NIS2 Registration: BSI Sets Extension Deadline of July 31, 2026
The statutory deadline for registration with the Federal Office for Information Security (BSI) under the NIS-2 Implementation Act (NIS2UmsuCG) expired on March 6, 2026. Of the approximately 29,500 affected companies in Germany, only about 11,500 had registered by that date. In response to this significant shortfall, the BSI has communicated to trade associations an extension until July 31, 2026 to allow late registrations.
Background: Low registration rate leads to an extension of the deadline
Since the NIS2UmsuCG took effect on December 6, 2025, affected entities have been required under §33 BSIG to register with the BSI within three months. The registration portal set up for this purpose has been operational since January 6, 2026. The low registration rate indicates considerable uncertainty about self-assessment and the new obligations. The extension now granted should be understood as a goodwill measure; it does not change the fact that the original failure to register in time constitutes an administrative offense subject to a fine.
Who is subject to the NIS2 registration requirement?
The requirement applies to companies and organizations in 18 sectors that meet or exceed defined thresholds. The law distinguishes between two main categories:
- Particularly important entities: Organizations with at least 250 employees, or with annual revenue exceeding 50 million euros and total assets exceeding 43 million euros.
- Important entities: Organizations with 50 or more employees, or with annual revenue exceeding 10 million euros and total assets exceeding 10 million euros.
Regardless of their size, certain entities, such as qualified trust service providers, TLD registries, and DNS service providers, are always classified as "particularly important". Companies in sectors such as energy, transportation, finance, healthcare, and digital infrastructure must assess whether they are affected and, if so, complete the registration.
A special provision applies to financial entities within the scope of the DORA Regulation: they are exempt from the obligations under §30 BSIG (risk management), but the registration requirement under §33 BSIG remains in full force. In addition, affected entities should note that, in parallel with the NIS2 reporting obligation, a security incident that involves a personal data breach must also be reported to the competent data protection supervisory authority within 72 hours under Article 33 GDPR.
Legal Consequences and Personal Liability of Management
Failure to comply with the NIS2 requirements has significant financial and personal consequences. Under §65 BSIG, failing to register in time can by itself be penalized with a fine of up to 500,000 euros. For violations of the risk management and reporting obligations, the sanctions are more severe:
- Particularly important entities: Up to 10,000,000 euros or 2% of global annual revenue.
- Important entities: Up to 7,000,000 euros or 1.4% of global annual revenue.
In addition, §38 BSIG establishes the personal liability of management. Managers are directly responsible for implementing and monitoring the cybersecurity measures and can be held personally liable for breaches of this duty.
Recommendations for Action: What to Do Now
1. Immediate registration: Affected companies that have not yet registered should do so immediately via the official BSI portal. The extended deadline of July 31, 2026 provides an opportunity to complete the registration and reduce the risk of further consequences.
2. Implementation of security measures: Registration is only the first step. Under §30 BSIG, companies must implement ten core risk management measures, including risk analyses, security concepts, and incident response processes. Particularly important entities must demonstrate compliance with these measures by December 2028.
3. Special provision in case of uncertainty: Companies with questions about whether they are affected can submit them collectively to the BSI. After the BSI responds, it grants an additional six-week period for registration.
How LocateRisk Supports NIS2 Compliance
Compliance with NIS2 requirements necessitates continuous and verifiable assessment of an organization’s own IT security and supply chain security. LocateRisk provides the necessary data foundation for this.
The platform generates a detailed analysis of your external attack surface. Based on the results, identified vulnerabilities can be remediated and the effectiveness of the security measures required under §30 BSIG can be demonstrated. Another key aspect of the regulation is supply chain risk management. With its Cyber Vendor Risk Management solution, LocateRisk enables you to continuously assess the IT security posture of third-party providers and helps you fulfill your due diligence obligations.
LocateRisk operates its infrastructure in German data centers and adheres to ISO 27001 standards. This helps you comply with the technical data security requirements of the GDPR and NIS2 and provide the necessary documentation for audits.
A note on our own behalf: This article reflects the legal situation as of the date of publication. Since IT law and compliance requirements are highly complex, this text is intended solely as a general guide and does not constitute legally binding advice. If in doubt, we recommend seeking legal counsel regarding implementation within your company. We assume no liability for the content.
Frequently asked questions
Who is subject to the NIS2 registration requirement?
This applies to companies and organizations that operate in one of the 18 regulated sectors and meet or exceed defined size thresholds. An entity is considered an important entity if it has at least 50 employees, or annual revenue exceeding 10 million euros and total assets exceeding 10 million euros. An entity is considered a particularly important entity if it has at least 250 employees, or annual revenue exceeding 50 million euros and total assets exceeding 43 million euros. Certain entities, such as qualified trust service providers, TLD registries, and DNS service providers, are always classified as particularly important, regardless of their size.
What happens if the registration deadline was missed?
The statutory deadline for registration expired on March 6, 2026. Failure to comply constitutes an administrative offense that may be penalized with a fine of up to 500,000 euros under §65 BSIG. Furthermore, under §38 BSIG, management is personally liable for compliance with the NIS2 obligations. Registration remains possible and is recommended even after July 31, 2026, as it demonstrates to the BSI that the company is taking active steps to comply.
What obligations apply after registration?
Registration is only the first step. Under §30 BSIG, affected organizations must implement ten core risk management measures, including risk analyses, security concepts, and incident response processes. Particularly important entities must provide evidence to the BSI that they have implemented these measures by December 2028. In addition, there is an ongoing obligation to report significant security incidents to the BSI in a three-stage process: an early warning within 24 hours, a detailed incident notification within 72 hours, and a final report after one month.