NIS2 is not an IT project. It becomes compliance theater if you approach it the wrong way.

Since December 6, 2025, NIS2 has been law in Germany. The registration deadline with the BSI expired on March 6, 2026. And now what? By March 2026, only around 38.5% of the estimated 29,500 affected companies had registered. This leaves more than 18,000 companies in a legal gray area. Registration is not the problem. The problem is that many companies treat NIS2 as a paperwork exercise – and in doing so, they neither prevent fines nor stop attackers.

The BSI Situation Report 2025 shows that small and medium-sized enterprises meet, on average, only about 56% of the basic IT security requirements and often overestimate their level of protection. At the same time, an average of 119 new vulnerabilities in IT systems were disclosed every day – a growth of around 24% compared to the previous reporting period. AI-driven attacks will further intensify the problem, and we can expect to see more attacks in the future.

Anyone who builds an Information Security Management System (ISMS) merely to satisfy auditors has already lost. Those who implement it because they understand that the company’s very existence depends on it are protecting their business from fines under Section 65 of the German Federal Office for Information Security Act (BSIG) – up to €10 million or 2% of global annual turnover – as well as from personal liability.

How many companies do you know that take their ISMS seriously, and how many are simply ticking boxes?

Expected counterarguments & responses:

  • "We’re too small."

Section 28 BSIG sets the threshold at 50 employees or €10 million in annual revenue across 18 sectors. Food production, mechanical engineering, chemicals, logistics – this is the heart of the SME sector.

  • "We have a service provider."

You can outsource the activity, not the responsibility. Section 38 BSIG places accountability squarely on management.

  • "Nothing is happening yet."

Exactly. The BSI is currently building its enforcement capacity. Companies that fail to act now may become the next example case within 12 months.

More insights can be found in the video below.
