Secani
Secani
  • Company
  • Roadmap
Request demo

Summarize with AI

Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok
SIBB Startups
Berlin
Kofinanziert von der Europäischen Union
Secani

Jonathan Bezdek

Wörther Straße 9

10435 Berlin


hello@secani.com

Product

  • Security
  • Roadmap
  • Documentation
  • OSCAL

Legal

  • Privacy Policy
  • Terms
  • Cookie settings
  • Legal Notice

Company

  • Company
  • Contact
  • Blog

Support

  • Help
    Blog

    NIS2: Germany's grace period is ending

    Derya AltinayCEO
    6 min read
    July 18, 2026

    Explore with AI

    Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok

    On this page

    The grace period ends on July 31, 2026Who is affected – and how to find outHow registration worksAfter registration, the real work beginsFrom deadline to structure

    The grace period ends on July 31, 2026

    Germany's NIS2 implementation act – the NIS2UmsuCG – has been in force since December 2025, with no transition period. Affected entities had to register with the BSI, Germany's federal cyber security authority, within three months; that deadline expired on March 6, 2026. The result was sobering: of an estimated 29,500 affected companies in Germany, only around 11,500 had registered by the cutoff.

    The BSI has since made clear that it expects outstanding registrations by July 31, 2026. This grace period is an opportunity, not a free pass: the registration obligation has existed since March, and violating it alone can be fined with up to 500,000 euros.

    • Law in force since December 2025, registration deadline expired on March 6, 2026
    • Only about a third of affected companies registered on time
    • The BSI expects stragglers by July 31, 2026

    Who is affected – and how to find out

    NIS2 distinguishes particularly important and important entities across 18 sectors – from energy, transport, and health to digital infrastructure and manufacturing. As a rule of thumb, companies in these sectors with 50 or more employees or more than 10 million euros in annual turnover and balance sheet total can fall within scope; some entities are covered regardless of size. For international groups, note that a German subsidiary can be in scope even if the parent is regulated elsewhere.

    Do not rely on rules of thumb. The BSI provides an official NIS-2 scope check that lets you determine and document your classification in a structured way. This assessment is a management responsibility – even a documented "not affected" conclusion should be kept with its reasoning.

    How registration works

    Registration happens via the BSI's reporting portal, the MUK portal. Authentication requires an ELSTER organization certificate – the credential of Germany's tax administration. If your organization does not have one, apply immediately: issuance typically takes several days and becomes a bottleneck right before deadlines.

    For the registration itself, have the master data ready: entity and sector, contact details of a reachable point of contact, IP address ranges, and the member states where services are provided. Well prepared, the process is done quickly.

    Registration is the smallest NIS2 obligation

    Registering proves no cyber security – it merely reports your existence. Risk management, incident reporting processes, and governance duties apply independently of registration and are what gets scrutinized first when something goes wrong.

    After registration, the real work begins

    The law requires affected entities to maintain a solid package of risk management measures: from risk analysis and incident handling to backup and crisis management and supply chain security. Added to this are staged reporting obligations for significant incidents – an initial report within 24 hours, a follow-up within 72 hours, and a final report after one month – as well as personal duties for management, which must approve and oversee the measures and receive training.

    For violations of these obligations, the fine ranges go far beyond the registration penalty: up to 10 million euros or 2 percent of global annual turnover for particularly important entities, and up to 7 million euros or 1.4 percent for important entities.

    • Risk management aligned with the state of the art, including the supply chain
    • Reporting processes that can actually carry 24-hour deadlines
    • Demonstrable governance: responsibility sits with management

    From deadline to structure

    The July cutoff is a good occasion to treat NIS2 not as a form to fill in but as a structural task: requirements, measures, owners, and evidence belong permanently linked – not in scattered spreadsheets that get re-sorted before every audit.

    That is exactly what we are building Secani for: a workspace where requirements from frameworks like NIS2 or IT-Grundschutz++ are available in structured form and implementation and evidence are documented traceably. If you want to use the grace period for more than the registration itself, talk to us.

    Build auditable compliance workflows

    Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.

    Request demo

    Related posts

    All posts
    IT baseline protection
    IT-Grundschutz++ meets OSCAL

    With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.

    Read
    OSCAL
    FedRAMP goes machine-readable

    With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.

    Read
    OSCAL
    The OSCAL tools landscape

    The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.

    Read