Personal Liability for Executives Looms as Germany’s NIS-2 Deadline Catches a Third of Firms Unprepared

Six months after Germany’s NIS-2 implementation law took effect on December 6, 2025—without any transition period—roughly one in three affected companies still has not registered. The expansion has been dramatic: the regulated pool grew from 4,500 businesses to about 29,500. Firms with at least 50 employees or €10 million in annual revenue now face obligations across 18 sectors.

The law splits companies into two categories. “Particularly important entities”—covering energy, healthcare, and banking—had to register with Germany’s Federal Office for Information Security (BSI) within three months. “Important entities,” such as those in food, chemicals, or research, were required to register immediately. Small and medium-sized enterprises faced a deadline of March 6, 2026.

Yet it is not simply missing a registration date that keeps compliance officers awake. At the “State of Security” conference in Berlin on June 3, experts stressed that NIS-2 has turned cybersecurity into a boardroom issue. Company management now bears personal liability for risk and security management. That legal exposure, they argued, far outweighs even the steep fines.

Those fines themselves are severe. Particularly important entities risk up to €10 million or 2 percent of global annual revenue. Important entities face up to €7 million or 1.4 percent of revenue.

Reporting obligations create logistical headaches

A central challenge is the strict incident reporting regime. Firms must notify authorities of significant disruptions within tight windows. The 24-hour deadline for an initial report has proved especially difficult for mid-sized companies. To help, the German Chamber of Industry and Commerce (DIHK) and cybersecurity firm G DATA CyberDefense AG are offering webinars on June 10 that cover correct reporting procedures.

The urgency of those procedures was underscored in April 2026, when a cyberattack hit the billing service provider Unimed, leaking sensitive patient data from multiple university hospitals. Under NIS-2, affected institutions are now obligated to conduct regular audits of suppliers and service providers.

Artificial intelligence adds a new layer of threat

The EU AI Act now overlaps with NIS-2, particularly around unauthorized AI tools in the workplace. Conference speakers noted that artificial intelligence acts as a catalyst for cybercrime—amplifying phishing campaigns and ransomware attacks. At the same time, hastily deployed AI systems create fresh vulnerabilities that attackers can exploit.

Bavaria breaks from Microsoft, industry builds European alternatives

On June 4, the state of Bavaria announced it had halted negotiations over a large-volume Microsoft licensing deal. Instead, it will pursue European alternatives and sovereign workplace solutions. The private sector is moving in a similar direction. A consortium of SAP, Deutsche Telekom, and the Schwarz Group has unveiled plans to build European AI “gigafactories” at several German locations, aiming to reduce reliance on non-European cloud providers.

The scale of the threat is stark. A recent survey of large enterprises in Germany, Austria, and Switzerland found that 97 percent had experienced cyber incidents over the past year. Consequences ranged from reputational damage to lost revenue and fines. As a result, two-thirds of those companies said they plan to significantly increase their cybersecurity spending.

en | boerse | 69490537 |