NIS2: Germany's grace period is ending
The grace period ends on July 31, 2026
Germany's NIS2 implementation act – the NIS2UmsuCG – has been in force since December 2025, with no transition period. Affected entities had to register with the BSI, Germany's federal cyber security authority, within three months; that deadline expired on March 6, 2026. The result was sobering: of an estimated 29,500 affected companies in Germany, only around 11,500 had registered by the cutoff.
The BSI has since made clear that it expects outstanding registrations by July 31, 2026. This grace period is an opportunity, not a free pass: the registration obligation has existed since March, and violating it alone can be fined with up to 500,000 euros.
- Law in force since December 2025, registration deadline expired on March 6, 2026
- Only about a third of affected companies registered on time
- The BSI expects stragglers by July 31, 2026
Who is affected – and how to find out
NIS2 distinguishes particularly important and important entities across 18 sectors – from energy, transport, and health to digital infrastructure and manufacturing. As a rule of thumb, companies in these sectors with 50 or more employees or more than 10 million euros in annual turnover and balance sheet total can fall within scope; some entities are covered regardless of size. For international groups, note that a German subsidiary can be in scope even if the parent is regulated elsewhere.
Do not rely on rules of thumb. The BSI provides an official NIS-2 scope check that lets you determine and document your classification in a structured way. This assessment is a management responsibility – even a documented "not affected" conclusion should be kept with its reasoning.
How registration works
Registration happens via the BSI's reporting portal, the MUK portal. Authentication requires an ELSTER organization certificate – the credential of Germany's tax administration. If your organization does not have one, apply immediately: issuance typically takes several days and becomes a bottleneck right before deadlines.
For the registration itself, have the master data ready: entity and sector, contact details of a reachable point of contact, IP address ranges, and the member states where services are provided. Well prepared, the process is done quickly.
After registration, the real work begins
The law requires affected entities to maintain a solid package of risk management measures: from risk analysis and incident handling to backup and crisis management and supply chain security. Added to this are staged reporting obligations for significant incidents – an initial report within 24 hours, a follow-up within 72 hours, and a final report after one month – as well as personal duties for management, which must approve and oversee the measures and receive training.
For violations of these obligations, the fine ranges go far beyond the registration penalty: up to 10 million euros or 2 percent of global annual turnover for particularly important entities, and up to 7 million euros or 1.4 percent for important entities.
- Risk management aligned with the state of the art, including the supply chain
- Reporting processes that can actually carry 24-hour deadlines
- Demonstrable governance: responsibility sits with management
From deadline to structure
The July cutoff is a good occasion to treat NIS2 not as a form to fill in but as a structural task: requirements, measures, owners, and evidence belong permanently linked – not in scattered spreadsheets that get re-sorted before every audit.
That is exactly what we are building Secani for: a workspace where requirements from frameworks like NIS2 or IT-Grundschutz++ are available in structured form and implementation and evidence are documented traceably. If you want to use the grace period for more than the registration itself, talk to us.
Build auditable compliance workflows
Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.
Related posts
All postsWith the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.
With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.
The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.