Missed NIS2 Registration Deadline? Practical Checklist §30 BSIG
March 6, 2026, marked the deadline. Three months after the NIS2 Implementation Act came into force, around 29,500 companies had to register with the BSI. The result: Only 38.5 percent made it. Those not registered now risk fines of up to 10 million euros and personal liability for managing directors. This article explains what § 30 BSIG specifically requires, where the most common gaps lie, and what IT security teams need to do now.
Key Takeaways
- 🔒 Only 11,500 out of 29,500 obligated companies registered with the BSI on time (Security Insider 2026).
- ⚠️ § 30 BSIG defines ten minimum measures for risk management, from incident response to cryptography.
- 🛡️ Personal liability for managing directors under § 38 BSIG: Managing directors must approve the measures, monitor their implementation, and undergo cybersecurity training themselves.
- 📊 Fines: Up to 10 million euros or 2 percent of global annual revenue for particularly important institutions (§ 65 BSIG).
- 🔧 The BSI is currently focusing on awareness rather than immediate penalties but has been conducting on-site inspections since January 2026.
The registration deadline has passed
The NIS2 Implementation Act (NIS2UmsuCG) came into force on December 6, 2025, without any transitional periods. From this day on, all obligations applied. Three months later, on March 6, 2026, the deadline for BSI registration ended. The BSI had activated the registration portal on January 6, 2026.
The numbers after the deadline are sobering: Out of around 29,500 obligated institutions, only about 11,500 registered, according to industry reports. That corresponds to 38.5 percent. The majority of affected companies are thus formally in default.
For comparison: Under the old IT Security Act, the BSI supervised around 4,500 organizations. With NIS2, this number has increased more than sixfold. Many of the newly affected companies have had no previous contact with BSI regulation and significantly underestimate the effort required to implement the minimum measures.
Sources: BSI press release Dec. 2025, Security Insider Mar. 2026, § 65 BSIG
Who is affected? The Impact Check
NIS2 distinguishes two categories. If you fall into one of them, you are required to register.
Critical entities: With 250 or more employees or an annual turnover of €50 million and a balance sheet total of at least €43 million. These companies are proactively and regularly audited by the BSI. Fines: up to €10 million or 2 percent of global annual turnover.
Important entities: With 50 or more employees or an annual turnover of €10 million. The BSI only conducts reactive audits here, i.e., in case of suspected violations or after a security incident. Fines: up to €7 million or 1.4 percent of global annual turnover.
In total, NIS2 covers 18 sectors. Eleven of them are considered critical: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT services, public administration, and space. Seven other sectors are classified as important: postal services, waste management, chemicals, food industry, manufacturing, digital providers, and research.
The most common misconception: “We’re too small.” In reality, the threshold is 50 employees or €10 million in turnover. Many medium-sized businesses that never considered themselves KRITIS-relevant exceed this threshold. Particularly tricky: Subsidiaries and affiliated companies can also exceed the threshold values through their corporate affiliation.
§ 30 BSIG: The ten minimum measures in detail
The core of the NIS2 implementation law for practical purposes is outlined in § 30 paragraph 2 BSIG. There, the legislator defines ten areas that every affected entity must cover. None of these measures are optional.
1. Risk analysis and security concepts. Companies need documented concepts for risk analysis and information security. Not just on paper: The BSI checks whether these concepts are current, complete, and adapted to the actual IT landscape.
2. Incident Management. Security incidents must be identified, classified, and managed. The BSI expects defined reporting paths, escalation processes, and documented follow-up. Experience shows: Many companies have incident response plans that do not work in real emergencies.
3. Business Continuity. Business continuity, backup management, recovery from emergencies, and crisis management. Not just technical: Organizational processes for emergencies must also be defined and regularly tested in exercises. A backup concept on paper is useless if recovery has never been practiced.
4. Supply Chain Security. The security of the supply chain, including direct suppliers and service providers. This is one of the biggest gaps: Many companies do not know the security practices of their IT service providers. NIS2 requires these risks to be systematically recorded and contractually controlled. This also affects cloud providers, managed service providers, and software suppliers.
5. Secure procurement and development. Security measures for the acquisition, development, and maintenance of IT systems. For companies with their own software development, this means: Security by Design becomes mandatory, not optional. The SBOM practical check shows how the software bill of materials helps with this.
6. Effectiveness assessment. Companies must not only implement measures but also regularly assess their effectiveness. Penetration tests, audits, and security metrics thus become mandatory. The assessment must be documented and presented to the management.
7. Training and awareness. Basic cybersecurity training for all employees. Not a one-time event, but continuous. The management has its own training obligation according to § 38 BSIG, which cannot be delegated.
“Companies need reliable framework conditions.”
Ralf Wintergerst, President Bitkom (Bitkom Press Information, 2025)
8. Cryptography. Concepts and processes for the use of cryptographic methods. This affects encryption in transit, at rest, and in communication. Companies must document which algorithms they use and why. Outdated methods such as SHA-1 or RSA with less than 2048 bits are no longer acceptable.
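Measure 8 asks you to know which algorithms and key sizes are in use before you can defend the choice. The following Python script is an added example, not code from the article or from the BSI: it audits OpenSSH public-key lines (authorized_keys style, one key per line) and flags RSA keys below the 2048-bit threshold the article names, as well as legacy ssh-dss keys. The wire format it parses is the standard OpenSSH one; the set of key types accepted without a size check and the constructed sample keys are assumptions of this example.

```python
import base64
import struct

# Threshold named in the article (§ 30 measure 8): RSA below 2048 bits is unacceptable.
MIN_RSA_BITS = 2048
# Key types accepted without a size check (assumption of this example, not from the article).
MODERN_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_field(blob, pos):
    """Read one length-prefixed field of the OpenSSH public-key wire format."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def audit_key_line(line):
    """Classify one authorized_keys-style line: returns (key_type, rsa_bits_or_None, verdict)."""
    parts = line.split()
    if len(parts) < 2:
        return None, None, "unparseable"
    key_type = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
        wire_type, pos = _read_field(blob, 0)
        if wire_type.decode() != key_type:
            return key_type, None, "unparseable"  # declared type and blob disagree
        if key_type == "ssh-rsa":
            _exponent, pos = _read_field(blob, pos)  # public exponent, not needed for the audit
            modulus, _ = _read_field(blob, pos)      # mpint; may carry a leading 0x00 byte
            bits = int.from_bytes(modulus, "big").bit_length()
            return key_type, bits, "ok" if bits >= MIN_RSA_BITS else "weak"
    except (ValueError, struct.error):
        return key_type, None, "unparseable"
    if key_type in MODERN_TYPES:
        return key_type, None, "ok"
    return key_type, None, "weak"  # e.g. ssh-dss: legacy algorithm, not acceptable


def build_rsa_line(bits, comment="constructed"):
    """Build a constructed ssh-rsa line with a dummy modulus of the given size (sample data only)."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
        return struct.pack(">I", len(raw)) + raw
    modulus = (1 << (bits - 1)) | 1  # not a real key, just the right bit length
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def audit_inventory(lines):
    """Return (comment, key_type, bits, verdict) for every line that is not 'ok'."""
    findings = []
    for line in lines:
        key_type, bits, verdict = audit_key_line(line)
        if verdict != "ok":
            findings.append((line.split()[-1], key_type, bits, verdict))
    return findings
```

Run it over the concatenated authorized_keys files of your servers; the resulting list of weak and unparseable keys is the kind of documented evidence the effectiveness assessment in measure 6 expects.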
9. Access control and personnel management. Security of personnel, access control to systems, and administration of ICT systems. Identity and Access Management (IAM) thus becomes a compliance issue, not just a security issue. The principle of least privilege must be consistently implemented and demonstrably documented.
10. Multi-Factor Authentication and secure communication. MFA or continuous authentication as well as secured voice, video, and text communication. Anyone who does not have MFA for critical systems is no longer compliant from now on. Particularly relevant for companies that use Microsoft Teams or similar platforms for confidential communication.
§ 38 BSIG: Why Managing Directors Are Personally Liable
Perhaps the most significant innovation of NIS2 is outlined in § 38 BSIG. Managing directors and board members are personally liable for implementing risk management measures. Three obligations are legally anchored.
Approval Obligation: The risk management measures under § 30 must be formally approved by the management. Delegation to the CISO or IT management is not sufficient. The management must demonstrably have made the decision.
Monitoring Obligation: Managing directors must actively monitor the implementation. Not just be informed, but steer. The BSI can demand proof that this monitoring is taking place.
Training Obligation: Management must regularly undergo training in cybersecurity. This obligation cannot be delegated. A refresher is due at least every three years.
Particularly relevant: A liability waiver by the company is legally excluded. Even those who have appointed a CISO remain personally responsible for strategic control. Those who cannot prove that they have fulfilled the three obligations after an incident are liable with their personal assets.
What the BSI Does After March 6
After the registration deadline, the BSI has indicated that it will initially focus on awareness rather than immediate penalties. No fines have been publicly announced so far. However, this does not mean that nothing is happening.
Since January 2026, the BSI has been conducting on-site inspections at particularly important entities. The first results show three recurring weaknesses: reporting processes that do not work in an emergency, unknown dependencies in the supply chain, and logging that is insufficient for BSI inspections.
For companies that are not yet registered, this means: the grace period is not a free pass. The registration itself takes only a few hours. But implementing the measures under § 30 takes weeks to months. Those who are just starting should prioritize: register immediately, then incident management and access control as quick wins, and simultaneously set up the complete compliance roadmap.
Immediate Checklist: What IT Security Teams Need to Do Now
Step 1: Affected Check. Check: 50 or more employees, or at least 10 million euros in revenue? Active in one of the 18 sectors? If yes: You are affected.
Step 2: BSI Registration. If not already done: Register immediately via the BSI portal. The registration itself is straightforward. Every day of delay increases the risk of fines.
Step 3: Gap Analysis Against § 30. Go through the ten minimum measures individually. Where are there already processes? Where is documentation missing? Where is the measure completely missing? Result: A prioritized list of actions needed.
Step 4: Involve Management. Obtain a board resolution for the approval of the risk management measures. Schedule a training date for the management. Define a monitoring rhythm. Document everything.
Step 5: Map the Supply Chain. Which IT service providers do you use? What security standards apply there? Are there contractual arrangements? Supply chain security is the area most underestimated by companies.
Step 6: Test Reporting Processes. Conduct a simulated security incident. Do the escalation paths work? Does everyone know whom to inform and when? Does the report reach the BSI within the prescribed time?
Conclusion: Registration Is the Easy Part
The BSI registration is completed in a few hours. The real work lies in § 30 BSIG: ten areas of measures that must be documented, implemented, and regularly reviewed. With § 38 BSIG, the personal liability of the management is added.
Those who have not started yet should not rely on the BSI’s grace period. On-site inspections are already underway. And the question is not if, but when the first fine will be imposed.
Frequently Asked Questions
Who Needs to Register with the BSI?
Companies with 50 or more employees or an annual revenue of 10 million euros or more, operating in one of the 18 NIS2 sectors. The registration deadline expired on March 6, 2026.
What happens if I miss the registration deadline?
The BSI is currently focusing on awareness rather than immediate penalties. However, fines are possible at any time: up to 10 million euros or 2 percent of the global annual turnover for particularly important entities. Register immediately.
Is the managing director personally liable?
Yes. § 38 BSIG obliges managing directors to approve, monitor, and undergo their own cybersecurity training. A liability waiver by the company is legally excluded. The obligation is not delegable to the CISO.
What are the ten minimum measures according to § 30 BSIG?
Risk analysis, incident management, business continuity, supply chain security, secure procurement and development, effectiveness evaluation, training, cryptography, access control, and multi-factor authentication. All ten areas must be documented and implemented.
Does NIS2 also apply to medium-sized businesses?
Yes. The threshold is 50 employees or 10 million euros in turnover. Many medium-sized businesses that never considered themselves KRITIS-relevant fall under NIS2. Particularly affected: manufacturing, the food industry, and digital providers.