Last Call for NIS2: BSI Sets Final Deadline for the End of July
The Federal Office for Information Security (BSI) has set a new registration deadline for organizations subject to the Network and Information Security Directive 2 (NIS2): the end of July 2026. Those required to register who missed the original deadline at the end of March 2026 are thus granted a final extension until the end of July.
Important: This is merely an extension of the deadline, not a permanent exemption. In its communication, the BSI makes it clear what this reminder means: The registration requirement still applies. Those who ignore it risk fines and regulatory orders. This is relevant for company executives because NIS2, through the NIS2 Implementation Act (NIS2UmsuCG), has been in effect in Germany since December 2025 and explicitly provides for personal liability at the executive level.
Why Many Companies Missed the Deadline
The registration requirement is new for many organizations. The NIS2UmsuCG significantly expands the scope of affected organizations compared to the previous KRITIS regulation: According to estimates by the BSI, approximately 30,000 companies in Germany fall under the directive. A significant portion of these had not previously been regulated as “critical” or “important”—and simply had not yet initiated the registration process.
Added to this is a technical hurdle: Registration takes place via the BSI portal and initially requires an ELSTER organizational certificate. Those who had not prepared this have fallen behind, even with the best of intentions.
Who NIS2 Affects—and Who Feels Wrongly Secure
NIS2 applies to organizations with 50 or more employees or an annual turnover of 10 million euros that operate in one of the 18 regulated sectors. This includes critical infrastructure such as energy, healthcare, financial market infrastructures, digital infrastructure, and public administration—as well as key sectors such as postal and courier services, the food industry, mechanical engineering, cloud service providers, and digital platforms.
There is no provision for notification by authorities. Each organization must determine for itself whether it is affected. This is where many companies fall short: they believe they are not affected—and have never systematically verified this.
How Registration Relates to the Actual Compliance Obligation
Registration with the BSI is only the first step. It demonstrates that an organization has recognized that it falls under NIS2. The actual compliance work begins afterward: risk management, incident response processes, supply chain security, reporting security incidents within 24 hours—and providing evidence of all of this during an audit.
For organizations that missed the March deadline and are now responding to the July extension, this means time is running out. The NIS2 requirements cannot be fully implemented in four weeks. However, this time can be used to assess where the organization stands—and which measures need to be prioritized.
When selecting cloud infrastructure, there is one particular point to consider: NIS2 requires organizations to also assess the security of their service providers and suppliers. Organizations that process critical data on platforms subject to U.S. law must assess an additional layer of risk posed by the U.S. CLOUD Act, which NIS2 explicitly addresses.
What Needs to Be Done Now
The two weeks remaining until the end of July are not a timeframe for full NIS2 implementation. They are a timeframe for an honest assessment of your current status.
SecureCloud’s NIS2 Readiness Quick Check provides an initial structured assessment in about two minutes: whether your organization is likely to be affected, in which areas action is needed, and which measures should be prioritized. No endless forms, no upfront commitments—just a concrete basis for discussions with senior management, IT leadership, or data protection officers.
Check your current NIS2 compliance status for free now (in German language only):
Interessiert Sie die souveräne Cloud?
Hier geht's zur kostenlosen Testphase
Sebastian Deck
Sebastian Deck is Chief Marketing Officer (CMO) at SecureCloud and is responsible for brand strategy, communications and marketing. He has many years of experience in building and leading international marketing teams in consulting, fintech and technology companies. At SecureCloud, he drives brand positioning, thought leadership and lead generation. He also manages go-to-market initiatives and campaigns to position SecureCloud as a leading provider of cyber security and secure cloud services.