EU AI Act: Is my company affected?
The EU AI Act applies in stages. Here is what small and mid-sized companies need to know, which obligations kick in, and why panic is the wrong advisor.
NIS2 has been applicable since December 2025 for 29,500 companies. Here's how digital workers support reporting deadlines and compliance documentation.

Since December 6, 2025, the NIS2 Implementation and Cybersecurity Strengthening Act, for short NIS2UmsuCG, has been in force in Germany. Those affected must report security incidents within a narrow timeframe going forward and be able to document them comprehensively, often with teams that lack both additional personnel and established processes for this.
Digital workers address precisely this operational gap: not as a substitute for legal advice, but as a tool that keeps deadlines, protocols, and documentation tidy in the background.
Since the NIS2UmsuCG came into force, the BSI has overseen approximately 29,500 institutions in Germany, compared to just under 4,500 previously (BSI Press Release of November 13, 2025).
Affected are companies with 50 or more employees or 10 million euros in annual turnover in one of 18 regulated sectors, from energy and healthcare to transport and digital services. The law distinguishes between highly critical and critical entities, depending on sector and size. For mid-market companies, this is a tangible change: businesses that have never viewed themselves as critical infrastructure—such as an IT service provider with 60 employees or a mid-market logistics company—now fall regularly under the law.
By the first registration deadline on March 6, 2026, only about 11,500 of the 29,500 obligated companies had registered on the BSI portal, which is 38.5 percent (Security-Insider, March 2026).
The BSI responded with an extension until July 31, 2026, after which systematic audits begin. Anyone not registered and not prepared for a reliable reporting organization by then faces open risk: failure to register alone can be penalized with up to 500,000 euros.
A material security incident must be reported to the BSI in three successive stages: an early warning within 24 hours, a follow-up report within 72 hours, and a final report no later than one month (BSI on NIS 2 Notification Obligation).
Even the early warning requires an initial assessment of the incident, a description of the disruption, and whether malicious intent is suspected—explicitly before a complete investigation is even possible. The principle behind it: speed over completeness. For a small IT team already dealing with the disruption itself in an emergency, this creates a stressful situation that brings security incident and bureaucracy together in one day.
NIS2 has been in force since December 6, 2025, and affects approximately 29,500 companies in Germany. Only 38.5 percent had registered by the first deadline; the extension runs until July 31, 2026. In case of a security incident, every hour counts from the moment awareness is established: 24 hours for the early warning, 72 hours for the follow-up report, one month for the final report.
Automated workflows handle the operational side of NIS2 documentation, not the legal assessment. An n8n workflow, for example, can pick up monitoring alerts from the existing IT security infrastructure, automatically create an incident timeline with timestamps, and notify the responsible person of deadlines for early warning, follow-up report, and final report, including a countdown. In parallel, such a process prefills the recurring fields of the BSI report, gathers logs, ticket histories, and communication records in a folder, and keeps them ready for both internal and external audit.
This pays double because affected institutions must proactively and repeatedly demonstrate the implementation of their security measures, in practice regularly through audits, inspections, or certifications (activeMind AG on NIS 2 Documentation Obligation). Those who compile documentation continuously rather than just before an audit have significantly less effort at the next inspection. The legal assessment of whether an incident is reportable at all remains always with management or external consultation, similar to how it already applies with the EU AI Act for SMEs: automation and regulation complement each other only when roles remain clearly separated.
For building a robust governance structure around such processes, our AI Consultation, and for ongoing documentation and deadline tracking, our offering for Automating Reporting.
No workflow decides whether an incident is material under the BSIG—that remains a legal and technical assessment. Automation cannot replace a missing risk analysis or missing incident response plan; it only makes existing processes faster and more comprehensively documented. Anyone without a reporting organization yet should first establish this foundation with a specialized consultant or legal department, then automation of recurring processes becomes worthwhile.
The NIS2UmsuCG has been in force since December 6, 2025. Affected are companies with 50 or more employees or 10 million euros in annual turnover in one of 18 regulated sectors, regardless of whether they consider themselves critical infrastructure.
Violations of the notification obligation can be penalized with fines up to 10 million euros or 2 percent of worldwide annual turnover for highly critical entities, depending on severity and category of the entity.
Yes. The BSI has granted an extension until July 31, 2026. After that, systematic audits begin, but late registration is still fundamentally possible and significantly better than none.
NordFlux automates the documentation, deadline tracking, and logging around the reporting process. The legal assessment of whether an incident is reportable remains the responsibility of management or specialized legal consultation.
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
The EU AI Act applies in stages. Here is what small and mid-sized companies need to know, which obligations kick in, and why panic is the wrong advisor.
AI rarely fails in mid-market companies due to technology; it's missing governance that stops it. Four checkpoints for AI readiness before your first AI agent goes live.
In a free initial analysis we discuss your case directly. No strings attached.