Today, Friday, 6 March 2026, is the deadline for registration under NIS2. But what does this mean for companies that have not yet taken action? Are the first fines now imminent?
Registration requirement: Many companies still not registered
The German Federal Office for Information Security (BSI), as the responsible supervisory authority, has repeatedly emphasised in recent weeks that the number of registrations received is significantly below expectations. Apparently, many companies are still unaware that they fall within the scope of the NIS2 legislation.
What has happened so far?
The German law implementing the NIS2 Directive (EU) 2022/2555 came into force on 6 December 2025. The new regulations, which impose on affected companies to implement comprehensive cybersecurity measures, are now essentially contained in the amended Act on the Federal Office for Information Security (“BSIG”).
Section 33 BSIG stipulates that affected companies must register with the BSI within three months. From a formal legal perspective, late registration already constitutes the first violation punishable by a fine (up to € 500,000).
The BSI portal for NIS2 registration
Since 6 January 2026, a dedicated portal for NIS2 registration has been available on the BSI website. Affected companies can and must use this portal to submit the required information. The portal guides users step by step through the process – from master data and contact details to IP address ranges and the relevant sector. Detailed instructions on how to register using an ‘Elster’ certificate and ‘Mein Unternehmenskonto’ (MUK) can also be found on the BSI website.
Are fines now imminent?
The good news is that the BSI has repeatedly stated publicly that it will not yet impose any sanctions for late registrations at this stage. This is particularly relevant given that the registration portal only went online one month after the law came into force. Therefore, no immediate fines or other measures are to be expected in the coming weeks.
However, this is not an invitation to just sit and wait. It is unclear how long this ‘final grace period’ for companies affected by NIS2 will last.
Why are so many companies affected and unaware of it?
One reason for the low registration rate is the significantly expanded scope of application of the new BSIG. The explanatory notes to the law assume that around 30,000 companies in Germany are affected – in reality, the number is likely to be significantly higher.
It no longer affects only traditional critical infrastructures (KRITIS), but a broad spectrum of sectors and activities. In addition to some service providers that are affected per se, companies listed in Annexes 1 and 2 of the BSIG fall within the scope of application – either as ‘important entities’ or as ‘particularly important entities’.
The relevant thresholds apply not only to the respective sector activities, but to the entire company or group of companies: as few as 50 employees or, alternatively, an annual turnover and annual balance sheet total of over 10 million euros may suffice. The values of affiliated group companies are also included in the calculation!
Surprising results: examples from practice
Many companies are simply unaware that they are subject to NIS2 obligations. This is partly due to the broad definitions of the sectors affected. Here are a few examples from our consulting practice:
- Group IT: Do you provide other group companies with IT applications such as Confluence or Microsoft? Then you are probably considered a managed services provider (MSP) according to Annex 1 BSIG. Even the internal operation or support of ICT applications for other group companies is sufficient. Employees and revenues of affiliated companies are usually included in the calculation – the thresholds are quickly reached.
- E-commerce: Do you operate your own online shop and also allow third parties to sell through it – perhaps even only companies affiliated with your group? Then you are probably considered an operator of an online marketplace within the meaning of NIS2 and must comply also with the requirements of the additional Implementing Regulation (EU) 2024/2690.
- Property managers and telecommunications services: Are you a housing association offering your tenants internet, TV or telephone services via a tenant surcharge? If so, as a provider of publicly available telecommunications services, you may be affected by NIS2 regardless of threshold values.
- Photovoltaic systems: Do you operate photovoltaic systems on your office building or production site and feed electricity into the public grid or sell it to tenants? Unless this activity is exceptionally ‘negligible’, you may be affected as an energy producer under Annex 1 BSIG.
- Manufacturing industry: The NIS2 Directive and the BSIG refer to the statistical sector list ‘NACE Rev.2’. This list is very broad. Even manufacturers of seemingly harmless products such as lamps or household appliances and the entire mechanical engineering sector can be considered ‘important entities’ if they have 50 or more employees or a turnover of 10 million euros.
What should you do now?
Carefully check whether your company is affected. The management (“Geschäftsführung”) is responsible for implementing and monitoring NIS2 obligations. They must also undergo special training. In the event of negligence, management is personally liable to the company.
Are you unsure whether your company is affected or how to implement the obligations? Feel free to contact us – we will support you in implementing the NIS2 requirements. In an introductory workshop, we will be happy to explain to you in a concise and understandable manner which NIS2 requirements the law and the supervisory authority specifically require of you and how you can implement these requirements efficiently. We support you in NIS2 implementation, in particular with legal assistance for your gap analysis and implementation measures, in securing the supply chain through fair purchasing conditions and in the legal part of the legally required management training.
A free quick check using our NIS2 impact analysis tool offers you initial guidance.
You can find our SKW white paper on this topic here.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
