Why this law reaches further than you think

The NIS2 Implementation Act has applied in Germany since December 2025, and it does not only touch power plants and banks. It pulls in about 29,500 companies across 18 sectors, from logistics and food production to machine building, waste management, and digital services. The threshold is low. A firm with 50 or more employees, or 10 million euros in revenue, in one of these sectors is in scope by default.

Most owners in the Mittelstand have never thought of their business as critical infrastructure. The law does not ask for that self-image. It looks at the sector and the size, classes you as an important or an especially important entity, and attaches binding security obligations that did not exist a year ago.

The duty that lands on the owner personally

The sharpest change is who carries the duty. Under the new German law the management body must approve the cybersecurity risk measures and monitor that they are actually in place. This is not a task you can hand to an IT vendor and forget. Where leadership acts with gross negligence or intent, the law allows fines against those individuals personally and, in serious cases, a temporary ban from holding a management role.

For an owner-led company this is the part that matters. The person who signs for the firm now signs for its cyber posture. A clean outsourcing contract does not move the responsibility off the board. It only changes who you call when something goes wrong, and by then the duty has already been tested.

The registration list nobody told you about

Being well defended is not enough on its own. Affected companies have to register with the Federal Office for Information Security, the BSI, and identify themselves. The legal deadline was March 2026, and by that date only around 11,500 of the roughly 29,500 firms had done it. More than half were missing from the list.

The BSI has set a final extension to 31 July 2026 and has signalled that it will examine the first sanctions after this summer. Failing to register is itself a finable offence, up to 500,000 euros, separate from any breach. The quiet risk is not a cyberattack. It is being a company the regulator cannot find on a list it now actively checks.

What to put in motion this quarter

Three steps carry most of the weight. Confirm whether your company falls in scope, because the sector and size test is mechanical and easy to misread. Register with the BSI before the July cut-off if you are in scope. Then put a documented risk-management process in front of your management body, so the approval and oversight duty is met and recorded, not assumed.

None of this requires a large security department. It requires a clear reading of where you stand, evidence that leadership has looked at the risk, and a record you can show if the regulator asks. The companies that struggle will be the ones that treated a national cybersecurity law as an IT footnote.