§33 BSIG

You Missed the BSI Registration Deadline. Now What?

About 18,000 German companies missed the §33 BSIG registration deadline. The BSI portal is still open. Here is what matters now – and what actually happens if you act quickly.

The Short Answer

Don't panic. You are not alone — and you are not too late to fix this. The BSI estimated that roughly 30,000 entities fall under NIS2 in Germany. The registration deadline passed on March 6, 2026, but a significant number of companies have still not registered. You are far from the only one in this position.

The registration portal under §33 BSIG is still open. You can register today. The BSI has signaled that it will prioritize enforcement against companies that ignore their obligations entirely – not against those who registered late but are acting in good faith. Late is better than never, and 'never' is the only truly dangerous option.

The key is to act now, document that you started, and begin the actual compliance work. A late registration with visible progress looks fundamentally different to a regulator than no registration at all.

Five Steps to Get Back on Track
Follow this order. Each step builds on the previous one, and together they create a documented trail that shows the BSI you are taking compliance seriously.

1. Confirm you are actually in scope

Before you register, verify that NIS2 applies to your company. The criteria are in §28 BSIG: you need to operate in one of 18 listed sectors AND meet the size threshold (50+ employees or €10M+ annual revenue). If you are unsure, check the BSI's sector lists in Annex I and Annex II of the NIS2 Directive. Many companies assume they are out of scope when they are not – and vice versa. If you are genuinely uncertain, get a legal opinion before registering, but do not use uncertainty as an excuse to delay.

2. Register via the BSI portal immediately

Go to the BSI's NIS2 registration portal and complete your registration under §33 BSIG. You will need: your company details, sector classification, contact person for cybersecurity matters, and IP address ranges for your critical systems. The registration itself takes about 30 minutes if you have your information ready. Do this today – every day you wait adds to the gap between the deadline and your registration date.

3. Document that you have started

Create a written record – even a simple internal memo – that documents when you became aware of your NIS2 obligations, when you registered, and what steps you are taking. This creates a paper trail that demonstrates good faith. If the BSI ever asks why you were late, 'we identified the obligation, registered immediately, and began compliance work on [date]' is a strong answer.

4. Begin actual compliance work

Registration is just the first step – §30 BSIG requires you to implement cybersecurity risk management measures. Start with the foundations: asset inventory, risk assessment methodology, and incident reporting procedures. You do not need to be fully compliant overnight, but you need to be visibly working toward it. The BSI will look at trajectory, not just current state.

5. Consider legal counsel if scope is unclear

If your company sits near the threshold (close to 50 employees or €10M revenue), operates in a sector that could be interpreted multiple ways, or has a complex corporate structure, consult a lawyer specializing in IT regulation. The cost of a legal opinion (€2,000–5,000) is trivial compared to the cost of either non-compliance or unnecessary compliance. Some industry associations (like Bitkom or BDI) also offer NIS2 scope guidance for members.

What Are the Actual Risks of Late Registration?

Being honest about the risks helps you make proportionate decisions. The consequences are real but not catastrophic – if you act now.

Administrative fines

§65 BSIG provides for fines of up to €500,000 specifically for registration violations. In practice, the BSI has limited enforcement capacity and is focused on getting companies into the system, not punishing stragglers. A company that registers late and demonstrates active compliance efforts is unlikely to face the maximum penalty. A company that never registers is a different story.

Compliance orders

The BSI can issue binding compliance orders requiring you to register and implement specific measures within a set timeframe. Non-compliance with such an order escalates the legal situation significantly. Registering proactively – even late – avoids this escalation path entirely.

Management personal liability

§38 BSIG makes the Geschäftsführung personally liable for ensuring NIS2 compliance. If your company is in scope and you – as management – knowingly delayed registration, this creates personal exposure. The liability cannot be waived by shareholder resolution. Documenting that you acted as soon as you became aware is important protection.

Increased scrutiny in future audits

For besonders wichtige Einrichtungen (essential entities), the BSI conducts periodic audits. A late registration will be visible in your compliance timeline. However, a well-documented catch-up process that shows systematic improvement is viewed very differently from a pattern of neglect. Auditors assess trajectory, not just the starting point.

Why So Many Companies Missed the Deadline

The NIS2 registration gap is not primarily caused by negligence. The German legislative process was delayed repeatedly – the NIS2UmsuCG passed months after the original EU transposition deadline. Many companies reasonably waited for the German law to be finalized before taking action. Others were unaware they fell in scope because the sector definitions expanded dramatically compared to the old KRITIS regime.

The BSI itself acknowledged the scale of the registration gap publicly. The agency has taken a pragmatic stance: the priority is getting all 30,000 entities registered and into the compliance system, not punishing the first wave of late registrants. This pragmatism has limits – it applies to companies that are actively working toward compliance, not to those using the BSI's patience as an excuse to do nothing.

Frequently Asked Questions

Is the BSI registration portal still open?

Yes. The §33 BSIG registration portal remains open. There is no deadline after which you can no longer register – the obligation is ongoing. The deadline was when you should have registered, not when you could. Register now.

What is the fine for late registration?

§65 BSIG provides for fines of up to €500,000 for registration violations. However, fines are assessed on a case-by-case basis considering the severity, duration, and whether the company acted in good faith. A company that registers a few months late and shows active compliance efforts faces a very different risk profile than one that ignores the obligation entirely.

Does late registration affect my other NIS2 obligations?

No. Your obligations under §30 BSIG (cybersecurity measures), §32 (incident reporting), and §38 (management liability) exist independently of whether you have registered. Registration does not create the obligations – it fulfills one of them. The other obligations apply from the moment you meet the scope criteria, regardless of registration status.

Can I register if I am not sure we are in scope?

Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences – the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register.

What if we registered but have not started compliance work?

Registration without compliance work is like filing a tax return but not paying the tax – you fulfilled one obligation but not the substantive ones. Start with §30 BSIG measures now: asset inventory, risk assessment, incident reporting procedures. The BSI expects registered entities to be actively working toward compliance, not just sitting on a registration number.

Sources
  • BSI – NIS2 registration statistics and public statements on enforcement approach (2025)
  • G DATA CyberDefense – NIS2 awareness survey: 44% of mid-market companies unaware of obligations (2024)
  • BSIG – §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)
  • NIS2UmsuCG – Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit
  • BMI – Parliamentary documentation and guidance on NIS2UmsuCG implementation