§33 BSIG

BSI Registration: Step-by-Step Guide

Every NIS2 entity must register with the BSI under Section 33 BSIG. The portal has been live since January 2026. Here is exactly how to complete the process.

Registration with the BSI is one of the most visible NIS2 obligations and has its own penalty provision of up to 500,000 euros. The process uses the 'Mein Unternehmenskonto' (MUK) portal, which requires ELSTER-based authentication. Most companies can complete the registration in 30 to 60 minutes, but you need to prepare several pieces of information beforehand.

The registration deadline was 6 March 2026 (three months after the BSIG entered into force). If you missed it, register as soon as possible. Late registration demonstrates good faith and is vastly better than no registration. The BSI can also proactively identify companies that should have registered and order them to do so.

What You Need Before Starting
Gather these four items before you open the BSI portal. Having everything ready makes the process straightforward.

Mein Unternehmenskonto (MUK)

You need an active MUK account at muk.bsi.bund.de. MUK is the federal government's business account system. If your company does not have one yet, create it first – this can take a few days because it requires ELSTER verification. Do not wait until the last minute.

ELSTER Certificate

MUK authentication uses your ELSTER business certificate – the same one you use for tax filings. If your tax advisor handles ELSTER for you, you will need either their help or your own ELSTER certificate. The person registering must be authorized to act on behalf of the company.

Company Data

You will need: legal company name, registered address, tax number, commercial register number (Handelsregister), sector classification (which NIS2 sector you fall under), employee count, and annual revenue. Have your most recent annual report or financial statements available.

Contact Persons

The BSI requires at least one designated contact person for cybersecurity matters. You need their name, role, email, and phone number. This person must be reachable – the BSI will use this contact for incident communication and compliance inquiries. Ideally, designate a primary and secondary contact.

Registration Walkthrough
Six steps from opening the portal to confirmed registration. The entire process takes 30 to 60 minutes if you have prepared everything.
1

Log in to MUK

Go to muk.bsi.bund.de and log in with your ELSTER certificate. If this is your first time using MUK, you will need to create an account and link it to your ELSTER identity. Make sure your browser allows the ELSTER security plugin. Use Chrome or Edge for the best compatibility.

2

Select NIS2 Registration

Once logged in, navigate to the BSI registration service. Select 'NIS2-Registrierung' from the available services. The portal will guide you through the process with a multi-step form. You can save your progress and return later if needed.

3

Enter Company Information

Fill in your company details: legal name, address, registration number, tax ID, sector classification, and size category. The portal will ask you to self-classify as either 'besonders wichtige Einrichtung' (essential entity) or 'wichtige Einrichtung' (important entity) based on your sector and size. If you are unsure, the portal provides guidance.

4

Declare Services and Infrastructure

Describe the services your company provides that fall under NIS2 scope. For example, a food production company would declare its production and distribution operations. List the Member States where you provide these services. If you operate only in Germany, select Germany only.

5

Add Contact Persons

Enter your designated contact person(s) for cybersecurity matters. Provide name, role, email, and phone for each contact. The BSI will use these contacts for incident communication, compliance inquiries, and any orders or inspections. Make sure the contact is someone who can actually respond – not a generic info@ email.

6

Review and Submit

Review all entered information carefully. Once submitted, you will receive a confirmation reference number. Save this number. The BSI may take several weeks to process your registration. You do not need to wait for confirmation before starting your compliance work – the obligation exists from the moment the law applies, not from the moment of registration.

Common Mistakes to Avoid
  • Starting without an ELSTER certificate – MUK requires ELSTER authentication, and getting a new certificate can take days. Check this first.
  • Using a personal ELSTER certificate instead of the company's business certificate. The registration must be tied to the legal entity, not an individual.
  • Misclassifying your entity category. If you are in an Annex I sector with 250+ employees, you are 'besonders wichtig' (essential), not just 'wichtig' (important). The wrong classification affects your supervision regime.
  • Entering a generic email address as the contact. The BSI will send time-sensitive incident communications to this address. Use a monitored mailbox with a named person behind it.
  • Waiting for the BSI to tell you to register. Registration is a self-identification obligation – the BSI does not send notifications. If you meet the criteria, you must register yourself.
  • Assuming registration equals compliance. Registration is step one of many. It does not satisfy the Section 30 security measures, Section 32 incident reporting, or Section 38 management obligations.

Frequently Asked Questions

I missed the registration deadline. Is it too late?

No. Register immediately. The portal is still open and accepting registrations. Late registration is far better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI considers the circumstances – a company that registers a few weeks late and shows good faith is in a very different position than one that ignores the obligation entirely.

Can our tax advisor handle the registration for us?

They can help with the ELSTER authentication, but the registration content requires company-specific information about your NIS2 sector, services, and infrastructure that your tax advisor likely does not have. The best approach is to prepare the data yourself and have your advisor assist with the MUK/ELSTER technical setup if needed.

We are not sure if we classify as essential or important. What do we select?

Essential entities (besonders wichtige Einrichtungen) are large companies (250+ employees or 50M+ turnover) in Annex I sectors, plus all KRITIS operators. Important entities (wichtige Einrichtungen) are medium companies (50-249 employees or 10-50M turnover) in Annex I sectors, or medium/large companies in Annex II sectors. If you are genuinely uncertain, the BSI portal provides classification guidance during the registration process.

What happens after we register? Does the BSI contact us?

You receive a confirmation reference number. The BSI may take several weeks to process the registration. For essential entities, the BSI may initiate proactive supervision (audits, inspections) at any time. For important entities, supervision is reactive – meaning the BSI only investigates if there is evidence of non-compliance or after an incident. In both cases, start implementing Section 30 measures immediately. Do not wait for the BSI to reach out.

Do we need to register each branch or subsidiary separately?

Each legal entity that independently meets the NIS2 scope criteria must register separately. A subsidiary that is a separate legal entity with 50+ employees in a NIS2 sector needs its own registration. However, branch offices of the same legal entity do not register separately – one registration covers the entire legal entity.

Track Your Registration and Next Steps
Registration is step one. The platform guides you through the remaining 49 BSIG requirements with structured forms, deadline tracking, and automatic audit trail.
Start Your NIS2 Compliance Process