NIS2 Registration with BSI: Step-by-Step Guide

Complete guide to NIS2 registration in the BSI portal: ELSTER certificate, MUK account, portal form. With timeline, checklists, and late-registration fine warnings.

BSI Registration: Why Register Now?

The official registration deadline for entities covered by NIS2 was 06 March 2026. Organisations that missed this deadline face significant fines: up to EUR 500,000 under § 65 para. 2 no. 6 BSIG in conjunction with § 33. In case of repeated or structural violations, the upper cap under § 65 para. 5 BSIG applies (up to EUR 10 million or 2 % of group turnover). Nevertheless, registering now demonstrates cooperative behaviour towards the BSI and can lead to more lenient treatment. Catching up on registration is therefore not optional but urgent. This article walks you through the complete process, from the ELSTER application to receiving your registration number.

Who Must Register?

Registration is mandatory under § 33 para. 1 BSIG for all important and particularly important entities within the scope of the NIS2 Implementation Act. This includes entities in the 18 sectors listed in Annexes I and II of the NIS2 Directive that meet the relevant size thresholds for number of employees or annual turnover. Particularly important entities are generally operators of critical infrastructure and large companies in sectors such as energy, transport, water, banking, or healthcare. Important entities are medium-sized and large companies in other regulated sectors.

If you are unsure whether your organisation is covered, start with our NIS2 applicability checker. The calculator guides you through the relevant thresholds for your industry and delivers a traffic-light classification as an important or particularly important entity.

Prerequisites Before Registration

Before opening the BSI portal, you should prepare four things. This saves time and prevents interruptions in the middle of the form.

  1. ELSTER Organisation Certificate: This is the digital identity document for your organisation across all federal authority portals. The application takes up to 5 working days because the activation PIN is sent by postal mail. Start this step first, as it determines your earliest possible start date.
  2. Mein Unternehmenskonto (MUK): The central business administration portal of the German federal government at service.mein-unternehmenskonto.de. You need the ELSTER certificate to set it up.
  3. IT baseline data: IP address ranges in CIDR notation (e.g. 192.0.2.0/24), all DNS domains you operate or use, and your sector classification under Annex I or II of NIS2.
  4. 24/7 contact point: Name, mobile number, and business email of an operational IT security person who is reachable around the clock. The BSI also sends warnings at night and on weekends.

Step 1: Apply for the ELSTER Organisation Certificate

The ELSTER Organisation Certificate is the key to all federal authority portals. Without it, neither MUK nor the BSI portal can be used. The application is completed entirely online, but the final step (activation PIN) arrives by postal mail and takes 3 to 5 working days. Always factor in this buffer.

  1. Go to elster.de and select "Create account".
  2. Choose the account type "Organisation" (not "Private individual").
  3. Enter your company tax number and postal address. The tax number must exactly match the company name registered with the tax authority.
  4. Confirm your email address and wait for the activation letter.
  5. Activate the certificate using the PIN and download it as a .pfx file. Store this file securely (e.g. in a password manager).

Common mistakes: Wrong account type selected (private individual instead of organisation), tax number does not match the official company name, or the .pfx file was not stored securely and is lost after changing computers. Store the certificate in a secure, access-controlled location immediately.

Step 2: Set Up Mein Unternehmenskonto (MUK)

Mein Unternehmenskonto (MUK) is the central business administration portal of the German federal government. It links the ELSTER certificate to your company identity and enables single-sign-on access to all connected federal authority portals, including the BSI portal. BSI registration is not possible without MUK.

  1. Go to service.mein-unternehmenskonto.de.
  2. Sign in using your ELSTER Organisation Certificate.
  3. Complete the company details: legal form, commercial register number, business address.
  4. Confirm the link. Your MUK account is immediately usable afterwards.

MUK is not only relevant for BSI registration. It will be the central access point for all digital government services at federal level in the long term. Set it up carefully and designate a responsible person internally for managing access.

Step 3: Register in the BSI Portal

The BSI portal at portal.bsi.bund.de is where the registration itself takes place. Allow 30 to 45 minutes to complete the form once all information is ready.

  1. Go to portal.bsi.bund.de and sign in via the MUK login.
  2. Select "Register entity" in the dashboard.
  3. Enter complete company details: company name, legal form, commercial register number, address, contact person.
  4. Select the applicable sector under Annex I or II of the NIS2 Directive and the entity category (important or essential).
  5. Enter all IP address ranges in CIDR notation that your entity uses or operates (e.g. 192.0.2.0/24). Missing IP ranges can be added later but should be complete from the start.
  6. List all DNS domains you operate or manage.
  7. Enter the 24/7 contact point with name, mobile number, and business email.
  8. Submit the form. The BSI typically confirms registration by email within a few working days.

Important note on IP ranges: Use only CIDR notation (e.g. 10.0.0.0/8 or 203.0.113.0/24). A single IP address is written as /32. IPv6 ranges can also be entered. Separate multiple entries with line breaks, not commas.

Step 4: Set Up the Contact Point and Reporting Channels

§ 33 para. 3 BSIG requires designating a contact point reachable 24/7. The BSI uses this channel not only for registration confirmations but also to send active security warnings when attacks target your IP range or domains. The contact point must be operational and capable of responding to warnings.

Important: The contact point must not consist solely of the managing director. § 33 para. 3 BSIG refers to an operational IT security role that can act on a technical level. A managing director without an IT background cannot meaningfully assess or respond to a security warning. Instead, designate an information security officer, IT director, or an external managed CISO partner.

The BSI portal provides an incident reporting form under § 32 BSIG. The reporting chain runs in three stages: early warning within 24 hours of discovering a significant incident, notification within 72 hours with initial assessments, and a final report within 30 days. Run a test submission before a real incident occurs to make sure all responsible parties know the process.

After Registration: The First 30 Days

Together with the BSI confirmation, you receive a registration number that uniquely identifies your organisation in the BSI system. You will need this number for all future notifications and authority contacts.

  • Internal documentation: Store the registration number, registration date, and designated contact point in your compliance system. This is the first piece of evidence for your NIS2 compliance file.
  • Communication to senior management: Under § 38 BSIG, senior management must be demonstrably informed about NIS2 obligations and participate in training. Use the successful registration as an occasion for a first management briefing session.
  • Document the first risk management cycle: Under § 30 BSIG you are obliged to implement appropriate risk management measures. Document the start of your first risk assessment cycle immediately after registration. Even an initial informal risk workshop counts as evidence.
  • Test the reporting process: Simulate a hypothetical security notification internally to ensure all responsible parties know the 24h/72h/30d chain. Document the test.

Avoid Common Mistakes in BSI Registration

These five mistakes come up most frequently when we support organisations through the registration process:

  1. ELSTER applied for too late: Postal delivery of the activation letter takes 3 to 5 working days. Underestimating this costs you a full week. Apply for ELSTER first, before collecting any other documents.
  2. Wrong sector classification: Incorrect assignment to Annex I instead of Annex II or vice versa can lead to the wrong entity category with different (higher or lower) obligations. Review the BSI sector definitions and seek legal advice if in doubt.
  3. IP ranges entered incorrectly: The form expects CIDR notation. Single IPs without /32, IP ranges with hyphens, or missing subnet masks cause validation errors. Prepare the list in a text editor beforehand.
  4. Contact point = managing director (operationally unsuitable): The BSI expects someone who can act technically when a security warning arrives at 3 AM. The managing director is usually not suitable. Designate an IT security role.
  5. 24/7 availability not actually set up: A landline number or office email without emergency forwarding does not meet the requirement. Ensure that warnings genuinely reach an actionable person around the clock.
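
The CIDR rules from the note on IP ranges in Step 3 and from mistake 3 above can be checked before the list is pasted into the form. The following Python script is an added example, not part of the BSI portal or of this guide's original text; the names normalise_ranges and SAMPLE are hypothetical and the sample entries are constructed. It assumes nothing about the portal's own validation and only produces canonical CIDR as Python's ipaddress module defines it, with /128 for a single IPv6 address.

```python
import ipaddress

# Constructed sample input (documentation address ranges only).
SAMPLE = """192.0.2.0/24
203.0.113.7
198.51.100.0-198.51.100.255, 2001:db8::/32
192.0.2.0/255.255.255.0
192.0.2.17/24
"""

def normalise_ranges(raw):
    """Return (cidr_lines, problems) for a pasted list of IP ranges."""
    cidrs, problems = [], []
    # Commas are accepted on input; the output is one entry per line.
    for entry in raw.replace(",", "\n").splitlines():
        entry = entry.strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                # Hyphenated start-end range: convert to the exact CIDR blocks.
                first, last = (ipaddress.ip_address(p.strip())
                               for p in entry.split("-", 1))
                nets = list(ipaddress.summarize_address_range(first, last))
            else:
                # A bare address becomes /32 (IPv4) or /128 (IPv6); a dotted
                # netmask such as /255.255.255.0 becomes a prefix length.
                # strict=True rejects host bits set, e.g. 192.0.2.17/24.
                nets = [ipaddress.ip_network(entry, strict=True)]
        except (ValueError, TypeError) as exc:
            # Leave ambiguous entries for a human to correct.
            problems.append(f"{entry}: {exc}")
            continue
        for net in nets:
            if str(net) not in cidrs:  # drop duplicates, keep input order
                cidrs.append(str(net))
    return cidrs, problems

if __name__ == "__main__":
    cidrs, problems = normalise_ranges(SAMPLE)
    print("\n".join(cidrs))  # one CIDR entry per line, ready to paste
    for p in problems:
        print("REVIEW:", p)
```

Entries reported under REVIEW are deliberately not auto-corrected: an address with host bits set may mean either the single host or the surrounding network, and only the network owner can decide which.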

Fine Framework for Missing Registration

Failure to register or registering incorrectly is subject to a fine of up to EUR 100,000 under § 65 para. 1 no. 1 BSIG. If an organisation does not remedy the issue following a BSI order, the BSI can impose enforcement fines or penalty orders. At the escalation stage, § 65 para. 2 BSIG applies with up to EUR 10 million or 2% of global annual turnover. Personal executive liability is also explicitly anchored in BSIG. Full details on sanctions and liability can be found on our NIS2 Penalties and Sanctions page.
