German Firms Race to Meet Twin EU Cybersecurity and AI Deadlines as Fines Loom
17.06.2026 - 08:36:27 | boerse-global.de
A suspected data theft by a former employee at a Munich service provider has thrust the urgency of Germany’s coming IT and AI compliance overhaul into sharp relief. The LHM Services GmbH case involves the alleged download of records belonging to roughly 120,000 students and teachers, reportedly in 2024. The company denies the data has surfaced on the darknet, but political representatives are demanding a full investigation. The incident underscores why a wave of new obligations under European Union directives will soon demand swift action from tens of thousands of businesses.
Since December 2025, around 30,000 German enterprises—chiefly mid-sized firms—have been legally required to introduce IT risk management, basic security standards (the so-called IT-Grundschutz), and specific incident-reporting processes under the NIS-2 directive. According to experts at Germany’s Federal Office for Information Security (BSI), demand for guidance remains high. Companies that fail to comply with the stricter rules face significant liability, including personal exposure for board members once the directive is fully transposed into national law via the updated BSI Act.
To bridge the knowledge gap, specialized training formats have been available since mid-June 2026. A webinar hosted by KEDi on June 18 targets energy-sector executives and managing directors, offering cybersecurity strategies tailored to small and medium-sized enterprises. On the same day, a lecture in Gütersloh explores the intersections between NIS-2, the General Data Protection Regulation (GDPR), and the security of artificial intelligence systems. Another information event is scheduled for July 29 in Weiherhammer, focusing on the conversion of the EU directive into German law and the question of personal liability for top management. Registration closes on July 23.
Alongside traditional IT security, companies must also prepare for the EU AI Act. By August 2, 2026, organizations operating high-risk AI systems need to meet the regulation’s governance requirements. Experts strongly recommend conducting inventories and risk analyses now. The penalties for non-compliance are steep: up to €35 million or seven percent of global annual turnover, whichever is higher.
Parallel to these legal deadlines, international certification is gaining traction. A series of online workshops on ISO 27001 Foundation begins on June 17–18, providing baseline knowledge for information security management systems (ISMS). Additional sessions are scheduled for late June, July, and September 2026. A more advanced iX workshop in early July and again in October will dive into combining ISO standards with NIS-2 requirements.
The auto sector is also getting tailored help. A webinar on June 30 is aimed specifically at automotive businesses, training them on how to respond within the first 24 hours after a hacker attack, because every minute after an intrusion can determine the scale of damage.
