Germany NIS2 penalties and BSI enforcement: fine tiers and supervisory powers explained

€10M or €7M? How Germany’s BSI Selects NIS2 Fines — and When Your Directors Pay Personally

Germany’s NIS2 implementation came into force on 6 December 2025. The headline penalty figure — €10 million, or 2 percent of global annual turnover for the worst violations — gets most of the attention. The mechanism that determines whether your organisation faces an unannounced inspection tomorrow or only after a breach occurs gets far less.

That mechanism turns on a single classification: whether your entity is particularly important or important. The classification changes not just the maximum fine but the entire supervisory relationship with the Bundesamt für Sicherheit in der Informationstechnik (BSI). This guide explains both tiers, the escalating enforcement toolkit the BSI holds beyond the financial penalty, the personal liability that §38 BSIG places on directors and management body members, and what Germany’s first enforcement actions signal about 2026 priorities.

Two Entity Categories, Two Penalty Ceilings

Germany’s revised BSIG maps directly onto the NIS2 Directive’s two-tier structure. The classification determines both the supervisory model and the financial exposure, so getting it right is the first compliance task.

| Category | Who qualifies | Max fine ceiling |
|---|---|---|
| Particularly important entity (besonders wichtige Einrichtung) | KRITIS operators in energy, water, transport, banking, financial market infrastructure, health; large digital infrastructure operators; organisations with 250+ employees or €50M+ turnover in NIS2 Annex I high-criticality sectors | €10,000,000 or 2% of total worldwide annual group turnover, whichever is higher |
| Important entity (wichtige Einrichtung) | Mid-size organisations in NIS2 Annex I and Annex II sectors that do not reach the KRITIS or large-enterprise threshold; certain digital service providers | €7,000,000 or 1.4% of total worldwide annual group turnover, whichever is higher |

Both ceilings operate on a “whichever is higher” logic. A particularly important entity with €600 million in global annual revenue therefore faces a potential ceiling of €12 million — 2 percent — not the fixed €10 million figure. The percentage basis is designed to ensure that large organisations cannot treat even the maximum fixed fine as an acceptable cost of non-compliance.


Approximately 29,000 entities are estimated to fall within the new BSIG framework — a roughly sixfold increase from the approximately 4,500 regulated under Germany’s previous IT security regime. The registration deadline for the national BSI entity register was 6 March 2026. For a breakdown of how classification criteria apply to specific business structures and sector combinations, see the Germany NIS2 implementation guide.

The Supervision Divide — Ex Ante for KRITIS, Reactive for Everyone Else

The NIS2 Directive establishes a fundamental asymmetry in supervisory powers. Article 32 governs essential entities; Article 33 governs important entities. Germany’s BSIG implements this distinction directly, and the operational consequence is significant.

For particularly important entities — including all KRITIS operators — the BSI operates in ex ante mode. The authority can conduct on-site inspections, request documentation, carry out targeted security audits, run security scans, and demand evidence of policy implementation without waiting for an incident, a complaint, or any sign of non-compliance. No trigger is required. The BSI can audit at will, at any point in the compliance lifecycle.

For important entities, the BSIG limits the BSI to ex post supervision. The authority must have evidence of non-compliance before opening a formal supervisory action. In practice, this means important entities attract investigation primarily through incident notifications, complaints from affected parties, or intelligence gathered during broader sector-level reviews.

In operational terms: a KRITIS energy infrastructure operator in Bavaria can expect that the BSI may request its risk assessment documentation, incident procedures, and audit evidence at any point — with no precipitating event required. An important entity in a transport-adjacent service sector is more likely to face scrutiny following a reported breach or a failed registration check.

This is not a comfortable position for important entities either. The BSI actively monitors sector compliance through cross-entity data collection, and regulatory attention frequently follows from incident notifications filed by related entities in the same sector. But the legal trigger threshold is different, and that distinction should be built into compliance programme design and board-level risk reporting.

For a detailed review of how NIS2 supervisory measures work across both tiers, see the supervisory measures overview.

The BSIG Fine Table — From €100,000 to €10 Million

Germany’s implementing law sets graduated fine ceilings for specific violation types, not a single headline number. The table below lists the relevant ranges under §65 BSIG by violation category, alongside the headline ceilings from Article 34 of the NIS2 Directive:

| Violation | Particularly important entities | Important entities |
|---|---|---|
| Cybersecurity measure failure (§30 BSIG) | Up to €10M or 2% worldwide turnover | Up to €7M or 1.4% worldwide turnover |
| Incident reporting failure (§32 BSIG) | Up to €10M or 2% worldwide turnover | Up to €7M or 1.4% worldwide turnover |
| Non-compliance with BSI directive | Up to €10M or 2% worldwide turnover | Up to €7M or 1.4% worldwide turnover |
| KRITIS critical component reporting | Up to €5,000,000 | N/A |
| KRITIS audit evidence procedures | Up to €2,000,000 | N/A |
| Registration or notification failures | Up to €500,000 | Up to €500,000 |
| Obstruction of BSI inspection | Up to €500,000 | Up to €500,000 |
| Contact point accessibility failures | Up to €100,000 | Up to €100,000 |

Several observations from this structure matter in practice.

The €500,000 ceiling for registration failures is not a minor administrative penalty. It applies per violation and can be applied repeatedly. The roughly 18,500 entities that missed the March 2026 registration deadline face this exposure for every compliance cycle in which they remain unregistered. The BSI has made public that it is now actively identifying unregistered entities through sector-level analysis.

Obstruction of inspection carries the same €500,000 ceiling as registration failure — independent of whatever underlying compliance failure prompted the inspection. Refusing to provide documentation, limiting auditor access, or delaying responses to formal information requests creates its own separate penalty exposure.

The KRITIS-specific ceilings for component reporting (€5M) and audit evidence procedures (€2M) sit between the headline tier and the registration-failure tier. These provisions apply exclusively to KRITIS operators and reflect the heightened obligations that accompany ex ante supervisory status.

The NIS2 Directive’s “effective, proportionate, and dissuasive” standard from Article 34 governs all fine determinations. Authorities weigh the severity and duration of the violation, the number of affected persons, whether the act was intentional or negligent, previous violations by the same entity, and the degree of cooperation during the investigation. An entity that voluntarily registered late, notified the BSI, and remediated documented gaps is in a materially different position than one that ignored formal notices.

BSI’s Enforcement Toolkit — Beyond the Fine

Administrative fines are the most visible BSI sanction, but the enforcement toolkit is broader. Several of its components are more operationally disruptive than the fine itself. Under Article 32 NIS2, implemented through the BSIG for particularly important entities, the BSI can deploy the following measures in escalating order of severity.

Warnings and binding instructions: The BSI issues formal warnings about identified non-compliance and follows with binding instructions specifying what corrective action must be taken and by when. Non-compliance with a binding instruction converts that failure into an additional enforceable obligation, compounding the exposure.

Monitoring officer appointment: The BSI can designate a monitoring officer for a defined period to oversee remediation. The entity bears the cost of this appointment. For organisations where a prolonged external supervisory presence would interfere with normal management authority or operational continuity, this is one of the most materially impactful enforcement tools available short of a suspension.

Public disclosure: The BSI can require an organisation to publish specific details of an infringement, or can itself make aspects of a compliance failure public. For regulated entities where counterparty confidence, customer trust, or sector standing matters, a public compliance failure determination carries consequences substantially beyond the associated administrative fine.

Suspension of certification or authorisation: Where an entity holds certifications or authorisations linked to its operating licence — common in digital infrastructure provision, financial services, and regulated health technology — the BSI can suspend these in whole or in part. Suspension can halt commercial activity in the affected service areas.

Temporary prohibition on management: This is the most severe individual sanction in the framework. Article 32(5)(b) of the NIS2 Directive enables competent authorities to request that a court or tribunal temporarily prohibit any natural person bearing managerial responsibility at CEO or legal representative level from exercising management functions in the entity. The prohibition continues until the entity remedies the identified deficiencies. The mechanism applies only to particularly important entities, and it is not theoretical: the legal instrument exists, Germany has implemented it, and it can be activated where an entity persistently fails to respond to other enforcement steps.

For advance preparation before a BSI audit or inspection, see the audit preparation checklist.

§38 BSIG — Personal Liability That Cannot Be Waived

§38 of the new BSIG creates a structure of personal, non-delegable obligations for members of the management body. These obligations came into force without a transitional period on 6 December 2025.

Three core duties apply:

Approval (Billigung): Management must formally approve the organisation’s cybersecurity risk management measures. This is not a passive sign-off against a summary document. The requirement is substantiated, documented endorsement of the specific measures taken — a standard that requires the management body to understand the controls being approved, not merely acknowledge that cybersecurity exists as a function.

Oversight (Überwachung): Approved measures must be actively monitored. Management cannot delegate cybersecurity and disengage. If approved measures are not implemented, deteriorate over time, or become inadequate as the threat environment changes, the oversight duty has not been met — and the personal liability exposure persists regardless of whether an incident occurs.

Training (Schulung): Management body members must complete cybersecurity training on a regular basis — specifically, at minimum every three years — with documented participation records. The BSI clarified in a November 2025 webinar that “management body” extends beyond traditional managing directors to include CFOs and general partners holding management authority within the entity’s structure. Supervisory board members (Aufsichtsrat) who exercise operational management authority are also potentially in scope, though this requires case-specific legal assessment.

What personal liability means in practice: Where a management member culpably breaches these duties and the entity incurs damage as a result, that individual faces personal liability for the resulting damage. The BSIG includes an explicit non-waiver clause — responsibility cannot be contractually shifted to the entity, a CISO, an external compliance consultant, or a board resolution that delegates the matter without substantive engagement.

On D&O insurance: policies frequently include exclusions for regulatory fines and for conduct constituting intentional breach of a statutory duty. Boards should review their D&O coverage specifically against §38 BSIG exposure before treating it as a risk backstop. The civil liability arising from a §38 breach is separate from the enforcement sanctions available through Article 32(5)(b) — both can apply simultaneously in a serious non-compliance scenario.

For a practical breakdown of what management approval and oversight documentation looks like in an audit-ready governance structure, see board and director NIS2 obligations.

Early Enforcement Signals — What Has Actually Happened

No major administrative fines under the new BSIG have been issued as of June 2026. Germany’s enforcement pattern has followed the recognisable NIS2 playbook visible in other member states: initial focus on structural compliance (registration and governance documentation), with financial penalties reserved for persistent or serious non-compliance.

Q4 2025: The BSI issued 47 formal notices to entities that had failed to register in the national NIS2 entity register or had not designated an accessible contact point. Energy sector operators and digital infrastructure providers were the primary targets. These notices represent the first stage of formal enforcement — legally binding instructions with short compliance deadlines, preceding the fine escalation path.

March 2026: The registration deadline passed. Approximately 18,500 entities — roughly two-thirds of those estimated to be in scope — had not registered. The BSI transitioned from advisory outreach to active enforcement identification, using sector-level analysis to locate unregistered entities systematically.

May 2026: The BSI entered its operational enforcement phase: systematic sector-by-sector reviews, followed by formal notices and, where these produce no response, administrative proceedings including financial penalties.

EU comparison context: Early enforcement patterns from other member states provide a forward indicator. The Netherlands conducted 120 entity assessments within its first active enforcement months and identified compliance gaps in 38 to 52 percent of assessed organisations. France issued 23 remediation orders to energy and transport operators in its first enforcement round. Italy registered over 4,800 entities but found approximately 2,000 with outstanding compliance failures. Germany, with 29,000 in-scope entities and a more complex KRITIS classification framework, is a substantially larger enforcement environment. The escalation trajectory is consistent across all three: structural failures first, financial penalties second, sector-wide audits third.

The practical implication is clear: entities that self-registered, designated an accessible contact point, and can produce documented risk management processes on request are not currently the BSI’s primary targets. Entities that ignored registration obligations or failed to respond to formal notices are. That distinction will narrow as the enforcement programme matures beyond its first phase.

Key Takeaways

  • Particularly important entities (including KRITIS) face ex ante BSI supervision — audits can occur without any incident or complaint as a trigger. Important entities face reactive oversight only.
  • The maximum fine for particularly important entities is €10 million or 2% of global annual turnover (whichever is higher); for important entities, €7 million or 1.4%.
  • The BSIG’s violation-specific fine table runs from €100,000 for contact point failures to €10 million for core cybersecurity measure violations, with registration failures and inspection obstruction each capped at €500,000.
  • BSI’s enforcement toolkit includes public disclosure of infringements, monitoring officer appointment, service authorisation suspension, and — in persistent non-compliance cases for particularly important entities — a court-ordered temporary prohibition on CEO-level management.
  • §38 BSIG places non-waivable personal liability on management body members for three duties: approval, oversight, and regular documented training. This liability is separate from organisational fines.
  • Germany’s initial enforcement focus has been registration and governance documentation. The escalation path toward financial penalties and supervisory actions is now active.

Frequently Asked Questions

Does the €10 million / 2% ceiling apply per violation or as an aggregate across all violations?

The BSIG sets these as maximum amounts per violation category. Where multiple violations exist simultaneously — for example, a cybersecurity measure failure combined with an incident reporting failure — each can in principle attract its own fine up to the relevant ceiling. The “effective, proportionate, and dissuasive” standard from Article 34 NIS2 governs the aggregate package, and authorities consider proportionality to the entity’s circumstances.

Can an important entity become subject to ex ante BSI supervision?

Not under the standard supervisory distinction established by Articles 32 and 33. The ex ante / ex post divide tracks entity classification, not behaviour. However, an important entity that notifies a significant incident may attract a more intensive ex post investigation, effectively producing a supervisory engagement that resembles ex ante scrutiny in practical depth. The legal trigger threshold remains different.

Does §38 BSIG personal liability apply to non-executive supervisory board members?

The BSIG targets members of the Leitungsorgan — the management body. In German corporate law, the management board (Vorstand) and managing directors (Geschäftsführer) fall squarely within this. The BSI’s November 2025 guidance confirmed that the obligation extends to CFOs and general partners. Non-executive supervisory board members (Aufsichtsrat) are generally not in scope unless they exercise operational management authority, though specific structures should be assessed with qualified legal counsel.

Does the BSI have a formal leniency or cooperation credit mechanism?

The NIS2 Directive and BSIG both list cooperation as a mitigating factor in fine determination. The BSI has signalled publicly that proactive registration and voluntary engagement are considered favourably. This falls short of a formal leniency programme, but the 2025–2026 enforcement record shows that entities engaging proactively — registering, designating contacts, and producing documentation on request — have not been the primary targets of escalation actions.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS 2 Directive, Article 32: Supervisory and enforcement measures in relation to essential entities — nis-2-directive.com
  2. NIS 2 Directive, Article 33: Supervisory and enforcement measures in relation to important entities — nis-2-directive.com
  3. NIS 2 Directive, Article 34: General conditions for imposing administrative fines — nis-2-directive.com
  4. NIS2 in Germany: The New BSI Act Makes Cybersecurity a Board-Level Issue — Greenberg Traurig LLP, December 2025. gtlaw.com/en/insights/2025/12/nis2-in-germany-the-new-bsi-act-makes-cybersecurity-a-board-level-issue
  5. NIS2 in Germany 2026: Deadlines, Fines & BSIG Guide — nisd2.eu
  6. Germany’s Implementation of NIS2: Scope, Liability, and Documentation — Taylor Wessing, November 2025
  7. NIS2 Enforcement 2026: BSI Actively Auditing – Fines Looming — Advisori