Getting Started with NIS2: How to Begin Quickly and Correctly | NIS2Compass
The NIS2UmsuCG has been in force since December 2025. Check your scope, entity class, and BSI registration obligation: a practical entry guide for SMEs.
Written by: NIS2Compass Team | Reviewed by: Dr. Markus Hartmann, Senior Compliance Consultant | Last updated: April 2026
Starting with NIS2 now is not too late, but the first steps need to be right. Around 29,000 companies in Germany are subject to the NIS2UmsuCG. With the NIS2Compass Pre-Check, you can see in just a few minutes where you stand and what needs to happen next.
NIS2 does not apply to every company. The obligation arises from two factors: the sector in which a company operates, and its size. The NIS2UmsuCG lists the affected sectors in Annexes I and II of the BSIG.
Check your sector: Annex I of the BSIG covers 11 essential sectors: energy, transport, health, drinking water, banking, financial market infrastructures, digital infrastructure, ICT service providers, space, public administration, and wastewater. Annex II lists 7 important sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital services, and research.
Pay attention to size thresholds: Important entities (IE) fall under the law from 50 employees or EUR 10 million in annual turnover. Essential entities (EE) only from 250 employees or EUR 50 million in annual turnover. The 50-employee threshold surprises many: it is significantly lower than most companies expect.
Exceptions: KRITIS operators and qualified trust service providers fall under NIS2 regardless of their size. The thresholds do not apply to them.
According to estimates from the BSI and the German federal government, around 29,000 companies in Germany are affected. The BSI applicability tool helps with an initial assessment. A more detailed explanation of the criteria is available in a separate article.
Once you have confirmed that your company is subject to NIS2, the next step should not be delayed: the NIS2Compass Pre-Check shows which requirements are already met and where specific gaps exist.
The NIS2UmsuCG distinguishes three entity classes: important entities (IE), essential entities (EE), and KRITIS operators (operators of critical facilities, which count as essential entities with additional obligations). The class determines which obligations apply and how intensively the BSI supervises the entity. §28 BSIG requires that the classification be documented.
Essential entities (EE) are organisations from Annex I of the BSIG with 250 or more employees or EUR 50 million or more in annual turnover, recognised KRITIS operators, and qualified trust service providers. They face the strictest requirements: fines of up to EUR 10 million or 2% of global annual turnover (§65 BSIG).
Important entities (IE) cover two groups: entities from Annex I of the BSIG with at least 50 employees or EUR 10 million in annual turnover that are not classified as EE, and entities from Annex II of the BSIG meeting the same thresholds. Here, the maximum fine is EUR 7 million or 1.4% of global annual turnover (§66 BSIG). The precise fine structure and which violations are specifically sanctioned is a topic in its own right.
The classification may sound bureaucratic, but it has direct operational consequences: a company that classifies itself as IE when the EE criteria apply will have applied the lighter IE obligations and documented too little. Such a mismatch is a typical starting point for BSI audits.
"The classification documentation is frequently the first step that is missing," explains Dr. Markus Hartmann, Senior Compliance Consultant. "Companies underestimate that §28 BSIG explicitly requires this, regardless of how far along the implementation is."
The classification is not a self-declaration that the BSI passively accepts. It must be actively documented in writing, including the rationale for why certain thresholds apply or do not. Anyone who has not prepared this documentation should catch up β before the BSI asks.
The BSI registration deadline expired on 6 March 2026. Companies that have not yet registered should do so without delay: the registration obligation remains in full force, and violations can result in fines. The BSI reporting portal (MUK) has been open since 6 January 2026.
The key dates at a glance:
6 December 2025: NIS2UmsuCG comes into force; all obligations apply from this date
6 January 2026: BSI reporting portal (MUK) opened for initial registrations
6 March 2026: Deadline for initial registration expired
Three things are required for registration via the BSI reporting portal: an ELSTER organisation certificate for authentication, details about the company, sector, and entity class, and the contact details of a security contact point reachable around the clock.
The most common practical mistake: Companies underestimate the registration not because its content is complex, but because they overlook the ELSTER organisation certificate. The registration itself takes a few minutes. The certificate, however, can take two to six weeks depending on the tax office. Anyone who does not apply for it immediately risks blocking the entire process.
6 March 2026 is not a cutoff date on which the BSI automatically issues fines. Enforcement is ramping up gradually. But the obligation exists, and companies that continue to ignore it are taking a calculable risk. Fines of up to EUR 10 million are provided for in the NIS2UmsuCG for essential entities.
After registration, day-to-day operations change concretely: affected companies receive BSI warning notices and situation reports and are from that point subject to the reporting obligation for significant security incidents. The deadlines, each counted from the moment the entity becomes aware of the incident: 24 hours for the early warning, 72 hours for the initial report, one month for the final report.
After BSI registration comes the actual implementation work: building risk management, defining technical measures, and establishing an incident response process. The NIS2 Guide from NIS2Compass structures this path into 8 chapters with around 124 steps, providing clear direction even without external consultants.
Registration is the administrative entry point. What follows is technically and organisationally more demanding. Five tasks take priority:
Create an asset inventory: Which IT systems, applications, and services support regulated operations? Without a complete inventory, no meaningful risk analysis can be conducted.
Clarify responsibility: Who coordinates NIS2 implementation internally? This does not have to be a dedicated information security officer, but a clear line of responsibility is needed from the start.
Set up a risk management process: A first, simplified risk analysis is better than none. It reveals the most critical vulnerabilities and prioritises the next measures. Perfection is not a sensible goal for phase 1.
Implement technical quick wins: MFA for privileged access, structured patch management, and a documented backup strategy offer the best effort-to-benefit ratio. These three areas simultaneously cover multiple mandatory categories under §30 BSIG.
Build a basic incident response structure: Who reports what, to whom, within which timeframe? The statutory BSI deadlines (24h, 72h, 1 month) are fixed. The internal communication chain must be in place before an incident, not during one.
For risk analysis, information security policy, and incident response plan, NIS2Compass provides ready-to-use templates: Template Library. The legal background on individual §30 mandatory categories (cryptography, network security, access controls) is covered in depth in the articles in the Knowledge Hub. To work through the complete implementation path step by step: NIS2 Guide and the article Implementing NIS2: Step by Step to Compliance.
Many companies wait for the "right moment": the perfect plan, the complete budget, the ideal consultant. NIS2 compliance is not a one-off project, however, but an ongoing process. Starting today with the applicability check and registration creates the foundation on which everything else is built.
A food company from southern Germany, 80 employees, EUR 12 million in turnover: clearly subject to NIS2 as an important entity under Annex II of the BSIG. The IT manager knew this. He wanted to draw up a complete internal task list before starting implementation. The outcome was less than ideal: the BSI registration deadline passed because the ELSTER organisation certificate had never been applied for. Not due to ignorance, but due to deferred decisions.
Applying for the certificate itself takes hours. But processing by the responsible tax office takes weeks. Waiting to get started means blocking yourself through lead times that cannot be accelerated.
The most common mistake is not knowing too little. It is waiting for the moment when you know everything. That moment never comes.
For most SMEs, it pays to prioritise three areas in phase 1: the basic incident response structure (due to the statutory reporting deadlines), access controls (MFA, authorisation concept), and backup strategy. This covers the biggest operational risks. Everything else follows in a structured way afterwards.
The NIS2UmsuCG explicitly states in §30 that security measures must be "proportionate", that is, appropriate to the size, resources, and actual risk of the entity. SMEs do not need to implement everything to the standard of a large corporation. But they do need to start.
NIS2Compass offers exactly this prioritisation with the NIS2 Guide: which chapters first, which steps as quick wins β without having to work through the entire legislation yourself.
The NIS2 implementation act (NIS2UmsuCG) has been in force since 6 December 2025, with no transition period. All cybersecurity obligations apply from this date. The BSI registration deadline expired on 6 March 2026. Affected companies that have not yet registered must do so without delay.
How do I check whether my company is subject to NIS2?
Two criteria must be met: your company operates in one of the 18 sectors listed in Annexes I or II of the BSIG, and it employs at least 50 people or generates more than EUR 10 million in annual turnover. The official BSI applicability tool at betroffenheitspruefung.bsi.bund.de provides an initial assessment. The Pre-Check from NIS2Compass also helps you identify existing gaps in your implementation.
What happens if the BSI registration deadline was missed?
The registration obligation remains in full force β it does not expire with the deadline. Complete the registration via the BSI MUK portal as quickly as possible. An immediate fine is not automatically imposed, but the risk of a fine increases the longer the non-registration continues.
What documents do I need for BSI registration?
An ELSTER organisation certificate is mandatory for authentication in the MUK portal (portal.bsi.bund.de); the application process takes several weeks. In addition, you need details about the company, sector, and entity class, as well as a security contact point reachable around the clock.
Do I need to appoint an information security officer (ISB) immediately?
The NIS2UmsuCG does not prescribe a formal ISB obligation comparable to the data protection officer requirement under the GDPR. §38 BSIG assigns responsibility for cybersecurity measures to company management. A clearly designated internal point of responsibility is nevertheless advisable, but the law leaves its format open.