NIS-2 Implementation Act 2026: New Requirements for Risk Assessments and Reporting Processes in 18 Sectors

The NIS-2 Implementation Act has been in force since 6 December 2025 and extends cybersecurity obligations to around 29,500 companies in Germany - a sevenfold increase compared to the previous 4,500 entities. IT managers and security teams need to check whether they are affected without delay, as deadlines for registration, risk assessments and incident reporting are already running, and executives face personal liability.

EU Background and German Delay

The EU Directive (EU) 2022/2555 addresses weaknesses in the 2016 NIS Directive, which were exposed by ransomware attacks and disruptions to critical infrastructure. Germany missed the deadline of 17 October 2024, triggering infringement proceedings; the law only entered into force on 6 December 2025.

The delay underscores the urgency: Germany is now securing 18 sectors including energy, transport, and manufacturing. Affected entities fall into two categories: particularly important entities (e.g. energy providers with more than 250 employees or more than 50 million euros in revenue) and important entities (e.g. machine builders with more than 50 employees or more than 10 million euros in revenue). Mid-sized companies now fall under cybersecurity obligations.

Extended Sectors: From Energy to Mechanical Engineering

The 18 sectors cover energy, transport, finance, healthcare, water, IT services, postal services, chemicals, research, and manufacturing. Newly included are production industries - for example, a machine builder with 60 employees and 15 million euros in revenue who now has to analyse risks in control systems.

This expansion closes gaps in supply chains, such as automotive suppliers with cascading effects. Security teams must check their affected status by 6 March 2026, which is the registration deadline in the BSI portal.

Ten Minimum Requirements: Risk Management at the Core

Section 30 of the BSIG requires ten mandatory risk management measures, including risk analysis in line with BSI Standard 200-3 or ISO 27001. Further measures cover incident response, business continuity, supply chain security, patch management, effectiveness testing, training, cryptography, access control, and MFA. Measures must be risk-based and proportionate.

In practice: carry out a gap analysis and update it regularly.

Strict Reporting Processes: 24-Hour Initial Notification

For significant incidents (disruptions causing damage or harm to third parties): initial notification within 24 hours, detailed report within 72 hours, final report within 30 days. The BSI portal (live since 6 January 2026) is the reporting point; registration via MUK is required.

Financial and IT service providers must inform customers without delay. Test your incident response plans.
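A reporting-clock helper for the 24-hour / 72-hour / 30-day sequence above, added here as an illustration and not code from the original article or from the BSI: given the time an incident was detected and the reports already filed, it computes each stage's due time, classifies each stage as submitted, late, overdue or open, and says how many hours remain until the next filing. The stage names, the choice to start the clock at the detection timestamp, and the sample incident are this example's own assumptions; integrate it with your real incident timeline rather than copying the constructed values.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Reporting stages for a significant incident, measured from detection time
# (the article's 24h / 72h / 30-day sequence). Stage names are this example's
# own labels, not official BSIG terms.
REPORTING_STAGES = (
    ("initial_notification", timedelta(hours=24)),
    ("detailed_report", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp. A UTC offset is required so that
    deadlines are unambiguous for teams working across time zones."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} has no UTC offset")
    return dt


def reporting_deadlines(detected_at: str) -> dict[str, str]:
    """Absolute due time (ISO-8601) for each reporting stage."""
    start = _parse(detected_at)
    return {name: (start + delta).isoformat() for name, delta in REPORTING_STAGES}


def stage_status(detected_at: str, submitted: dict[str, str], now: str) -> dict[str, str]:
    """Classify every stage relative to `now`:
       'submitted' - filed on or before its deadline
       'late'      - filed, but after its deadline
       'overdue'   - not filed and the deadline has passed
       'open'      - not filed, deadline still ahead
    `submitted` maps a stage name to the ISO timestamp of its filing."""
    start = _parse(detected_at)
    current = _parse(now)
    status: dict[str, str] = {}
    for name, delta in REPORTING_STAGES:
        due = start + delta
        if name in submitted:
            status[name] = "submitted" if _parse(submitted[name]) <= due else "late"
        else:
            status[name] = "overdue" if current > due else "open"
    return status


def next_action(detected_at: str, submitted: dict[str, str], now: str) -> tuple[str, float] | None:
    """Earliest unfiled stage and the hours left until its deadline
    (negative when it is already overdue); None once everything is filed."""
    start = _parse(detected_at)
    current = _parse(now)
    for name, delta in REPORTING_STAGES:
        if name not in submitted:
            remaining = (start + delta - current).total_seconds() / 3600
            return name, round(remaining, 2)
    return None


if __name__ == "__main__":
    # Constructed sample incident: detected on 10 Jan 2026 08:00 UTC,
    # initial notification filed the next morning, nothing else yet.
    detected = "2026-01-10T08:00:00+00:00"
    filed = {"initial_notification": "2026-01-11T07:00:00+00:00"}
    now = "2026-01-11T10:00:00+00:00"
    for stage, due in reporting_deadlines(detected).items():
        print(f"{stage:22} due {due}")
    print(stage_status(detected, filed, now))
    print("next:", next_action(detected, filed, now))
```

Wire `next_action` into the on-call checklist or ticketing automation so that the remaining hours for the next filing are visible alongside the technical incident work; an "overdue" classification is the signal that the reporting obligation, not just the outage, now needs attention.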

Personal Liability and Fines

Executives must approve measures, monitor them, and undergo training every three years; neglect can lead to personal liability from private assets (Section 93 AktG). Fines: up to 10 million euros or 2% of turnover (particularly important entities), up to 7 million euros or 1.4% (important entities).

A mid-sized company with 100 million euros in turnover risks 1.4 million euros in fines if it falls short.

Registration and Implementation Steps

Register in the BSI portal by 6 March 2026 (sector, size, IP ranges); report changes within two weeks. BSI audits are risk-based; evidence must be provided at the earliest after three years.

Roadmap for IT teams:

  • Immediately: Check whether you are affected.
  • By end of January 2026: Set up MUK account, start gap and risk analysis.
  • By March 2026: Complete registration, implement incident processes, run training.
  • Ongoing: Audit supply chain, roll out MFA, run tests.

Use ISO 27001 as a blueprint.

Outlook: Opportunity, Not Just Obligation

2026 is a transition year: the portal is live, the deadline is approaching - proactive action avoids chaos. NIS-2 strengthens resilience, supply chains, and the workforce, and creates competitive advantages.

Act now: cybersecurity is on the board agenda.
