The NIS2 Deadline Is Now July 31, 2026: What Your Company Must Do Before the BSI Acts

Germany's BSI has drawn a final line for registration. Here is what is at stake, and how to be ready before the clock runs out.

Author: Andy Mura
Date: 29.6.2026
Updated on: 29.6.2026

The NIS2 deadline has shifted, but not in the way most companies hoped. The statutory registration date of March 6, 2026 has already passed, and Germany's Federal Office for Information Security (BSI) has now set a firm grace period that ends on July 31, 2026. If your organization falls within scope and has not yet registered, this is the window you cannot afford to ignore. The BSI has been explicit that leniency has limits, and the work required to register properly takes longer than most teams expect. The good news is that with the right approach to NIS2 compliance, readiness is achievable well before the date arrives.

This article explains what the new deadline means, who it applies to, what happens if you miss it, and how to move from a one-time registration to the continuous compliance that NIS2 actually demands.

What the new NIS2 deadline actually means

The new NIS2 deadline is a grace period, not a fresh start. The legal obligation to register took effect months ago, and July 31, 2026 is the date by which the BSI expects outstanding registrations to be completed before it begins enforcing.

Germany transposed the EU directive into national law through an updated BSI Act that became effective on December 6, 2025. There is no transition period built into the text, which means the obligations applied from day one. You can read the directive's full legal text through the official EU law database to see how little room it leaves for delay.

The numbers explain why the BSI stepped in. By late May 2026, only around 18,500 of an estimated 29,000 to 40,000 affected organizations had registered. More than half of the companies in scope were still non-compliant. Faced with that gap, the authority chose a final reminder rather than immediate penalties, and that reminder carries the July 31 date. For deeper background on the obligations that sit behind registration, our guide to NIS2 requirements walks through the full picture.

Treat the extension as breathing room, not as a signal that enforcement is soft. The legal violation for a late registration still exists; the grace period simply delays the consequences.

Who has to register before the NIS2 registration deadline

You must register if your organization qualifies as an essential or important entity under NIS2, operates in one of the regulated sectors, and meets the size threshold. In practice that means 50 or more employees, or annual revenue and balance sheet totals above 10 million euros, across 18 defined sectors.

NIS2 splits affected organizations into two tiers, and the distinction shapes how closely the BSI will watch you. Essential entities face stricter supervision and proactive oversight, while important entities are supervised reactively after an incident. Both must register, and both carry the same risk-management duties. The European cybersecurity agency's overview sets out how member states are expected to apply these categories.

A critical detail trips up many teams: there is no official letter telling you that you are in scope. The duty to self-identify rests entirely with you, and getting it wrong in either direction carries cost. If you are unsure where you stand, the NIS2 Checker gives you a fast, structured read on your applicability before you commit time to the BSI portal.

The table below summarizes the two tiers and the sectors that most commonly catch growing technology companies by surprise.

| Dimension | Essential entities (wesentliche Einrichtungen) | Important entities (wichtige Einrichtungen) |
| --- | --- | --- |
| Typical sectors | Energy, healthcare, financial market infrastructure, digital infrastructure, public administration, water | Postal and courier, food, manufacturing, chemicals, cloud and digital service providers, digital platforms, research |
| Size threshold | 250+ employees or above large-enterprise financial limits (sector-dependent) | 50+ employees or 10M euros+ in revenue and balance sheet |
| Supervision | Proactive, including audits and inspections | Reactive, triggered by incidents or evidence of non-compliance |
| Registration duty | Mandatory before July 31, 2026 | Mandatory; the same date applies |

If your company sells cloud software, runs a managed platform, or supplies a regulated customer base, assume you are in scope until a proper assessment proves otherwise.

What happens if you miss the deadline

Missing the NIS2 deadline exposes your company to fines, official orders, and personal liability for your management team. Late registration alone can trigger penalties of up to 500,000 euros, and breaches of other NIS2 obligations carry higher ceilings.

The financial exposure is only the headline. NIS2 explicitly attaches accountability to leadership, which means directors and managing officers can be held personally responsible for failures in cyber risk governance. This is a deliberate design choice in the law, intended to move security from a back-office concern to a board-level one. Our breakdown of management liability under NIS2 explains exactly where that responsibility lands and how to discharge it.

Beyond fines, the BSI can issue binding orders, demand evidence of compliance, and escalate supervision. For an essential entity, that can include inspections and external audits at your expense. The federal authority lays out its enforcement posture in its official guidance for regulated companies, and the tone has hardened noticeably since the spring.

There is also a quieter cost. Enterprise buyers, insurers, and partners increasingly ask for proof of NIS2 standing during procurement. A missing registration becomes a deal blocker long before a regulator ever knocks, and re-opening a stalled enterprise contract is far more expensive than registering on time. For a regulated customer, your compliance gap is their compliance gap, which is exactly why they screen for it.

Registration is the start, not the finish: building continuous NIS2 compliance

Registering with the BSI satisfies one obligation, but NIS2 is a continuous program, not a single form. The directive requires ongoing risk management, incident reporting, supply chain security, and demonstrable governance that holds up over time.

The reporting duty is the sharpest edge. NIS2 mandates an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller notification and a final report. Meeting that timeline is impossible to improvise under pressure, which is why incident response and business continuity have to be built in advance. Our guide to NIS2 incident response and business continuity shows what a working plan looks like in practice.

Then there is the substance of the security measures themselves. The law expects risk analysis, access control, cryptography, supplier assessment, employee training, and regular testing of how well your controls actually perform. Many of these map closely onto established standards, and reading NIS2 through the lens of ISO 27001 is one of the most efficient ways to satisfy both at once.

Supply chain security deserves particular attention, because it is where many organizations underestimate their exposure. NIS2 holds you responsible for the security posture of your direct suppliers and service providers, not just your own systems. That means contractual security clauses, vendor risk assessments, and a clear view of which third parties could become an entry point for an attack. If you depend on cloud providers or managed services, their weaknesses become your regulatory problem, and the BSI will expect you to have evidence that you assessed and managed that risk.

A realistic path to readiness looks like this:

  1. Confirm whether you are in scope and which tier applies.
  2. Register in the BSI portal before July 31, 2026.
  3. Run a gap analysis against the NIS2 security measures.
  4. Close the gaps with documented policies, technical controls, and supplier checks.
  5. Stand up a 24-hour incident reporting process and test it.
  6. Keep evidence current so you can prove compliance on demand.

The European Commission frames NIS2 as a baseline that rises over time, and its policy summary makes clear that supervision will only tighten as the regime matures.

How to reach NIS2 readiness before July 31 with Kertos

Kertos exists to make this exact race winnable. The platform combines agentic automation with accredited compliance experts, so you can move from uncertain scope to a defensible NIS2 program inside the window the BSI has set.

Speed matters most right now, and this is where automation changes the math. Kertos automates evidence collection, control mapping, and documentation, which compresses the manual work that usually stretches a NIS2 project across many months. Teams using the Kertos platform typically cut the effort of reaching readiness by a large margin while keeping a single source of truth for every control.

Just as important, Kertos treats NIS2 as continuous compliance rather than a one-off project. Once you are registered, the platform keeps your risk register, policies, and incident processes live, so the 24-hour reporting clock and the next audit never catch you unprepared. If you want a concrete starting point, the NIS2 FAQ answers the questions most teams raise in their first week, and a tailored NIS2 readiness demo maps the platform to your specific scope.

The companies that will clear the July 31 deadline comfortably are the ones treating the next few weeks as decisive. With expert guidance and automation working together, NIS2 readiness becomes a manageable sprint instead of an open-ended scramble.

Frequently asked questions about the NIS2 deadline

When is the NIS2 registration deadline in Germany? The BSI has set July 31, 2026 as the grace-period deadline for registration. The original statutory date of March 6, 2026 has already passed, so any registration now is technically late even if penalties are deferred until after July 31.

What is the fine for missing the NIS2 deadline? Late registration alone can cost up to 500,000 euros. Breaches of other NIS2 duties, such as risk management or incident reporting failures, carry higher maximum penalties, and management can be held personally liable.

Will the BSI notify me if my company is affected? No. There is no official notification. Your organization must self-assess whether it qualifies as an essential or important entity. Running a structured applicability check is the safest first step.

Is registering with the BSI enough to be NIS2 compliant? No. Registration is one obligation among many. You must also implement risk-management measures, supplier security checks, employee training, and a 24-hour incident reporting process, then maintain them continuously.

How long does it take to get NIS2 ready? Done manually, a full program can take six to twelve months. With automation and expert support, organizations that start now can reach a defensible position before the July 31, 2026 deadline.

The NIS2 deadline is no longer an abstract policy date on a distant horizon. It is a few weeks away, the penalties are real, and the registration gap means the BSI is watching closely. The companies that act this month will not just avoid a fine; they will build the continuous compliance posture that turns NIS2 from a threat into a credential. Start by confirming your scope, then move.

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
