Three Compliance Laws, Zero Mercy

By Lukas Uhl


Three Laws, One Deadline Problem

Most companies deal with one major compliance overhaul at a time. European businesses right now are getting three simultaneously - and the deadlines are not waiting for anyone to catch up.

NIS2. The AI Act. CSRD.

What makes this different from previous regulatory waves: these three frameworks do not overlap cleanly. They require fundamentally different internal capabilities - cybersecurity documentation, AI governance, and ESG data infrastructure. A company that has its NIS2 posture sorted is often completely exposed on AI Act obligations. A company that is CSRD-aware has usually not inventoried its AI tooling at all.

And here is the thing nobody says in the consultancy brochures: this is not primarily a legal problem. It is a revenue problem.

The companies that move first on compliance are already using it to win deals. The companies that wait are about to lose them.


What Each Law Actually Demands

NIS2: The 30,000-Company Expansion

NIS2 (Network and Information Security Directive 2) did not just update the old NIS directive - it replaced it with something of three times the scope. Where the original NIS covered roughly 1,000 companies in Germany, NIS2 captures an estimated 30,000 or more.

The trigger criteria: operating in covered sectors (manufacturing, food production, logistics, digital infrastructure, healthcare, energy, and more) with either more than 50 employees or more than €10 million in annual turnover. That threshold catches a significant portion of the German Mittelstand - companies that previously had zero contact with EU cybersecurity regulation.

What NIS2 actually requires is not vague: incident reporting within 24 hours of discovery, documented risk management processes, supply chain security assessments (meaning you need to audit your IT vendors), and - critically - board-level accountability. Under NIS2, managing directors can be held personally liable for cybersecurity failures. That is a significant shift from treating IT security as an IT department problem.

The penalty ceiling: €10 million or 2% of global annual turnover for essential entities. Germany transposed NIS2 into national law through the NIS2UmsuCG, and the BSI has been actively building its enforcement infrastructure.

A concrete example: In late 2024, a mid-sized German logistics company discovered during a vendor audit that one of their IT service providers had network access that had not been formally reviewed in over four years. Under NIS2, that gap is exactly the kind of supply chain exposure that constitutes a reportable risk. The company spent 14 weeks and approximately €80,000 in external consultant fees to document and remediate the issue retroactively. Companies that started the inventory process earlier paid a fraction of that.

The lesson is not that NIS2 is punishing. It is that undocumented complexity is expensive to uncover under pressure.

The AI Act: The Obligation Nobody Reads Until It Is Too Late

The EU AI Act is the world’s first comprehensive AI regulation, and it is already in partial force. What most companies miss: you do not have to build AI to be subject to it.

If your company uses AI tools that fall into the high-risk category - which includes AI systems used in recruitment and HR decisions, credit assessment, access to essential services, and safety-critical processes - you carry obligations under the AI Act regardless of whether you built the tool or bought it off the shelf.

The highest-risk applications (real-time biometric surveillance, social scoring systems) are already prohibited as of August 2024. High-risk AI systems face requirements that begin rolling in from August 2026:

  • Technical documentation sufficient for regulatory review
  • Human oversight mechanisms built into the process
  • Conformity assessments before deployment or major updates
  • Registration in the EU AI Act database for certain categories

The maximum penalty: €35 million or 7% of global annual turnover. For a company with €50 million in revenue, that is a potential €3.5 million fine - not for building dangerous AI, but for using it without adequate governance.

The practical challenge: most mid-sized companies have no systematic inventory of the AI tools their teams use. Marketing uses AI content generation. Finance uses algorithmic forecasting. HR uses AI-assisted candidate screening. Operations uses automated routing and dispatch. Each of these needs to be assessed against the AI Act risk categories before August 2026.

A B2B SaaS company in Munich ran this exercise internally in Q1 2025. They found 23 distinct AI tools in active use across their 140-person organization - including three that required immediate review under the AI Act’s high-risk definitions. None of the three were on the IT department’s radar. All had been adopted by individual teams without centralized review.

CSRD: The Supply Chain Problem Nobody Warned You About

CSRD (Corporate Sustainability Reporting Directive) replaces the old NFRD and mandates structured ESG reporting. Large companies - more than 250 employees or €40 million in revenue, EU-listed - are already in scope for financial years starting January 2024.

But here is the piece most SMEs are missing entirely: you can be subject to CSRD requirements without meeting any of the size thresholds.

If your customers include large companies that are CSRD-obligated, those customers need ESG data from their supply chain to complete their own reporting. They are increasingly requiring their suppliers - regardless of size - to provide structured, verifiable ESG data: CO2 emissions per product category, labor practices, supplier origin countries, governance documentation.

This is already playing out in German automotive and retail supply chains. A German Tier-2 automotive supplier with 120 employees - well below the CSRD threshold - received a formal ESG data request from their OEM customer in Q1 2025. The request included 47 specific data points required by the OEM for their own CSRD filing. The supplier had internally tracked almost none of them.

The cost to reconstruct 18 months of historical ESG data retroactively: approximately €35,000 in external support plus three months of internal team time. The cost of setting up a lightweight ESG data collection process from the start: under €5,000 and two weeks of setup.

CSRD creates a compounding advantage for early movers. The companies that start data collection now have clean historical records when customers ask. The companies that wait are reconstructing the past under deadline pressure - which is expensive, incomplete, and puts vendor relationships at risk.


Why Compliance Is Now a Revenue Lever

The standard framing for compliance is defensive: avoid fines, avoid legal exposure, keep the lights on.

That framing misses what is actually happening in the market.

NIS2 compliance is becoming a sales requirement. Enterprise customers - particularly in finance, healthcare, and public sector - are increasingly requiring NIS2 certification or equivalent documentation as a condition for vendor relationships. A mid-sized SaaS company reported in early 2026 that three enterprise sales processes had stalled because their procurement teams required NIS2-compliant IT security documentation before contract signing. The sales team had the right product at the right price. They lost the timeline because compliance was not ready.

AI governance is becoming an enterprise trust signal. As AI tools proliferate across operations, enterprise buyers are asking: “How do you govern AI use in your processes?” Companies that can show structured AI Act compliance documentation - an AI tool inventory, risk categorization, oversight mechanisms - have a concrete, credible answer. Companies that cannot are perceived as operationally immature, regardless of product quality.

CSRD data is becoming a procurement filter. The shift is already visible in German automotive and retail. Suppliers that cannot provide ESG documentation are being deprioritized in vendor selection. The bar rises every year: 2026 requirements are stricter than 2024. Companies already collecting the data have a compounding advantage. Companies starting late are chasing a moving target.

The compliance leaders are not spending more on legal fees. They are converting compliance infrastructure into competitive differentiation. They are winning deals that compliance laggards are losing.

This follows the same pattern we see across every operational domain: building systematic processes early pays compound dividends, while firefighting under pressure costs multiples of what structured investment costs upfront. Compliance is no exception.


The Three-Phase System

Phase 1: Scope Clarity (Weeks 1-2)

Before spending anything, answer one question per framework: are we in scope, and how?

The sector definitions in NIS2, the use-case categories in the AI Act, and the size calculations in CSRD all have nuances that a quick web search will not resolve. Use primary sources.

Run a three-column audit:

  • Column A: What the law covers
  • Column B: What your business actually does
  • Column C: Where they genuinely overlap

Be conservative. Assume you are in scope until a qualified review says otherwise. The cost of wrongly assuming you are out of scope is dramatically higher than the cost of a precautionary assessment.

NIS2: Use the BSI’s NIS2 self-assessment tool at bsi.bund.de. 20 minutes. Clear first answer.

AI Act: List every AI tool your teams have used in the last 12 months - vendor by vendor, use case by use case. Then look up each vendor’s AI Act compliance documentation. The major providers (Microsoft, Google, Salesforce, SAP) have published this. Gaps are your starting point.

CSRD: Look at your customer list. If any customer is a large company (250+ employees, €40M+ revenue, EU-listed), email their procurement team and ask what ESG data they will require from suppliers in 2025 and 2026. Their answer tells you exactly what baseline you need to build.

Phase 2: Inventory and Gap Analysis (Weeks 3-6)

Once scope is confirmed, structured inventory reveals what you are working with.

For NIS2: map every critical IT system, every vendor with network access, every data flow that touches sensitive operations. This almost always reveals complexity that was not visible before - vendor access that was never formally reviewed, permissions granted years ago and never revoked, single points of failure in critical systems.

For the AI Act: categorize each AI tool by risk level. Most tools fall into minimal or limited risk categories requiring only basic documentation. High-risk tools need deeper review. The audit itself usually takes 2-3 weeks for a company under 200 people.

For CSRD: identify what ESG data your business already generates, even informally. Energy consumption in utility bills. Hiring and turnover data in HR systems. Major supplier geographies in procurement records. The baseline is usually further along than companies expect - it is just not organized into reportable format.

Gap analysis then prioritizes by two variables: penalty severity and implementation lead time. NIS2 incidents can trigger immediate enforcement action. CSRD requires 18-24 months of baseline data before the first credible report can be filed. The AI Act’s August 2026 deadline for high-risk systems is the next hard cut.

Phase 3: Embed Compliance Into Operations

The companies that handle compliance well do not have compliance departments. They have compliance habits embedded in existing workflows.

Quarterly review cycles built into the calendar. A designated owner per framework - not a new hire, but an existing person with explicit accountability and 2-3 hours per month dedicated to it. Documentation systems that do not rely on any individual’s memory.

The implementation work is a one-time investment. The maintenance cost, when built correctly, is a few hours per month per framework. The cost of not building it - scrambling when enforcement arrives or when a customer demands documentation under sales pressure - runs to multiples of the upfront investment.

For context on how this plays out in practice, AI implementation at mid-sized companies follows the same pattern: one-time setup investment, sustained operational advantage. Compliance infrastructure is no different.


One Action This Week

Pick one framework. Run the scope assessment.

Not a consultant call. Not a full audit. Just answer: are we in scope or not?

  • NIS2: bsi.bund.de NIS2 self-assessment. 20 minutes.
  • AI Act: List every AI tool your team paid for in the last 12 months. Find each vendor’s AI Act documentation. Note what is missing.
  • CSRD: Email one enterprise customer’s procurement team. Ask what ESG data they will need from suppliers in 2026.

One question. One hour. Then you know where you stand.

The companies that started this process in 2024 are ahead. The companies starting now are catching up. The companies that start in 2026 are paying premium rates for expedited remediation - and still losing deals to compliant competitors while they scramble.

Compliance is not a legal formality anymore. It is an operational baseline that determines whether enterprise customers trust you enough to sign.


If you want to build this systematically without hiring an internal compliance function, that is exactly the operational infrastructure work we do at UHL Systems. We map the requirement landscape, identify the quick wins, and build the processes that make compliance sustainable rather than a recurring crisis. Book a strategy call - no pitch, just a clear-eyed look at where you stand and what it takes to get compliant without blowing your operations budget.
