NIS2 Registration Gap Analysis

The BSI estimated ~30,000 entities subject to NIS2 in Germany. The registration deadline passed on March 6, 2026. A significant portion of in-scope companies have still not registered — leaving them exposed to enforcement under §65 BSIG.

§33 BSIG requires every entity that falls under NIS2 – whether besonders wichtige Einrichtung or wichtige Einrichtung – to register with the Bundesamt für Sicherheit in der Informationstechnik (BSI). This is not optional. The registration obligation exists independently of whether the company has implemented any cybersecurity measures. You must register first, then comply.

The BSI registration portal (muk.bsi.bund.de) went live on January 6, 2026 — one month after the BSIG entered into force. The registration deadline under §33 BSIG was March 6, 2026 (3 months after entry into force). Despite a clear legal obligation and a two-month window, a significant share of the estimated 29,000–30,000 in-scope entities did not register by the deadline. A G DATA survey found that 44% of affected companies were unaware of their NIS2 obligations entirely.

The registration gap is particularly concerning because registration is a precondition for the BSI's supervisory regime. Unregistered entities are not invisible – they are non-compliant by default. When the BSI begins systematic enforcement (which it has signalled for 2026), unregistered companies face penalties not just for missing cybersecurity measures, but for the registration violation itself – a separate offence under §65 BSIG.

Registration by the Numbers
Current state of NIS2 registration in Germany based on BSI data and industry surveys.

  • ~29,000–30,000 – Estimated in-scope entities. BSI's own estimate of entities subject to NIS2 obligations under the NIS2UmsuCG, covering both besonders wichtige and wichtige Einrichtungen.
  • 44% – Unaware of NIS2 obligations. G DATA survey (2024): 44% of German mid-market companies did not know NIS2 applied to them – before the law even entered into force.
  • 2 months – Registration window. BSI portal went live January 6, 2026. Registration deadline was March 6, 2026 – a two-month window for ~30,000 entities to register.
  • §33 BSIG – Registration legal basis. Registration is required without undue delay (unverzüglich) after determining that the entity falls within scope. There is no grace period – the obligation is immediate upon the law taking effect.

Why the Gap Exists

Four structural factors explain why the majority of German NIS2 entities have not registered.

Lack of awareness

A G DATA survey conducted in 2024 found that 44% of German mid-market companies were unaware that NIS2 applied to them. The scoping criteria – 50+ employees or EUR 10 million turnover in 18 covered sectors – are not self-evident to companies that have never dealt with IT security regulation. Many companies in sectors like waste management, food production, and chemical manufacturing do not think of themselves as 'critical infrastructure'.

Scoping complexity

Determining whether a company falls under NIS2 requires mapping the business against Annex I and II of the NIS2 Directive (transposed into §28 BSIG). The sector definitions reference NACE codes, turnover thresholds, and employee counts – but edge cases abound. Companies with mixed business lines, partial sector coverage, or group structures face genuine uncertainty about whether they are in scope.

Resource constraints

German Mittelstand companies in the 50–250 employee range typically lack dedicated compliance or information security staff. The person responsible for 'IT' is often also responsible for facilities, procurement, and everything else that involves a computer. NIS2 registration requires understanding regulatory text, classifying the company's sector, and navigating a government portal – tasks that fall outside normal operations.

Legislative uncertainty

The NIS2UmsuCG went through multiple drafts and was delayed several times before final passage. Many companies adopted a 'wait and see' approach, expecting further changes or extended deadlines. This was a rational but incorrect bet – the law passed, the registration obligation is in force, and the BSI is not offering extensions.

Consequences of Non-Registration
Registration is not just administrative paperwork – failure to register is an independent violation with its own penalties.

Administrative fines

§65 BSIG provides for fines of up to EUR 10 million or 2% of worldwide annual turnover for besonders wichtige Einrichtungen, and up to EUR 7 million or 1.4% for wichtige Einrichtungen. Non-registration is a separate violation from non-compliance with substantive security measures – meaning companies can face penalties for both.

Management personal liability

Under §38 BSIG, the Geschäftsleitung is personally responsible for ensuring compliance with NIS2 obligations – including registration. A managing director who fails to register the company is in personal breach of their statutory duties, creating exposure for personal liability claims from the company or its shareholders.

Enforcement priority

The BSI has indicated that it will prioritize enforcement against entities that have not registered, because non-registration signals complete non-compliance. A company that has registered but is working on measures demonstrates good faith. A company that has not even registered has no defense of ongoing implementation efforts.

Reputational and commercial impact

NIS2 supply chain requirements (§30(2)(4) BSIG) mean that in-scope companies must assess the cybersecurity posture of their suppliers. An unregistered company cannot demonstrate NIS2 compliance to its customers – potentially losing contracts or being flagged in supply chain audits. This commercial pressure will accelerate as more companies implement supply chain due diligence.

Sources
  • BSI – NIS2 registration statistics, public statements (2025)
  • G DATA CyberDefense – NIS2 awareness survey among German mid-market companies: 44% unaware of obligations (2024)
  • BSIG – §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)
  • NIS2UmsuCG – Gesetz zur Umsetzung der NIS-2-Richtlinie (NIS2 Implementation Act)
  • BMI – Referentenentwürfe and parliamentary documentation for NIS2UmsuCG