NIS2 Regulatory Timeline
Key milestones and latest developments across the NIS2 Directive, BSIG, CIR 2024/2690, IT-Grundschutz, and ENISA - automatically updated.
2026
Dutch Senate committees open written input phase on Cyberbeveiligingswet (NIS2 transposition)
The Eerste Kamer committees for Digitalisering (DIGI) and Justitie en Veiligheid (J&V) opened the written input phase ('inbreng voor het verslag') on the Cyberbeveiligingswet (bill 36.764) and the parallel Wet weerbaarheid kritieke entiteiten (36.765) on 19 May 2026. Senators submit positions before the committees draft short preliminary notes on 21 May. The Tweede Kamer adopted the bill on 15 April 2026; Senate approval is the last step before entry into force, expected 1 July 2026. The Netherlands is one of the remaining laggard member states still completing NIS2 transposition.
European Commission publishes draft Guidelines on classification of high-risk AI systems (Art 6 AI Act)
The European Commission published on 19 May 2026 its draft Guidelines on the classification of high-risk AI systems under Article 6 of the AI Act (Regulation (EU) 2024/1689), together with a targeted stakeholder consultation open until 23 June 2026 (22:00 CET). The 148-page draft sets out the Commission's interpretation of Article 6(1) (Annex I embedded safety components) and Article 6(2) (Annex III standalone high-risk systems), and includes practical use-case examples per Art 6(5). Notable signals for NIS 2-regulated entities: critical-infrastructure high-risk classification under Art 6(2) + Annex III(2) is triggered by CER (Directive 2022/2557) designation, not by NIS 2 'essential entity' status; cybersecurity-purpose AI is explicitly excluded from high-risk (Recital 55); service-quality/operations AI is also excluded. Four Article 6(3) exemption paths preserved despite earlier Commission proposal to delete. Final guidelines expected after consultation close.
BSI signs cybersecurity cooperation agreement with Mecklenburg-Vorpommern (12th federal state)
BSI President Claudia Plattner and Mecklenburg-Vorpommern's Minister for Finance and Digitalization Dr. Heiko Geue sign a formal cooperation agreement in Hamburg, bringing the BSI's federal-state cooperation network to twelve states. Covers operational cybersecurity, mutual information and knowledge exchange, and joint awareness measures. Continues the Bund-Länder coordination push that began with Brandenburg on 29 April 2026 and supports NIS-2 implementation across affected public administration entities.
BSI publishes G7 guideline on Software Bill of Materials for AI
BSI and Italy's ACN co-led the G7 cybersecurity authorities and the EU Commission in producing the 'Software Bill of Materials (SBOM) for Artificial Intelligence' minimum-elements guideline. The document sets minimum requirements across seven information categories including AI models, training data sources, and potential biases. BSI President Claudia Plattner: transparency across the AI supply chain is the foundation for robust AI cybersecurity. Directly relevant to NIS 2 supply-chain risk management under Art 21(2)(d) and to the AI Act compliance pathway.
BMI/BKA Bundeslagebild Cybercrime 2025: ~335,000 cases, EUR 202.4bn damage to German economy
Federal Interior Minister Alexander Dobrindt and BKA Vice President Martina Link present the Bundeslagebild Cybercrime 2025 on 12 May 2026. About 335,000 cybercrime cases in the narrow sense were registered in 2025; two-thirds (207,888) committed from abroad or from unknown locations. Estimated damage to the German economy: EUR 202.4 billion, roughly 4.5 percent of GDP. AI-based tools are increasingly used by attackers; companies, public authorities and critical infrastructure are the principal targets. Dobrindt frames the response in NIS-2 enforcement terms: 'The state must not be a spectator in the digital space.' Provides political backdrop for the BSI's transition into the active NIS-2 audit phase started in May 2026.
BSI Cybersecurity Monitor 2026: one in ten Germans hit by cybercrime in the past year
Joint BSI and ProPK survey finds 27% of Germans have been victims of cybercrime, including 11% in the past 12 months. Most common offences: online shopping and banking fraud, account compromise, and phishing. Only 14% regularly inform themselves about cybersecurity; 33% of affected individuals report financial losses. The report underscores the broad awareness gap that NIS 2 supervision and BSI education programmes aim to close on the consumer side.
Luxembourg transposes NIS 2: Act of 5 May 2026 enters into force
Luxembourg's Act of 5 May 2026 on measures to ensure a high level of cybersecurity entered into force on 10 May 2026, transposing the NIS 2 Directive and repealing the previous NIS 1 Act. The Institut Luxembourgeois de Regulation (ILR) is the competent authority; a self-registration portal for in-scope entities is live. Notable because Luxembourg was one of the laggard member states and had been referred to the CJEU under the parallel CER infringement procedure days earlier on 29 April 2026. NIS 2-scope entities must self-register with the ILR.
AI Act Digital Omnibus: provisional political agreement reached
Council and European Parliament reached provisional political agreement on the AI Act Digital Omnibus in the early hours of 7 May 2026. Delays Annex III high-risk obligations to 2 December 2027 and Annex I embedded high-risk to 2 August 2028. Watermarking under Art 50(2) deferred to 2 December 2026. Adds new Art 5 prohibition on AI generating non-consensual intimate imagery and child sexual abuse material. Extends SME relief to small mid-cap enterprises. Formal Council and Parliament adoption required before 2 August 2026.
BSI publishes first IT security report on public EV charging infrastructure
BSI and the Federal Ministry for Transport release the first joint report analysing IT security of Germany's public EV charging infrastructure. The report examines protocol-level deficiencies in ISO 15118 and OCPP as well as software weaknesses across charging point operators, and proposes concrete security measures. BSI positions charging infrastructure at the intersection of NIS 2 transport and energy sectors: failures cascade from mobility disruption to grid-level effects.
BSI launches CyberGovSecure programme — coordinated NIS-2 implementation across German federal administration
BSI, CISO Bund and the Federal Ministry for Digital Affairs and State Modernization launched CyberGovSecure on 4 May 2026, a structured cross-departmental programme to roll out cybersecurity measures across all German federal authorities. BSI President Claudia Plattner described it as a central building block for NIS-2 implementation in the federal administration. Implementation responsibility rests with each authority; BSI provides technical and organisational support.
BSI signs cybersecurity cooperation agreement with state of Brandenburg
BSI President Claudia Plattner and Brandenburg State Secretary Ernst Buerger sign a formal cooperation agreement covering ten action areas: operational cybersecurity (information management, security tests and exercises), joint awareness and training programmes, and mutual exchanges to build technical expertise. Strengthens federal-state coordination in support of NIS2 implementation across public administration entities now in scope.
Commission refers 7 member states to CJEU for failing to transpose CER Directive
European Commission decided on 29 April 2026 to refer Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain and Sweden to the Court of Justice of the EU for failing to transpose the CER Directive (EU 2022/2557), requesting financial sanctions in each case. CER and NIS 2 share the same 17 October 2024 transposition deadline; this is the first major CJEU enforcement action under the package. Procedural sequence: formal notice November 2024, reasoned opinion July 2025, CJEU referral April 2026. Strong enforcement signal for the parallel NIS 2 infringement track.
BSI publishes C3A criteria framework for cloud sovereignty
BSI releases the Criteria enabling Cloud Computing Autonomy (C3A) framework establishing transparent sovereignty standards for cloud services. C3A complements the existing C5 catalogue by addressing 'Cyber Dominance' — the ability of cloud manufacturers to maintain permanent access to customer systems and data. Cloud providers must meet C5 prerequisites; the framework offers flexibility on data localisation (Germany or EU). Aligned with the European Cloud Sovereignty Framework (EU CSF). Not regulatory; supplements rather than replaces NIS2 cloud certification pathways.
Public feedback period closes for proposed NIS2 Directive amendments
The public feedback period for the European Commission's proposed NIS2 amendments (published January 20, 2026) closes today. Proposals include submarine infrastructure in scope, small mid-cap entity category, ransomware reporting details, strengthened ENISA cross-border supervision role, and certification-based compliance pathways. Ordinary legislative procedure in Parliament and Council follows.
ENISA publishes National Capabilities Assessment Framework 2.0
ENISA released NCAF 2.0, an updated methodology for assessing national cybersecurity capabilities and strategy maturity. Aligned with NIS2 Article 19 peer review process. Supports Member States in identifying strengths, gaps, and priority areas in cybersecurity at strategic and operational levels.
Belgium enforces first NIS2 compliance deadline — essential entities must prove cybersecurity posture
Belgium becomes the first EU country to enforce ex-ante NIS2 supervision. By April 18, essential entities must submit verified cybersecurity documentation via one of three pathways: CyberFundamentals (CyFun) verification, ISO/IEC 27001 certification, or direct CCB inspection request. Non-compliance triggers administrative measures and fines up to 10M EUR or 2% of turnover. Full certification for essential entities due April 18, 2027.
BSI publishes v1.0 of management training guidance for §38(3) BSIG
The BSI released version 1.0 of its 24-page Handreichung 'Schulung fuer Geschaeftsleitungen' on 17 April 2026, updating the preliminary v0.9 from September 2025 after consultation with Bitkom, DIHK, GI, VDMA, Zentralverband Handwerk and ZVEI. The document defines the regulator's expectations for the §38(3) BSIG management training obligation across three blocks: training organisation (audience, intervals, formats, providers, evidence), recommended content (SOLL/KANN structure covering risk analysis, risk management practices and impact assessment), and a guided self-check (10 sections of Leitfragen with helpful vs red-flag answers). Eight training formats are explicitly endorsed including quarterly risk-management sessions with the CISO, tabletop exercises, audit simulations and management red/blue teaming. Documentation must record provider, participants with role, date/time/duration and contents with statutory references.
21st German IT Security Congress concludes — 8,000 participants, NIS2 and AI security in focus
BSI hosts the 21st IT-Sicherheitskongress in Bonn on April 15-16 under the theme 'Cybernation Deutschland'. Eight sessions cover NIS-2 implementation, AI security, post-quantum cryptography, zero trust, secure supply chains, and digital identity. Hybrid workshops address Grundschutz++ 'state of the art' and EUDI-Wallet topics. Congress content remains accessible through May 15.
Netherlands passes Cyberbeveiligingswet (NIS2 transposition) in lower house
The Dutch Tweede Kamer approved the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten (CER implementation) on April 15, 2026. The Cyberbeveiligingswet replaces the existing Wbni and implements NIS2 obligations including care duties, reporting requirements, and registration. Entry into force expected July 1, 2026 pending Senate approval.
BSI Congress reveals NIS-2 implementation far behind expectations — companies deliberately avoiding registration
At the 21st IT Security Congress, BSI official Manuel Bach disclosed that NIS-2 registration remains far below expectations. Nearly 50% of German companies had never heard the term 'NIS-2' as of late 2025. Some companies are deliberately choosing not to register after consulting leadership and legal counsel. Bach compared non-compliance to tax liability: 'one cannot decide for oneself whether it applies.'
DENIC launches Phase 2 automated domain risk assessment for .de domains under NIS2
DENIC activates Phase 2 of its NIS2 implementation for .de domain registrations. An automated risk assessment system using a traffic light principle (Low/Suspicious/High Risk) now classifies all contact and domain orders. Anomalies in registration data trigger verification requests to the responsible DENIC member. Unverified domains face DNS quarantine and potential deletion. Phase 1 (December 6, 2025) had already made corporate domain owner data publicly visible in WHOIS. Affects all ~17 million .de domains.
BSI publishes C5:2026 cloud computing criteria catalogue
BSI released C5:2026, the updated Cloud Computing Compliance Criteria Catalogue replacing the 2020 version. The new edition covers container management, post-quantum cryptography, and confidential computing, aligns with the European EUCS certification scheme, and explicitly considered the NIS2 Directive in its design alongside ISO/IEC 27001:2022 and the CSA Cloud Controls Matrix v4. Will be released in machine-readable format for the first time.
Poland's amended KSC Act enters force — 42,000 entities now in scope
Poland's amended National Cybersecurity System (KSC) Act enters force on April 3, 2026, expanding NIS2 scope from ~400 to ~42,000 organizations including ~28,000 public sector bodies. New sectors added: food production, waste management, chemicals, postal services, manufacturing. Entity registry launched April 13 via the S46 platform. Self-registration deadline: October 3, 2026. Full compliance required by April 3, 2027.
BSI publishes Grundschutz++ methodology guide — PDCA-based ISMS framework
BSI releases the first methodology guide for Grundschutz++, establishing a forward-looking framework for systematically building an ISMS based on the PDCA cycle. The guide integrates strategic planning, requirements analysis, implementation, monitoring, and continuous improvement. Currently designated for pilot projects only — Edition 2023 remains the valid audit reference through 2028.
EDPB and EDPS adopt Joint Opinion 4/2026 on NIS2 amendments and Cybersecurity Act 2
EU data protection authorities formally endorse strengthening cybersecurity while raising data protection guardrails: welcome Digital Identity Wallet providers as essential entities, call for ENISA-EDPB consultation before adopting certification schemes touching personal data, recommend single-entry point for breach notifications to reduce administrative burden, and urge clarity on GDPR-cybersecurity certification overlap.
BSI and Govdigital announce 'Cyberdome' — automated cyber defense for 10 federal states
BSI and public IT providers association Govdigital announce Cyberdome: sensor-based automated cyber defense infrastructure across 10 federal states and municipalities with real-time BSI-linked monitoring.
KRITIS-Dachgesetz enters into force — physical security on top of NIS2 cyber requirements
Germany's CER Directive transposition (KRITIS-Dachgesetz) enters into force, adding physical security and resilience requirements on top of NIS2 cybersecurity. Requires BCMS alongside ISMS, physical security controls, and triennial audits. Penalties up to €1M.
Cyber Security Report 2026: 92% of small German firms misunderstand NIS2 scope
Schwarz Digits' Cyber Security Report 2026 surveys 1,001 German companies and finds 48% mistakenly believe they are not affected by NIS2. Among small companies (10-49 employees, >€10M revenue) the misconception rate reaches 92%, even though they meet the regulatory threshold.
BSI launches NIS2 FAQ specifically for public administration
BSI publishes a dedicated FAQ addressing NIS2 applicability and compliance requirements for federal, state, and municipal government entities.
BSI publishes NIS-2 implementation checklist for affected entities
BSI released a downloadable NIS-2-Checkliste on 13 March 2026 as a practical step-by-step tool for affected entities to verify implementation of NIS-2 / BSIG duties. The checklist sits in the #nis2know-Downloads package alongside the affected-entities decision tree and the public-administration FAQ that landed the same day. Currently at version 9, indicating ongoing iteration on the basis of operator feedback. Addresses registration, governance, risk management, supply-chain, incident reporting and training obligations.
ENISA publishes Technical Advisory for Secure Use of Package Managers
New guidance on secure software development lifecycle focusing on package manager security — directly relevant for NIS2 supply chain security requirements (Art. 21(2)(d)).
22 of 27 EU member states have completed NIS2 transposition
Cullen International reports 22 EU states have transposed NIS2. Five remain: France, Ireland, Luxembourg, Netherlands (legislation in parliament) and Spain (no draft submitted). Spain is the furthest behind.
BSI registration deadline passes — fines now possible for non-registration
Three months after BSIG entry into force, the mandatory registration deadline at the BSI portal expires. Late registration is still accepted but penalties of up to €10M or 2% of annual revenue are now legally enforceable.
Only ~11,500 of ~29,500 affected entities registered by the deadline
By the March 6 deadline, approximately 11,500 authorities, companies, and other critical facilities registered with the BSI under NIS2 — leaving around 18,000 of the 29,500 obligated entities still missing. The BSI spokesperson said it remains unclear whether the original estimate was too high or whether large numbers of affected parties simply failed to comply.
BOS digital radio operator receives ISO 27001/IT-Grundschutz certification
Germany's public safety digital radio (BOS) network operator achieves ISO 27001 certification on IT-Grundschutz basis, demonstrating critical infrastructure security compliance.
Public comment period opens for CRA compliance technical guideline
BSI opens public comment period for the Cyber Resilience Act (CRA) compliance technical guideline, connecting product security requirements with NIS2 supply chain obligations.
BMI publishes draft Active Cyber Defense Act — new obligations for NIS2-regulated entities
Federal Interior Ministry presents the Gesetz zur Stärkung der Cybersicherheit, granting BKA, Federal Police, and BSI active cyber defense powers including disrupting attacker infrastructure. Adds obligations for NIS2-regulated entities: mandatory cooperation during state-led cyber operations, attack detection systems connected to BSI, and DNS-based protection for customers. Fines up to €20M or 2% of global turnover. Requires ~375 new government positions by 2030.
Poland signs NIS2 transposition into law — enters force April 2, 2026
President Nawrocki signs the amendment to Poland's National Cybersecurity System Act (UKSC), transposing NIS2 into Polish law. Enters force April 2 after one-month vacatio legis. Entity registration deadline: October 3, 2026. Full compliance deadline: April 3, 2027. President simultaneously refers provisions on high-risk providers and penalties to Constitutional Tribunal.
ENISA releases Cybersecurity Exercise Methodology framework
New methodology for planning, running, and evaluating cybersecurity exercises — relevant for NIS2 entities required to test incident response capabilities under Art. 21.
NIS Cooperation Group adopts ICT Supply Chain Security Toolbox
The NIS Cooperation Group publishes a common framework for identifying, assessing, and mitigating cybersecurity risks across ICT supply chains. The toolbox includes risk scenarios, mitigation measures, and guidance on reducing dependencies on high-risk suppliers. Accompanied by sector-specific risk assessments for connected vehicles and detection equipment.
ENISA publishes International Strategy for cybersecurity cooperation
ENISA releases its international cooperation strategy outlining how the agency works with non-EU partners on cybersecurity standards and threat intelligence sharing.
Südwestfalen-IT receives ISO 27001 certification on IT-Grundschutz basis
Following the devastating 2023 ransomware attack, the municipal IT provider Südwestfalen-IT achieves ISO 27001 certification based on IT-Grundschutz, demonstrating recovery and security maturity.
EU proposes NIS2 amendments — new entity types, harmonization ceiling, PQC migration
European Commission unveils cybersecurity package with targeted NIS2 amendments: submarine infrastructure and digital wallet providers added, new 'small mid-cap' category (~22,500 companies), mandatory ransomware reporting details, and post-quantum cryptography migration deadlines (2030/2035).
First EUCC cybersecurity certificate issued under EU framework
The first European Cybersecurity Certification (EUCC) certificate is issued, establishing a common EU-wide certification scheme that NIS2 entities can use to demonstrate compliance.
BSI NIS2 registration portal launches
BSI launches portal.bsi.bund.de for NIS2 entity registration and incident reporting. Registration requires an ELSTER organizational certificate (5-10 business days processing).
Grundschutz++ transition phase begins — parallel operation through 2029
BSI officially launches the Grundschutz++ modernization transition. Machine-readable OSCAL/JSON format replaces PDF/Excel. Edition 2023 remains valid for audits during the transition through 2029.
2025
BSIG enters into force — NIS2 is law in Germany
The amended BSIG enters into force on St. Nicholas Day, over a year after the EU transposition deadline. No transition period — all obligations are immediately effective for ~29,500 affected entities.
NIS2UmsuCG published in Federal Law Gazette (BGBl. 2025 I Nr. 301)
The NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz is published in the Federal Law Gazette, entering into force the following day.
Bundestag passes NIS2UmsuCG — Germany's NIS2 implementation law
German parliament passes the NIS2UmsuCG in 2nd and 3rd readings. Votes: CDU/CSU + SPD + AfD in favor, Greens against, Die Linke abstained. Approximately 29,500 entities now fall under BSI supervision.
Coalition agrees on NIS2UmsuCG compromises — ex-post model for critical components
CDU/CSU-SPD coalition reaches agreement: critical component regulation shifts from ex-ante approval to ex-post notification model. Federal CISO role transferred to BSI in Bonn.
BSI publishes Grundschutz++ preview on GitHub (OSCAL/JSON)
BSI releases the Stand-der-Technik-Bibliothek on GitHub with preview of abstract requirements in OSCAL/JSON format. Not production-ready — initial draft only, concrete measures still being added.
German cabinet approves NIS2UmsuCG draft law
The German federal cabinet approves the draft NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, forwarding it to parliament. The bill was fast-tracked due to the missed EU deadline.
ENISA publishes NIS2 Technical Implementation Guidance v1.0
170-page document translating CIR 2024/2690 into practical measures across 13 thematic areas with evidence examples and standards mappings. Primary reference for NIS2 compliance implementation.
EC sends reasoned opinions to 19 member states for late NIS2 transposition
The European Commission escalates infringement proceedings against 19 member states that failed to transpose the NIS2 Directive by the October 2024 deadline.
2024
CIR 2024/2690 enters into force
The Commission Implementing Regulation becomes binding across all EU member states 20 days after publication, establishing the technical baseline for NIS2 compliance.
CIR 2024/2690 published — NIS2 technical requirements regulation
Commission Implementing Regulation (EU) 2024/2690 published, specifying technical and methodological requirements for NIS2 cybersecurity risk management measures for digital infrastructure and service providers.
NIS2 transposition deadline expires — most member states miss it
Member states were required to transpose NIS2 into national law by this date. Most, including Germany, miss the deadline. Only Belgium has fully transposed and begun enforcement.
2023
IT-Grundschutz Kompendium Edition 2023 released
BSI publishes the IT-Grundschutz Kompendium Edition 2023 — the current production standard for information security management in Germany. Remains the valid audit reference through the Grundschutz++ transition.
NIS2 Directive enters into force
The NIS2 Directive enters into force 20 days after publication. Member states have until October 17, 2024 to transpose it into national law.
2022
NIS2 Directive published in Official Journal
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union published in the Official Journal of the European Union.
Sources
This page is regularly updated from the following official and journalistic sources.