard from the BSI.

Our advice: if you are unsure whether you are directly affected, get that assessed properly (the scope assessment is part of our consulting). But do not wait on that to start working on the measures — they are coming anyway, at the latest via the first customer contract.

The three core duties that matter

NIS2 boils down to three duties that are decisive for managing directors:

1. Risk management. The act requires concrete technical and organisational measures: risk analysis, incident handling, business continuity and backup management, supply-chain security, access control, encryption, multi-factor authentication. This is not an exotic list — at its core it is solid IT security that a well-run company needs anyway. What is new is that it must be demonstrably documented.

2. Reporting obligations. A significant security incident triggers a three-stage timeline: an early warning within 24 hours, a more detailed report within 72 hours, and a final report within one month. In practice this is where most organisations fail — not because they don't want to report, but because when it matters no one knows who decides what counts as "significant" or how to operate the portal in the first place. That has to be rehearsed in advance.

3. Management duty and liability. This is the most uncomfortable change. Management must approve the risk-management measures and oversee their implementation — and is personally liable for breaches of duty. In addition, training for the leadership level on cybersecurity is mandatory. With NIS2, cybersecurity is definitively no longer a pure IT matter to be "delegated to the tech team." It is a boardroom responsibility, and one backed by personal liability.

A workable order of steps for SMEs

The most common reaction we encounter is paralysis: the list looks overwhelming, so nothing happens. A clear order of steps is the cure. This is how we proceed in projects:

Step 1 — Clarify scope and register. First answer the question "Am I directly affected?" properly. If yes: register with the BSI, even if the deadline has passed. A late registration is always better than none.

Step 2 — Take stock instead of acting blindly. Before you spend money, do an honest inventory: what is already in place today? MFA everywhere? Working, tested backups? A patching process? Up-to-date access rights? This inventory overlaps strongly with what we check in our IT security audits anyway — and with the twelve points from our GDPR audit for SMEs. Data protection and NIS2 overlap considerably; no one needs to do the work twice.

Step 3 — The quick, effective measures first. Enable MFA across the board. Close orphaned accounts of former employees. A backup that is demonstrably restorable (a backup you have never restored is a hope, not a backup). These measures cost little and reduce risk noticeably right away.

Step 4 — Define the reporting chain and run it once. Who decides whether an incident is "significant"? Who reports within 24 hours? Where are the BSI portal credentials? A one-page emergency sheet that is to hand when it matters is worth more than an 80-page concept buried in SharePoint.

Step 5 — Documentation and management training. Only at the end comes what most fear first: the documentation. It stays lean when the measures are genuinely implemented — you then simply describe what actually exists. In parallel, complete the mandatory training for the leadership level.

The pleasant side effect: cyber insurance

An argument that often carries more weight in the boardroom than the law itself: as of mid-2026, insurers require essentially the same measures for a cyber policy — MFA, EDR instead of classic antivirus, tested backups, clean patch management, an incident response plan. Anyone who implements NIS2 properly thereby meets a large part of what is a precondition for an affordable policy anyway, and for the insurer actually paying out when a claim arises. So the work pays off twice.

Our take

Mid-2026, NIS2 is no longer a question for the future but applicable law with no grace period — and via the supply chain it affects far more businesses in the Berchtesgaden region and across DACH than feel directly concerned. The good news: the required measures are solid, sensible IT security, not bureaucratic box-ticking. Anyone who proceeds in the right order — first clarify and register, then the effective baseline measures, then document — reaches a defensible state with manageable effort. We accompany exactly this path: not with reports for the drawer, but with measures that hold up when it matters. If you want to know where you stand, a structured inventory is the right first step.


