NIS-2: Registration requirement by March 6, 2026 – Act now!
Update Data Protection No. 234
With the NIS-2 Implementation Act coming into force on December 6, 2025 (we reported here and here), numerous companies are required to register with the Federal Office for Information Security (BSI) by March 6, 2026. Companies must determine for themselves whether they are affected – the BSI does not perform automatic checks.
In addition to registering by March 6, 2026, affected companies have been required since December 6, 2025, to implement appropriate technical and organizational measures (TOM) to ensure the availability, integrity, and confidentiality of their network and IT infrastructure. They must also report significant security incidents within 24 hours. The key provisions are set out in the amended Act on the Federal Office for Information Security (BSIG).
In total, almost 30,000 companies and federal administrative institutions in Germany are affected.
Violations can result in fines of at least EUR 10 million or 2% of global annual turnover.
Affected sectors – smaller companies may also be affected
The range of industries covered has been significantly expanded. In addition to the traditional critical infrastructure sectors – in particular energy, transport, finance, health, water, and aerospace – other economic sectors are now subject to the registration requirement. These include postal and courier services, waste management, the chemical industry, food production, and certain research organizations. Manufacturers of critical products are also included, for example, in the fields of medical technology, computer and electronics production, engineering, and vehicle manufacturing. In addition, there are central digital services such as cloud computing services, data centers, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines and social networks.
The registration requirement generally applies to companies in the above-mentioned industries that meet the following thresholds:
- at least 50 employees and an annual turnover or annual balance sheet total of €10 million each ("important entities")
- at least 250 employees or annual revenue of more than €50 million and annual balance sheet total of more than €43 million ("particularly important entities").
Affiliated companies must generally be included, which is particularly important to note in the context of holding structures.
Certain companies must also register regardless of their size. This applies in particular to providers of public telecommunications networks, DNS resolvers, TLD registries and trust service providers under the eIDAS Regulation. The registration requirement also applies to operators of critical facilities within the meaning of the Ordinance on the Determination of Critical Infrastructures Pursuant to the BSIG (BSI-KritisV).
Personal responsibility of management
Management is responsible for implementing and monitoring appropriate TOMs. Failure to comply with these obligations may result in personal liability. The responsibility for implementing IT and cyber security measures therefore lies directly with the board of directors and management.
Next Steps
Check promptly whether these obligations apply to your business. If your company is part of a corporate group, the assessment must generally be carried out at group level.
Affected companies can register via the BSI portal, where security incidents must also be reported. To register, companies need access credentials for "My Company Account" (MUK). To obtain these, companies must first apply for an ELSTER organization certificate. A German tax number is required to apply for the certificate. As the entire process can take some time, affected companies should act promptly.
The impact assessment and timely registration with the BSI, as well as the implementation of the necessary security measures, should be given the highest priority. This not only enables companies to fulfill their compliance obligations with regard to IT and cybersecurity, but also significantly reduces their risk of suffering considerable losses as a result of cyberattacks.
We are happy to assist you with the impact assessment, registration and implementation of the BSIG requirements, including the introduction and implementation of appropriate security and risk management measures.