Tech trends7. July 20264 min. Reading time

The registration portal of the BSI has been open since June 2026 – and for around 29,500 companies in Germany, NIS2 is thus becoming a concrete obligation from an abstract EU topic. Anyone affected as a “particularly important” or “important” institution must register within three months. Failures threaten fines in the double-digit million range – and personal liability of the management. It is therefore high time to clarify matters.

What is NIS2 – and why is it now affecting SMEs?

NIS2 is the revised EU directive on network and information security. It is incorporated into German law by the NIS2 Implementation and Cybersecurity Strengthening Act. The decisive difference to the previous regulation: The circle of affected companies is growing significantly. Previously, large operators of “critical infrastructure” were mainly meant, now about 18 sectors and many medium-sized companies are included – according to BSI for the first time about 29,500 “particularly important” and “important” institutions.

The reason for the tightening is real: According to the situational picture of the BSI, almost 80 percent of all ransomware attacks are now targeted at SMEs. Attackers know that here often tangible values meet lean IT security budgets.

Cybersecurity is no longer a question of company size – but a question of supply chain. Anyone who produces or supplies software for an affected company becomes part of its security requirements.

Registration with the BSI: Portal open, deadline runs

The first tangible step is registration. Since June 2026, the BSI has provided a portal for this purpose; the registration runs through the organization account (“My company account” / ELSTER) and then the BSI portal. Important: There is no official invitation – affected companies must themselves report, usually within three months of being first affected.

This is exactly where the pitfall lies: Many SMEs are simply not sure whether they are meant at all – and therefore do not even become active. Registration is only the formal beginning. The actual requirements for risk management, reporting channels and securing the supply chain apply independently.

Am I affected? Three Rules of Thumb

A legally secure classification always needs the individual case, but these clues help with the first self-assessment:

  • Size: Usually from 50 employees or 10 million euros in annual turnover – combined with belonging to one of the regulated sectors.
  • Sector: From energy, health and transport to mechanical engineering and automotive to digital services and IT service providers, the spectrum extends significantly further than before.
  • Supply chain: Even those who are below the thresholds themselves can indirectly come under the obligation – namely as a supplier or IT service provider of an affected company.

What to do now

Those who want to use the time wisely should proceed pragmatically:

  • Clarify Concern: Scrutinise the sector, size and corporate structure properly – accounting issues in particular often lead to miscalculations.
  • Registration: If affected, make the notification via the BSI portal on time.
  • Setting up risk management: Document technical and organizational measures – from access concepts to backups to emergency planning.
  • Establish reporting channels: In the future, security incidents must be reported on time. The internal processes should stand for this.
  • Secure software and supply chain: Which applications and service providers process sensitive data? One cleanly built, maintainable software landscape this is half the rent.

Where NIS2 and Artificial Intelligence Meet

With the rapid spread of generative AI in business processes, the attack surface has shifted noticeably. A vivid example: A sales team that dumps customer data into a public chatbot without a processing contract produces a reportable security incident in case of doubt – not just a data protection problem.

For companies that use AI, NIS2 and the EU AI regulation interlock. And the calendar does not make it any easier: On August 2, 2026, the transparency obligations of the EU AI Act apply. Thinking about both topics together saves duplication of work and closes gaps before they become risks.

Conclusion: making a head start out of duty

NIS2 is annoying – but the core requirements are simply good IT operations: clear responsibilities, clean processes, secured software and a resilient supply chain. Companies that are now approaching this in a structured manner not only fulfill a legal obligation, but also become more resistant to the very attacks that are currently hitting the middle class the hardest. If you need support with the impact assessment, the protection of your software landscape or the evaluation of service providers, talk to us.

Additional sources

Note: This article reflects the publicly reported status and does not replace individual legal advice. Whether and to what extent your company is affected should be examined in individual cases.

From practice to practice

Would you like to implement this in your company? We support you pragmatically – from the idea to the operation.