Digital Compliance 2026: BFSG, NIS2, and E-Invoicing for SMEs

BFSG, NIS2, and e-invoicing are reshaping digital compliance for SMEs in 2025 and 2026. Which rules are actually relevant, which deadlines matter, and where pragmatic action is needed now.

Lindwurm Digital

In 2025 and 2026, a regulatory wave is rolling over German companies that many haven’t yet noticed. The Accessibility Strengthening Act (Barrierefreiheitsstärkungsgesetz, or BFSG) has applied since June 2025, the e-invoicing mandate is taking effect in stages, and NIS2 is already creating pressure despite open implementation questions in Germany. Anyone who doesn’t start checking now which of these regulations affect their own website and business processes risks having to retrofit under time pressure in the coming months — or worse, running into a formal warning or a security incident.

This post is an early warning system: we explain which regulations are truly relevant for which SMEs, which deadlines apply, and how you can start with a pragmatic prioritization — without being driven by panic or bureaucratic overload.

Important note: This post does not constitute legal advice. The information is based on publicly available sources regarding BFSG, NIS2, and e-invoicing requirements and provides an overview. For legally binding statements about your specific situation, please consult a specialist in IT and data protection law.

The Three Regulations at a Glance

1. Accessibility Strengthening Act (BFSG) — In Force Since June 2025

The BFSG is the German implementation of the European Accessibility Act. Since June 28, 2025, certain digital products and services must be accessible. The full legal text is available on gesetze-im-internet.de/bfsg. An overview is provided by the German Federal Ministry of Labour and Social Affairs.

Affected areas (selection): E-commerce websites with online shop functionality, banking services and digital financial products, e-books and digital media, telecommunications services, passenger transport services with online booking.

What “accessible” concretely means: The requirements are oriented toward established standards like WCAG 2.1 at Level AA. This includes keyboard operability, sufficient color contrast, screen reader compatibility, meaningful alt texts, clear error messages, and understandable language.

The exception for micro-enterprises. For services, there is an exception for micro-enterprises (fewer than ten employees and under two million euros annual turnover). Important: This exception does not apply to products and does not automatically cover all business models. If you’re unsure whether you fall under this exception, have it checked on a case-by-case basis — the classification isn’t always obvious.

Practical examples that many overlook: An online florist with ordering capability is just as much part of the discussion as a large shop. A trades business with an integrated booking and payment process can be affected. A fitness studio that sells memberships online, likewise. In practice, the law reaches significantly further than most people spontaneously estimate — and that’s precisely why an early check makes sense.

Accessibility pays off even beyond the legal requirement. Even companies that aren’t formally covered by the BFSG benefit from an accessible website: you reach more people (millions of people in Germany live with a disability, many millions more are over 65), you typically improve SEO quality at the same time, and you come across as more professional to every visitor. The effort invested in accessibility pays off multiple times over.

Details on practical implementation in our comprehensive BFSG guide.

2. NIS2 Directive — Implementation Status and Practical Pressure

The Network and Information Security Directive 2 (NIS2) is the EU-wide response to growing cyber threats. What is already clear is that the circle of affected companies will expand well beyond classic “critical infrastructures.” What is less clear, at least in Germany, is the exact implementation status in every detail. That is precisely why companies should not wait passively, but should instead have their likely exposure checked from both a legal and technical perspective.

Who is affected? NIS2 distinguishes between “particularly important” and “important” entities across numerous sectors — including digital infrastructure and IT services, parts of manufacturing, food production and trade, postal and courier services, and areas that many SMEs don’t automatically associate with cybersecurity regulation.

The thresholds aren’t the whole picture. Formally, obligations kick in above certain company sizes (typically from 50 employees or ten million euros annual turnover in affected sectors), but smaller companies can also be affected — especially if they work as suppliers or service providers to critical infrastructures.

The supply chain effect is the real point. Many smaller companies feel safe because they don’t meet the thresholds. The reality: NIS2-obligated companies are required to verify the security of their supply chain — and they will demand corresponding proof from their service providers. A web designer with ten employees who manages websites for a logistics company can be indirectly pulled into scope, even if they aren’t directly regulated themselves.

What NIS2 means for your website and infrastructure (in essence):

  • Basic encryption of all data transfers (HTTPS as a given)
  • Regular security updates and active patch management for CMS and infrastructure
  • Incident response plan for security incidents
  • Risk assessment of deployed IT systems including website and CMS
  • Reporting obligations for security incidents within defined timeframes
  • Documented security concepts and regular audits
  • Management-level responsibility — NIS2 explicitly addresses executive leadership

Executive responsibility. A point many SME owners don’t have on their radar: NIS2 holds leadership bodies more accountable for actively addressing the company’s cybersecurity. Exactly how personal liability looks in individual cases is a legal question — but the basic idea is clear: IT security is a management issue, no longer just the IT department’s concern.

If you’re unsure whether and how your company is affected, seek a legal and technical assessment rather than hoping nobody comes knocking.

3. E-Invoicing Mandate — Gradually from 2025

Since January 1, 2025, companies in Germany must be able to receive e-invoices in the B2B sector. The sending requirement takes effect in further stages in subsequent years.

What many don’t know: An e-invoice in the sense of this mandate is not a PDF sent via email. These are structured, machine-readable formats — in Germany, XRechnung and ZUGFeRD are the most common. Anyone processing invoices through their own website or customer portal needs to ensure the technical prerequisites are in place: receiving from 2025, sending from the subsequent deadlines.

The key message: If you’re still sending Word documents or simple PDFs as invoices today, it’s time to discuss this with your tax advisor and accounting software. Most modern accounting tools already support the new formats — the technical part is manageable. The organizational part (processes, responsibilities, transition phase) requires more planning.

The specific deadlines for the sending requirement depend on factors including annual turnover and are being introduced in stages under German implementation law. Check current deadlines with your tax advisor, as details may still change through 2028.

What This Means for Your Website Concretely

The combination of BFSG, NIS2, and the e-invoicing mandate means: A website that simply “exists” is no longer enough. The minimum requirements for a legally compliant business website are rising noticeably — and the good news is that many of these requirements are simultaneously good practice that benefits a website regardless of any regulation. Security, performance, accessibility, and clean documentation aren’t just compliance topics — they’re economically sensible.

Checklist: Is Your Website 2026-Ready?

Accessibility (BFSG):

  • WCAG 2.1 AA conformity has been tested or at least assessed
  • Keyboard navigation works throughout
  • All images have meaningful alt texts
  • Color contrasts meet minimum requirements
  • Forms are clearly labeled and error-tolerant
  • Videos have subtitles where required
  • An accessibility statement is published (if applicable)
  • A feedback mechanism for accessibility is in place

IT Security (NIS2-relevant):

  • HTTPS encryption is active
  • CMS and plugins are up to date
  • Strong passwords and two-factor authentication are established
  • Regular, automated, and tested backups
  • Basic security monitoring is set up
  • Privacy policy is current and complete
  • An incident response plan is documented
  • Responsibilities for IT security are clearly assigned
  • Employees are trained on phishing and secure working practices

E-Invoicing:

  • Receiving structured e-invoice formats is technically possible
  • Accounting software supports e-invoice formats
  • A customer portal (if applicable) can provide e-invoices
  • A process for sending is planned or already established

Data Protection (GDPR):

  • Cookie consent is correctly implemented
  • Data processing agreements with all service providers are in place
  • The hosting location is known and documented
  • A processing register exists

Details on GDPR implementation in our GDPR-Compliant Website Checklist.

What SMEs Should Concretely Do Now

Step 1: Take Stock

Have your website tested for accessibility and security. There are free testing tools that provide an initial overview — but the most important test is a human one: try navigating your own website using only the keyboard. Check whether your accounting software can receive e-invoices. Talk to your tax advisor about the specific deadlines for your company.

Step 2: Prioritize

Not everything needs to happen immediately. A pragmatic prioritization:

  1. Highest priority: Close basic security gaps — HTTPS, current CMS and plugin versions, backups.
  2. High priority: Accessibility for core functions — navigation, forms, checkout (if applicable).
  3. Medium priority: Content adjustments — alt texts, contrasts, subtitles, clear error messages.
  4. Planned: Establish full e-invoicing capability, build security documentation, training.

Step 3: Implement

Work through the priority list — internally or with agency support. For complex websites, a structured website relaunch is often more efficient than patching ten things at once after the fact.

Step 4: Document and Monitor

Accessibility and security are not one-time projects. Establish regular audit routines and document your measures. This protects you in case of disputes and is simultaneously the beginning of clean internal quality assurance.

Timeline: What Should Be on Your Radar and When

Regulation              | Status                       | What should be checked or implemented
BFSG                    | In force since 28.06.2025    | Check if affected, establish or demonstrably improve accessibility
NIS2                    | Implementation in stages     | Check whether direct or indirect impact exists; document security and processes
E-invoicing (receiving) | Since 01.01.2025             | Ensure ability to receive structured formats
E-invoicing (sending)   | Gradually in following years | Discuss with tax advisor, plan transition phase

Our recommendation on the order: Don’t start with what’s easiest, but with what carries the highest risk. For most companies, that means: close security fundamentals first, then tackle accessibility, then set up clean e-invoicing processes.

Conclusion: Regulation as an Occasion for an Honest Assessment

Yes, the 2025/2026 regulatory wave means effort. But it’s also an occasion to take a thorough look at your own digital infrastructure — something that’s been overdue in most SMEs for years. An accessible, secure, and cleanly documented website isn’t just legally compliant. It’s also better for users, better for SEO, better for AI visibility, and better for your business.

The regulations are forcing you to do something you should be doing anyway. Anyone who starts now with a structured plan avoids the stress and last-minute fixes that others will have to catch up on in six months. And whoever does it right ends up not just with a compliant website — but one that performs better, reaches more people, and works more reliably in the long run.

Your Next Step

At Lindwurm Digital, we analyze your current situation and help you create a pragmatic action plan — prioritized by risk, with clear steps, and without scaremongering. We’ll also tell you honestly if something isn’t relevant for your case.

Schedule a non-binding initial consultation and let’s look together at which of the points described here have the biggest lever for your company — and which you can safely prioritize lower.

Lindwurm Digital GmbH — Web Development and Digital Solutions.