NIS 2 Directive Update: The reality check – What you need to do from April 2026


Only 38 percent. That is the share of affected companies in Germany that registered with the national cybersecurity authority (BSI) by the first NIS 2 deadline. The NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been in force since December 6, 2025, and the deadline for initial registration expired on March 6, 2026. Any company that has not acted by then is already formally in breach of the law. This is not a preview of a possible future – it is the reality in many German companies today.

The topic itself is far from new. In our first two NIS 2 articles, we explained in detail which companies are affected, and which concrete measures they must implement. Now it is time for a NIS 2 update – where does Germany stand, which deadlines have passed, and what do companies need to do next?

The good news is that if you act now, you can still rectify the situation. With a structured approach to NIS 2, you can even turn it into a real competitive advantage. This article explains what you need to do next.

The situation as of March 6, 2026: Far from ideal, but not hopeless

We now have a clear overview of the situation. Despite the relatively straightforward initial registration with the BSI, only a small proportion – the 38% mentioned above – of the roughly 29,000 affected German companies registered by the deadline. The vast majority remained inactive. This gives a strong indication of how far behind many companies are when it comes to meeting the actual NIS 2 requirements.

The BSI, as the competent supervisory authority, has been granted extensive powers. It can request evidence, initiate audits, and impose substantial fines for proven breaches (see NIS2UmsuCG, §65).

Essential Entities (large companies in critical sectors):
up to 10 million euros or 2 percent of global annual revenue, whichever is higher.

Important Entities (medium-sized companies in relevant sectors):
up to 7 million euros or 1.4 percent of global annual turnover, whichever is higher.

Also important to note:
The NIS2UmsuCG now establishes personal liability for members of the management.

The message is clear: the regulation is serious, and the competent authorities are empowered to enforce it. Companies that take a structured approach will gain an edge over the many still hesitating.

Waiting is no longer a viable strategy

With the expiry of the March 6 registration deadline, an important threshold has been crossed. The transition period is over, and there is no informal grace period. The NIS2UmsuCG is now in force, and any company that fails to meet its requirements is in violation – even if the BSI has not yet taken active enforcement action.

Crucially, even missing the registration already constitutes a breach. This doesn’t mean that a penalty notice will arrive tomorrow, but it does mean that legal risks are real, and grow with every further delay. In addition, NIS 2 compliance is increasingly required for tenders and supply chain assessments – customers and partners expect it.

The key question is therefore no longer, “Are we obligated to do this,” but rather, “Where do we start, and how do we implement it correctly?”

What you need to do – with practical examples

A quick reality check: Does my company need to take action?
Which of your OT systems are reachable from outside the plant network, and who in your organization is the first point of contact if a cyber attack hits your production systems? If you cannot answer these questions with certainty, your company is among those that need to take action now. The four focus areas below provide an initial, concrete starting point.

1. Incident Management

Owner: IT Manager or CISO

NIS 2 requires affected companies to submit an initial report to the BSI within 24 hours of a significant security incident. This calls for a clear, documented incident response process that sets out in writing which steps must be taken in the event of an incident. Who is the first internal point of contact? Who decides whether an incident is reportable? What information must be transmitted to the BSI, and in what format? For manufacturing companies in particular, it is important to note that OT incidents – such as the failure of a control unit due to an attack – follow different escalation paths than IT incidents. Both types of incident must be included in the documented process before an incident occurs, not afterward.

2. Minimum technical requirements

Owner: OT and Plant Managers in collaboration with IT Security

Mandatory actions include network segmentation, multi-factor authentication for privileged access, and a defined patch management process. The challenge in OT environments is that many legacy protocols, such as Modbus or OPC DA, were designed without security controls, and the devices that speak them often cannot be patched without interrupting production. As a result, comprehensive monitoring and a clean separation between OT and IT networks become all the more important. edge.SHIELDOR was developed specifically for this use case: to make OT networks more secure without interfering with ongoing production processes.
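What "comprehensive monitoring" of an unpatchable Modbus device can look like in practice, as an added example that is not code from this article or from edge.SHIELDOR: a passive Modbus/TCP inspector that parses the MBAP header and function code of each request and raises an alert when a state-changing function code comes from a host other than the allow-listed engineering station, when a Modbus request arrives from outside the OT segment (a segmentation failure), or when a frame is malformed. The IP addresses, the OT prefix, and the captured traffic are all constructed for this example.

```python
"""Passive Modbus/TCP write monitor for a segmented OT network.

Added example, not code from the page or from edge.SHIELDOR. It parses
Modbus/TCP frames (MBAP header + PDU) and flags state-changing function
codes that do not come from an allow-listed engineering station. All IP
addresses and the sample traffic below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502

# Public Modbus function codes that change PLC state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hypothetical engineering workstation that is allowed to write to PLCs.
ALLOWED_WRITERS = {"10.10.1.5"}
# Hypothetical OT segment; Modbus requests from outside it are a segmentation failure.
OT_PREFIX = "10.10."


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse MBAP header (7 bytes) plus PDU; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} != {len(payload) - 6}")
    return ModbusFrame(tid, uid, payload[7], payload[8:])


def inspect(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert string for one packet, or None if it is benign."""
    if dst_port != MODBUS_PORT:
        return None  # replies come back from port 502; only requests are policed
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"MALFORMED {src_ip}->{dst_ip}: {exc}"
    name = WRITE_FUNCTION_CODES.get(frame.function_code)
    if name and src_ip not in ALLOWED_WRITERS:
        return (f"UNAUTHORIZED WRITE {src_ip}->{dst_ip} unit {frame.unit_id}: "
                f"{name} (FC {frame.function_code})")
    if not src_ip.startswith(OT_PREFIX):
        return f"CROSS-SEGMENT {src_ip}->{dst_ip}: Modbus request from outside the OT segment"
    return None


def build_frame(tid: int, unit_id: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (protocol id 0, length = unit id + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid: int, uid: int, start: int, count: int) -> bytes:
    return build_frame(tid, uid, struct.pack(">BHH", 3, start, count))


def write_single_register(tid: int, uid: int, addr: int, value: int) -> bytes:
    return build_frame(tid, uid, struct.pack(">BHH", 6, addr, value))


def write_multiple_registers(tid: int, uid: int, start: int, values: list) -> bytes:
    body = struct.pack(">BHHB", 16, start, len(values), 2 * len(values))
    body += b"".join(struct.pack(">H", v) for v in values)
    return build_frame(tid, uid, body)


# Constructed traffic: (src_ip, dst_ip, dst_port, payload)
SAMPLE_TRAFFIC = [
    # engineering station changes a setpoint: allowed
    ("10.10.1.5", "10.10.2.20", 502, write_single_register(1, 1, 0x0010, 1500)),
    # HMI polls process values: read-only, allowed
    ("10.10.1.30", "10.10.2.20", 502, read_holding_registers(2, 1, 0x0000, 10)),
    # PLC reply to the HMI (FC 3 response): source port 502, not policed
    ("10.10.2.20", "10.10.1.30", 49152, build_frame(2, 1, bytes([3, 20]) + bytes(20))),
    # HMI tries to write: not on the allow-list
    ("10.10.1.30", "10.10.2.20", 502, write_multiple_registers(3, 1, 0x0010, [0, 0, 0])),
    # office workstation reaches the PLC at all: segmentation failure
    ("192.168.50.77", "10.10.2.20", 502, read_holding_registers(4, 1, 0x0000, 1)),
    # truncated frame (MBAP header only, no function code)
    ("10.10.1.30", "10.10.2.20", 502, b"\x00\x05\x00\x00\x00\x06"),
]


def run_monitor(traffic) -> list:
    """Inspect every packet and return the alerts in order."""
    return [alert for alert in (inspect(*pkt) for pkt in traffic) if alert]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRAFFIC):
        print(alert)
```

Run against the constructed capture, the monitor stays silent for the engineering station's write, the HMI's read, and the PLC's reply, and raises three alerts: the HMI's unauthorized multi-register write, the office host's cross-segment request, and the truncated frame. In a real deployment the same inspection would sit on a SPAN port or tap between the IT and OT segments; the point is that it enforces a write allow-list without touching the PLC or interrupting the process.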

3. Supply chain security

Owner: Procurement in collaboration with IT Security

NIS 2 explicitly requires companies to closely monitor the security of their supply chain. In practice, this involves classifying suppliers and external service providers according to their criticality. Who has remote access to your production facilities? Who shares network segments with your systems? For these partners, a structured supplier assessment is advisable, for example, a questionnaire on their IT/OT security posture, which can serve as the basis for contractual clauses or framework agreements.

4. Training and awareness

Owner: HR and IT Security

Technical measures only work if the people involved actively support and adhere to them. NIS 2 requires documented evidence that employees are made aware of cyber risks. OT and Machine Operators face different threat profiles than office staff – and training programs should reflect this. A single, annual session is rarely sufficient. Effective approaches include role-specific training that uses practical, real-world scenarios alongside regular updates whenever new threats are identified.

What you can do now

Catch up on registration with the BSI:
If you have not yet registered, this is the most urgent first step. The BSI portal is easily accessible, and the registration itself requires relatively little effort.

Run a gap analysis:
Systematically review which NIS 2 requirements you already meet, and where gaps remain. A structured self-assessment or an external audit provides clarity and helps you set priorities.

Document and test the incident response process:
Define in writing who does what in the event of a security incident. Designate specific contacts – both internally and for reporting to the BSI – and test the procedure in an exercise.

Initiate a supplier assessment:
Start with your most critical partners. Who has access to your production systems? Create an overview, and review security requirements in your supplier contracts.

From compliance risk to competitive advantage

Companies that take NIS 2 seriously are doing more than merely avoiding fines. They are building something that is increasingly in demand across industrial supply chains: verifiable cybersecurity. In regulated industries – such as the automotive, mechanical engineering, and food production sectors – procurement departments actively ask about their suppliers’ security posture. Investing in incident management, network segmentation, and supply chain assessment positions you as a reliable, future-ready partner, providing a tangible market advantage.

TRIOVEGA is certified under IEC 62443 and works alongside its partners to support manufacturers from gap analysis and technical implementation through to ongoing operational support. Now is the perfect time to take a structured approach.

Act now – Structured compliance for a strategic advantage

NIS 2 is not a one-time task, but an ongoing requirement for organizations to maintain their security maturity. Many companies missed the March 6, 2026 deadline, but that date also marked the starting point for a structured effort to catch up. Companies that begin with a robust assessment of their current state, clear processes, and targeted technical measures can close the compliance gap while strengthening their competitive advantage.

For more background on NIS 2, see our previous articles: The NIS-2-Directive Becomes Law and NIS 2: The measures industrial companies must take to comply. If you would like to understand where your company stands today, schedule a consultation call with our team.

Author: Mareike Redder

Mareike Redder has been working as an IT engineer at TRIOVEGA GmbH since 2018, and has been responsible for product management since 2022.


© 2026 TRIOVEGA GmbH.
All rights reserved.