Germany’s NIS2 Implementation Act (BSIG) entered into force in December 2025. The original registration deadline of March 6, 2026 has passed; yet compliance remains critically low. Following a letter from the Federal Office for Information Security (BSI) to industry associations, affected companies are now expected to complete their registration by July 31, 2026. After this date, increased regulatory scrutiny and enforcement action should be expected.

Key Facts at a Glance:

• BSIG in force since December 2025
• Original registration deadline: March 6, 2026 (expired)
• New BSI-expected completion date: July 31, 2026
• Increased audits and enforcement measures anticipated thereafter

The BSI’s communication to industry associations makes clear that the new date is not a formal extension but rather a firm expectation: companies that fail to register by July 31, 2026 should anticipate heightened regulatory attention.

Broader Scope Than Many Expect

Many organizations underestimate whether they fall within scope of NIS2. The NIS2 Implementation Act applies to a wide range of sectors, including:

• Online platforms and digital marketplaces
• SaaS providers and cloud services
• Companies in the healthcare sector
• Food companies and food & drink tech
• Mechanical engineering and manufacturing

What You Should Do Now

This revised timeline offers a final window to assess your status and take the necessary steps. We strongly encourage all potentially affected companies to conduct a thorough NIS2 applicability analysis without delay. 

Reed Smith stands ready to support you in evaluating your company’s classification under the NIS2 requirements and developing a tailored compliance approach.

For further background on the NIS2 implementation and registration in Germany, see our detailed analysis: https://www.reedsmith.com/articles/germany-implements-nis2-immediate-effect-broad-scope-near-term-registration/