NIS2 personal liability for German boards is now live
NIS2 personal liability is now a binding reality for German management boards. Section 38 of the amended BSI Act (BSIG) establishes a personal, non-delegable responsibility for cyber risk at board and executive level — a responsibility that came into force without a transition period on 6 December 2025. Insufficient oversight, inadequate governance, or a board that cannot demonstrate appropriate awareness and training can trigger personal liability under §38 BSIG, regardless of where the wider implementation timeline currently stands.
The story most German boards are still being told is that NIS2 implementation is “slow” and “uncertain”. That framing is now misleading. The legislative foundation is in place, the substantive obligations apply, the BSI registration portal’s statutory deadline closed on 6 March 2026, and the supervisor has stated it will actively identify non-registered entities. This post sets out what NIS2 in Germany now legally requires of management boards, where the genuine ambiguity remains, and where the practical priorities lie.

1. What §38 BSIG places on management boards
Section 38 BSIG anchors NIS2 in German company law. Cyber-risk oversight is a duty of management itself; it cannot be delegated to a CISO, an external consultant, or a subsidiary entity. §38(3) goes further: management members of particularly important and important entities are personally required to undertake regular training in cybersecurity risks and measures. The German legislator has, in effect, converted a broad EU directive obligation into a concrete, individually-binding duty.
Two German categories matter here. NIS2’s “essential” entities map onto Germany’s particularly important entities (besonders wichtige Einrichtungen) under §28 BSIG; “important” entities map onto important entities (wichtige Einrichtungen). Both categories now sit under §38, but the size of the fines and the evidence obligations differ between them.
BSIG (consolidated text)
2. The obligations are already binding — there is no transition period
This is the point most “wait and see” arguments miss. The substantive obligations under §§28, 30, 32, 38 and 65 BSIG took effect on 6 December 2025 without a transition period. What is still developing is supervisory practice and detailed BSI guidance, not the obligations themselves.
A few of those obligations have hard parameters that boards should know by name:
- §32 BSIG reporting cascade: an early warning within 24 hours of becoming aware of a significant incident, a follow-up notification within 72 hours, and a final report within one month. The clock runs from awareness, not from the moment the incident is classified internally.
- §39 BSIG evidence obligation: particularly important entities must demonstrate effective implementation within three years of the Act entering into force, i.e. by December 2028.
- §65 BSIG fines: up to €10 million or 2% of global annual turnover for particularly important entities; up to €7 million or 1.4% for important entities; up to €500,000 specifically for late or missed registration.
BSI press release: NIS-2-Umsetzungsgesetz in Kraft (5 December 2025)

3. Where Germany actually stands on registration
By the statutory deadline of 6 March 2026, industry tracking by German cybersecurity firms put the number of in-scope organisations that had completed registration with the BSI at only around 11,500, a registration rate of just under 40% against the BSI’s own estimate of roughly 29,500 obligated entities. The gap is not evenly distributed: registration rates are particularly low among mid-sized companies that historically sat outside KRITIS and are encountering federal cybersecurity supervision for the first time.
The BSI has stated publicly that it will now actively identify non-registered entities and pursue administrative fines under §65 BSIG. Boards working from the assumption that supervisors lack the information to enforce should revisit that assumption.
Netguardia analysis: NIS2 registration rates by the 6 March 2026 deadline
4. The strategic risk is governance debt, not the fine
For most boards, the largest exposure from NIS2 is not the headline fine. It is the slow accumulation of governance debt: undocumented decisions, unmapped supplier dependencies, untrained executives, and incident response procedures last reviewed before the BSIG amendment took effect. Each of these items is cheap to fix on its own, expensive to remediate all at once, and now visible in the audit trail under §38 and §39.
NIS2 does not introduce new cybersecurity ideas. Management accountability, risk-based decision-making, documented oversight, incident preparedness — these have been recognised as best practice for years. NIS2 turns them into law, with named consequences for the people sitting on the board.
Compliance is no longer the test. Governance is.
European Commission — NIS2 Directive

5. Practical priorities for boards now
Rather than waiting for further guidance from the BSI, boards can use the current period productively by working on items that are unlikely to change.
The first priority is executive accountability. Document, in writing, which management roles carry responsibility for cyber risk, what evidence each role provides at each board cycle, and how training under §38(3) is being delivered.
The second is risk-based governance. Identify the critical services and supplier dependencies whose disruption would materially affect the business, and run realistic impact scenarios rather than focusing only on technical controls.
The third is incident readiness against the §32 reporting cascade. The 24-hour early warning is not a drill, and the clock starts when the organisation becomes aware of a significant incident; the question for the board is whether the right escalation chain works at three in the morning, on a public holiday, in another time zone.
The fourth is supply-chain transparency. Map the critical service providers and ensure the board can answer how a supplier outage would propagate operationally and contractually.
DLA Piper: NIS 2 Directive transposed in Germany (11 February 2026)

Looking ahead
Germany’s slower-than-expected rollout has changed how boards should approach this period. It has not changed whether they need to act. The obligations are binding, the registration deadline has passed, the supervisor has signalled intent, and §38 BSIG sits squarely on the desks of management members in person.
Working with an experienced compliance partner can shorten this process. If NIS2 is on the agenda for your next board cycle, you can contact us to talk through where your organisation currently stands.

