NIS2 BSI Registration: Missed the Deadline — What Now?

The statutory deadline expired on 6 March 2026, but the BSI is granting an extended deadline until 31 July 2026. If your company is subject to NIS2, you should complete your registration in the BSI portal now. NIS2Compass helps you do this: with the Pre-Check you can determine in just a few minutes which obligations apply specifically to your company.

Is NIS2 Registration Still Possible After the Deadline?

Yes, registration remains possible and mandatory. The BSI has set an extended deadline until 31 July 2026. By the end of May 2026, only around 18,500 of approximately 29,000 affected companies had registered.

The expiry of the original deadline does not lift the obligation. The registration requirement under §33 Abs. 1 BSIG remains in force unchanged (source: BSIG, gesetze-im-internet.de). A late registration is therefore not only permitted, but mandatory.

In June 2026, the BSI explicitly reminded non-compliant companies and communicated the new deadline. This reminder is documented, for example, by heise online. The message is clear: anyone who has so far failed to register should do so without delay.

The figures make the need for action plain. Of around 29,000 affected companies, roughly 10,500 were still unregistered at the end of May 2026. A substantial share of those obligated still have the first step ahead of them.

Unsure whether your company is even required to register? The article Am I Affected by NIS2? explains the thresholds and sectors in detail. Registration itself then takes place via the portal at portal.bsi.bund.de.

NIS2Compass supports you beyond mere registration, throughout the entire implementation. Start with the Pre-Check to determine your specific catalog of obligations.

Which Deadline Now Applies to the BSI Registration?

The statutory deadline ended on 6 March 2026, three months after the NIS2UmsuCG came into force. The BSI is effectively granting an extended deadline until 31 July 2026. Legally, the missed deadline remains a violation; the extension merely signals leniency before sanctions.

The timeline can be traced clearly. The key point is the distinction between the statutory obligation and the BSI's enforcement leniency.

6 December 2025: The NIS2UmsuCG comes into force. As a result, the obligations of the BSIG apply directly to affected companies.

6 January 2026: The BSI opens the registration portal at portal.bsi.bund.de. From this point onward, registration is technically possible.

6 March 2026: The statutory registration deadline under §33 Abs. 1 BSIG ends. It runs for three months from the date the company becomes subject to the obligation.

31 July 2026: The BSI tolerates late registrations up to this date. This extended deadline is purely a matter of enforcement and forbearance.

The crucial point: the extended deadline is not a new statutory date. The registration obligation fell due on 6 March 2026 and has been overdue ever since. The BSI is refraining from sanctions for now, but does not lift the obligation.

For companies, this means: the extended deadline buys time but does not erase the violation retroactively. Anyone completing registration now should view it as the first step of a structured implementation. The guide Implementing NIS2: Step by Step to Compliance shows how this works in practice.

How Does the BSI Registration Work Step by Step?

Registration is a two-stage process: first, signing up with Mein Unternehmenskonto (MUK), the German business account service, using an ELSTER organization certificate, and then registering in the BSI portal at portal.bsi.bund.de. Allow several working days of lead time for the ELSTER certificate, as the application takes time to process.

1. Clarify your applicability and entity type: Are you a particularly important entity, an important entity, or a KRITIS operator? The Pre-Check helps you classify your status systematically.
2. Have your tax number ready and apply for an ELSTER organization certificate: The tax number is a prerequisite for access. Issuance of the certificate takes several working days, so plan this lead time in firmly.
3. Set up Mein Unternehmenskonto (MUK) at mein-unternehmenskonto.de. MUK is the central identity service for signing in to the BSI portal.
4. Sign in to the BSI portal at portal.bsi.bund.de. You log in directly via your MUK account; a separate BSI account is not required.
5. Enter the mandatory information: Provide your master data, sector, IP address ranges, and your NIS2 point of contact. The point of contact must be reliably reachable.
6. Review your entries, submit, and secure your confirmation: Check all entries before submitting and save the confirmation as evidence.

The BSI provides official click-by-click instructions for each step. You can find the details in the BSI press release on the BSI portal.

Registration, however, does not cover the §30 BSIG obligations on risk management. It is only the formal first step. The actual substantive implementation of security measures comes afterward. The Implementation Guide shows you the structured path there, leading you step by step through all obligations.

What Information Does the BSI Require for Registration?

The BSI requires master data and a named NIS2 point of contact: name, address, legal form, sector and industry, number of employees, annual turnover, and IP address ranges. Changes must be reported without delay, no later than two weeks, via the BSI portal.

Registration takes place entirely digitally via portal.bsi.bund.de. Have the following information ready before logging in to complete the process quickly.

Required data catalog:

• Name of the entity
• Address of the company's registered office
• Legal form (e.g. GmbH, AG, registered cooperative)
• NIS2 point of contact or contact person with availability
• Sector and industry under Annex 1 or 2 BSIG
• Number of employees for the threshold check
• Annual turnover and balance sheet total
• IP address ranges assigned to the entity

How Must the NIS2 Point of Contact Be Reachable?

This is a common point of confusion. Round-the-clock (24/7) availability of the point of contact is mandatory only for KRITIS operators (§33 Abs. 2 Satz 2 BSIG).

All other important and particularly important entities do not need a 24/7 mailbox. For them, a functional mailbox staffed during normal business hours is sufficient. What matters is a function-based address, not the personal mailbox of an individual employee.

If registered information changes, such as the point of contact or the IP address ranges, a clear deadline applies. The change notification must be made without delay, no later than within two weeks, via the BSI portal (§33 Abs. 5 BSIG).

A complete overview of the obligations is provided by the official source BSI NIS-2-Pflichten. For the structured capture of point-of-contact data and ongoing documentation, NIS2Compass provides suitable templates in the Template Library.

What Penalties Apply for Late Registration?

A late or omitted registration can be penalized with fines of up to €500,000. In the case of cumulative violations, such as additional breaches of risk management and reporting obligations, fines of up to €10 million or 2 percent of worldwide annual turnover may apply. The higher of the two amounts is decisive.

The law distinguishes clearly by the type and extent of the violation. A pure registration violation stays within the range of up to €500,000. As soon as further obligations remain unfulfilled, however, such as missing technical measures or omitted incident reports, the risks add up to the upper limit of €10 million or 2 percent of annual turnover.

The personal dimension of liability is important. Under §38 BSIG, management bears responsibility for implementing the risk management measures. It cannot fully delegate this obligation and may, in the event of violations, be held personally liable. The article NIS2 Fines: What Penalties Apply for Violations? explains the penalties in detail.

The extended deadline until 31 July 2026 is the opportunity to remedy the risk without sanction. Anyone who registers now and documents the first steps significantly reduces their exposure to fines. A demonstrable, serious implementation effort works in the company's favor in case of doubt.

Practical scenario: A municipal utility (Stadtwerk) with around 150 employees in the energy sector notices, after a letter from the BSI, that it missed the 6 March deadline. It completes the registration within the extended deadline, designates a point of contact, and begins documenting its §30 measures. As a result, its exposure to fines drops significantly.

In addition to registration, affected companies should clarify their reporting channels early. The article NIS2 Reporting Obligations: When, What, and to Whom? summarizes which incidents must be reported, when, and to whom.

What Happens After the BSI Registration?

Registration is only the first step. After that, the risk management obligations under §30 BSIG apply, along with the three-stage reporting obligation with deadlines of 24 hours, 72 hours, and one month. The actual NIS2 implementation, with risk analysis, technical measures, and ongoing documentation, only begins after registration.

Registration does not equal compliance. It is purely a master-data notification to the BSI, not a substantive implementation. Registering does not yet fulfill a single security requirement.

The real effort begins with the risk management obligations under §30 BSIG. These include risk analysis, technical and organizational measures, and their ongoing review. These obligations apply regardless of registration status.

In addition, there is the three-stage reporting obligation for significant security incidents. It comprises an early warning within 24 hours, a main report after 72 hours, and a final report after one month. In parallel, there are proof and documentation obligations that the BSI can inspect in the event of an audit.

For this path, NIS2Compass offers a structured sequence. The Pre-Check first shows your individual implementation status. The Implementation Guide then leads you step by step through the §30 measures, supplemented by ready-made templates for policies and evidence.

The BSI emphasizes that the requirements have applied without transition periods since the NIS2UmsuCG came into force (BSI on NIS-2). Registration is therefore the start, not the conclusion, of NIS2 implementation.

Frequently Asked Questions

Can I still register with the BSI after 6 March 2026?

Yes. The registration obligation remains in force unchanged, even after the original deadline has passed. The BSI has granted an extended deadline until 31 July 2026. Complete your registration promptly now via portal.bsi.bund.de to limit your exposure to fines.

Do I need an ELSTER certificate for the BSI registration?

Yes. Signing in to the BSI portal is done via Mein Unternehmenskonto (MUK) using an ELSTER organization certificate. There is no separate BSI account. Apply for the certificate in good time, as delivery by post requires several working days of lead time.

What does NIS2 registration with the BSI cost?

Registration itself via portal.bsi.bund.de is free of charge. Effort arises from the ELSTER organization certificate, entering data in the portal, and the subsequent implementation of the §30 BSIG obligations. The latter is the real substantive challenge after the formal registration.

Must my NIS2 point of contact be reachable around the clock?

Only KRITIS operators must maintain a continuously reachable point of contact (§33 Abs. 2 S. 2 BSIG). Particularly important and important entities outside of KRITIS do not need a 24/7 setup. A functional mailbox staffed during business hours is usually sufficient here.

Am I even required to register?

Affected entities are particularly important and important entities in NIS2 sectors, generally from 50 employees or €10 million in turnover. Whether your company falls under this is quickly and systematically clarified by the Pre-Check from NIS2Compass based on industry and size.