Table of Contents
- Do you need to register for NIS2 in Germany in 2026? A practical guide to the BSI portal and “Mein Unternehmenskonto”
- What NIS2 means in plain language
- Germany’s timeline and what changed
- Who should pay attention now
- How registration works: the two-step route
- Step 1: Create access via “Mein Unternehmenskonto” (MUK)
- Step 2: Register in the BSI portal
- What the BSI portal provides after registration
- Reporting vulnerabilities and incidents
- Optional participation: ACS and UP KRITIS
- Practical advisor notes for a smooth start
- Official enablement materials (worth using)
Do you need to register for NIS2 in Germany in 2026? A practical guide to the BSI portal and “Mein Unternehmenskonto”
NIS2 registration in the BSI portal is now live (as of 6 Jan 2026)
The EU NIS2 Directive has applied in Germany since 6 December 2025. Under the law, the Federal Office for Information Security (BSI) had to provide a portal for reporting and information on IT security incidents. BSI has now made the next registration phase available, so organizations can register in the BSI portal.
If your organization falls within the scope, registration is not a “nice to have.” It supports legal compliance and sets up a clear channel for incident reporting.
What NIS2 means in plain language
NIS stands for Network and Information Security. NIS2 sets minimum cybersecurity requirements for certain organizations that provide important services or operate in key sectors. The aim is consistent risk management, faster incident reporting, and stronger cooperation across the EU.
NIS2 was adopted in 2022 and published in the Official Journal of the EU in December 2022. It is a framework law. Each member state implements it through national legislation and enforcement.
Germany’s timeline and what changed
Germany missed the EU implementation deadline of October 2024. The national implementation was adopted in November 2025 and entered into force on 6 December 2025.
On 6 January 2026, BSI announced that the BSI portal supports NIS2 registration in its next phase. From that point, newly applicable obligations affect around 29,500 companies and federal institutions in Germany. These obligations include registration as a NIS2 entity and reporting significant incidents to BSI.
Who should pay attention now
Organizations in covered sectors should act early, even if internal scope checks are still ongoing. NIS2 covers many areas, including energy, transport, health, and digital infrastructure. It also applies beyond classic “critical infrastructure” in many cases.
If you are unsure, treat this as a compliance triage item. Confirm whether the entity qualifies, assign an owner, and document the result.
How registration works: the two-step route
Registration is structured in two steps:
Step 1: Create access via “Mein Unternehmenskonto” (MUK)
This is a nationwide login that provides access to digital administrative services. Authentication is expected to use Elster certificates in many cases, based on the information BSI references.
Step 2: Register in the BSI portal
After MUK access exists, the organization completes registration in the BSI portal that BSI developed for NIS2-related tasks.
Plan time for identity, authorization, and role setup. These steps often take longer than the form itself, especially in larger organizations.
What the BSI portal provides after registration
The portal is designed to support regulated organizations with obligation guidance and operational security information. It includes information on duties under the BSI Act, such as the need to perform risk analyses and implement documented risk management measures.
BSI also provides daily situation reports and IT security alerts through the portal. These updates can help security teams prioritize patching and response actions.
Reporting vulnerabilities and incidents
The portal supports reporting of vulnerabilities and security gaps to BSI. BSI notes that this is possible anonymously and without registration, which can be useful for responsible disclosure.
For regulated entities, incident reporting duties under NIS2 are a separate topic from vulnerability reporting. Treat incident reporting as a controlled process with defined triggers, owners, and approval paths.
Optional participation: ACS and UP KRITIS
Organizations can join the Alliance for Cyber Security (ACS) via the BSI portal. ACS is an IT security network under BSI, with nearly 9,000 members and free membership. It offers formats for knowledge exchange and shared practices.
Eligible organizations can also participate in UP KRITIS. It connects business and public bodies in working groups that cover cybersecurity and physical security.
Practical advisor notes for a smooth start
Set up your internal approach before you click “register.” That avoids delays and reduces risk of inconsistent reporting later.
- Assign one accountable owner for NIS2 registration and reporting readiness
- Confirm legal entity data, contacts, and delegated roles in advance
- Create an incident classification rule set that matches “significant incident” thresholds in your governance
- Start a written risk analysis workflow and link it to controls you can evidence
Official enablement materials (worth using)
BSI provides an NIS2 starter kit with step-by-step guidance for registration and reporting in the portal. BSI also announced webinars under the label “#nis2know,” including sessions on 8 January, 20 January, and 3 February, with portal demonstrations and guidance for assessing NIS2 impact. Registration is available through an online form linked by BSI.