
Germany's NIS2 Registration Flop Exposes the Costs of Compressed Compliance Timelines

With only 38.5% of obligated firms registered by the March 2026 statutory deadline, the BSI has granted a July 31 grace period — but the compliance gap reflects structural design failures, not corporate bad faith.

[Infographic: "Germany NIS2 Registration: The Compliance Gap" (People of Internet Research). Panels: 38.5% entities registered by deadline; €500K maximum fine for non-registration under §65 BSIG; ~5× scope expansion vs NIS1; Jul 31 grace period deadline.]


A Mandate That Arrived Too Fast

When Germany's NIS-2 Implementation Act (BSIG) entered into force on December 6, 2025, it instantly subjected roughly 29,500 companies to mandatory registration with the Federal Office for Information Security (BSI). Three months later, on March 6, 2026, the registration window closed. Only about 11,500 companies — 38.5% of those legally obligated — had filed. Two weeks before the deadline, the number stood at just 4,856.

In June 2026, the BSI wrote to industry associations signalling a grace period: register by July 31, 2026, or face fines of up to €500,000 under §65 BSIG. The message was sent through trade groups rather than as a formal regulatory extension, which is itself telling — the BSI cannot easily un-require what the statute requires, so it is doing the next best thing: communicating leniency before enforcement escalates.

The Strongest Case for NIS2

Before dissecting what went wrong, the regulation's logic deserves a fair hearing. Germany's critical infrastructure — from energy grids to hospital networks to drinking water systems — faces genuine, escalating cyber threats. The original NIS1 framework covered a relatively narrow slice of the economy. The expanded NIS2 Directive, which member states were required to transpose by October 2024, rightly recognises that modern supply chains mean a ransomware attack on a mid-tier automotive parts supplier can cascade into production shutdowns at major OEMs. Bringing 29,500 entities under a unified reporting and risk-management framework is a defensible policy choice. The BSI's registration portal at portal.bsi.bund.de is free, the requirements are standardised, and the underlying goal — knowing which entities are operating critical infrastructure so that incidents can be reported and coordinated — is genuinely in the public interest.

What Actually Went Wrong

The problem is not with the goal but with the execution timeline and the architecture of the registration process itself.

The BSIG portal launched on January 6, 2026 — exactly one month after the law took effect. That gave obligated entities roughly two months of actual working time before the March 6 deadline. For a company encountering the BSI for the first time (which describes the bulk of newly in-scope mid-sized manufacturers), two months was nowhere near enough to determine scope, obtain ELSTER tax-system credentials through the Mein Unternehmenskonto (MUK) system — a prerequisite that itself takes five to ten business days — and complete the technical registration.

Scope confusion compounded the friction. The BSIG distinguishes between "particularly important" entities (250+ employees or revenue above €50 million and balance-sheet total above €43 million) and "important" entities (50+ employees or revenue above €10 million). But §28(3) BSIG allows exclusion of "negligible" business lines from threshold calculations, and in the absence of official guidance, companies self-excluded incorrectly. Some assumed they were out of scope when they were not; others spent months in legal analysis before concluding they were in scope, by which point the deadline had passed.

The healthcare sector presents a particularly acute case. Hospitals and care facilities that lack dedicated IT security staff were simultaneously navigating the sector's chronic staffing crisis and a novel regulatory regime they had no historical relationship with. According to legal analysis published by DLA Piper in February 2026, the BSIG covers "approximately five times as many companies" as its predecessor — an expansion that inevitably swept in organisations with no prior BSI engagement and, in many cases, no cybersecurity function at all.

By the end of May 2026, registrations had climbed to around 18,500 — still roughly 11,000 short of the obligated total. The compliance gap is real, but it is not primarily driven by corporate bad faith. It reflects a deadline that was set before the registration infrastructure existed, combined with a scope definition broad enough to catch thousands of firms that had never heard of the BSI.

The Enforcement Question

The July 31 deadline changes the picture materially. The BSI has been transparent that this is not a formal statutory extension — the March 6 deadline remains legally operative. Late registration already constitutes a violation. What the grace-period letter does is signal that the authority will prioritise its enforcement resources against "persistent non-registrants" rather than those who are simply behind on a process that the regulator itself acknowledges was operationally challenging.

German IT security lawyers Dennis-Kenji Kipker and Stefan Hessel, writing in June 2026 commentary covered by heise.de, pushed back: without actual fines being levied, NIS2 risks becoming a "paper tiger." They have a point. Regulatory credibility depends on enforcement following non-compliance. But the proportionate response here is tiered: issue warnings and demand remediation plans for first-time late registrants, while reserving penalties for those who remain non-compliant after the July 31 signal. Fining thousands of SMEs who missed a deadline partly because the portal wasn't ready would be disproportionate and politically counterproductive.

What the BSI Should Fix Before the Next Phase

The registration requirement is merely phase one. Under §30 BSIG, registered entities must implement ten core risk management measures — including risk analyses, incident response plans, and supply chain security protocols. Particularly important entities must demonstrate full compliance by December 2028. Personal liability for management failures is established under §38 BSIG.

For those obligations to land better than registration did, the BSI needs to address three structural issues now:

NIS2's goals are sound. A Europe-wide floor on critical-infrastructure cybersecurity is proportionate, necessary, and long overdue. But a 38.5% initial compliance rate is not a minor implementation hiccup — it is the system telling the regulator that the execution design needs to change before the harder obligations arrive.

Sources & Citations

  1. BSI — NIS-2-regulierte Unternehmen (official)
  2. BSI Press Release — Portal Launch, January 2026
  3. heise.de — BSI sets July 31 deadline
  4. Morrison Foerster — Germany's NIS2 Implementation
  5. locaterisk — BSI NIS2 Extension Analysis