
    AI Regulation 2026: What German SMEs Must Do Now

    Dr. Oliver Gausmann · April 8, 2026 · 8 min read

    Executive Summary

    Seven EU regulations are simultaneously active and enforceable in April 2026, each requiring operational responses from German SMEs. Germany's NIS2 implementation law took effect in December 2025 with no transition period, covering an estimated 29,500 organizations[1]. The AI Act's AI literacy obligation has been live since February 2025, and from December 2026, manufacturers of software and AI products face liability under the revised Product Liability Directive[2][23]. An integrated governance framework can reduce compliance effort by up to 60%, because six of the seven regulations share the same core requirements[12].

    Regulation | Status April 2026 | Next Deadline | Max Penalty
    EU AI Act | Prohibitions + AI Literacy + GPAI in force | Aug 2026: Transparency obligations; Nov 2026: Watermarking (Omnibus) | €35M / 7% revenue
    NIS2 (Germany) | Fully in force since 06.12.2025 | Registration deadline passed (Mar 2026) | €10M / 2% revenue
    DORA | Fully in force since 17.01.2025 | 31.12.2026: BAIT/VAIT superseded | Up to 2% revenue (daily 1%)
    CRA | In force since 10.12.2024 | Sep 2026: 24h vulnerability reporting | €15M / 2.5% revenue
    Product Liability (new) | Directive in force since 08.12.2024; Bundestag 1st reading 04.03.2026 | 09.12.2026: Transposition deadline, software/AI = product | Civil liability (no cap)
    Data Act | In force since 12.09.2025 | Sep 2026: Access by Design | Up to €500K (DE)
    GDPR + AI | EDPB Opinion 28/2024; DSK RAG guidance | 2026: Coordinated enforcement on transparency | €20M / 4% revenue

    Digital Omnibus status (8 April 2026): Council (13 March) and Parliament (26 March, 569 to 45 votes) have adopted their negotiating positions[3]. Both call for the high-risk deadline to shift to December 2027. Trilogue has been running since 26 March. Target agreement: 28 April 2026. Current deadlines remain legally binding until formal adoption.

    Which regulations apply to your company?

    Every CEO needs to know which of these regulations apply to their specific company. Three factors determine this: employee count, sector, and product portfolio.

    Every company deploying AI systems has been required to ensure the AI literacy of its staff since February 2025 (Art. 4 AI Act)[2]. Prohibited practices apply regardless of company size. Any AI application processing personal data triggers GDPR obligations. The EDPB clarified in its Opinion 28/2024 that legitimate interest can serve as a legal basis for AI training but requires a three-part balancing test[4].

    Companies in NIS2 sectors (energy, transport, healthcare, digital infrastructure, manufacturing, food, chemicals, and 12 others) with more than 50 employees or €10 million revenue fall under Germany's NIS2 implementation law[1]. The BSI registration portal has been live since January 2026; the deadline passed in March 2026. Managing directors bear personal liability under §38 BSIG with no option for contractual limitation[6].

    Manufacturers of products with digital elements (machinery, IoT devices, industrial software) are subject to the Cyber Resilience Act. From September 2026, actively exploited vulnerabilities must be reported within 24 hours[7]. Full conformity with CE marking applies from December 2027. For connected products, the Data Act adds an "Access by Design" obligation from September 2026[8]. In the UK, the Product Security and Telecommunications Infrastructure Act has been in force since April 2024 with similar objectives, making CRA compliance a competitive advantage beyond EU borders.

    The revised Product Liability Directive adds another layer: software and AI systems are now classified as "products" for liability purposes, with a transposition deadline of 9 December 2026[23]. The German Bundestag held its first reading of the implementing legislation on 4 March 2026[23]. Non-compliance with CRA or AI Act requirements can trigger a rebuttable presumption of product defectiveness in civil proceedings. Manufacturers who retain control over their product after placing it on the market (through updates, digital services, or connected components) can be held liable for defects that arise afterward[23].

    Financial sector firms and their IT suppliers fall under DORA, which has been fully applicable since January 2025. DORA is lex specialis to NIS2 and imposes stricter incident reporting: four hours after classification as severe[10]. BaFin is conducting systematic audits throughout 2026. SMEs are affected if they serve as critical ICT third-party providers to financial institutions.

    Even companies below the formal thresholds face indirect pressure. NIS2-regulated customers increasingly require contractual cybersecurity assurances from their suppliers[11].

    Where do the requirements overlap?

    Five requirement areas appear across virtually every regulation. Building them once in an integrated framework saves an estimated 60% of compliance effort compared to siloed projects[12].

    Requirement | AI Act | NIS2 | DORA | GDPR | CRA
    Risk Management | AI risk classification | Cyber risk analysis | ICT risk framework | DPIA | Product security assessment
    Incident Reporting | Serious incidents | 24h / 72h / 1 month | 4h / 72h / 1 month | 72h (96h proposed) | 24h to ENISA
    Supply Chain | AI supplier assessment | Art. 21: Supply chain security | Art. 28: ICT third-party | Processor management | Component security
    Governance | Human oversight | Personal director liability | Personal director liability | DPO | Declaration of conformity
    Documentation | Technical documentation | Risk analyses | Information register | Processing records | SBOM + CE

    A single risk register with regulation-specific categories serves all frameworks. One incident response process with differentiated reporting timelines replaces five parallel notification chains. A vendor assessment framework with regulation-specific add-on modules eliminates redundant supplier audits.

    The Digital Omnibus proposes a unified EU reporting portal that automatically routes notifications to the relevant authorities[3]. Until that portal is operational, companies must build their own multi-regime notification logic. The revised Product Liability Directive adds further motivation: non-compliance with CRA or AI Act requirements can serve as evidence of product defectiveness in civil proceedings[23].

    Which certification delivers the most leverage?

    ISO 27001:2022 covers 60 to 85% of NIS2 requirements and approximately 85% of DORA requirements[13]. The remaining gaps are primarily sector-specific reporting timelines and technical penetration testing mandates. For a 100-person SME, certification typically costs between €50,000 and €100,000 (estimate) and takes six to twelve months.

    For AI governance specifically, ISO 42001:2023 supports EU AI Act compliance for high-risk systems, though it does not guarantee conformity since legal requirements exceed any voluntary standard[14]. The forthcoming harmonised standards from CEN-CENELEC JTC 21 are expected to reference ISO 42001 concepts.

    Revised in October 2025, ISO 27701 is now a standalone management system, removing the previous ISO 27001 prerequisite[16]. It maps GDPR requirements directly and includes new annexes on AI-related data processing.

    For the automotive supply chain, TISAX assessments cover NIS2 Art. 20 and Art. 21 requirements completely when all affected locations are within scope[17]. Cloud service providers benefit from the BSI C5 attestation with 121 controls[18]. In contrast, US-based frameworks like SOC 2 Type II provide reasonable overlap with ISO 27001 but do not map directly to NIS2 or AI Act requirements. For EU compliance, ISO-based certification is the more efficient path.

    Priority | Certification | Coverage | Timeline
    1 | ISO 27001:2022 | NIS2 (60 to 85%), DORA (85%), AI Act (security), CRA (org) | Start now, 6 to 12 months
    2 | ISO 42001 | AI Act (high-risk), AI governance | From Q3 2026
    3 | ISO 27701:2025 | GDPR, AI Act (privacy) | From Q1 2027
    4 | Sector-specific (TISAX/C5/B3S) | Sector obligations + NIS2 | As needed

    Will the Omnibus package shift the deadlines?

    Two Omnibus packages affect SMEs. The Sustainability Omnibus has been adopted: Directive (EU) 2026/470 entered into force on 16 March 2026, raising CSRD reporting thresholds to 1,000 employees and €450 million revenue[19]. For the typical Mittelstand company, sustainability reporting obligations are effectively gone.

    The Digital Omnibus has been in trilogue since 26 March 2026. Council and Parliament broadly agree on core points: the high-risk deadline shifts to December 2027 (Annex III) and August 2028 (Annex I)[3]. Both institutions have rolled back several of the Commission's simplification proposals. Parliament wants to keep the AI literacy obligation mandatory, with a lowered standard[3]. A new prohibition on AI systems generating non-consensual sexual deepfakes has been added by both co-legislators. For watermarking of AI-generated content (Art. 50), Parliament is pushing for 2 November 2026 as the deadline[3]. The DIHK position paper calls for unified definitions across all digital legislation and tiered certification options[21]. Agreement is targeted for 28 April 2026. Until the Omnibus is formally adopted, all existing deadlines remain legally binding. Plan for August 2026, hope for December 2027.

    What must CEOs do this week?

    Block 90 minutes on Monday and open the BSI's applicability check at bsi.bund.de. The 15 questions determine whether NIS2 applies to your company. Write the result on a single page: affected sector yes/no, thresholds met yes/no, BSI registration completed yes/no. If you missed the March 2026 registration deadline, complete it in the same session. The BSI portal has been online since January 2026[1]. In the same sitting, assess whether the CRA or Data Act applies to your products.

    Commission an ISO 27001 readiness assessment from an accredited provider, even if NIS2 does not formally apply to you. The assessment benchmarks your current posture against the standard and produces a gap analysis with a prioritised action list. Typical timeline to certification: six to twelve months. Investment for lower Mittelstand: from €50,000 (estimate). The readiness assessment itself costs between €3,000 and €8,000 (estimate) and takes two to four weeks.

    Map every AI system in use across your company, from the customer service chatbot to AI-assisted applicant screening. Classify each according to the AI Act risk tiers: prohibited, high-risk, limited risk, minimal risk. Most office AI tools (Copilot, ChatGPT in a browser) fall under minimal risk. It becomes critical with AI in HR processes, credit decisions, or biometric identification. Verify that your staff meets the Art. 4 AI literacy requirement[2]. Bitkom provides free self-assessment guides[22]. If you operate high-risk systems, begin documentation now. Waiting for the Omnibus to be formally adopted is a bet, not a strategy.

    Our Take

    Almost every managing director tells us the same thing: "We're handling NIS2 with the IT manager and sorting out the AI Act separately." It sounds reasonable. It is the most expensive approach. With one client of around 200 employees, we built a single risk register with five regulation-specific modules. The compliance workload roughly halved (estimate based on two comparable engagements).

    Something that stuck with me since: across three other engagements, ISO 27001 certification ended up costing less than the legal fees that a penalty negotiation would have required.

    Three deadlines converge in September 2026: CRA vulnerability reporting, Data Act Access by Design, AI Act transparency obligations. In December, the Product Liability Directive adds another. Companies without a functioning multi-regime incident response process by summer 2026 will spend the autumn in crisis mode.

    To check which regulations apply specifically to your company and where you stand today, see the AI regulation check for SMEs.

    Sources

    [1] MyBusinessFuture: NIS2-Umsetzung im Mittelstand 2026
    [2] Bitkom Consult: Nächste Phase des EU AI Act ab August 2025
    [3] EU-Parlament: Digital Omnibus on AI Legislative Train
    [4] EDPB Opinion 28/2024: KI-Modelle und DSGVO
    [5] DSK Orientierungshilfe zu RAG-basierten KI-Systemen 2025
    [6] Secjur: NIS2 Haftung Geschäftsführer §38 BSIG
    [7] Hogan Lovells: CRA Key 2026 Milestones
    [8] EU-Kommission: Data Act Policy
    [9] Bundestag: Verabschiedung EU-Datenzugangsgesetz März 2026
    [10] BaFin: DORA Digital Operational Resilience Act
    [11] Kopexa: NIS2 unterschätzte Pflicht für Mittelstand und Zulieferer
    [12] Enactia: Compliance Triple Threat DORA NIS2 EU AI Act Overlap
    [13] Kopexa: NIS2 ISO 27001 Mapping
    [14] Cloud Security Alliance: ISO 42001 und EU AI Act
    [15] Bitkom: Wettbewerbsfähige AI-Act-Normen schaffen 2025
    [16] TekClarion: ISO 27701:2025 GDPR Compliance
    [17] ENX Association: TISAX als Beitrag zur NIS-2 Cybersicherheit
    [18] BSI: C5 Cloud Computing Compliance Criteria Catalogue
    [19] PwC Viewpoint: Omnibus Directive Finalised 2026
    [20] Skadden: Commission Proposes Changes to EU Digital Rules
    [21] DIHK: Positionspapier Digital Simplification Package
    [22] Bitkom: AI Act kommt nach Deutschland
    [23] A&O Shearman: Update Produkthaftungsrecht Deutschland März 2026
