German Companies Face Fines and Personal Liability After Missing Key Cybersecurity Deadline
02.07.2026 - 12:14:03 | boerse-global.de
Only 18,500 of the roughly 30,000 firms affected by Germany's new IT security law had registered on the BSI portal by the 6 March 2026 deadline, leaving roughly 11,500 companies non-compliant. The Federal Office for Information Security (BSI) followed up in mid-June by sending reminder letters to industry associations. Security experts are now calling for fines to actually be imposed and for regulators to be given more staff.
The law, based on the European NIS2 directive, came into force in Germany in December 2025. It obliges businesses to register via the BSI portal and comply with a sweeping set of technical and organisational requirements. The missed deadline signals a slow start for a regime designed to harden critical infrastructure against cyber threats.
Who Must Comply and What It Costs
Any company with at least 50 employees or more than €10 million in annual turnover or balance sheet total is covered; this is the NIS2 medium-sized-enterprise threshold, and a few sector-specific categories (such as DNS service providers and trust service providers) are covered regardless of size. The directive splits firms into "essential" and "important" entities across 18 sectors, including energy, transport, healthcare, banking, digital infrastructure, food, and chemicals.
The healthcare sector is under particular strain. The German Hospital Association estimates initial compliance costs of €1.5 billion, with recurring annual expenses of around €760 million.
Technical Requirements Tighten
Firms must implement network segmentation into four zones, draw up incident-response and emergency plans, and follow security-by-design principles. Even craft businesses and manufacturing companies need to act, for example by managing supply-chain risks and securing remote-maintenance access with multi-factor authentication.
Reporting and Liability
A staggered notification regime applies for significant IT security incidents, with each deadline counted from the moment the company becomes aware of the incident:
- 24 hours: initial early warning
- 72 hours: incident notification with an initial assessment of severity and impact
- One month: final report
Company management bears personal responsibility for implementation. Executives must attend regular cybersecurity training, every three years for those in healthcare. Penalties for violations can reach €10 million or 2% of global annual turnover, whichever is higher, for essential entities; important entities face up to €7 million or 1.4%.
AI Regulation Adds Pressure
Since 2 February 2025, Article 4 of the EU AI Act has required providers and deployers of AI systems to ensure a sufficient level of AI literacy among their staff. Yet a recent study shows only 38% of organisations meet this requirement, even though more than half of companies fear attacks using artificial intelligence.
What Comes Next: KRITIS-Verordnung
Later in 2026, Germany plans to introduce the KRITIS-Verordnung, a regulation that will force operators of critical infrastructure to connect their attack-detection systems directly to the BSI. A government draft dated 27 May 2026 envisions faster threat response. New sectors such as active-ingredient production, biotechnology, and logistics are expected to be added.
With two regulatory fronts now active and more on the horizon, the pressure on German companies to catch up is only set to intensify.
