NIS-2 Registration: What the Executive Suite Must Do Now
5 min read
The statutory NIS-2 registration deadline at the BSI expired on 6 March 2026-and by early April only about half of those required to register had done so. According to industry reports, affected entities still missing have until the end of July to submit a late registration under a temporary dispensation. Responsibility rests with senior management.
Key takeaways
- Deadline: The statutory registration closed on 6 March 2026. Late filings are tolerated until 31 July 2026 under an administrative grace period, without any change to the law.
- Gap: Roughly 29,500 entities are deemed obligated. By 2 April 2026, only 15,477 had registered in the BSI portal.
- Liability: Non-compliance carries fines of up to €500,000. Senior management must implement and monitor risk-management measures and can be held personally liable to their own company for culpable breaches.
- This week: Verify your entity’s scope, secure ELSTER/MUK access, complete registration in the BSI portal, and document the entire process.
Related:Germany’s AI oversight now has an official address / Government ban on an AI model: lessons for mid-market firms
The Deadline Has Passed, the Obligation Remains
On 6 December 2025, the NIS-2 Implementation Act came into force. Since then, the registration requirement for essential and important entities has been governed by the revised Federal Office for Information Security Act (BSIG). For entities affected from the date of entry into force, the statutory three-month deadline expired on 6 March 2026.
The BSI is clear: the legal registration deadline has passed. Any affected but unregistered entities should promptly complete their registration via the BSI portal. There is no legal extension of the deadline. Industry reports and an association letter evaluated by Heise Online describe a regulatory tolerance for late registrations until 31 July 2026: the BSI expects outstanding registrations to be completed by then. Legally, however, the obligation remains unchanged since 6 March-this leniency does not alter the penalty provisions.
For SME executives, the practical calendar is what counts: registrations should be finalised by the end of July 2026. After that, the risk of noticeable regulatory scrutiny increases. The file is already marked “obligation breached” as soon as the affected status applies.
The gap is glaring. Of the roughly 29,500 entities the BSI identifies as regulated, only 15,477 had registered in the portal by 2 April 2026-including 9,894 essential and 5,583 important entities. Heise later reported, citing the BSI, that registrations had reached nearly 18,500 by the end of May. Even then, a significant portion remains outstanding. The BSI plans to release its next official statistics update around 31 July 2026.
Does This Affect Me? The Check Takes Minutes
What is NIS-2? NIS-2 is an EU cybersecurity directive that Germany has transposed into national law through the NIS-2 Implementation Act. It requires companies in specific sectors above a certain size to register with the BSI, implement risk management, and report significant security incidents. Responsibility for compliance lies explicitly with company management.
Waiting for the BSI to reach out proactively misses the point: companies must assess their own status. The BSIG (German Federal Office for Information Security Act) covers essential and particularly essential entities in the sectors listed in Annexes 1 and 2-from energy and transport to healthcare, digital services, and manufacturing. Often, both size and sector are decisive. Particularly essential entities include operators of critical infrastructure and larger companies in high-risk sectors. Domain and DNS services may be affected regardless of company size.
| Question | What to Check | Next Steps |
|---|---|---|
| Sector | Does your business operate in Annex 1 or 2 of the BSIG? | Start BSI compliance check |
| Size | Particularly essential: 250+ employees or over 50 million Euro revenue and over 43 million Euro balance sheet total (Annex 1 only). Essential: 50+ employees or revenue and balance sheet total each over 10 million Euro (Annexes 1 and 2). |
Refer to figures from your latest financial statements |
| Special Cases | KRITIS, DNS, domain registries, digital services | Expert review or legal consultation |
| Result: “Yes” | Registration obligation under § 33 BSIG | MUK + BSI portal this week |
Source: Size thresholds according to § 28 (1) No. 4 and (2) No. 3 BSIG; registration obligation under § 33 BSIG. For KRITIS operators, trust services, TLD registries, and DNS providers, these thresholds do not apply-they are covered regardless of size (§ 28 (1) No. 1 and 2). The BSI’s online compliance check is non-binding-the legal assessment remains the company’s responsibility.
In practice, the BSI’s free online compliance check is often a good starting point. While non-binding, it provides a reliable indication in just a few minutes. If the result is “yes” or “unclear,” prepare for registration and, if in doubt, consult your tax advisor or specialized legal counsel-before the grace period expires.
Registration in Two Steps – and What It Costs
The process is two-tiered and fully digital. Step one: Access via “My Business Account” (MUK) using an ELSTER organisational certificate. Many mid-sized companies already have this certificate for tax administration purposes. If it’s missing, applying for it becomes the bottleneck-and the reason registrations often stall.
Step two: Register in the BSI portal at portal.bsi.bund.de. You’ll need to provide details such as your company name and legal form, contact information including public IP ranges, sector or industry, EU member states where you operate, and the relevant supervisory authorities. The portal also serves as the reporting channel for significant security incidents afterward.
Registration itself is free of charge. Costs arise internally: IT and management time, clarifying your sector and thresholds, and potentially external audits. If the MUK is in place and your NIS-2 obligations are clear, the actual portal registration often takes just a few hours. Technical protective measures are part of the overall package-but for registration, accurate master data and access credentials are all that’s required.
Fines, Liability, and Executive Responsibility: What Really Applies
Failing to register or providing incorrect information constitutes an administrative offense. Under Section 65 (2) No. 6 in conjunction with (5) No. 5 of the BSIG, fines can reach up to 500,000 euros. The higher thresholds-up to 10 million euros for particularly critical entities and 7 million euros for important entities-primarily apply to violations of risk management and reporting obligations. For companies with annual revenues exceeding 500 million euros, an additional revenue-based cap comes into play.
Personal liability under the BSIG primarily refers to internal executive accountability: Section 38 requires management to implement and monitor the risk management measures outlined in Section 30. If they breach these duties negligently, they are liable to their own organisation under the corporate law rules of their respective legal form. Additionally, Section 38 (3) BSIG mandates regular executive training on cyber risks. The chain of responsibility ends in the CEO’s office-and must be documented there.
For managing directors without an in-house legal team, this means: registration and the decision on whether your company is in scope must be filed in management records. Without traceable documentation, there’s no proof of due diligence. If registration is missing, the BSI can, under Section 33 (3), register the entity itself in coordination with other supervisory authorities-triggering external oversight.
What Management Needs to Tackle This Week
The deadline is tight: the industry’s so-called grace period expires on 31 July 2026. A realistic one-week plan for mid-sized companies looks like this:
- Day 1: Complete the BSI’s online scope assessment. Document the results and the key figures used (employees, revenue, balance sheet, sector).
- Days 1–2: Check for an ELSTER organisational certificate and MUK access. If missing, apply immediately-this is the critical path.
- Days 2–3: Designate a responsible contact point and person. Align IP ranges and sector details with IT and finance teams.
- Days 3–4: Finalise registration in the BSI portal. Save the confirmation. Brief management on the outcome and remaining NIS-2 obligations (reporting, risk management, training).
- Day 5: Create an internal to-do list for the next 90 days: incident reporting, risk analysis, and scheduling executive training. Prioritise technical measures in parallel with registration.
Letting the grace period lapse doesn’t remove your obligations-or the risk of fines. Registering now lays the groundwork for reporting and oversight processes. For mid-sized companies without a CISO, this is the pragmatic approach: get on the register first, then build the substance-documented and backed by management.
Frequently Asked Questions
Has the deadline been legally extended to 31 July 2026?
The statutory registration deadline expired on 6 March 2026 and was not extended in the legislative text. Industry reports describe an administrative tolerance for late submissions until 31 July 2026. BSI’s own pages still urge immediate registration. The obligation under § 33 BSIG remains unchanged.
What is the fine only for failing to register?
§ 65 BSIG provides for fines of up to €500,000 for breaches of the registration duty. The higher caps (up to €10 million or €7 million) mainly apply to other duties such as risk management and reporting. Whether and when BSI imposes fines is a matter of enforcement-the legal basis is already in place.
Does the managing director face personal liability if registration is missing?
§ 38 BSIG ties personal internal liability primarily to the duty to implement and monitor risk-management measures. Registration is an obligation of the entity and subject to fines. Its absence often documents organisational failure-and the executive board must be able to demonstrate and prove overall implementation.
How much does registration with BSI cost?
BSI’s portal does not charge a fee for the NIS-2 registration. Internal effort arises (MUK/ELSTER, data clarification, possibly external audits). Leaving affected status unclear risks costly follow-up work and fines-the portal fee is the smallest item on the list.
Is the BSI affectedness check sufficient as evidence?
It is a non-binding aid and a good starting point. Legal assessment and the registration decision remain with the company. Save the result, date and the company data used-this supports internal documentation and discussions with advisors.
Read more on MyBusinessFuture
MyBusinessFutureData Act Implementing Act: What German IoT manufacturers must complete by September 2026MyBusinessFutureE-Invoicing Mandate 2028: 18 months to ready SME accountingMyBusinessFutureEU AI Act: What SMEs must labelMore from the MBF Media Network
cloudmagazinCleanly separating NIS2 and DORA: compliance clusters in KubernetesDigital ChiefsPersonal liability: protecting CIOs under NIS2 and DORA in 2026SecurityTodayWhat is NIS2? Definition, obligations and liabilityImage source: AI-generated (July 2026)

