17,500 German companies missed the BSI NIS2 registration deadline on March 6, 2026. Seven weeks later, BSI enforcement is open — and the supervisor doesn’t need a security breach to start writing fines.
This is the part most compliance teams misjudged. They planned remediation work for the October 2026 full-compliance deadline. They didn’t plan for the 7-month enforcement gap between registration (March 6) and full compliance (October). That gap is now 49 days into reality, and it’s exactly the period BSI was always going to use to clear its backlog of non-registrants.
If you’re one of the 17,500, this is what’s actually on the table.
What Just Happened
The BSIG (Bundesamt für Sicherheit in der Informationstechnik Gesetz) implementation of NIS2 set March 6, 2026 as the registration deadline for in-scope entities. Registration is the simpler half of the compliance burden — entities self-identify via the BSI MELDUNG portal, declare sector, size, and contact details. No security evidence required at registration.
Scope expanded the German cybersecurity-regulated population from approximately 4,500 entities under the previous regime to roughly 29,000 under NIS2 — a 6× expansion driven by the Directive’s broader sector list (digital infrastructure, managed services, postal/courier, food production, manufacturing of critical products, public administration).
By the deadline, only ~11,500 of the 29,000 had registered. The remaining ~17,500 — about 60% of the in-scope population — missed the cutoff. Sources: b2b-cyber-security.de, heise.de.
BSI position: the March 6 deadline was firm. There is no announced grace period. Companies that have not registered by the time BSI initiates inspection are treated as non-compliant on the registration obligation, which is independently enforceable.
What BSI Can Do Right Now
The fine for missed registration alone is up to €500,000 under NIS2UmsuCG. No breach is required. No incident is required. The trigger is simply being identified as in-scope and unregistered during a BSI inspection.
| Enforcement action | Trigger | Maximum exposure |
|---|---|---|
| Registration-failure fine | In-scope entity unregistered at inspection | €500,000 |
| Article 21 measure non-compliance | Missing or incomplete cybersecurity measures | €10M or 2% global turnover (essential) / €7M or 1.4% (important) |
| Incident reporting failure | Missed 24h or 72h CSIRT notification | Same as above |
| Management ban (Art. 32(6)) | Repeated or severe non-compliance | Temporary suspension from management functions |
The €500K registration fine matters more than the headline number suggests. Companies pursuing remediation work on Article 21 measures cannot benefit from any “we’re working on it” framing if they haven’t registered. Registration is the gateway — without it, your remediation plan has no documented recipient and no supervisor to negotiate timelines with.
§38 BSIG: Why CEOs Personally Should Care
Germany’s NIS2 implementation goes further than the Directive minimum on one specific point: §38 BSIG creates personal liability for managing directors. The duty to approve, supervise, and monitor cybersecurity risk-management measures is non-delegable. A CEO cannot point to a CTO or CISO and say “they handle that.” The legal burden stays on the person at the top.
Three concrete obligations under §38 BSIG:
- Approval: management must formally approve the cybersecurity risk-management measures (not rubber-stamp them — BSI guidance points to a documented review of the actual measures, not just a general security policy).
- Supervision: ongoing oversight, not annual sign-off. Supervisors expect evidence of board-level cybersecurity discussion in meeting records.
- Training: mandatory cybersecurity training every 3 years for management, with detailed records (participants, content, trainer credentials, duration). BSI guidance is explicit that attendance certificates alone are insufficient.
For a deeper breakdown of what §38 BSIG specifically requires of managing directors, see our §38 BSIG personal liability guide.
The escalation path goes further than fines. Article 32(6) NIS2 — implemented in §32 BSIG — allows supervisors to temporarily suspend managing directors from their management functions for repeated or severe non-compliance. Sources: Greenberg Traurig analysis, Taylor Wessing NIS2 implementation review.
October 2026: The Other Deadline That Matters
Registration was the easy half. The harder half is the October 2026 full-compliance deadline for Article 21(2) measures — the 10 mandatory cybersecurity risk-management measures.
That gives unregistered companies roughly six months to:
- Register with BSI (immediately, retroactively).
- Implement Article 21 measures (risk analysis, incident handling, supply chain security, vulnerability handling, cryptography, MFA, training, business continuity).
- Document evidence (the supervisor will request it during inspections).
- Train management (§38 BSIG records).
Six months is enough time if work starts now. It is not enough time for companies that wait until September. The Article 21 evidence base for a mid-market 50–250-person entity typically requires 8–12 weeks of focused work plus contracted external scanning to produce auditor-ready documentation.
For a structured approach, see our NIS2 audit preparation guide (covers all 7 evidence domains supervisors expect) or the German-language NIS2 10-step compliance checklist.
Industry-specific deep dives:
- NIS2 for fintech and banks — essential entities, NIS2 + DORA double layer
- NIS2 for healthtech and medical devices — MDR overlap, MDCG 2019-16
- NIS2 for SaaS and cloud providers — Annex I/II classification
- NIS2 for B2B SaaS supply chain cascade — sub-50-person vendors selling to in-scope buyers
- NIS2 for MSPs — multi-tenant evidence challenges
How to Assess Your Exposure in 60 Seconds
The fastest way to start is the part most teams skip: external posture validation. Article 21(2)(a) requires documented risk analysis. Article 21(2)(h) requires cryptography. Article 21(2)(i,j) require access control and MFA. Article 21(2)(e) requires vulnerability handling.
All four of these have externally verifiable components — TLS configuration, security headers, DMARC enforcement, exposed admin panels, JavaScript library CVEs. Supervisors will check them. So will procurement teams at your enterprise customers.
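Two of the externally verifiable checks named above, DMARC enforcement and the HSTS security header, as an added example (not the post's own code and not SaaSFort's scanner): it evaluates a published DMARC TXT record and a captured HTTP response header set offline and reports pass/fail findings. The record strings, header values and example.com addresses are constructed sample inputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Finding:
    check: str
    status: str   # "pass" or "fail"
    detail: str

# Constructed sample inputs (not real domains, records or captured traffic).
SAMPLE_DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt: Optional[str]) -> Finding:
    """Enforcing means p= and sp= (defaults to p=) are quarantine/reject and pct=100."""
    name = "DMARC enforcement"
    if not txt:
        return Finding(name, "fail", "no DMARC record published at _dmarc.<domain>")
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()        # missing p= behaves like monitor-only
    pct = int(tags.get("pct", "100"))             # share of failing mail the policy applies to
    if policy not in ("quarantine", "reject") or pct < 100:
        return Finding(name, "fail", f"p={policy} pct={pct}: spoofed mail can still be delivered")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ("quarantine", "reject"):
        return Finding(name, "fail", f"subdomain policy sp={sub_policy} is not enforcing")
    return Finding(name, "pass", f"p={policy}; sp={sub_policy}; pct={pct}")

def check_hsts(headers: Dict[str, str]) -> Finding:
    """HSTS counts as enforced only with a max-age of at least one year (31536000 s)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return Finding("HSTS", "fail", "Strict-Transport-Security header missing")
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(match.group(1)) if match else 0
    if max_age < 31536000:
        return Finding("HSTS", "fail", f"max-age={max_age} is below one year")
    return Finding("HSTS", "pass", value)
```

In practice the DMARC string comes from a TXT lookup of `_dmarc.<domain>` and the headers from an HTTPS response to your own domain; the findings are what a supervisor or procurement reviewer can see without any internal access.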
A SaaSFort scan covers 66 deterministic checks across 25 categories in under 60 seconds. Each finding maps to the specific Article 21(2) measure. The output is a downloadable NIS2 compliance PDF you can attach to your audit folder.
→ Run a free scan now — no signup, no credit card.
If you create an account, you receive a 14-day Growth trial automatically: 50 scans/month, multi-domain monitoring, full NIS2 PDF export. The trial lets you scan staging, production, and customer-facing subdomains in parallel — exactly the surface auditors and procurement teams test independently.
For a more structured starting point, the NIS2 Article 21 self-audit Excel template covers all 10 measures in a single spreadsheet — status, priority, owner, deadline columns, and an auto-counted readiness percentage. Free, email-gated download.
What to Do This Week
Concrete actions, in order:
- Register with BSI today (if unregistered). The portal is at the BSI MELDUNG site. Document your registration date — it becomes evidence that you cured the registration failure as soon as practical.
- Run an external scan. Establish your baseline grade. If it’s below B, the externally verifiable parts of Article 21 need work.
- Brief management under §38 BSIG. Personal liability is non-delegable; awareness is the first documented step. Record the briefing.
- Inventory your supply chain. Article 21(2)(d) requires this. Critical vendors first — payment processor, cloud provider, identity provider.
- Document incident response. The 24-hour early warning + 72-hour full report timeline must be written down before an incident, not improvised during one. See our NIS2 incident reporting setup guide.
If you’re a sub-50-person B2B SaaS vendor selling to NIS2-scoped buyers, the cascading obligations matter just as much as direct scope. Your customer’s NIS2 audit pulls the thread on every supplier — you’ll receive the same questionnaires whether or not you’re directly regulated. See our B2B SaaS supply chain compliance guide for the specifics.
FAQ
My company has been operating since the deadline without issues. Are we safe?
No. Operating without a BSI inspection is not the same as being compliant. BSI is processing inspection sequences, not random walk-ins. The €500K registration-failure exposure persists until you register. There is no statute of limitations announced for the March 6 deadline.
What if I disagree that NIS2 applies to my company?
Self-classification is your call until BSI disputes it. The conservative path: register under the broader category if uncertain. Registration triggers no immediate Article 21 audit — it just puts you on BSI’s roster. Withdrawal is possible if the classification later proves out-of-scope. The penalty for incorrect non-registration is far higher than the cost of registering and later proving out-of-scope.
Does §38 BSIG apply to small companies’ managing directors too?
Yes. §38 BSIG applies to managing directors of any in-scope entity regardless of size, provided the entity itself meets NIS2 thresholds. There is no SMB exemption from personal liability. The 50-employee / €10M threshold applies to scope determination, not liability allocation within the scoped entity.
How much will registration cost?
Registration itself is free. The cost is preparation: your designated NIS2 contact must be identified, sector classification determined, contact details validated. Realistic time investment: 2–4 hours including internal alignment. Article 21 implementation work, not registration, is where the cost concentrates — typically €15K–€80K of internal time and external assessment for a mid-market entity.
What’s the relationship between BSI registration and German state-level data protection authorities?
BSI handles NIS2 compliance. State-level authorities (Landesdatenschutzbehörden) handle GDPR. The two regimes overlap on incident reporting (NIS2: 24h to BSI; GDPR: 72h to data protection authority for personal-data breaches) but operate independently. NIS2 registration with BSI does not exempt or pre-empt GDPR obligations. For the comparison, see our NIS2 vs GDPR guide.
Validate your NIS2 readiness. Run a free scan — 66 checks across SSL, headers, DNS, OWASP, and email authentication. Get your A-F grade and downloadable NIS2 compliance PDF in under 60 seconds. New accounts get a 14-day Growth trial. Or grab the NIS2 Article 21 self-audit template to start your internal review this week.
From reading to action
Scan your domain for free. First results in under 10 seconds, no signup required.