NIS2 is a European directive under which significantly more companies than before will be required to implement IT security measures within their operations, including many organizations that likely never expected to be classified as important entities for Germany’s critical infrastructure. The requirements of the EU directive have already been incorporated into the German BSI Act and are directly applicable without any transitional periods.
Among the obligations of affected entities is the registration with the German Federal Office for Information Security (BSI). The deadline for this registration, which is subject to administrative fines, officially expired on March 6, 2026.
So far, however, the BSI has shown some leniency despite the low number of registrations received. According to statements by the authority, fines (of up to €500,000) were not expected to be imposed at this stage (as we reported here).
Is that changing now? It appears so!
The BSI has now sent a letter to business associations in which the authority has noticeably tightened its tone.
Affected entities are expected to complete their registration no later than July 31, 2026. According to the BSI, these registrations are overdue. Even in difficult cases involving uncertainty about whether an entity falls within the scope of the regulation, the authority is showing increasingly little tolerance for further delays. Such entities are requested to submit their consolidated questions to the BSI and, if they are found to be within scope, complete their registration within six weeks after receiving the authority’s response.
In other words: “Last Call” for anyone who has not yet devoted sufficient attention to this issue.
The scope of the new IT security requirements is broad and by no means limited to traditional “critical infrastructure” operators. We have previously reported here on examples of rather unexpected cases falling within the scope of the regulation.
Our NIS2 applicability assessment tool (here) provides a free and easy starting point for companies that now need to determine whether they are affected.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
