MICKAI
Article · 4 July 2026

Germany Flipped the NIS2 Switch. Two-Thirds of Firms Still Have Not Registered

Germany's NIS2 law is binding, the BSI deadline has passed, and its critical-components regime is about to collide with the unmapped AI layer inside every KRITIS operator

Author: Micky Irons
Published: 4 July 2026
Tags: NIS2, Germany, BSI Act, critical infrastructure, KRITIS


On 6 December 2025 Germany stopped talking about NIS2 and started enforcing it. The NIS2 Implementation Act brought the revised BSI Act into force with immediate effect and no grace period, and it handed more than 29,500 companies a hard deadline: register with the Bundesamt für Sicherheit in der Informationstechnik by 6 March 2026. The portal opened on 6 January. The deadline passed. And by most credible counts only about one-third of in-scope entities had actually registered.

That is not a paperwork gap. It is a signal that a large slice of German and DACH critical infrastructure still cannot answer the two questions the new BSI Act quietly forces to the surface: what exactly is in scope, and what exactly is inside the components that scope depends on. We built Mickai for organisations that need to answer both questions with evidence, not assurances.

What actually changed on 6 December

The headline is the immediacy. Unlike the phased runways operators had grown used to, the German transposition applies from the day it came into force. Essential and important entities were expected to identify themselves, register, and begin meeting incident-reporting and risk-management duties straight away. Fines scale to a percentage of global turnover, and the Act pulls management personally into the loop by making cybersecurity governance an explicit board-level duty.

Germany also went further than the EU floor. Beyond the NIS2 minimum, the BSI Act carries a designated critical-components regime. For operators of critical installations, certain components can only be deployed after notification, and the state retains the power to restrict or prohibit a component on the grounds of its provenance and the trustworthiness of its manufacturer. This is the part most compliance summaries underplay, and it is the part that matters most once you look at the modern technology stack honestly.

The part nobody is mapping: your AI stack is a component

Critical-components scrutiny was written with a familiar picture in mind: network gear, control-system hardware, telecoms equipment with a traceable manufacturer and a country of origin. That picture is now incomplete. Increasingly the most consequential component sitting inside a KRITIS operator is an AI system: a model, its weights, its inference runtime, its data pipeline, and the third-party cloud endpoints it quietly calls.

Ask a German energy, water, health, or logistics operator the provenance questions the BSI Act implies, but aim them at the AI stack instead of the switchgear. Who is the manufacturer of the model? Where do the weights physically run? What leaves the building on every inference? Which sub-processors sit behind the API? Most operators cannot answer, because the AI layer arrived as a convenience, not as an engineered, attested component. Under a critical-components regime, "we send it to a hosted model and trust the provider" is exactly the answer the law is designed to interrogate.

This is the under-served intersection. NIS2 supply-chain and critical-components duties apply to the AI stack itself, and almost nobody is treating the AI stack as a declarable component with a provenance file.

[Image: Classical marble scene, Hephaestus, gold rim light on void black]

Why an owned substrate simplifies both problems

Mickai is a Sovereign Intelligence Operating System. Regulated organisations own it and run it inside their own walls, air-gapped where the workload demands it, with a cryptographically-signed audit record on every action the system takes. It is built and live, not a roadmap. That architecture does two useful things for an operator staring at a missed BSI deadline.

First, it collapses the registration-scope question. A large part of why firms have not registered is genuine uncertainty about where their obligations begin and end once data and workloads are scattered across external providers. When the intelligence layer runs on infrastructure you own and control, the boundary of the system is the boundary of your estate. Scope becomes something you can draw on your own network diagram rather than reconstruct from a stack of sub-processor contracts.

Second, it answers the critical-components provenance question directly. Because Mickai is owned rather than rented, the model, the weights, and the runtime are components you can name, version, locate, and attest. The signed audit record gives you a tamper-evident history of what the system did and when. Where an operator needs to demonstrate the trustworthiness of a component to the BSI, "here is the component, here is where it runs, here is the immutable log of its behaviour" is a far stronger position than a vendor attestation you cannot inspect.
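As an added illustration of what "name, version, locate, and attest" and a tamper-evident per-action record can look like in practice (this is example code written for this page, not Mickai's product code; the component names, locations, key and sample artifact bytes are constructed), the Python below builds a declarable component record for an AI inference stack, answering the provenance questions posed above, and keeps an HMAC-signed hash chain of the actions taken on it. It then shows both checks catching a substitution: swapped weights fail the component check, and an edited log entry fails chain verification at the exact index.

```python
import hashlib
import hmac
import json

# Constructed sample bytes standing in for a weights file and a runtime binary.
# A real deployment would hash the artifacts actually on disk.
SAMPLE_WEIGHTS = b"constructed-sample-weights-v1"
SAMPLE_RUNTIME = b"constructed-sample-runtime-1.4.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_component_record(name, version, manufacturer, location, artifacts):
    """Declarable component record: who made it, where it runs, and a content
    hash for every artifact. An empty external_endpoints list states that no
    inference data leaves the operator's estate."""
    return {
        "component": name,
        "version": version,
        "manufacturer": manufacturer,
        "runs_at": location,
        "artifacts": {k: sha256_hex(v) for k, v in artifacts.items()},
        "external_endpoints": [],
    }


def verify_component(record, artifacts):
    """Re-hash what is actually deployed and compare with the declared record.
    Any missing, extra or altered artifact makes the record untrue."""
    if set(record["artifacts"]) != set(artifacts):
        return False
    return all(
        hmac.compare_digest(record["artifacts"][k], sha256_hex(v))
        for k, v in artifacts.items()
    )


def _canonical(body):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Hash-chained, HMAC-signed per-action log. Each entry commits to the
    previous entry's digest and its own sequence number, so editing, deleting
    or reordering any entry breaks verification from that point onward."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key  # constructed key; a real system would use an asymmetric signature
        self.entries = []

    def append(self, actor: str, action: str, component: str) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "component": component, "prev": prev}
        digest = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "digest": digest}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, -1) if the whole chain is intact, else (False, index of
        the first entry that fails)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["digest"]):
                return False, i
            prev = entry["digest"]
        return True, -1


def demo():
    """Walk through a declared component and its action log, then tamper with each."""
    deployed = {"weights": SAMPLE_WEIGHTS, "runtime": SAMPLE_RUNTIME}
    record = build_component_record(
        "llm-inference", "1.4.2", "ExampleCorp (constructed)",
        "dc-frankfurt-rack-7 (constructed)", deployed)
    log = AuditLog(b"constructed-audit-key")
    log.append("ops", "deploy", "llm-inference")
    log.append("svc", "inference", "llm-inference")
    log.append("ops", "rotate-key", "llm-inference")
    chain_ok_before = log.verify()
    # Tampering: someone swaps the weights and rewrites a log entry after the fact.
    swapped = {"weights": b"constructed-unapproved-weights", "runtime": SAMPLE_RUNTIME}
    log.entries[1]["action"] = "noop"
    return {
        "component_ok": verify_component(record, deployed),
        "swapped_weights_ok": verify_component(record, swapped),
        "chain_before": chain_ok_before,
        "chain_after": log.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

HMAC is used only to keep the example self-contained; a production audit record would sign each entry with an asymmetric key (for instance Ed25519) so that auditors and the BSI can verify the chain without holding the signing key, and the weights and runtime hashes in the component record would be taken from the files actually loaded at start-up.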

I want to be precise and honest here, because the market deserves it. NIS2 does not bar KRITIS operators from cloud. DORA, the EBA guidelines, GDPR, and the German regime all permit cloud with controls. The genuine no-cloud bar is workload-level: classified material, isolated OT and SCADA environments, and cases where a data-protection assessment comes back negative. For everything else the case for an owned substrate rests on preference and provability: control over your data, lower long-run exposure to exfiltration, and the ability to produce component-level evidence on demand. That preference is not niche. Across the UK and EU we count roughly 16,092 sovereignty-minded institutions, some 7,933 regulated core organisations plus about 8,159 large private-sector adjacent ones, sitting inside a Verdantix enterprise-AI-platform software market growing from around 11.7 billion pounds in 2024 toward 39.7 billion pounds by 2030. Under a critical-components regime, provability is not a nice-to-have. It is the whole point.

What the patents contain

We have filed 104 UK patent applications across 13 families, roughly 2,340 claims, naming inventor Mickarle Wagstaff-Irons, and we are working them toward examination. What those filings describe is directly relevant to a critical-components world: sealed on-premise intelligence, the signed per-action audit trail, and provenance and attestation mechanisms for the model layer. These are applications, not grants, but the substance is the point. We built the provenance machinery because we expected regulators to start asking exactly the questions the BSI Act now asks.


The takeaway for DACH operators

If you are one of the two-thirds who had not registered by 6 March, the immediate task is registration, and that cannot wait. But do not treat NIS2 as a form to file and forget. The critical-components dimension of the German law is a preview of where supply-chain scrutiny is heading across the EU, and the AI systems now embedded in your operations are components you will eventually have to declare, locate, and defend. An owned, air-gapped, fully-audited intelligence substrate turns that future obligation from an anxious scramble into a diagram you can hand across the table.

The operators who move first will be the ones who can answer the provenance question before they are asked it.

Frequently asked questions

Does NIS2 or the German BSI Act ban us from using cloud AI?

No. The German regime, like DORA and GDPR, permits cloud with appropriate controls. The genuine no-cloud requirement is workload-specific, for classified data, isolated OT and SCADA, or cases where a data-protection assessment fails. The argument for an owned substrate is control and provability, not a blanket legal prohibition.

How does owning the AI substrate help with the critical-components list?

The critical-components regime asks about the provenance and trustworthiness of components inside critical installations. When your model, weights, and runtime run on infrastructure you own, they become components you can name, version, locate, and attest, backed by a cryptographically-signed audit record, rather than an opaque third-party endpoint you cannot inspect.

Are Mickai's patents granted?

No. We have 104 UK patent applications on file, around 2,340 claims across 13 families, named inventor Mickarle Wagstaff-Irons, working toward examination. They describe sealed on-premise intelligence, per-action signed audit trails, and model-provenance attestation.

We missed the 6 March BSI deadline. What now?

Register without further delay, since obligations have applied since 6 December 2025 and penalties scale with turnover. In parallel, start treating your AI stack as a declarable component and map where its data and inference actually run, because that is the question the critical-components regime is built to ask next.

---

Related reading from Mickai: our work on sovereign intelligence for regulated infrastructure, the signed per-action audit record that underpins provable compliance, and how an owned AI substrate answers supply-chain and provenance scrutiny.

Sources: Morrison Foerster, DLA Piper, Greenberg Traurig, Reed Smith.


Originally published at https://mickai.co.uk/articles/german-nis2-march-2026-critical-components-list-and-ai-supply-chain. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
Under Oath, They Said They Could Not Say No. That Sentence Is the Whole Market
Microsoft France told the French Senate under oath that it cannot guarantee European data will never reach US authorities under the CLOUD Act, even inside a French sovereign region. We think that single sentence defines the market. Sovereign cloud is a real engineering improvement, but while the parent is US-domiciled the legal gap stays open. The only structure where the answer to a foreign subpoena is genuinely no is one you own and run inside your own walls.