Live Timeline

NIS2 Regulatory Timeline

Key milestones and latest developments across the NIS2 Directive, BSIG, CIR 2024/2690, IT-Grundschutz, and ENISA - automatically updated.

47 events. Updated May 3, 2026

2026

BSI signs cybersecurity cooperation agreement with state of Brandenburg

BSI President Claudia Plattner and Brandenburg State Secretary Ernst Buerger sign a formal cooperation agreement covering ten action areas: operational cybersecurity (information management, security tests and exercises), joint awareness and training programmes, and mutual exchanges to build technical expertise. Strengthens federal-state coordination in support of NIS2 implementation across public administration entities now in scope.

BSI|enforcement, kritis

BSI publishes C3A criteria framework for cloud sovereignty

BSI releases the Criteria enabling Cloud Computing Autonomy (C3A) framework establishing transparent sovereignty standards for cloud services. C3A complements the existing C5 catalogue by addressing 'Cyber Dominance' — the ability of cloud manufacturers to maintain permanent access to customer systems and data. Cloud providers must meet C5 prerequisites; the framework offers flexibility on data localisation (Germany or EU). Aligned with the European Cloud Sovereignty Framework (EU CSF). Not regulatory; supplements rather than replaces NIS2 cloud certification pathways.

BSI|publication, certification, guidance

Public feedback period closes for proposed NIS2 Directive amendments

The public feedback period for the European Commission's proposed NIS2 amendments (published January 20, 2026) closes today. Proposals include submarine infrastructure in scope, small mid-cap entity category, ransomware reporting details, strengthened ENISA cross-border supervision role, and certification-based compliance pathways. Ordinary legislative procedure in Parliament and Council follows.

European Commission|amendment, deadline

ENISA publishes National Capabilities Assessment Framework 2.0

ENISA released NCAF 2.0, an updated methodology for assessing national cybersecurity capabilities and strategy maturity. Aligned with NIS2 Article 19 peer review process. Supports Member States in identifying strengths, gaps, and priority areas in cybersecurity at strategic and operational levels.

ENISA|guidance, publication

Belgium enforces first NIS2 compliance deadline — essential entities must prove cybersecurity posture

Belgium becomes the first EU country to enforce ex-ante NIS2 supervision. By April 18, essential entities must submit verified cybersecurity documentation via one of three pathways: CyberFundamentals (CyFun) verification, ISO/IEC 27001 certification, or direct CCB inspection request. Non-compliance triggers administrative measures and fines up to 10M EUR or 2% of turnover. Full certification for essential entities due April 18, 2027.

other|enforcement, certification, deadline

21st German IT Security Congress concludes — 8,000 participants, NIS2 and AI security in focus

BSI hosts the 21st IT-Sicherheitskongress in Bonn on April 15-16 under the theme 'Cybernation Deutschland'. Eight sessions cover NIS-2 implementation, AI security, post-quantum cryptography, zero trust, secure supply chains, and digital identity. Hybrid workshops address Grundschutz++ 'state of the art' and EUDI-Wallet topics. Congress content remains accessible through May 15.

BSI|guidance, publication

Netherlands passes Cyberbeveiligingswet (NIS2 transposition) in lower house

The Dutch Tweede Kamer approved the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten (CER implementation) on April 15, 2026. The Cyberbeveiligingswet replaces the existing Wbni and implements NIS2 obligations including care duties, reporting requirements, and registration. Entry into force expected July 1, 2026 pending Senate approval.

other|legislation, transposition

BSI Congress reveals NIS-2 implementation far behind expectations — companies deliberately avoiding registration

At the 21st IT Security Congress, BSI official Manuel Bach disclosed that NIS-2 registration remains far below expectations. Nearly 50% of German companies had never heard the term 'NIS-2' as of late 2025. Some companies are deliberately choosing not to register after consulting leadership and legal counsel. Bach compared non-compliance to tax liability: 'one cannot decide for oneself whether it applies.'

heise Security|enforcement, registration

DENIC launches Phase 2 automated domain risk assessment for .de domains under NIS2

DENIC activates Phase 2 of its NIS2 implementation for .de domain registrations. An automated risk assessment system using a traffic light principle (Low/Suspicious/High Risk) now classifies all contact and domain orders. Anomalies in registration data trigger verification requests to the responsible DENIC member. Unverified domains face DNS quarantine and potential deletion. Phase 1 (December 6, 2025) had already made corporate domain owner data publicly visible in WHOIS. Affects all ~17 million .de domains.

heise Security|enforcement, registration

BSI publishes C5:2026 cloud computing criteria catalogue

BSI released C5:2026, the updated Cloud Computing Compliance Criteria Catalogue replacing the 2020 version. The new edition covers container management, post-quantum cryptography, and confidential computing, aligns with the European EUCS certification scheme, and explicitly considered the NIS2 Directive in its design alongside ISO/IEC 27001:2022 and the CSA Cloud Controls Matrix v4. Will be released in machine-readable format for the first time.

BSI|publication, certification, post-quantum

Poland's amended KSC Act enters force — 42,000 entities now in scope

Poland's amended National Cybersecurity System (KSC) Act enters force on April 3, 2026, expanding NIS2 scope from ~400 to ~42,000 organizations including ~28,000 public sector bodies. New sectors added: food production, waste management, chemicals, postal services, manufacturing. Entity registry launched April 13 via the S46 platform. Self-registration deadline: October 3, 2026. Full compliance required by April 3, 2027.

other|legislation, transposition, registration

BSI publishes Grundschutz++ methodology guide — PDCA-based ISMS framework

BSI releases the first methodology guide for Grundschutz++, establishing a forward-looking framework for systematically building an ISMS based on the PDCA cycle. The guide integrates strategic planning, requirements analysis, implementation, monitoring, and continuous improvement. Currently designated for pilot projects only — Edition 2023 remains the valid audit reference through 2028.

BSI|publication, guidance

EDPB and EDPS adopt Joint Opinion 4/2026 on NIS2 amendments and Cybersecurity Act 2

EU data protection authorities formally endorse strengthening cybersecurity while raising data protection guardrails: welcome Digital Identity Wallet providers as essential entities, call for ENISA-EDPB consultation before adopting certification schemes touching personal data, recommend single-entry point for breach notifications to reduce administrative burden, and urge clarity on GDPR-cybersecurity certification overlap.

EDPB|amendment, guidance

BSI and Govdigital announce 'Cyberdome' — automated cyber defense for 10 federal states

BSI and public IT providers association Govdigital announce Cyberdome: sensor-based automated cyber defense infrastructure across 10 federal states and municipalities with real-time BSI-linked monitoring.

heise Security|enforcement

KRITIS-Dachgesetz enters into force — physical security on top of NIS2 cyber requirements

Germany's CER Directive transposition (KRITIS-Dachgesetz) enters into force, adding physical security and resilience requirements on top of NIS2 cybersecurity. Requires BCMS alongside ISMS, physical security controls, and triennial audits. Penalties up to €1M.

OpenKRITIS|legislation, kritis

Cyber Security Report 2026: 92% of small German firms misunderstand NIS2 scope

Schwarz Digits' Cyber Security Report 2026 surveys 1,001 German companies and finds 48% mistakenly believe they are not affected by NIS2. Among small companies (10-49 employees, >€10M revenue) the misconception rate reaches 92%, even though they meet the regulatory threshold.

other|market, guidance

BSI launches NIS2 FAQ specifically for public administration

BSI publishes a dedicated FAQ addressing NIS2 applicability and compliance requirements for federal, state, and municipal government entities.

BSI|guidance

ENISA publishes Technical Advisory for Secure Use of Package Managers

New guidance on secure software development lifecycle focusing on package manager security — directly relevant for NIS2 supply chain security requirements (Art. 21(2)(d)).

ENISA|guidance, publication, supply-chain

22 of 27 EU member states have completed NIS2 transposition

Cullen International reports 22 EU states have transposed NIS2. Five remain: France, Ireland, Luxembourg, Netherlands (legislation in parliament) and Spain (no draft submitted). Spain is the furthest behind.

other|transposition, legislation

Milestone

BSI registration deadline passes — fines now possible for non-registration

Three months after BSIG entry into force, the mandatory registration deadline at the BSI portal expires. Late registration is still accepted but penalties of up to €10M or 2% of annual revenue are now legally enforceable.

heise Security|deadline, registration

Only ~11,500 of ~29,500 affected entities registered by the deadline

By the March 6 deadline, approximately 11,500 authorities, companies, and other critical facilities registered with the BSI under NIS2 — leaving around 18,000 of the 29,500 obligated entities still missing. The BSI spokesperson said it remains unclear whether the original estimate was too high or whether large numbers of affected parties simply failed to comply.

heise Security|registration, enforcement

BOS digital radio operator receives ISO 27001/IT-Grundschutz certification

Germany's public safety digital radio (BOS) network operator achieves ISO 27001 certification on IT-Grundschutz basis, demonstrating critical infrastructure security compliance.

BSI|certification

Public comment period opens for CRA compliance technical guideline

BSI opens public comment period for the Cyber Resilience Act (CRA) compliance technical guideline, connecting product security requirements with NIS2 supply chain obligations.

BSI|guidance

BMI publishes draft Active Cyber Defense Act — new obligations for NIS2-regulated entities

Federal Interior Ministry presents the Gesetz zur Stärkung der Cybersicherheit, granting BKA, Federal Police, and BSI active cyber defense powers including disrupting attacker infrastructure. Adds obligations for NIS2-regulated entities: mandatory cooperation during state-led cyber operations, attack detection systems connected to BSI, and DNS-based protection for customers. Fines up to €20M or 2% of global turnover. Requires ~375 new government positions by 2030.

netzpolitik.org|legislation, enforcement

Poland signs NIS2 transposition into law — enters force April 2, 2026

President Nawrocki signs the amendment to Poland's National Cybersecurity System Act (UKSC), transposing NIS2 into Polish law. Enters force April 2 after one-month vacatio legis. Entity registration deadline: October 3, 2026. Full compliance deadline: April 3, 2027. President simultaneously refers provisions on high-risk providers and penalties to Constitutional Tribunal.

ECSO|transposition, legislation

ENISA releases Cybersecurity Exercise Methodology framework

New methodology for planning, running, and evaluating cybersecurity exercises — relevant for NIS2 entities required to test incident response capabilities under Art. 21.

ENISA|guidance, publication

NIS Cooperation Group adopts ICT Supply Chain Security Toolbox

The NIS Cooperation Group publishes a common framework for identifying, assessing, and mitigating cybersecurity risks across ICT supply chains. The toolbox includes risk scenarios, mitigation measures, and guidance on reducing dependencies on high-risk suppliers. Accompanied by sector-specific risk assessments for connected vehicles and detection equipment.

European Commission|guidance, supply-chain, publication

ENISA publishes International Strategy for cybersecurity cooperation

ENISA releases its international cooperation strategy outlining how the agency works with non-EU partners on cybersecurity standards and threat intelligence sharing.

ENISA|publication

Südwestfalen-IT receives ISO 27001 certification on IT-Grundschutz basis

Following the devastating 2023 ransomware attack, the municipal IT provider Südwestfalen-IT achieves ISO 27001 certification based on IT-Grundschutz, demonstrating recovery and security maturity.

BSI|certification

EU proposes NIS2 amendments — new entity types, harmonization ceiling, PQC migration

European Commission unveils cybersecurity package with targeted NIS2 amendments: submarine infrastructure and digital wallet providers added, new 'small mid-cap' category (~22,500 companies), mandatory ransomware reporting details, and post-quantum cryptography migration deadlines (2030/2035).

Freshfields|amendment, legislation

First EUCC cybersecurity certificate issued under EU framework

The first European Cybersecurity Certification (EUCC) certificate is issued, establishing a common EU-wide certification scheme that NIS2 entities can use to demonstrate compliance.

BSI|certification

Milestone

BSI NIS2 registration portal launches

BSI launches portal.bsi.bund.de for NIS2 entity registration and incident reporting. Registration requires an ELSTER organizational certificate (5-10 business days processing).

BSI|registration

Milestone

Grundschutz++ transition phase begins — parallel operation through 2029

BSI officially launches the Grundschutz++ modernization transition. Machine-readable OSCAL/JSON format replaces PDF/Excel. Edition 2023 remains valid for audits during the transition through 2029.

ISMS-Ratgeber|publication

2025

Milestone

BSIG enters into force — NIS2 is law in Germany

The amended BSIG enters into force on St. Nicholas Day, over a year after the EU transposition deadline. No transition period — all obligations are immediately effective for ~29,500 affected entities.

OpenKRITIS|legislation

Milestone

NIS2UmsuCG published in Federal Law Gazette (BGBl. 2025 I Nr. 301)

The NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz is published in the Federal Law Gazette, entering into force the following day.

OpenKRITIS|legislation, publication

Milestone

Bundestag passes NIS2UmsuCG — Germany's NIS2 implementation law

German parliament passes the NIS2UmsuCG in 2nd and 3rd readings. Votes: CDU/CSU + SPD + AfD in favor, Greens against, Die Linke abstained. Approximately 29,500 entities now fall under BSI supervision.

heise Security|legislation

Milestone

Coalition agrees on NIS2UmsuCG compromises — ex-post model for critical components

CDU/CSU-SPD coalition reaches agreement: critical component regulation shifts from ex-ante approval to ex-post notification model. Federal CISO role transferred to BSI in Bonn.

heise Security|legislation

Milestone

BSI publishes Grundschutz++ preview on GitHub (OSCAL/JSON)

BSI releases the Stand-der-Technik-Bibliothek on GitHub with preview of abstract requirements in OSCAL/JSON format. Not production-ready — initial draft only, concrete measures still being added.

BSI|publication

Milestone

German cabinet approves NIS2UmsuCG draft law

The German federal cabinet approves the draft NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, forwarding it to parliament. The bill was fast-tracked due to the missed EU deadline.

Bundesregierung|legislation

Milestone

ENISA publishes NIS2 Technical Implementation Guidance v1.0

170-page document translating CIR 2024/2690 into practical measures across 13 thematic areas with evidence examples and standards mappings. Primary reference for NIS2 compliance implementation.

ENISA|guidance, publication

Milestone

EC sends reasoned opinions to 19 member states for late NIS2 transposition

The European Commission escalates infringement proceedings against 19 member states that failed to transpose the NIS2 Directive by the October 2024 deadline.

ECSO|enforcement, transposition

2024

Milestone

CIR 2024/2690 enters into force

The Commission Implementing Regulation becomes binding across all EU member states 20 days after publication, establishing the technical baseline for NIS2 compliance.

EUR-Lex|legislation

Milestone

CIR 2024/2690 published — NIS2 technical requirements regulation

Commission Implementing Regulation (EU) 2024/2690 published, specifying technical and methodological requirements for NIS2 cybersecurity risk management measures for digital infrastructure and service providers.

EUR-Lex|legislation, publication

Milestone

NIS2 transposition deadline expires — most member states miss it

Member states were required to transpose NIS2 into national law by this date. Most, including Germany, miss the deadline. Only Belgium has fully transposed and begun enforcement.

ECSO|deadline, transposition

2023

Milestone

IT-Grundschutz Kompendium Edition 2023 released

BSI publishes the IT-Grundschutz Kompendium Edition 2023 — the current production standard for information security management in Germany. Remains the valid audit reference through the Grundschutz++ transition.

BSI|publication

Milestone

NIS2 Directive enters into force

The NIS2 Directive enters into force 20 days after publication. Member states have until October 17, 2024 to transpose it into national law.

EUR-Lex|legislation

2022

Milestone

NIS2 Directive published in Official Journal

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union published in the Official Journal of the European Union.

EUR-Lex|legislation, publication