NIS2 in Germany: BSI Registration, IT-Grundschutz, and Your 2026 Compliance Deadlines
By ArvexLab Team — Compliance Research
Germany's NIS2 Transposition: The NIS2UmsuCG
Germany was among the first EU member states to formally transpose the NIS2 Directive into national law. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) became effective on 6 December 2025, replacing significant portions of the previous IT Security Act 2.0 (IT-SiG 2.0).
The impact is enormous. Under the old regime, roughly 4,000 organizations were classified as critical infrastructure (KRITIS) operators. Under NIS2UmsuCG, approximately 29,500 entities are now in scope — a seven-fold increase that pulls mid-sized companies across 18 sectors into regulatory obligations for the first time.
If your organization operates in Germany and meets the size thresholds, this guide covers everything you need to know about registration, compliance mapping, and upcoming deadlines.
Who Is in Scope Under German NIS2?
NIS2UmsuCG introduces two tiers of regulated entities, mirroring the EU directive:
Besonders wichtige Einrichtungen (Essential Entities)
- 250+ employees or annual turnover exceeding €50M
- Sectors: energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space
- Subject to the strictest supervisory regime, including proactive audits by BSI
Wichtige Einrichtungen (Important Entities)
- 50+ employees or annual turnover exceeding €10M
- Sectors: postal services, waste management, chemicals, food, manufacturing, digital providers, research
- Subject to reactive supervision — BSI investigates after incidents or credible reports
Special Cases
Certain entities are in scope regardless of size:
- Qualified trust service providers
- Top-level domain (TLD) registries and DNS providers
- Telecommunications network operators
- Sole providers of essential services in a member state
BSI Registration: Timeline and Process
The Federal Office for Information Security (BSI) opened its NIS2 registration portal on 6 January 2026. All in-scope entities were required to complete registration by 6 March 2026.
Registration Requirements
- ELSTER organizational certificate — You must authenticate via the ELSTER system (the same platform used for German tax filings). Personal certificates are not accepted; you need an organizational certificate tied to your legal entity.
- Contact information — A designated point of contact for cybersecurity matters, reachable 24/7 for incident coordination with BSI.
- Sector and sub-sector classification — Self-assessment of which NIS2 sector(s) your organization falls under.
- Entity size data — Employee count and turnover figures to determine your tier.
What If You Missed the Deadline?
Organizations that failed to register by 6 March 2026 are technically in violation and may face administrative fines. BSI has indicated that late registrations will still be processed, but enforcement action is at the authority's discretion. If you haven't registered yet, do so immediately — the portal remains open.
IT-Grundschutz and NIS2 Article 21 Mapping
Germany's IT-Grundschutz framework, maintained by BSI, has been the de facto cybersecurity standard for German organizations for over two decades. The good news: it maps well to NIS2 Article 21 requirements.
How IT-Grundschutz Aligns with NIS2
| NIS2 Art. 21 Measure | IT-Grundschutz Module |
|---|---|
| Risk analysis and security policies — Art. 21(2)(a) | ISMS (BSI-Standard 200-1), Risk Analysis (BSI-Standard 200-3) |
| Incident handling — Art. 21(2)(b) | DER.2 Security Incident Management |
| Business continuity — Art. 21(2)(c) | DER.4 Business Continuity Management |
| Supply chain security — Art. 21(2)(d) | OPS.2 Third-Party Operations, ORP.1 Organization |
| Network and information system security — Art. 21(2)(e) | NET.1-4 Network modules, SYS modules |
| Effectiveness assessment — Art. 21(2)(f) | DER.3 Security Audits, IS Revision |
| Cyber hygiene and training — Art. 21(2)(g) | ORP.3 Awareness and Training |
| Cryptography — Art. 21(2)(h) | CON.1 Crypto Concept |
| HR security and access control — Art. 21(2)(i) | ORP.2 Personnel, ORP.4 Identity and Access Management |
| MFA and secure communications — Art. 21(2)(j) | ORP.4 Authentication, NET.4 Encrypted Communications |
Practical Implications
If your organization already holds an ISO 27001 certificate based on IT-Grundschutz (the so-called "ISO 27001 on the basis of IT-Grundschutz"), you have a strong foundation. However, NIS2 introduces requirements that go beyond traditional IT-Grundschutz profiles — specifically in supply chain documentation, management body accountability, and incident reporting timelines.
BSI C5 for Cloud Providers
Organizations using cloud services should pay particular attention to the BSI Cloud Computing Compliance Criteria Catalogue (C5). NIS2UmsuCG explicitly references C5 as a benchmark for cloud provider security assessments.
If your critical infrastructure or essential services depend on cloud providers, verify that they hold a C5 Type 2 attestation. This demonstrates not only that security controls are designed appropriately but that they have been operating effectively over a defined period.
Key C5 areas relevant to NIS2 compliance:
- Organisation of information security (OIS) — maps to Art. 21(2)(a)
- Supply chain management (SSO) — maps to Art. 21(2)(d)
- Incident management (SIM) — maps to Art. 21(2)(b)
- Business continuity (BCM) — maps to Art. 21(2)(c)
BaFin's Role: Where DORA and NIS2 Overlap
For financial institutions in Germany, the regulatory landscape is more complex. The Federal Financial Supervisory Authority (BaFin) oversees DORA compliance, which took effect in January 2025.
Under the lex specialis principle, DORA takes precedence over NIS2 for financial entities where DORA's requirements are equivalent or stricter. In practice:
- Incident reporting: Follow DORA's 4-hour initial notification to BaFin, not NIS2's 24-hour timeline
- ICT risk management: DORA's framework satisfies NIS2 Art. 21 for the areas it covers
- Third-party risk: DORA's Register of Information and critical ICT provider oversight go beyond NIS2 supply chain requirements
However, financial entities must still register with BSI under NIS2UmsuCG. BaFin and BSI coordinate supervision, but registration obligations are separate.
Penalty Structure
NIS2UmsuCG adopts the EU penalty framework:
| Entity Type | Maximum Fine |
|---|---|
| Essential entities (besonders wichtig) | €10M or 2% of global annual turnover |
| Important entities (wichtig) | €7M or 1.4% of global annual turnover |
Beyond monetary penalties:
- Management liability: Geschäftsführer and Vorstand members can be held personally liable for compliance failures
- Public disclosure: BSI can publicly name non-compliant entities
- Operational restrictions: In extreme cases, BSI can suspend business operations
Upcoming Audit Requirements
BSI has indicated that systematic audits will begin in the second half of 2026 for essential entities. Important entities will be subject to reactive supervision — audits triggered by incidents, complaints, or random selection.
Prepare for audits by ensuring:
- Your BSI registration is complete and accurate
- Risk assessments are documented according to BSI-Standard 200-3
- Incident response plans include the 24h/72h/1-month NIS2 reporting cadence
- Supply chain security measures are documented for all critical vendors
- Management body training on cybersecurity obligations is completed and recorded
FAQ
Q: Can an existing ISO 27001 certificate satisfy NIS2 requirements in Germany?
Partially. ISO 27001 (especially on the basis of IT-Grundschutz) covers approximately 70-80% of NIS2 requirements. Gaps typically exist in incident reporting timelines, management body accountability, and supply chain documentation depth. Use a framework overlap analysis to identify your specific gaps.
Q: Do I need to register with BSI even if my company is subject to DORA via BaFin?
Yes. NIS2UmsuCG requires separate BSI registration for all in-scope entities, including those supervised by BaFin under DORA. The two authorities coordinate their supervisory activities, but registration obligations are independent.
Q: What happens if my company falls below the 50-employee threshold but operates in a critical sector?
Generally, entities below the size thresholds are not in scope. However, exceptions exist for DNS providers, TLD registries, trust service providers, telecommunications operators, and sole providers of essential services. Additionally, individual German states (Länder) may designate smaller entities as in scope based on their criticality.
Q: Is IT-Grundschutz certification mandatory under NIS2UmsuCG?
No. IT-Grundschutz certification is not mandatory, but it is strongly recommended and serves as a recognized compliance benchmark. BSI has stated that IT-Grundschutz-certified organizations will have a streamlined audit process. Organizations can also demonstrate compliance through other recognized frameworks such as ISO 27001 or sector-specific standards.