Skip to content
← All posts
· 5 min read·Emre Yurtbay

NIS2 Registration: Last Chance by 31 July 2026 – How German Businesses Can Still Comply

Germany's BSI has set a final deadline of 31 July 2026. Companies that haven't registered yet must act now – concrete steps and what is at stake.

NIS2IT securityComplianceSMBBSILaw

Germany's NIS2 implementation law (NIS2UmsuCG) has been in force since 6 December 2025. With it came a statutory registration obligation with the Federal Office for Information Security (BSI) – with an original deadline of 6 March 2026. If you missed that deadline: according to the BSI (as of July 2026), a final extension to 31 July 2026 has been granted. That leaves just over four weeks – around 30 days.

Note: This article is not legal advice. It provides an overview of the current legal situation and recommended next steps. Please consult a specialist lawyer or certified IT security advisor for your individual situation. As of July 2026.

Companies that let this deadline pass again risk significant fines – and management faces personal liability.

Who actually needs to register with the BSI?

The registration obligation under § 33 BSIG applies to essential entities and important entities. The thresholds:

  • Essential entities: from around 250 employees or €50M turnover and €43M balance sheet – in sectors such as energy, water, transport, healthcare, finance, and digital infrastructure.
  • Important entities: from around 50 employees or €10M turnover – in sectors such as logistics, machinery, food production, chemicals, postal and courier services, and digital services.

The BSI estimates around 29,000 registrable entities in Germany. Many still have no registration on file – and have been receiving direct letters from the BSI since spring 2026. If your company has received such a letter: this is a notice requiring action, not an invitation to debate.

What happens if the 31 July 2026 deadline is missed?

Two risks stand out:

1. Fines under § 60 BSIG Essential entities face fines of up to €10 million or 2% of global annual turnover – whichever is higher. For important entities the maximum is €7 million or 1.4% of annual turnover. Fines can be imposed for the failure to register alone – a security incident does not need to have occurred first.

2. Personal management liability under § 38 BSIG § 38 BSIG requires management to personally approve and monitor the implementation of the required risk management measures. Crucially: this liability cannot be contractually excluded. A managing director who is aware of the obligations and remains inactive bears the risk personally.

The two-step BSI registration process

BSI registration is not a simple online form. It involves two distinct steps – and both require lead time:

Step 1: Apply for an ELSTER business account (MUK)

The first step is identification via the ELSTER business account (MUK). If your company does not yet have a valid ELSTER certificate, apply now at www.elster.de. The postal activation process typically takes up to two weeks. Anyone without a certificate today who waits may not have portal access by 31 July.

Step 2: Register in the BSI portal

The registration portal at portal.bsi.bund.de has been fully available for all affected entities since June 2026. There you enter your company master data, sector, and category. Have the following ready:

  • Company master data and trade register number
  • Assignment to the applicable KRITIS sector (multiple sectors if your business operates across them)
  • Contact details for the security point of contact (SPOC) – a named, reachable person, not a shared inbox
  • ELSTER certificate for identification

Registration is not the same as compliance

Registering in the BSI portal satisfies § 33 BSIG – but it is only the beginning. NIS2 additionally requires:

  • Risk management measures: risk analysis, a security concept, access controls, MFA, encryption, patch management.
  • Reporting obligations: significant security incidents must be reported to the BSI within 24 hours (initial report) and within 72 hours (preliminary report).
  • Supply chain security: affected entities are required to pass security requirements on to their suppliers and service providers – this also affects SMBs below the thresholds if they serve NIS2-obligated clients.
  • Documentation: all measures must be verifiable.

In short: a company that is registered but has no tested backups, no current security concept, and no MFA in place remains non-compliant.

Common mistakes that cost time

In practice, most businesses trip over the same issues:

  • ELSTER certificate missing: The application takes up to two weeks – start immediately.
  • Wrong sector selected: Companies operating across multiple sectors must declare all applicable ones; errors can be corrected but cost time.
  • No SPOC named: The BSI expects a named, reachable person for security incidents – a shared mailbox is not sufficient.
  • Confusing registration with NIS2 compliance: Portal registration fulfils § 33 BSIG, but not the substantive requirements of §§ 30–37 BSIG.

What does this mean for businesses in the Ruhr region?

The thresholds exclude most small craft businesses, retailers, and medical practices in Recklinghausen and the surrounding area from direct obligations. However, mid-sized companies with 50 or more employees or more than €10M in turnover – particularly in logistics, food production, chemicals, or as IT service providers – need to actively assess their exposure.

Smaller SMBs should also be aware: if your larger clients are subject to NIS2, they will pass security requirements on to you contractually. The question then is no longer whether you are affected, but when the next auditor will come knocking.

Conclusion: start now, don't wait

Just over four weeks remain before 31 July 2026 – around 30 days. Registration is achievable – but only if the ELSTER certificate is applied for in time. Anyone who starts today can still make it.

First, check: do you exceed the thresholds? Have you received a letter from the BSI? Then begin the ELSTER application immediately, name a SPOC, and open the BSI portal.

Not sure whether your company needs to register – or want to combine registration with a solid NIS2 foundation? We support businesses across the Ruhr region with both. Feel free to get in touch.

Note: The articles on this blog are produced with the help of AI and are editorially reviewed before publication. Editorial responsibility lies with Emre Yurtbay (see the Impressum).

Discuss your project