# Regulatory Deadlines – ZEMID URL: https://zemid.de/en/compliance-radar Language: English Provider: ZEMID – Zentrum für Mittelstand und Digitalisierung GmbH Location: Frankfurt am Main, Germany Key deadlines for German SMEs – Q2/Q3 2026 --- ## Übersicht Regulatory Deadlines Key deadlines for German SMEs – Q2/Q3 2026 ## Regulatorische Fristen NIS2 – BSI Registration The official registration deadline has passed. Late registration is still possible and strongly recommended. Non-registration is an independent fine offence. Maßnahme: Register immediately via BSI Portal MUK (muk.bsi.bund.de). ELSTER organisation certificate required – application takes several business days. Sanktion: Up to €10M or 2% of annual turnover Betroffen: Approx. 29,500 companies in Germany NIS2 – Implement Security Measures Ongoing obligation without transition period since Dec. 2025. Applies to all affected entities across 10 security domains. Maßnahme: Implement risk management in 10 areas: backup management, multi-factor authentication, supply chain security, incident response plan, access controls, cryptography, emergency plans, vulnerability management, network security, training. Sanktion: Up to €10M (important entities: €7M), personal CEO liability under §38 BSIG Betroffen: Companies with 50+ employees in critical sectors EU AI Act – Governance Structure Recommended milestone before the main application date in August: complete AI inventory, set up governance processes, train employees. Maßnahme: 1. AI inventory across all departments (incl. embedded AI in ERP, CRM, recruiting). 2. Risk classification of each system. 3. Appoint internal AI compliance officers. 4. Assess training needs (obligation under Art. 4 in effect since Feb. 2025). Sanktion: From August 2026: fines up to €35M or 7% of annual turnover Betroffen: All companies using AI – regardless of company size Pay Transparency Directive – Transposition Deadline Germany must transpose the EU Pay Transparency Directive into national law by 7 June. Companies should analyse pay structures now. Maßnahme: Companies with 100+ employees: analyse gender pay gap. If >5% difference: action plan with works council (deadline: 6 months). Salary disclosure in job postings mandatory. Inform about right to information annually. Sanktion: Sanctions under national law (to be specified) Betroffen: Companies with 100+ employees E-Invoicing B2B – Compliance Check Transitional rules run until end of 2026 — paper invoices may still be used for B2B transactions in 2025 and 2026. Maßnahme: Check if ERP/accounting system can generate and receive XRechnung or ZUGFeRD. Inform suppliers and customers about the standard. Ensure archiving obligation for electronic invoices (10 years). Sanktion: Tax law risks, input tax deduction at risk Betroffen: All B2B companies in Germany EU AI Act – Main Application Date Core operator obligations take effect: risk management, log retention (6 months), human oversight, transparency obligations. Maßnahme: For high-risk AI: implement full risk management system + technical documentation. Set up monitoring processes. Note: High-risk AI (Annex III, e.g. AI in HR or credit scoring) only mandatory from Dec. 2027. Sanktion: Up to €35M or 7% of annual turnover Betroffen: All AI operators and providers EU Data Act – Access by Design All new products must enable data access directly and automatically. User data accessible without detour through the manufacturer. Maßnahme: Inform product and software teams. Develop interfaces (APIs) for direct data access. Document data access concepts. Evaluate new business models based on data-driven services. Sanktion: Sanctions under EU regulation, directly applicable Betroffen: Manufacturers of connected products and IoT devices --- Contact: hallo@zemid.de · +49 69 300 38 658 Address: Schumannstraße 27, 60325 Frankfurt am Main Web: https://zemid.de/en Additional machine-readable resources: https://zemid.de/llms.txt · https://zemid.de/sitemap.xml