EPSIA Logo
  • Back to Home
  • DE | EN

Funding · July 2026

NIS2 and the EU AI Act: What German SMEs Must Do Now

Introduction

Over the past two years, European lawmakers have created two regulatory milestones that directly affect German SMEs: the NIS2 directive, which has been transposed into national law since December 2025, and the EU AI Act, whose key obligations take effect from August 2026. Both frameworks have direct implications for the software companies use — and in particular for outdated systems that have been in use for years without fundamental modernisation.

Anyone still running legacy software today that neither meets current security standards nor is adequately documented faces a twofold compliance problem. The good news: there are state funding programmes that provide financial support for exactly this modernisation.

NIS2 — What Is It?

The NIS2 directive (Network and Information Security Directive 2) is the revised EU cybersecurity directive, transposed into German law since December 2025. It replaces the original NIS directive from 2016 and massively expands the range of affected companies: no longer only critical infrastructure in the narrower sense is affected, but also small and medium-sized enterprises from sectors such as manufacturing, food production, waste management, postal and courier services, the chemical industry and digital services.

Companies with 50 or more employees or 10 million euros in annual turnover in these sectors fall under the regulation. The key requirements include:

  • Risk management: Companies must implement technical and organisational measures to manage cybersecurity risks.
  • Incident reporting: Security incidents must be reported within 24 hours and reported in detail within 72 hours.
  • Supply-chain security: The security of the entire supply chain — including the software used — must be demonstrably ensured.

For a company's software landscape this means, concretely: legacy software with known vulnerabilities, unpatched dependencies or missing security mechanisms is an immediate compliance risk. Anyone running outdated systems simply cannot meet the requirements for risk management and supply-chain security.

EU AI Act — What's Coming?

The EU AI Act is the world's first comprehensive regulation for artificial intelligence. From August 2026, the key obligations apply to companies that develop, deploy or make AI systems available on the European market. The regulation works with a risk-based approach and distinguishes four categories:

  • Unacceptable risk: AI systems that are prohibited (e.g. social scoring, manipulative techniques).
  • High risk: AI in safety-critical areas such as medicine, transport, human resources or credit scoring — here strict documentation and audit obligations apply.
  • Limited risk: Systems with transparency obligations, such as chatbots that must identify themselves as AI.
  • Minimal risk: Freely usable AI applications without special requirements.

If you use AI in your software or plan to, the technical foundation must be right. Among other things, the AI Act requires complete documentation of the training data used, traceability of decision-making processes, robust quality assurance and continuous monitoring. None of this can be meaningfully built on an outdated, poorly documented codebase.

What This Means for Legacy Software

Many small and medium-sized enterprises rely on software solutions that were developed years ago and have run essentially unchanged ever since. These systems are often the backbone of day-to-day operations — but they carry considerable regulatory risks:

  • Outdated dependencies = security risks = NIS2 problem. Frameworks and libraries that no longer receive security patches contain known vulnerabilities. Each of these vulnerabilities is a potential compliance breach under NIS2.
  • Missing documentation = AI Act problem. Without technical documentation, architecture descriptions and traceable development processes, evidence towards supervisory authorities is impossible — neither for existing AI functions nor for planned AI integrations.
  • No tests = no quality evidence. Anyone without automated tests cannot prove that the software works correctly and securely. This affects both the risk assessment under NIS2 and the quality assurance under the AI Act.

The regulatory message is clear: technical debt is no longer merely an internal efficiency problem — it is a compliance risk with potential fines. Under NIS2, penalties of up to 10 million euros or 2 percent of worldwide annual turnover are possible.

Making Use of Funding Programmes

The good news: the state is aware of the challenges of digital transformation and funds exactly this kind of modernisation. Small and medium-sized enterprises can choose from a range of programmes:

  • Bayern Digitalbonus: Grant of up to 50% of eligible costs, up to a maximum of EUR 30,000 (Digitalbonus Plus). Funds the introduction or improvement of IT security and digital processes — suitable for software modernisation projects.
  • BW Digitalisation financing (L-Bank): Grant and loan variants for IT infrastructure, automation and the use of AI — the successor to the former Digitalisierungsprämie Plus.
  • KfW-ERP digitalisation promotional loan: Low-interest financing from 3.5% for digitalisation projects. Suitable for larger modernisation projects with a longer term.
  • BAFA consulting funding: Grant of up to EUR 1,750 for qualified consulting services around digitalisation and IT security. A good starting point to have the need for action assessed professionally.

In many cases several programmes can be combined. What matters is that the application is submitted before the project starts — retroactive funding is generally excluded.

Conclusion: Modernisation Is No Longer an Option — It's an Obligation

NIS2 and the EU AI Act fundamentally change the rules of the game for German SMEs. Anyone running outdated software risks not only security incidents and data losses, but also substantial fines and competitive disadvantages. The regulatory requirements are clear, the deadlines are running, and the funding opportunities are available.

The first step need not be a mammoth project. A sound analysis of your existing software shows where the greatest risks lie and which measures have the highest compliance impact. That is exactly what we help with.

Start the Quick Check now

© 2026 EPSIA GmbH. All rights reserved. | Imprint | Privacy Policy