
NIS2 registration with BSI: Complete instructions in 3 steps
Am I affected? The impact test
The NIS2 Directive applies to essential and important facilities. Crucial: Whether a company is affected is not determined automatically. Companies must check for themselves whether they fall within the scope.
You are affected if your company:
- operates in a covered sector (e.g. IT services, health, energy, transport, digital infrastructure, manufacturing, finance)
- employs at least 50 people
- has at least EUR 10 million in annual sales or balance sheet total
Important: Calculate the threshold values including partner and affiliated companies, unless they are legally, economically and technically independent.
Document your impact assessment - it is the first proof of compliance.
The registration process: step-by-step instructions
The NIS2 registration with the BSI takes place in two stages. Plan at least 1-2 weeks if you do not yet have an ELSTER organization certificate.
Step 1: Secure ELSTER organization certificate
The ELSTER organization certificate is the basis for everything else. Registration is not possible without this certificate.
- Check immediately whether your company already has an ELSTER organization certificate (usually in the tax department or from the tax advisor).
- If available: Make sure you have access to the certificate file and its password.
- If not available: Apply for the certificate immediately at mein-unternehmenskonto.de. The application can take several days to weeks.
Time required: Can be checked immediately, new application takes 3-14 days.
Step 2: Set up Mein Unternehmenskonto (MUK)
The MUK is the cross-agency company account that you use to authenticate yourself on the BSI portal.
1. Go to portal.bsi.bund.de.
2. Click on 'Log in with MUK' - you will be redirected to the ELSTER website.
3. Upload your ELSTER organization certificate and enter the password.
4. Confirm the transfer of your company master data to the BSI.
5. You will be automatically redirected to the BSI portal.
The company data (name, legal form, address, register information) is taken automatically from the ELSTER certificate. If any data is incorrect, it must first be corrected in Mein ELSTER.
Time required: 15-30 minutes.
Step 3: Complete NIS2 registration in the BSI portal
After successful MUK registration, navigate to the NIS 2 area in the BSI portal:
1. Click on 'Go to NIS-2' under the specialist procedures or use the vertical navigation bar.
2. Select 'To NIS-2 Registration'.
The following information is requested:
- Federal bodies: Choose whether your institution is a federal authority or a comparable body.
- KRITIS status: Indicate whether you are registered as an operator of a critical system (including institution ID).
- Company size: employees, annual sales and total assets.
- Sector and industry: Use the dropdown to select your sector, industry and facility type.
- EU Member States: Specify all the countries in which your organization provides services.
- Supervisory authorities: Name all responsible federal and state authorities.
- Classification: The portal automatically classifies you as an important or particularly important facility.
- Contact point: Designate a 24/7 contact point for security incidents.
- IP address ranges: Specify your company's publicly accessible IP ranges.
Time required: 30-60 minutes (depending on the complexity of your organization).
Responsibility of management
The NIS2 implementation law expressly makes cybersecurity a management task. Management bears legal responsibility for the approval, monitoring and effectiveness of the measures. It must actively monitor implementation and undergo demonstrable further training.
The operational implementation can be delegated - but the overall legal responsibility cannot. Violations of registration, security or reporting requirements can result in significant fines.
After registration: What applies immediately
Registration is not the end, but the starting point of your NIS2 compliance.
Obligation to report security incidents
When there are significant security incidents, the clock is ticking:
- 24 hours: First report (early warning) after it becomes known
- 72 hours: Detailed assessment of the incident
- 30 days: Final root cause analysis report
Your incident response processes must be so robust that reports can be made in a legally secure manner via the BSI portal, even on holidays and weekends.
Other duties
- Evidence of risk management measures
- Implementation of operational continuity management (BKM)
- Determination of responsibilities and accountabilities
- Creation and maintenance of verifiable documentation
- Regular training and sensitization of employees
Common mistakes and pitfalls
- No ELSTER certificate available: The application takes days to weeks. If you don't have one yet, you need to act immediately.
- Incorrect thresholds: Partner and affiliated companies are forgotten in the calculation.
- Incorrect sector classification: Companies with activities in multiple sectors must register each type of facility separately.
- No 24/7 contact point: The BSI requires a contact person who can be reached around the clock.
- Impact assessment not documented: The check as to whether you fall under NIS2 must be verifiable.
What happens if you miss the deadline?
Companies that do not register on time are violating their legal obligations under Sections 33 and 34 BSIG. The possible consequences:
- Fines of up to EUR 10 million or 2% of global annual turnover (for particularly important institutions)
- Fines of up to EUR 7 million or 1.4% of annual worldwide turnover (for essential establishments)
- Personal liability of the management
- Supervisory measures by the BSI
Your checklist: Act now
1. Check ELSTER organization certificate - is it available? Do you have the password?
2. Document the impact assessment - in which sector, which thresholds?
3. Set up MUK at portal.bsi.bund.de
4. Complete NIS2 registration in the BSI portal
5. Name the 24/7 contact point and store it in the portal
6. Prepare incident response process for 24-hour reporting period
7. Inform management and set up a governance process
Also read our overview article on strategic classification: NIS2: Registration requirement by March 6, 2026 - Why cybersecurity is a top priority
Conclusion
NIS2 registration is not a technical ticket, but your digital insurance policy. Anyone who misses the March 6th deadline creates an avoidable regulatory risk with potential fines and liability consequences.
Act now: Check ELSTER availability today.
Do you need support with NIS2 implementation? ADVISORI accompanies you from the impact assessment through registration to the complete security concept. Talk to us.