
German Companies Face Fresh Cybersecurity Mandates as EU AI Act Brings Hefty Penalties

26.06.2026 - 10:34:29 | boerse-global.de

From €35M AI Act penalties to TRBS 1115 cybersecurity mandates, German companies must navigate a tightening compliance landscape by August 2026.

German Firms Face EU AI Act Fines, New Cyber Rules, and Rising IT Risks

German companies are navigating a thickening web of digital compliance requirements. The biggest hammer drops on August 2, 2026, when the bulk of the EU AI Act's obligations, including those for high-risk AI systems, become applicable. The Act's top fine tier, up to €35 million or 7 percent of global annual turnover, is reserved for prohibited AI practices; breaches of the high-risk obligations carry fines of up to €15 million or 3 percent. With that deadline now little more than a month away, the Bundestag is already weighing a separate cyber-security law that would give federal authorities more muscle.

Lawmakers held a first reading this week on a bill to strengthen the country's cyber defenses. Under the draft, the Federal Office for Information Security (BSI) would gain the power to redirect harmful data traffic and deploy incident response teams more directly. The Federal Criminal Police Office (BKA) and the Federal Police would also receive clearer operational authority for cyber defense.

But the most immediate obligation for many businesses arrived back in January. An updated technical rule for operational safety, TRBS 1115, now requires employers to include cybersecurity in their mandatory risk assessments. The rule covers not just physical plant safety but also the IT and operational-technology (OT) environments that control it. The BSI warns that the threat landscape has shifted because of artificial intelligence: attackers can now scan for vulnerabilities almost autonomously and scale attacks faster than ever, while defenders remain bound by operational constraints. Reducing the attack surface and implementing the BSI's IT-Grundschutz baseline protection framework have become more urgent.


Small and medium-sized enterprises got some relief in late May. The threshold for appointing dedicated safety officers rose from 20 to 50 employees, cutting red tape. Nonetheless, the core risk assessment under the Occupational Safety Act still applies, and companies with special hazards may still need safety officers even with fewer staff. A similar relaxation is planned for data protection officers: the current national requirement, triggered when 20 or more people are regularly engaged in automated processing of personal data, is scheduled to be dropped by the end of the year. Instead, only the GDPR's risk-based obligation will apply, easing the burden on firms without high-risk data processing.

The financial stakes are enormous. According to the Resilience Risk Index 2026, IT downtime represents the single biggest risk for businesses globally. Company PCs are vulnerable an average of 76 days per year, and roughly 20 percent of endpoints are inadequately protected. The global cost of such outages is estimated at $400 billion. A key factor is patch delays: for operating systems like Windows 10 and 11, the average lag reaches 127 days. About 10 percent of companies still run Windows 10 even though support ended in October 2025. In specialized sectors such as biogas plants, outdated systems can be compromised within minutes.
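The figures above (patch lag, unsupported Windows 10 hosts, unprotected endpoints) are the metrics an endpoint inventory should be able to produce on demand. The following is an added example, not code from the article or from the Resilience Risk Index, that computes them over a constructed sample inventory. The hostnames are hypothetical, the `esu` attribute (enrolment in Microsoft's Extended Security Updates, which keeps a Windows 10 host patched past the 14 October 2025 end-of-support date) and the 30-day lag threshold are assumptions, and the reference date is the article's publication date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Windows 10 reached end of support on 14 October 2025 (fact).
WINDOWS10_END_OF_SUPPORT = date(2025, 10, 14)
# Reference date for lag calculations: the article's publication date.
ARTICLE_DATE = date(2026, 6, 26)


@dataclass
class Endpoint:
    hostname: str
    os_name: str              # e.g. "Windows 10", "Windows 11"
    last_patch: date          # date the latest cumulative update was installed
    esu: bool = False         # assumed attribute: enrolled in Extended Security Updates
    edr_active: bool = True   # endpoint protection agent running and reporting


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY: List[Endpoint] = [
    Endpoint("fin-ws-01", "Windows 11", date(2026, 6, 10)),
    Endpoint("ops-ws-07", "Windows 10", date(2026, 1, 20), esu=True),
    Endpoint("lab-ws-03", "Windows 10", date(2025, 9, 2)),
    Endpoint("hr-ws-12", "Windows 11", date(2026, 2, 15), edr_active=False),
    Endpoint("scada-hmi-1", "Windows 10", date(2025, 3, 11), edr_active=False),
]


def patch_lag_days(ep: Endpoint, today: date = ARTICLE_DATE) -> int:
    """Days since the host last installed an update."""
    return (today - ep.last_patch).days


def assess_endpoint(ep: Endpoint, today: date = ARTICLE_DATE,
                    max_lag_days: int = 30) -> List[str]:
    """Return the findings for one host, in a fixed order.

    A Windows 10 host is flagged as unsupported only after the end-of-support
    date and only if it is not covered by ESU (assumed inventory flag).
    """
    findings: List[str] = []
    if (ep.os_name == "Windows 10" and today > WINDOWS10_END_OF_SUPPORT
            and not ep.esu):
        findings.append("unsupported-os")
    lag = patch_lag_days(ep, today)
    if lag > max_lag_days:
        findings.append(f"patch-lag:{lag}d")
    if not ep.edr_active:
        findings.append("no-endpoint-protection")
    return findings


def summarize(inventory: List[Endpoint], today: date = ARTICLE_DATE,
              max_lag_days: int = 30) -> Dict[str, object]:
    """Fleet-level view: per-host findings plus the aggregate metrics the
    Resilience Risk Index reports (average patch lag, unsupported OS count,
    share of unprotected endpoints)."""
    per_host = {ep.hostname: assess_endpoint(ep, today, max_lag_days)
                for ep in inventory}
    lags = [patch_lag_days(ep, today) for ep in inventory]
    return {
        "hosts": per_host,
        "avg_patch_lag_days": sum(lags) / len(lags),
        "unsupported_os_count": sum("unsupported-os" in f for f in per_host.values()),
        "unprotected_share": sum(not ep.edr_active for ep in inventory) / len(inventory),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_INVENTORY)
    for host, findings in report["hosts"].items():
        print(f"{host:12s} {', '.join(findings) or 'ok'}")
    print(f"average patch lag: {report['avg_patch_lag_days']:.1f} days")
    print(f"unsupported OS hosts: {report['unsupported_os_count']}")
    print(f"unprotected share: {report['unprotected_share']:.0%}")
```

Feeding real data into `SAMPLE_INVENTORY` (for example from a CMDB or MDM export) turns this into the evidence a TRBS 1115 or NIS2 risk assessment asks for: which hosts are out of support, how far behind the fleet is on patches, and where protection coverage is missing.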

Two major reporting frameworks are already in force. The NIS2 directive became national law last October. Under DORA, financial firms must send Germany's financial regulator BaFin an initial notification of a major ICT-related incident within four hours of classifying it as major, and no later than 24 hours after becoming aware of it. NIS2 demands an early warning to the BSI within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within a month. With the AI Act compliance deadline approaching, companies are urged to complete a full inventory and risk analysis of their AI systems well before August 2026.
