NIS2 Regulatory Timeline
Key milestones and latest developments across the NIS2 Directive, BSIG, CIR 2024/2690, IT-Grundschutz, and ENISA — automatically updated.
2026
EDPB and EDPS adopt Joint Opinion 4/2026 on NIS2 amendments and Cybersecurity Act 2
EU data protection authorities formally endorse strengthening cybersecurity while raising data protection guardrails. They welcome Digital Identity Wallet providers as essential entities, call for ENISA-EDPB consultation before adopting certification schemes touching personal data, recommend a single entry point for breach notifications to reduce administrative burden, and urge clarity on GDPR-cybersecurity certification overlap.
BSI and Govdigital announce 'Cyberdome' — automated cyber defense for 10 federal states
BSI and public IT providers association Govdigital announce Cyberdome: sensor-based automated cyber defense infrastructure across 10 federal states and municipalities with real-time BSI-linked monitoring.
KRITIS-Dachgesetz enters into force — physical security on top of NIS2 cyber requirements
Germany's CER Directive transposition (KRITIS-Dachgesetz) enters into force, adding physical security and resilience requirements on top of NIS2 cybersecurity. Requires BCMS alongside ISMS, physical security controls, and triennial audits. Penalties up to €1M.
BSI launches NIS2 FAQ specifically for public administration
BSI publishes a dedicated FAQ addressing NIS2 applicability and compliance requirements for federal, state, and municipal government entities.
ENISA publishes Technical Advisory for Secure Use of Package Managers
New guidance on secure software development lifecycle focusing on package manager security — directly relevant for NIS2 supply chain security requirements (Art. 21(2)(d)).
BSI registration deadline passes — fines now possible for non-registration
Three months after BSIG entry into force, the mandatory registration deadline at the BSI portal expires. Late registration is still accepted but penalties of up to €10M or 2% of annual revenue are now legally enforceable.
Only 38.5% of affected companies registered — 18,000+ miss the deadline
Only ~11,500 of ~29,500 affected entities registered by the March 6 deadline. Over 4,000 rushed to register in the final week. Main barriers: uncertainty about applicability, complex ELSTER certificate requirement, and lack of awareness among mid-sized companies.
BOS digital radio operator receives ISO 27001/IT-Grundschutz certification
Germany's public safety digital radio (BOS) network operator achieves ISO 27001 certification on IT-Grundschutz basis, demonstrating critical infrastructure security compliance.
Public comment period opens for CRA compliance technical guideline
BSI opens public comment period for the Cyber Resilience Act (CRA) compliance technical guideline, connecting product security requirements with NIS2 supply chain obligations.
BMI publishes draft Active Cyber Defense Act — new obligations for NIS2-regulated entities
Federal Interior Ministry presents the Gesetz zur Stärkung der Cybersicherheit, granting BKA, Federal Police, and BSI active cyber defense powers including disrupting attacker infrastructure. Adds obligations for NIS2-regulated entities: mandatory cooperation during state-led cyber operations, attack detection systems connected to BSI, and DNS-based protection for customers. Fines up to €20M or 2% of global turnover. Requires ~375 new government positions by 2030.
Poland signs NIS2 transposition into law — enters into force April 2, 2026
President Nawrocki signs the amendment to Poland's National Cybersecurity System Act (UKSC), transposing NIS2 into Polish law. Enters into force April 2 after a one-month vacatio legis. Entity registration deadline: October 3, 2026. Full compliance deadline: April 3, 2027. The President simultaneously refers provisions on high-risk providers and penalties to the Constitutional Tribunal.
ENISA releases Cybersecurity Exercise Methodology framework
New methodology for planning, running, and evaluating cybersecurity exercises — relevant for NIS2 entities required to test incident response capabilities under Art. 21.
Hybridity raises €2M for AI-powered NIS2/DORA compliance automation
Stockholm-based Hybridity raises €2M (total €5M) for its AI platform 'Hy5' automating DORA, NIS2, and GDPR compliance. Platform auto-reviews contracts and generates compliance action lists.
ENISA publishes International Strategy for cybersecurity cooperation
ENISA releases its international cooperation strategy outlining how the agency works with non-EU partners on cybersecurity standards and threat intelligence sharing.
Südwestfalen-IT receives ISO 27001 certification on IT-Grundschutz basis
Following the devastating 2023 ransomware attack, the municipal IT provider Südwestfalen-IT achieves ISO 27001 certification based on IT-Grundschutz, demonstrating recovery and security maturity.
EU proposes NIS2 amendments — new entity types, harmonization ceiling, PQC migration
European Commission unveils cybersecurity package with targeted NIS2 amendments: submarine infrastructure and digital wallet providers added, new 'small mid-cap' category (~22,500 companies), mandatory ransomware reporting details, and post-quantum cryptography migration deadlines (2030/2035).
First EUCC cybersecurity certificate issued under EU framework
The first European Cybersecurity Certification (EUCC) certificate is issued, establishing a common EU-wide certification scheme that NIS2 entities can use to demonstrate compliance.
BSI NIS2 registration portal launches
BSI launches portal.bsi.bund.de for NIS2 entity registration and incident reporting. Registration requires an ELSTER organizational certificate (5-10 business days processing).
Grundschutz++ transition phase begins — parallel operation through 2029
BSI officially launches the Grundschutz++ modernization transition. Machine-readable OSCAL/JSON format replaces PDF/Excel. Edition 2023 remains valid for audits during the transition through 2029.
2025
BSIG enters into force — NIS2 is law in Germany
The amended BSIG enters into force on St. Nicholas Day, over a year after the EU transposition deadline. No transition period — all obligations are immediately effective for ~29,500 affected entities.
NIS2UmsuCG published in Federal Law Gazette (BGBl. 2025 I Nr. 301)
The NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz is published in the Federal Law Gazette, entering into force the following day.
Bundestag passes NIS2UmsuCG — Germany's NIS2 implementation law
German parliament passes the NIS2UmsuCG in 2nd and 3rd readings. Votes: CDU/CSU + SPD + AfD in favor, Greens against, Die Linke abstained. Approximately 29,500 entities now fall under BSI supervision.
Coalition agrees on NIS2UmsuCG compromises — ex-post model for critical components
CDU/CSU-SPD coalition reaches agreement: critical component regulation shifts from ex-ante approval to ex-post notification model. Federal CISO role transferred to BSI in Bonn.
BSI publishes Grundschutz++ preview on GitHub (OSCAL/JSON)
BSI releases the Stand-der-Technik-Bibliothek on GitHub with preview of abstract requirements in OSCAL/JSON format. Not production-ready — initial draft only, concrete measures still being added.
German cabinet approves NIS2UmsuCG draft law
The German federal cabinet approves the draft NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, forwarding it to parliament. The bill was fast-tracked due to the missed EU deadline.
ENISA publishes NIS2 Technical Implementation Guidance v1.0
170-page document translating CIR 2024/2690 into practical measures across 13 thematic areas with evidence examples and standards mappings. Primary reference for NIS2 compliance implementation.
EC sends reasoned opinions to 19 member states for late NIS2 transposition
The European Commission escalates infringement proceedings against 19 member states that failed to transpose the NIS2 Directive by the October 2024 deadline.
2024
CIR 2024/2690 enters into force
The Commission Implementing Regulation becomes binding across all EU member states 20 days after publication, establishing the technical baseline for NIS2 compliance.
CIR 2024/2690 published — NIS2 technical requirements regulation
Commission Implementing Regulation (EU) 2024/2690 published, specifying technical and methodological requirements for NIS2 cybersecurity risk management measures for digital infrastructure and service providers.
NIS2 transposition deadline expires — most member states miss it
Member states were required to transpose NIS2 into national law by this date. Most, including Germany, miss the deadline. Only Belgium has fully transposed and begun enforcement.
2023
IT-Grundschutz Kompendium Edition 2023 released
BSI publishes the IT-Grundschutz Kompendium Edition 2023 — the current production standard for information security management in Germany. Remains the valid audit reference through the Grundschutz++ transition.
NIS2 Directive enters into force
The NIS2 Directive enters into force 20 days after publication. Member states have until October 17, 2024 to transpose it into national law.
2022
NIS2 Directive published in Official Journal
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union published in the Official Journal of the European Union.
Sources
This page is regularly updated from the following official and journalistic sources.