NIS2 Germany BSI Deadline 2026: What SaaS Vendors Must Do Before April
BSI enforcement is active. Germany's April NIS2 deadline gives SaaS vendors 6 weeks to close Article 21 gaps. Here's the step-by-step action plan.
The BSI registration deadline passed on March 6, 2026 — enforcement is no longer a future risk. Germany’s NIS2UmsuCG (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which entered into force December 6, 2025, is the strictest NIS2 transposition in the EU. The next hard deadline — Article 21 technical measure compliance — lands in April 2026. This is your 6-week action plan.
Who Is in Scope? Essential vs. Important Entities
Germany estimates approximately 29,000 entities fall under NIS2UmsuCG. The distinction between “Essential” and “Important” determines your fine ceiling and audit frequency — not whether you’re in scope.
| Entity Type | Examples | Max Fine |
|---|---|---|
| Essential | Energy, water, banking, healthcare, digital infrastructure | €10M or 2% global annual turnover |
| Important | Postal, food, manufacturing, digital services, ICT providers | €7M or 1.4% global annual turnover |
The supply chain clause is what catches SaaS vendors. NIS2 Article 21(2)(d) requires covered entities to actively assess security risks in their supply chain. If your product is used by a German Essential or Important entity, that organization’s NIS2 audit now includes questions about you. Enterprise DDQs (due diligence questionnaires) in Germany have included explicit NIS2 supply chain sections since Q4 2025.
You don’t need to be a German company. If you serve German-regulated customers, their compliance obligation flows upstream to you.
The March 6 Deadline Passed — What Does That Mean?
The BSI registration deadline required covered entities to self-declare their scope and contact information in the new BSI registration portal, which opened January 6, 2026. Organizations that missed March 6 are now technically non-compliant on registration.
What this means in practice:
- Audit sweeps begin — the BSI has signaled it will start enforcement cycles. Organizations that haven’t registered are the first targets.
- Enterprise procurement tightens — German enterprise buyers are under pressure to demonstrate their own compliance. Vendor security questionnaires now include NIS2 supply chain sections as standard.
- Article 21 is the next gate — registration was step one. Step two is demonstrating that your technical and organizational measures meet Article 21’s requirements. That deadline is April 2026.
What it does not mean: that it is too late to act. Organizations that complete registration now and remediate Article 21 gaps before April have a defensible compliance posture. Those who wait will face audits without documentation.
The 6 Article 21 Measures Auditors Check First
NIS2 Article 21 defines 10 minimum security measures. In practice, BSI auditors and enterprise procurement teams focus on six that are verifiable from the outside — and where gaps are most common.
- Art. 21(2)(e) — Network and information systems security. Evidence required: network segmentation documentation, firewall rules, intrusion detection logs. Most SaaS vendors can demonstrate this via architecture diagrams and cloud provider compliance reports.
- Art. 21(2)(f) — Vulnerability handling. Evidence required: a documented vulnerability disclosure policy, CVE tracking process, and patch timelines. Automated scanning with timestamps shows continuous attention, not just annual snapshots.
- Art. 21(2)(h) — Cryptography. Evidence required: TLS 1.2+ enforced, HSTS configured, weak ciphers disabled. This is externally verifiable — a scanner hitting your domain reveals your actual configuration, not your policy document.
- Art. 21(2)(i) — Access control and asset management. Evidence required: RBAC policy, privileged access review records, asset inventory. Focus on who can access production systems and how that access is reviewed.
- Art. 21(2)(j) — Multi-factor authentication. Evidence required: MFA enforced for all admin access, customer-facing admin interfaces, and remote access. BSI specifically calls out MFA as a baseline — not optional.
- Art. 21(2)(d) — Supply chain security. Evidence required: a vendor assessment process and security requirements in supplier contracts. As a SaaS vendor, you need to demonstrate you apply the same scrutiny to your own dependencies.
Personal Management Liability — What CTOs Need to Know
NIS2UmsuCG Article 38 introduces direct personal accountability for management. This is not a company fine — it is a fine that can attach to named individuals. For Essential entities, the ceiling is €10M or 2% of global annual turnover (whichever is higher). For Important entities: €7M or 1.4%.
Germany went further than most EU member states. The personal liability clause means a CTO who signed off on a security posture that was knowingly inadequate cannot shelter behind the company. Courts will look at whether management was informed of gaps and what action was taken.
The practical implication: document your decisions. If you run a scan, see findings, and choose not to remediate — document the rationale and risk acceptance. If you do remediate, document the before-and-after. The audit trail is your defense.
4-Week Action Plan for SaaS Vendors
You have 6 weeks to April. Four weeks of active remediation, two weeks of buffer. Here’s the sequence:
Week 1 — Baseline
Run an automated external scan of your production domain. You want to know your actual security headers, TLS configuration, and exposure — not what you think is configured. SaaSFort’s scan covers all 10 Article 21-verifiable measures and produces a shareable report in under a second.
Week 2 — Gap mapping
Map your scan findings to Article 21 measures. Prioritize: MFA gaps (Art. 21(2)(j)), cryptography failures (Art. 21(2)(h)), and missing vulnerability disclosure policies (Art. 21(2)(f)). These three are the most common failure points in German enterprise DDQs.
Week 3 — Remediation
Fix priority gaps in this order: (1) enable HSTS with max-age ≥ 31536000 and includeSubDomains, (2) enforce TLS 1.2+ with modern cipher suites, (3) publish a security.txt with disclosure contact and PGP key, (4) verify MFA is enforced across all admin surfaces. Most of these are configuration changes, not engineering sprints.
Week 4 — Evidence package
Generate a scan report and attach it to your security documentation. Prepare a one-page Article 21 mapping: measure → control → evidence location. This is what enterprise procurement teams ask for — and what BSI auditors want to see.
Ongoing — Continuous monitoring
Compliance isn’t a point-in-time snapshot. Set up automated rescans on your deployment pipeline. Every release that changes security headers or TLS configuration should trigger a verification. Continuous evidence is what differentiates “we passed a scan last year” from “we monitor continuously.”
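The following is an added example, not SaaSFort’s scanner or any code from the original post. It turns the Week 3 thresholds (HSTS with max-age ≥ 31536000 and includeSubDomains, TLS 1.2+ with weak ciphers disabled, a security.txt naming a disclosure contact and a PGP key) and the Art. 21(2)(h) cryptography evidence into checks that produce the Week 4 measure → control → evidence rows and a single pass/fail verdict a deployment pipeline can gate a release on. It runs offline on constructed captures (a pre-remediation and a post-remediation header set, TLS offer and security.txt); fetching the live values is left to whatever scanner you use. The weak-cipher substring list, the mapping of security.txt to Art. 21(2)(f), and the example.com addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

HSTS_MIN_MAX_AGE = 31536000                    # one year, the Week 3 threshold
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Assumption: a cipher suite whose name contains any of these substrings counts as weak here
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5", "ANON")

@dataclass
class Finding:
    measure: str   # Article 21 reference the control evidences
    control: str
    passed: bool
    detail: str    # what was observed, kept for the audit trail

def check_hsts(headers):
    """Strict-Transport-Security must carry max-age >= one year and includeSubDomains."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return Finding("Art. 21(2)(h)", "HSTS", False, "header absent")
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return Finding("Art. 21(2)(h)", "HSTS", False, f"unparseable max-age in {value!r}")
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < HSTS_MIN_MAX_AGE:
        return Finding("Art. 21(2)(h)", "HSTS", False, f"max-age {max_age} below {HSTS_MIN_MAX_AGE}")
    if not include_sub:
        return Finding("Art. 21(2)(h)", "HSTS", False, "includeSubDomains missing")
    return Finding("Art. 21(2)(h)", "HSTS", True, f"max-age={max_age}; includeSubDomains set")

def check_tls(offered_versions, offered_ciphers):
    """Only TLS 1.2/1.3 may be offered, and no cipher suite may match a weak marker."""
    legacy = sorted(v for v in offered_versions if v not in ALLOWED_TLS_VERSIONS)
    weak = sorted(c for c in offered_ciphers if any(m in c.upper() for m in WEAK_CIPHER_MARKERS))
    if legacy or weak:
        return Finding("Art. 21(2)(h)", "TLS", False, f"legacy versions {legacy}; weak ciphers {weak}")
    return Finding("Art. 21(2)(h)", "TLS", True, "TLS 1.2+ only; no weak ciphers")

def check_security_txt(text, now):
    """RFC 9116 security.txt must name a Contact, an Encryption key and an unexpired Expires."""
    fields = {}
    for line in (raw.strip() for raw in text.splitlines()):
        name, sep, value = line.partition(":")
        if line and not line.startswith("#") and sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    missing = [f for f in ("contact", "encryption", "expires") if f not in fields]
    if missing:
        return Finding("Art. 21(2)(f)", "security.txt", False, f"missing fields {missing}")
    try:
        expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
    except ValueError:
        return Finding("Art. 21(2)(f)", "security.txt", False, "unparseable Expires")
    if expires.tzinfo is None:                 # treat a naive timestamp as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        return Finding("Art. 21(2)(f)", "security.txt", False, f"expired {expires.date()}")
    return Finding("Art. 21(2)(f)", "security.txt", True,
                   f"contact {fields['contact'][0]}; expires {expires.date()}")

def evidence_rows(findings):
    """Week 4 mapping rows: measure -> control -> result -> evidence detail."""
    return [(f.measure, f.control, "PASS" if f.passed else "FAIL", f.detail) for f in findings]

def release_gate(findings):
    """Verdict for the pipeline rescan: True only when every check passed."""
    return all(f.passed for f in findings)

# Constructed samples: one pre-remediation capture and one post-remediation capture
BEFORE_HEADERS = {"Strict-Transport-Security": "max-age=300"}
AFTER_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
BEFORE_TLS = (["TLSv1.0", "TLSv1.2"], ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"])
AFTER_TLS = (["TLSv1.2", "TLSv1.3"], ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"])
SAMPLE_SECURITY_TXT = """# constructed sample
Contact: mailto:security@example.com
Encryption: https://example.com/.well-known/pgp-key.txt
Expires: 2027-01-01T00:00:00Z
"""
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)   # fixed clock so runs are reproducible

def run_checks(headers, tls, security_txt, now=NOW):
    """Run all three checks on one captured configuration and return the findings."""
    versions, ciphers = tls
    return [check_hsts(headers), check_tls(versions, ciphers), check_security_txt(security_txt, now)]

if __name__ == "__main__":
    for label, headers, tls in (("before", BEFORE_HEADERS, BEFORE_TLS), ("after", AFTER_HEADERS, AFTER_TLS)):
        findings = run_checks(headers, tls, SAMPLE_SECURITY_TXT)
        print(f"== {label}: release gate {'PASS' if release_gate(findings) else 'FAIL'}")
        for row in evidence_rows(findings):
            print("   " + " | ".join(row))
```

Each Finding keeps the observed value alongside the verdict, so the printed rows double as the before-and-after record the liability section asks you to retain; wiring `release_gate` into the pipeline turns the same check into the per-release verification the continuous-monitoring step describes.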
Run your NIS2 scan now. SaaSFort scans your domain against all Article 21-verifiable measures in under a second and generates a shareable evidence report — the format German enterprise procurement teams request. No signup required for the free scan.
From Theory to Practice
Scan your domain free of charge. First results in under an hour.