The clock is ticking: NIS2 registration deadline at BSI expires on March 6, 2026
TÜV SÜD warns that the registration deadline for NIS2-obligated companies at the BSI ends in two weeks. Around 29,000 German companies are affected.
(Image: Ivan Marc/Shutterstock.com)
By March 6, 2026, approximately 29,000 German companies and organizations subject to NIS2 must register with the Federal Office for Information Security (BSI). As reported by TÜV SÜD, the three-month period for implementing the NIS2 directive, which came into force on December 6, 2025, will expire. This affects companies with 50 or more employees or with annual revenues exceeding 10 million euros in critical sectors such as energy, health, transport, digital infrastructure, and public administration.
“Many companies underestimate the importance of formal obligations such as registration, ongoing updating of company data, and timely reporting of security incidents,“ warns Richard Skalt, Advocacy Manager Cybersecurity Office at TÜV SÜD. Registration takes place via the portal launched by the BSI in early 2026, which serves as a central point of contact for all NIS-2 obligations.
ELSTER certificate requires lead time
For registration, companies need an ELSTER organizational certificate, the processing of which, according to TÜV SÜD, takes five to ten working days. Companies should therefore not wait until the last day. Information on company size, legal form, NIS-2 contact point, sector, and responsible federal authority must be provided in the BSI portal. Changes to this data must be reported within two weeks.
Videos by heise
The BSI portal is not only used for initial registration but also for the mandatory reporting of security incidents. Further functional features are to be added in the coming months, including a standardized reporting format and real-time data exchange to increase awareness of acute threats.
Personal liability of management
The NIS-2 directive not only brings formal obligations but also significant consequences for non-compliance. Managing directors can be held personally liable if implementation is inadequate. “Organizations need practical, actionable action plans for NIS 2,“ emphasizes Skalt.
BSI President Claudia Plattner expressed confidence: “NIS2 has been implemented comparatively quickly despite the change of government, and we are ready. We can get started.“ She hopes for significant effects from the German implementation law. Various service providers offer support with implementation, including TÜV SÜD with impact assessments, training, and assessments, as well as the heise academy with special training courses.
(odi)
