Missed the NIS2 registration deadline? The practical checklist under § 30 BSIG
The deadline expired on March 6, 2026. Three months after the NIS2 Implementation Act came into force, around 29,500 companies were required to register with the BSI (Federal Office for Information Security). Result: Only 38.5 percent complied. Companies still unregistered now risk fines up to 10 million Euro and personal liability for executives. This article explains exactly what § 30 BSIG requires, where the most common gaps lie, and what IT security teams must do now.
TL;DR
- 🔒 Only 11,500 of 29,500 obligated companies registered with the BSI on time (Security Insider 2026).
- ⚠️ § 30 BSIG defines ten minimum risk management measures, from incident response to cryptography.
- 🛡️ Personal executive liability under § 38 BSIG: Executives must approve, monitor, and undergo cybersecurity training.
- 📊 Fines: up to 10 million Euro or 2 percent of global annual turnover for essential entities (§ 65 BSIG).
- 🔧 The BSI currently prioritizes cooperation over immediate penalties but has conducted on-site audits since January 2026.
The registration deadline has passed
The NIS2 Implementation Act (NIS2UmsuCG) entered into force on December 6, 2025, without transitional periods. From that date, all obligations applied. Three months later, on March 6, 2026, the deadline for BSI registration expired. The BSI had launched its registration portal on January 6, 2026.
The figures after the deadline are sobering: According to industry reports, only about 11,500 of approximately 29,500 obligated entities have registered. That’s just 38.5 percent. The majority of affected companies are thus formally in default.
For context: Under the previous IT Security Act, the BSI supervised around 4,500 organizations. With NIS2, this number has more than sextupled. Many newly affected companies have had no prior experience with BSI regulation and significantly underestimate the effort required to implement the minimum measures.
Sources: BSI press release, Dec. 2025; Security Insider, March 2026; § 65 BSIG
Who is affected? The applicability check
NIS2 distinguishes two categories. If an organization falls into either, it must register.
Essential entities: Employing at least 250 people or generating at least 50 million euros in annual revenue with a balance sheet total of at least 43 million euros. These organizations are subject to proactive, regular BSI audits. Fines: up to 10 million euros or 2 percent of global annual turnover.
Important entities: Employing at least 50 people or generating at least 10 million euros in annual revenue. The BSI conducts audits here only reactively – upon suspicion of noncompliance or following a security incident. Fines: up to 7 million euros or 1.4 percent of global annual turnover.
In total, NIS2 covers 18 sectors. Eleven are classified as essential: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT services, public administration, and space. Seven additional sectors are designated as important: postal services, waste management, chemicals, food industry, manufacturing, digital service providers, and research.
The most common misconception: “We’re too small.” In reality, the threshold is just 50 employees or 10 million euros in revenue, so many mid-sized companies that never considered themselves critical infrastructure (KRITIS) exceed it. Particularly tricky: subsidiaries and affiliated companies may exceed these thresholds due to group affiliation, even if they would not on their own.
§ 30 BSIG: The ten minimum measures in detail
The operational core of the NIS2 Implementation Act is laid out in § 30 paragraph 2 BSIG. Here, lawmakers define ten domains that every affected entity must cover. None of these measures is optional.
1. Risk analysis and security concepts. Organizations need documented risk analysis and information security concepts. Paper exercises won’t suffice: The BSI verifies whether these concepts are current, comprehensive, and tailored to the organization’s actual IT landscape.
2. Incident management. Security incidents must be detectable, classifiable, and manageable. The BSI expects defined reporting channels, escalation procedures, and documented post-incident reviews. Experience shows: Many organizations have incident response plans that fail in real-world scenarios.
3. Business continuity. Operational resilience, backup management, disaster recovery, and crisis management. It’s not just technical: Organizational emergency procedures must also be clearly defined and regularly tested through drills. A paper-based backup plan is useless if restoration has never been validated.
4. Supply chain security. Securing the supply chain – including direct vendors and service providers. This is one of the largest gaps: Many organizations lack visibility into their IT providers’ security practices. NIS2 mandates systematic identification and contractual governance of these risks. This applies equally to cloud providers, managed service providers, and software suppliers.
5. Secure procurement and development. Security measures for acquiring, developing, and maintaining IT systems. For organizations with internal software development, this means “security by design” becomes mandatory – not optional. As the SBOM practical check demonstrates, the software bill of materials helps fulfill this requirement.
6. Effectiveness evaluation. Organizations must not only implement measures but also regularly assess their effectiveness. Penetration tests, audits, and security metrics become mandatory. Evaluations must be documented and presented to executive leadership.
7. Training and awareness. Foundational cybersecurity training for all employees – not as a one-off, but continuously. Executive leadership has its own non-delegable training obligation under § 38 BSIG.
“Organizations need reliable regulatory frameworks.”
Ralf Wintergerst, President, Bitkom (Bitkom Press Release, 2025)
8. Cryptography. Concepts and processes governing cryptographic methods. This includes encryption in transit, at rest, and in communications. Organizations must document which algorithms they use – and why. Outdated methods like SHA-1 or RSA keys under 2048 bits are no longer acceptable.
9. Access control and personnel management. Personnel security, system access controls, and ICT system administration. Identity and access management (IAM) thus becomes a compliance issue – not just a security concern. The principle of least privilege must be rigorously implemented and demonstrably documented.
10. Multi-factor authentication and secure communication. MFA or continuous authentication, plus secured voice, video, and text communication. Organizations lacking MFA for critical systems are non-compliant effective immediately. This is especially relevant for those using Microsoft Teams or similar platforms for confidential communications.
§ 38 BSIG: Why executives face personal liability
Perhaps the most significant change introduced by NIS2 is found in § 38 BSIG. Managing directors and board members are personally liable for implementing risk management measures. Three legal duties are clearly defined.
Approval obligation: Risk management measures under § 30 must be formally approved by executive management. Delegation to the CISO or IT leadership is insufficient. Executives must demonstrably have made the decision.
Oversight obligation: Executives must actively monitor implementation. They must not only be informed but also steer the process. The BSI may demand proof that such oversight is taking place.
Training obligation: Management bodies must undergo regular cybersecurity training. This duty cannot be delegated. Refreshers are required at least every three years.
Crucially, a company cannot legally release executives from liability. Even if a CISO has been appointed, executives remain personally responsible for strategic oversight. Anyone unable to prove fulfillment of these three duties after an incident risks personal assets.
What the BSI is doing after March 6
After the registration deadline passed, the BSI signaled it would initially favor cooperation over immediate penalties. No public records of fines have emerged so far. However, this does not mean inaction.
Since January 2026, the BSI has been conducting on-site audits at essential entities. Initial findings reveal three recurring weaknesses: incident reporting processes that fail under real pressure, unknown dependencies in the supply chain, and logging systems insufficient for BSI audits.
For companies still unregistered, this means: The grace period is not a free pass. Registration itself takes only a few hours. But implementing the measures under § 30 can take weeks or months. Companies just starting now should prioritize: register immediately, then focus on quick wins like incident management and access control, while simultaneously establishing a full compliance roadmap.
Immediate checklist: What IT security teams must do now
Step 1: Determine applicability. Ask: More than 50 employees or more than 10 million Euro in annual revenue? Operating in one of the 18 NIS2 sectors? If yes: you are affected.
Step 2: Register with the BSI. If not already done: register immediately via the BSI portal. The registration process is straightforward. Every day of delay increases the risk of fines.
Step 3: Conduct a gap analysis against § 30. Review each of the ten minimum measures. Where do existing processes exist? Where is documentation missing? Where is the measure entirely absent? Outcome: a prioritized action list.
Step 4: Involve executive management. Obtain board approval for risk management measures. Schedule cybersecurity training for executives. Define a monitoring schedule. Document everything.
Step 5: Map your supply chain. Which IT service providers do you use? What security standards apply there? Are there contractual agreements in place? Supply chain security is the area most companies underestimate.
Step 6: Test reporting processes. Simulate a security incident. Do escalation paths work? Does everyone know whom to inform and when? Can the report reach the BSI within the legally mandated timeframe?
Conclusion: Registration is the easy part
BSI registration can be completed in a few hours. The real work lies in § 30 BSIG: ten areas of measures that must be documented, implemented, and regularly reviewed. With § 38 BSIG, executive personal liability adds another layer of urgency.
Companies that haven’t started yet should not rely on the BSI’s grace period. On-site audits are already underway. The question isn’t if the first fine will be issued, but when.
Frequently Asked Questions
Who must register with the BSI?
Companies with more than 50 employees or more than 10 million Euro in annual revenue operating in one of the 18 NIS2 sectors. The registration obligation has applied since March 6, 2026.
What happens if I missed the registration deadline?
The BSI currently favors cooperation over immediate penalties. However, fines remain possible at any time: up to 10 million Euro or 2 percent of global annual turnover for essential entities. Register immediately.
Are managing directors personally liable?
Yes. § 38 BSIG obliges executives to approve, monitor, and personally undergo cybersecurity training. A company cannot legally release executives from liability. This duty cannot be delegated to the CISO.
What are the ten minimum measures under § 30 BSIG?
Risk analysis, incident management, business continuity, supply chain security, secure procurement and development, effectiveness evaluation, training, cryptography, access control, and multi-factor authentication. All ten areas must be documented and implemented.
Does NIS2 apply to SMEs?
Yes. The threshold is 50 employees or 10 million Euro in annual revenue. Many mid-sized companies that never considered themselves critical infrastructure (KRITIS) are now covered by NIS2. Particularly affected: manufacturing, food industry, and digital service providers.