NIS2 BSI Registration in Germany: Step-by-Step
A practitioner walkthrough of NIS2 BSI registration under NIS2UmsG — scope test, the BSI portal, deadlines, data you need, and what comes after.
TL;DR / Key takeaways
- NIS2UmsG applied from 6 December 2025 with no transition period. The BSI registration portal opened 6 January 2026 and the registration deadline was 6 March 2026 — late registration is still required and advisable.
- You self-identify. The BSI does not invite you. Each legal entity that meets the size and sector thresholds must register itself.
- Two tiers matter: important entities (≥50 staff or >EUR 10M turnover) and particularly important entities (≥250 staff or >EUR 50M turnover and >EUR 43M balance sheet).
- Registration ≠ compliance. Registering puts you on the BSI's list; it does not prove your risk-management measures are adequate.
- Management is personally liable for overseeing and approving risk-management measures. Fines reach EUR 10M or 2% of global turnover.
Germany implemented NIS2 through the NIS2-Umsetzungsgesetz (NIS2UmsG), and it landed harder than many organisations expected. There was no grace period: the law applied directly from 6 December 2025. The BSI portal NIS2 registration function opened on 6 January 2026, with a NIS2 registration deadline of 6 March 2026. If you are reading this after that date and have not registered, you are not off the hook — late NIS2UmsG registration remains a legal obligation, and completing it promptly is the right move both legally and reputationally.
This is a practitioner walkthrough of how to register with BSI: how to confirm whether you are in scope, what data to prepare, how the portal works in practice, and — crucially — what you must do once the confirmation lands in your inbox.
First, confirm whether you are actually in scope
The single most common mistake we see is organisations treating registration as the first question. It is the second. The first is the scope test, and it must be run per legal entity, not per group.
NIS2UmsG distinguishes two categories:
| Criterion | Important entity | Particularly important entity |
|---|---|---|
| Staff threshold | ≥ 50 employees | ≥ 250 employees |
| Turnover threshold | > EUR 10M | > EUR 50M |
| Balance sheet | — | > EUR 43M |
| Logic | size OR turnover | size OR (turnover AND balance sheet) |
| Supervisory regime | Reactive (after incidents) | Proactive (BSI can audit) |
Both categories must register. The distinction mostly affects how intensively the BSI supervises you afterwards — particularly important entities face proactive oversight, while important entities are supervised reactively. It does not create a "register later" tier.
A few traps worth flagging from our own engagements:
- Group structures. Obligations attach to each in-scope legal entity. A shared SOC or central security function does not let a parent register once on behalf of twelve subsidiaries. Run the test twelve times.
- The "OR" logic. You do not need to exceed both staff and turnover thresholds — either one puts you in. Finance-light, headcount-heavy organisations get caught here just as often as the reverse.
- Sector membership is necessary but not sufficient. You must be in a covered sector and meet the size criteria. Conversely, certain critical-sector entities can be in scope regardless of size.
If you want a structured, defensible way to document this decision, we wrote a dedicated piece: the NIS2 Germany scope test under NIS2UmsG. Document the outcome with named owners and dates — the scope decision is itself evidence the BSI may later ask to see.
What you need before you open the portal
Registration is not a place to improvise. Have the following assembled and signed off before you log in, because incomplete records create follow-up correspondence you do not want during an audit window.
- Legal entity identity — registered name, legal form, commercial register number, and address.
- Sector and entity-type classification — which NIS2UmsG sector and annex you fall under, and whether you are an important or particularly important entity.
- The services that bring you into scope — a concise description of the in-scope activities. Be precise; over-broad descriptions invite scope creep, over-narrow ones invite challenge.
- Security contact points — a function-based mailbox, not a single person's name, plus a 24/7 reachable responsible contact. Incidents do not respect office hours, and the reporting clock starts when you become aware.
- Management sign-off — because the Geschäftsleitung is personally accountable, the registration content should be reviewed and approved at board level, not delegated and forgotten.
The BSI registration: step by step
Here is the end-to-end procedure as we run it for clients.
- Confirm scope per entity. Complete and archive the scope test for every legal entity. Treat ambiguous cases conservatively — registering when arguably out of scope is far cheaper than the reverse.
- Assemble the data pack. Pull together the five items above into a single source of truth so multiple entities can be registered consistently.
- Access the BSI portal. Use the registration portal that opened on 6 January 2026. Create an account and an entity record for each in-scope company.
- Complete the registration form. Enter entity details, classification, in-scope services, and your contact points. Double-check the entity-type selection — it drives your supervisory regime.
- Submit and capture evidence. Submit each registration and retain the confirmation. This confirmation is your proof that the registration obligation has been met; store it where your compliance team and auditors can find it.
- Stand up reporting and governance. Registration is the trigger, not the finish line. Operationalise the incident-reporting workflow and align management approval of risk-management measures (more below).
Practitioner note: When we ran group-wide registration for a mid-sized European manufacturer with multiple German legal entities, the bottleneck was never the portal — it was reconciling who actually owned each entity's security contact and getting board-level approval scheduled in time. Start the internal coordination weeks before you touch the form.
Registration is the easy part — reporting is the obligation with teeth
Getting onto the BSI's list does not make you compliant. The substantive obligations begin afterwards, and the incident-reporting timeline is where unprepared organisations get hurt:
| Stage | Deadline | What you submit |
|---|---|---|
| Early warning | Within 24h of awareness | Initial notification that a significant incident is suspected |
| Detailed report | Within 72h | Initial assessment, severity, indicators of compromise |
| Final report | Within 1 month | Root-cause analysis and remediation |
A 24-hour clock cannot be met with a manual email chain that depends on one person seeing an alert. You need detection, triage, and an escalation path that reaches your reporting function automatically. We break down how to build this in our 24/72-hour incident reporting runbook.
The governance layer: management is personally liable
NIS2UmsG puts personal accountability on the Geschäftsleitung for overseeing and approving risk-management measures. This is not a delegable, sign-here-and-move-on formality. Management must understand and approve the measures, and can be held personally liable for failures of oversight. That changes the conversation: registration and compliance stop being an IT line item and become a board-governance topic.
If your security model still relies on a hardened perimeter and implicit trust inside it, NIS2UmsG is a forcing function to modernise. A Zero Trust architecture — least privilege, strong identity, continuous verification, and segmentation — maps directly onto the risk-management measures the directive expects. We cover the liability dimension in detail in our note on management liability under NIS2 in Germany.
A pragmatic post-registration checklist
- Scope test archived per legal entity, with owner and date
- Registration confirmation stored as compliance evidence
- 24/7 security contact verified and monitored
- 24h / 72h / 1-month reporting workflow tested end to end
- Risk-management measures formally approved by management
- Supply-chain security requirements cascaded to key suppliers
- Asset inventory current and mapped to in-scope services
- Annual review cycle scheduled, including re-running the scope test as the business changes
Where this leaves you
If you have registered, good — but treat that as day one, not the finish. If you missed the NIS2 registration deadline, register now and document why the delay occurred and what you are doing about it; a late-but-complete posture is far more defensible than silence. Either way, the work that matters is operational: detection that meets a 24-hour clock, risk-management measures your board has genuinely approved, and a supply chain you can stand behind.
This is the kind of work we do every week — scope tests, registration, reporting runbooks, and the Zero Trust architecture that underpins them. If you want a second pair of senior, certified eyes on your NIS2 posture, see how we approach it on our Zero Trust & cybersecurity services page.
FAQ
What is the NIS2 BSI registration deadline in Germany?
The BSI registration portal opened on 6 January 2026 and the registration deadline was 6 March 2026. There was no transition period — NIS2UmsG applied directly from 6 December 2025. If you missed the deadline, registration is still legally required and you should complete it without further delay.
Who must register with the BSI under NIS2UmsG?
In-scope organisations are 'important entities' (50 or more staff, or more than EUR 10M turnover) and 'particularly important entities' (250 or more staff, or more than EUR 50M turnover and more than EUR 43M balance sheet) operating in the covered sectors. Most affected companies self-identify and must register themselves; the BSI does not send invitations.
Does registering with the BSI mean I am NIS2 compliant?
No. Registration is an administrative notification that places you on the BSI's radar. It does not certify that your risk-management measures, incident reporting capability, or supply-chain controls meet NIS2UmsG. Registration and substantive compliance are separate obligations that run in parallel.
What information do I need to complete the BSI registration?
You need your legal entity details, sector and entity-type classification, the size criteria you trigger, contact points for security incidents, and a named responsible contact reachable around the clock. You should also be ready to describe the services that bring you into scope.
What happens if we do not register with the BSI?
Failure to register is a breach of NIS2UmsG and can attract fines up to EUR 10M or 2 percent of global turnover for particularly important entities. Management is personally liable for overseeing and approving compliance, so non-registration is also a governance and director-liability exposure, not only a corporate one.
Can a subsidiary register on behalf of a whole group?
Generally no. NIS2UmsG obligations attach to each legal entity that independently meets the scope thresholds in a covered sector. Groups should run the scope test per entity and register each in-scope company, even where security is operated centrally from a shared SOC or parent function.