---
title: "NIS2 Implementation Deadlines: Timeline and Fines"
date: 2026-06-02T09:10:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/nis2-umsetzungsfristen-zeitplan-und-bußgelder"
section: "Entries: Articles"
---
### Critical Timeline (Germany)

#### In Force Since 6 December 2025

What applies immediately:

- Risk management obligations (technical and organisational measures, including backup management and recovery)
- Incident reporting obligations: early warning within 24 hours, full notification within 72 hours, final report within one month
- Management accountability: executives must approve and oversee the risk management measures

#### Registration: Completed by 6 March 2026

Affected entities had to register with the BSI (German Federal Office for Information Security) within three months of the law taking effect. The BSI registration portal opened on 6 January 2026; the deadline expired on 6 March 2026.

If your organisation is in scope and has not registered: do it now. Late registration is better than discovery during an incident.

#### Evidence of Compliance: By December 2028

Particularly important entities must demonstrate the implementation of their measures to the BSI within three years, i.e. by December 2028. Important entities are supervised reactively: the BSI investigates upon indications of non-compliance.

Around 29,000 organisations in Germany fall under the new regime.

---

### Fine Structure

The fine ceilings follow the directive and are substantial:

- Essential / particularly important entities: up to EUR 10,000,000 or 2% of global annual turnover, whichever is higher
- Important entities: up to EUR 7,000,000 or 1.4% of global annual turnover, whichever is higher

Fines apply to violations of risk management, registration and reporting obligations. In addition, supervisory authorities can issue binding instructions.

#### Personal Accountability

Executive management is explicitly responsible under NIS2: management must approve the cybersecurity risk measures, monitor their implementation and attend cybersecurity training. Breaches of these duties can trigger liability of executives towards the company under general corporate law.

---

### Realistic Expectations: Enforcement Scenarios

Scenario 1: Good management, minor deficiencies. Expected outcome: instruction to remediate with a deadline; a fine is possible but unlikely as a first step.

Scenario 2: Lax management, systematic deficiencies (no registration, no backups, no training). Expected outcome: substantial fine, binding supervisory instructions, executive accountability becomes a real issue.

Scenario 3: A security incident followed by a failure to report it, combined with demonstrable non-compliance. Expected outcome: fines for both the compliance and the reporting failures, plus civil claims from customers and partners. The incident itself is usually far more expensive than any fine.

---

### What You Should Do Now (mid-2026)

1. Verify classification: essential/particularly important or important entity? Which systems are in scope? Document the reasoning.
2. Close the registration gap: if in scope and not registered, register with the competent national authority immediately.
3. Risk analysis and measures plan: identify critical data and systems, define RTO/RPO, identify gaps, plan measures with owners, budget and dates.
4. Implement core measures: patch management, backup concept with offline or air-gapped copies and tested recovery, incident response plan including the 24h/72h reporting workflow, training including management.
5. Build audit readiness: internal gap analysis, compliance documentation in one place; particularly important entities should plan the evidence audit well before the December 2028 deadline.

---

### Budget Planning: What Does It Cost?

Indicative figures for an important entity (50 to 250 employees, EUR 10 to 50 million turnover):

- Consulting / risk analysis: EUR 20,000 to 50,000
- Hardware air gap backup: EUR 60,000 to 150,000
- EDR/security software (annual): EUR 30,000 to 80,000
- Training/awareness: EUR 10,000 to 30,000
- Audit (annual): EUR 20,000 to 50,000
- Administration/documentation: EUR 15,000 to 30,000
- Total year 1: EUR 155,000 to 390,000
- Total year 2 onwards: EUR 90,000 to 240,000 per year

These are estimates from project experience, not legal requirements. The investment is significant, but far below the typical cost of a successful ransomware attack.

---

### Frequently Asked Questions

Is there a transition period for the security measures? No. In Germany the obligations have applied since 6 December 2025. What is phased is the evidence requirement for particularly important entities (by December 2028).

We missed the registration deadline. What now? Register immediately. The deadline was 6 March 2026. Authorities distinguish between entities that register late and entities that are unwilling to register.

Will auditors actually come? Particularly important entities must proactively demonstrate compliance by December 2028. Important entities are checked when there are indications of problems, and a reported incident is exactly such an indication.

Is a self-declaration sufficient? The evidence can be provided through security audits, certifications (e.g. ISO 27001) or BSI-defined procedures. External validation carries far more weight, especially after an incident.

---

### Further Resources

- [NIS2 Explained: Who Is Affected and What Do You Need to Do?](/en/blog/nis2-einfach-erklaert/)
- [NIS2 Personal Liability: What Executives Need to Know](/en/blog/nis2-persoenliche-haftung/)
- [NIS2 IT Resilience Requirements](/en/blog/nis2-it-resilienz-anforderungen/)
- [Audit Preparation: NIS2 Checklist](/en/blog/audit-preparation-nis2-checklist/)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within a defined timeframe (RTO) and with no more than a defined maximum data loss (RPO) after a severe failure such as a ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)
