When the registration window for Germany’s NIS2 Implementation Act closed on March 6, 2026, the Federal Office for Information Security (BSI) had received filings from roughly 11,500 of an estimated 29,500 obligated companies — a registration rate of 38.5 percent. Two weeks before the deadline, the count was barely 4,856. The vast majority of in-scope organizations missed their first formal NIS2 obligation, and the gap is now the central enforcement question facing German cybersecurity regulators.
The shortfall is not simply a story of corporate negligence. It reflects a compressed legislative timeline, a six-fold expansion of the regulatory perimeter, a registration architecture that depends on tax-system credentials many companies didn’t have, and a definition of “in scope” that catches mid-sized manufacturers who have never dealt with the BSI before. Each of these shaped the registration curve. Each will shape what happens next.
What the German NIS2 Implementation Act Actually Requires
The NIS2 Implementation Act — formally amending the BSI Act (BSIG) — entered into force on 6 December 2025, transposing the EU NIS2 Directive into national law after a delay of more than two years. Germany missed the EU’s October 17, 2024 transposition deadline and was already subject to infringement proceedings from the European Commission by the time the law passed. There was no transition period; the law applied immediately.
The scope shift is the headline. Under the previous IT Security Act, the BSI supervised approximately 4,500 entities — primarily operators of designated critical infrastructure (KRITIS). The new BSIG raises that to roughly 29,500 entities, classified as either “particularly important” (besonders wichtige) or “important” (wichtige) facilities. Germany’s terminology diverges slightly from the EU directive’s “essential” and “important” categories, but the practical thresholds align: most in-scope entities are caught by having at least 50 employees or annual turnover and balance sheet above EUR 10 million, operating in one of 18 designated sectors.
The substantive obligations under §30 BSIG track the NIS2 directive’s risk-management catalog: incident response, business continuity, supply chain security, cryptography, access control, vulnerability handling, secure development, training, and effectiveness testing. Reporting deadlines under §32 BSIG mirror the directive — an early warning within 24 hours, a follow-up notification within 72 hours, and a final report within one month. Penalties under §65 BSIG reach EUR 10 million or 2 percent of global annual turnover for particularly important entities, and management liability under §38 BSIG cannot be waived by the company.
How the BSI Registration Process Actually Worked
The mechanics matter, because the mechanics are part of the explanation. Registration was a two-step process that placed a non-trivial administrative burden on companies before they could even reach the BSI’s portal.
Step one: an entity needed a Mein Unternehmenskonto (MUK) — a “My Company Account” — which is the federal authentication layer for digital interactions with German authorities. To get one, the company first needed an ELSTER organization certificate, the same digital credential used for tax filings. Companies without an existing ELSTER footprint — many smaller importers, foreign subsidiaries, and B2B service providers in scope for the first time — had to apply from scratch. Processing the certificate takes five to ten working days, and requires a German tax number.
Step two: the actual BSI registration portal. It launched on January 6, 2026 — exactly one month into the three-month registration window. Once inside, registrants submitted master data, contact details, IP address ranges, sectoral classification, and the responsible federal authority. The portal also functions as the channel for §32 BSIG incident reporting.
The compressed sequence — law in force December 6, portal live January 6, deadline March 6 — left companies with a real working window of roughly two months once the technical infrastructure was actually operational. For organizations that had not pre-staged their ELSTER credentials, the timeline was tighter still.
Why the Registration Rate Came in Below 40 Percent
The 61.5 percent shortfall has several distinct causes, and conflating them obscures both the diagnosis and the appropriate enforcement response.
Scope ambiguity. The single largest factor cited by practitioners is uncertainty about whether the law applies. The German implementation reaches manufacturers of seemingly unremarkable products — lamps, household appliances, the entire mechanical engineering sector — if they have 50 or more employees or 10 million euros in turnover. The directive’s 18 sectors, combined with German-specific size thresholds and the rule that group-affiliated company values are aggregated into the calculation, make scoping non-obvious. Many companies that should have registered did not realize they were obligated.
Negligible-activity carve-out confusion. Germany’s transposition added a wrinkle absent from the EU text: under §28(3) BSIG, business activities considered “negligible” relative to an entity’s overall operations may be excluded from the threshold calculation. There is no official guidance on what counts as negligible. Some companies excluded themselves on plausible but unverified grounds. Others excluded themselves wrongly and now sit outside the registry believing they’re compliant.
The healthcare-sector pattern. Hospitals, large medical practices, and care facilities are flagged in post-deadline analyses as systematically under-registered. Many in-scope healthcare facilities lack a dedicated IT security team, and the two-step registration process is itself time-consuming — a problem that compounds for organizations whose IT capacity is already stretched.
Process friction. The MUK/ELSTER prerequisite is straightforward for German enterprises with established tax filings, but it’s a meaningful obstacle for smaller in-scope entities and foreign-headquartered companies operating in Germany.
Awareness gap. The BSI repeatedly emphasized in the weeks before the deadline that registrations were significantly below expectations. Coverage in trade press and law-firm bulletins was extensive, but it didn’t reach the long tail of newly in-scope mid-market companies whose management had no historical relationship with the regulator.
What the Six-Fold Scope Expansion Caught
The previous BSIG regime focused on a narrow set of operators of designated critical infrastructure. NIS2 reaches further. Eleven sectors are now classified as “particularly important” — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT services, public administration, and space. Seven additional sectors are caught as “important,” including postal services, waste management, chemicals, food, and a broad reading of manufacturing.
Manufacturing is where the registration gap is largest. A mid-sized German Maschinenbau firm — say, 200 employees building specialty machinery for export — has historically operated outside the BSI’s regulatory reach. Under §28 BSIG and Annex 2, the same firm is now an “important entity” with a registration obligation, a §30 risk-management obligation, a §32 incident-reporting obligation, and exposure to the §38 management-liability regime. The firm’s executive team typically has no internal compliance function pointed at the BSI, and the cybersecurity controls expected under §30(2) — supply-chain security, cryptography policy, secure development practices — exceed what many of these firms have formally documented.
The implication is structural: a large fraction of the 18,000 unregistered entities are not deliberately defying the regulator. They are companies whose cybersecurity posture is unprepared for any regulator’s scrutiny, registered or not.
How the BSI Plans to Enforce
The BSI has stated publicly that it will not yet impose sanctions for late registrations, framing the post-deadline period as a final grace window. The framing is pragmatic. The portal launched a month into the registration period, and the regulator has consistently signaled that voluntary compliance is preferable to enforcement actions against tens of thousands of confused mid-market firms.
That posture has limits. Under §61 BSIG, the BSI can compel registration, request documentation, and audit particularly important entities directly. After the deadline, the BSI announced it will actively identify non-registered companies, request registration, and impose fines for non-compliance. Late registration alone is a §65 fineable violation worth up to EUR 500,000 — a separate exposure from the substantive §30 and §32 obligations.
BSI President Claudia Plattner struck a confident tone before the deadline, telling press that “NIS2 has been implemented comparatively quickly despite the change of government, and we are ready. We can get started.” The practical strategy appears to be risk-based enforcement: prioritize particularly important entities in highest-criticality sectors, use sectoral data to identify obvious non-registrants, and reserve fines for cases of clear and persistent non-compliance.
A second pressure vector is operating outside the BSI entirely. Large in-scope companies are now obligated to manage supply-chain cybersecurity risk under §30(2) Nr. 4 BSIG, which requires due diligence on suppliers and service providers. Smaller suppliers that failed to register are visible to their enterprise customers as a compliance risk. The result is a B2B enforcement loop: the registered are increasingly demanding evidence of NIS2 alignment from the unregistered as a condition of continued business.
What Comes Next for the 18,000 Late Registrants
The most concrete near-term risk for unregistered entities is not a BSI fine — it’s the absence of a registered status when a security incident occurs. Under §32 BSIG, an in-scope entity must report a significant incident within 24 hours regardless of whether it has registered. An unregistered entity hit by ransomware on day one will have to register, document its scope assessment, and file the incident report simultaneously, under regulator scrutiny, while also handling the breach itself. That sequence is the unforced error the BSI is implicitly warning companies about.
The second risk is the supply-chain effect. A particularly important entity — say, an energy utility — performing §30(2) Nr. 4 due diligence on its industrial control system vendors has both motive and obligation to ask whether those vendors are NIS2-registered. Unregistered status becomes a contracting flag. SaaS providers without NIS2 compliance represent a direct liability risk for their customers, and the same logic applies to any supplier in the chain.
The third dynamic is the slow-burn enforcement timeline. Operators of critical facilities face additional obligations under §39 BSIG, including initial evidence of implementation no later than three years after the law comes into effect, i.e., from 2027, with ongoing evidence every three years thereafter. The first audit cycle will reveal which entities used the registration grace period to actually build compliance and which simply registered to clear the formal hurdle.
Frequently Asked Questions
Is the registration deadline truly closed, or can entities still register? The deadline closed on March 6, 2026, but the portal remains open and the BSI is actively encouraging late registrations. Late filing is a fineable violation under §65 BSIG, but the regulator has signaled it will not pursue immediate sanctions during the current grace period.
How does an entity determine whether it falls within scope? The BSI offers a free self-assessment tool, but it is available only in German and its result is non-binding. Determining status requires careful analysis of sector definitions in Annexes 1 and 2 of the BSIG, size criteria, and group structures. Most entities benefit from formal legal review given the §28(3) negligible-activity question.
What is the difference between Germany’s NIS2 implementation and the EU directive? Germany uses “particularly important” and “important” rather than the directive’s “essential” and “important.” It excludes local government, educational institutions, and long-term care from health-sector coverage. It allows the negligible-activity exclusion in threshold calculation. And it preserves a separate, stricter regime for “operators of critical facilities” — a German concept that predates NIS2.
Are foreign companies operating in Germany affected? Yes, where they meet the size thresholds and provide services in Germany. The territorial scope follows the directive: the relevant question is whether the entity provides services or carries out activities within the EU, with Germany as the place of main establishment or operation.
The Real Test Begins Now
A 38.5 percent registration rate is not, by itself, evidence that NIS2 has failed in Germany. It is evidence that a regulatory regime designed to govern roughly 4,500 designated infrastructure operators was extended to 29,500 entities of widely varying maturity, on a compressed timeline, through a tax-system authentication layer, with no transition period — and the result was a long tail of confusion among newly in-scope mid-market firms.
The substantive test arrives over the next eighteen months. The BSI has the tools and stated intent to identify non-registrants on a risk-prioritized basis, beginning with particularly important entities. The first significant incident at an unregistered entity in a sensitive sector will set the enforcement tone. And the 2027 evidence cycle for operators of critical facilities will produce the first hard data on whether registered entities have actually built §30-grade controls or merely populated a portal.
For unregistered in-scope companies, the rational move is straightforward: complete the scoping analysis, secure the ELSTER credentials, register, and treat §30 controls as overdue rather than upcoming. The grace period is real but not durable. The B2B pressure from registered customers is already operating. And the personal liability exposure under §38 does not wait for the BSI to act.