Missed NIS2 deadline? These fines and liability risks will be imposed from March 2026


February 21, 2026
6 min read

The clock is ticking: 29,000 companies, a deadline, no excuses

On March 6, 2026, the registration period with the BSI expires. Since the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) came into force on December 6, 2025, affected companies have had three months to register in the BSI portal. Anyone who misses this deadline risks not only fines but also personal liability.

The most important thing: Registration is an obligation you must fulfill on your own initiative. The BSI will not approach you. You must check for yourself whether you are affected and take active action.

What happens if you miss the deadline?

The fines are severe: up to 10 million euros or 2% of global annual sales — whichever is greater. And that's just the beginning.

In the event of violations of the registration requirement, the BSI can:

• Issue warnings and orders

• Order audits and security checks

• Impose fines — even without there being a security incident

• In extreme cases, prohibit the operation of certain services

Crucial: The reporting requirements (24-hour initial notification of security incidents) have been in effect since December 2025, regardless of whether you are registered.

Managing directors are personally liable - with private assets

The NIS2UmsuCG introduces explicit management responsibility. Section 38 of the law makes it clear: Management must monitor and approve the implementation of risk management measures, and is personally liable for breaches of duty.

Specifically, this means:

• Personal liability with private assets according to Section 43 Paragraph 2 GmbHG or Section 93 Paragraph 2 AktG

• Responsibility cannot be delegated to the IT manager or CISO

• Managing directors must have verifiably attended NIS2 training courses

• In the event of intent or gross negligence, there may also be criminal consequences

A CISO can take over the operational implementation, but the ultimate responsibility remains with the management. This is new, and many managers are not aware of it.

The registration process in 5 steps

Step 1: Impact assessment

Use the BSI impact check. Affected are companies with 50 or more employees OR €10 million in sales in defined sectors (energy, transport, health, digital infrastructure, finance, and others).

Step 2: Apply for ELSTER organization certificate

Registration in the BSI portal requires an ELSTER organization certificate. Attention: the application can take several weeks. If you don't have a certificate yet, act immediately.

Step 3: Register in the BSI portal

In the portal you specify: company size, legal form, sector, responsible federal authority and an NIS2 contact point (including representative).

Step 4: Designate NIS2 point of contact

You must designate a contact point that the BSI can reach – around the clock. This office receives warnings and information from the BSI.

Step 5: Establish reporting processes

Parallel to registration, you must set up processes for reporting obligations: 24 hours for the initial report, 72 hours for an update, 30 days for the final report.

After registration: what’s next?

Registration is just the first step. Afterwards, affected companies must:

• Build or expand an information security management system (ISMS).

• Implement risk management measures according to §30 NIS2UmsuCG

• Secure the supply chain (supply chain security is checked)

• Conduct regular training for management and employees

• Establish business continuity management

• Prepare for BSI audits

Reality: According to Computerwoche, two thirds of the affected companies have not yet fully implemented NIS2. The backlog is enormous.

The 3 biggest mistakes in thinking

Mistake 1: “We are too small”

NIS2 doesn't just affect large corporations. The thresholds are 50 employees or €10 million in sales. In addition, if you are part of the supply chain of an affected company, you too may be held liable.

Mistake 2: “The IT department takes care of it”

IT can implement — but management must approve, monitor, and be personally liable. NIS2 explicitly makes cybersecurity a matter for top management.

Mistake 3: “Registration = Compliance”

Registration with the BSI is the beginning, not the end. Without ISMS, without reporting processes, without training, you are still not compliant — and liable.

Frequently asked questions

Can I still register after March 6th?

Technically yes, the BSI portal remains open. But you will be in default from March 7th and risk regulatory action and fines.

How much does registration cost?

Registration itself is free. However, the subsequent implementation of the NIS2 requirements (ISMS, training, audits) requires budget and resources.

We already have ISO 27001 – is that enough?

ISO 27001 is an excellent basis, but does not cover all NIS2 requirements. In particular, the reporting obligations (24-hour deadline), management responsibility and supply chain requirements go beyond ISO 27001.

Does NIS2 also apply to cloud providers and SaaS?

Yes. Providers of digital infrastructure and digital services (cloud computing, data centers, DNS, CDN) are explicitly in the scope.

Conclusion: act now

The NIS2 registration deadline of March 6, 2026 is not a recommendation — it is a legal requirement. Anyone who does not act now risks fines of up to €10 million, personal liability on the part of the management, and BSI supervisory measures.

ADVISORI supports you with NIS2 compliance: from the impact check through registration to the complete ISMS setup. Arrange a free initial consultation now.

📖 Also read: NIS2: Registration required by March 6, 2026
