NIS2 for German Startups: Who Must Register, What to Do, What It Costs
NIS2 has been in force since 6 December 2025. The BSI registration deadline (6 March 2026) has lapsed. Here is the founder-first scoping and action playbook.
Key Summary
The German NIS2 implementation law (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS2UmsuCG) entered into force on 6 December 2025. Affected entities had to register with the BSI by 6 March 2026; according to press reporting in April 2026, roughly 18,500 of the estimated 30,000 in-scope entities missed that deadline, and the BSI has signalled the move from outreach to supervisory action under § 64 BSIG. Essential entities face fines up to EUR 10 million or 2 percent of global annual turnover under § 65 BSIG; important entities up to EUR 7 million or 1.4 percent. § 38 BSIG makes the executive board personally responsible for approving and monitoring the risk-management measures, with a non-delegable training duty.
NIS2 has been live German law since 6 December 2025. The registration deadline at the Bundesamt für Sicherheit in der Informationstechnik (BSI) was 6 March 2026. It has lapsed. Press reporting in April 2026 puts the gap between in-scope entities (around 30,000) and registered entities at roughly 18,500. The BSI has signalled the move from outreach to supervisory action under § 64 BSIG. If your startup might be in scope, the next decision is not whether to comply but in what order.
The first thing to understand is that this is not a successor to the old IT-Sicherheitsgesetz with a few new sectors. The NIS2UmsuCG expands the regulated population in Germany from around 4,500 to roughly 30,000 entities, and it makes cybersecurity a board-level legal duty under § 38 BSIG. The directive itself is not new (in force at EU level since January 2023), but Germany only finalised its transposition in late 2025.
Are you in scope?
The scoping rule has three layers. You are in scope if all three apply: your activity falls within Annex 1 or Annex 2 of the BSIG, you exceed the size threshold, and no specific exemption applies.
For a typical Berlin or Munich startup, the trapdoors are more important than the size cap.
The first trapdoor is the digital-infrastructure category in Annex 1. It catches cloud-computing service providers, data-centre operators, content delivery networks, and DNS providers. The second trapdoor is the new ICT B2B service management category, which catches managed service providers (MSPs) and managed security service providers (MSSPs). The MSP/MSSP definition turns on whether you actively manage the customer's ICT environment (administration, monitoring, maintenance), not on whether you call yourself a SaaS company. Pure B2B SaaS that the customer operates itself is generally outside the MSP category. The closer you come to "we run your cloud, your endpoints, or your security stack," the closer you come to NIS2.
The third trapdoor is the size-independent list in § 28(7) BSIG. Qualified trust services (e.g. eIDAS providers), TLD registries, DNS service providers, and electronic communications providers are in scope regardless of headcount, among other categories named in the statute. A two-person eIDAS qualified-signature startup is regulated the same way as a 5,000-person telco for these purposes.
The fourth trapdoor is the supply chain. § 30(2) lit. d BSIG requires in-scope entities to manage their supply-chain risk, and in practice they discharge that duty by contractually flowing down security expectations to their suppliers. The flow-down is contractual, not a direct statutory obligation on you, but the practical effect is the same. The common pattern in German startup practice is that vendor questionnaires from regulated buyers have grown substantially since the law took effect, and unprepared SaaS vendors get filtered out earlier in procurement.
What you must do now
There are three live obligations, not one. Registration is the most visible, but it is the smallest of the three.
Registration under § 33 BSIG. The portal sits at portal.bsi.bund.de. You log in via "Mein Unternehmenskonto" (MUK), which itself requires an ELSTER organisational certificate. If you do not have ELSTER set up, plan one to two weeks. The form asks for your sector classification, size, the EU member states where you operate, your competent supervisory authorities, a 24/7 incident contact, and your public IP ranges in CIDR notation. Updates must be filed within two weeks (§ 33(5) BSIG).
Risk-management measures under § 30 BSIG. This is where the real work sits. § 30(2) BSIG requires an all-hazards approach with ten minimum measures. The implementation curve is steeper than founders expect.
Incident reporting under § 32 BSIG. The reporting cadence is unforgiving for an under-resourced team. You owe the BSI an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. "Significant" is defined in § 32(1) BSIG and tracks the EU directive: an operational disruption, a financial loss, or harm to other natural or legal persons.
What it costs and who is on the hook
§ 65 BSIG sets offence-specific maxima. The headline ceilings of EUR 10 million or 2 percent of global annual turnover (essential entities) and EUR 7 million or 1.4 percent (important entities) apply to the most serious breaches under the "whichever is higher" rule. Less serious violations carry lower offence-specific ceilings. Non-registration is its own offence; missing § 32 deadlines is another; failing to implement § 30 measures is a third.
The harder lever sits in § 38 BSIG. The executive board must personally approve the risk-management measures, supervise their implementation, and complete regular cybersecurity training. The training duty is explicitly non-delegable. § 38 BSIG itself does not create a direct personal liability claim. Liability runs the ordinary corporate-law route: a § 38 BSIG breach is a breach of the managing director's duty of care, which then triggers internal liability towards the company under § 43 GmbHG for GmbH managing directors (or § 93 AktG for AG board members). The duty is statutory; the liability is derivative. In practice this means a D&O policy needs to be re-papered to confirm coverage of NIS2-related claims, and training records need to be retained.
The order I would do this in
If you missed the deadline, the priority sequence is registration first, then risk-management baseline, then incident-reporting tabletop. Registration is administrative and removes the cleanest enforcement target. The § 30 baseline takes weeks to design and months to implement, so starting it the week after registration is normal. The § 32 cadence assumes the incident-response runbooks exist; building those alongside the § 30 work is fine.
Most founders underestimate how much of the work is upstream of the BSI portal. The recurring pattern is the same: the company knows it is "probably in scope," nobody has documented the § 28 BSIG analysis, the § 38 training is unscheduled, and a customer-driven supply-chain questionnaire has stalled a sales cycle. Solving the questionnaire ends up being a forcing function for the rest. That is fine. Pick the forcing function and ride it.
Bottom line
NIS2UmsuCG is in force, the BSI registration deadline has passed, and enforcement has started. If your startup is in any of the 18 sectors and crosses 50 employees or EUR 10 million turnover, you are most likely an important entity at minimum. Register late rather than not at all, build the § 30 measures into your existing security programme rather than as a parallel compliance project, and put the § 38 training on the next board agenda. The cost of doing this poorly under § 65 BSIG runs into seven figures; the cost of doing it now is mostly time.
If your product touches the Cyber Resilience Act regime or the AI Act, align the security programmes early. The § 30 BSIG measures, the CRA Annex I requirements, and the AI Act risk-management system overlap by design; a single security policy can carry all three if you write it once with all three in mind.
Legal Sources
- § 28 BSIG — Scope and size thresholds for essential and important entities
- § 30 BSIG — Risk-management measures (all-hazards approach, ten minimum technical and organisational measures)
- § 32 BSIG — Incident reporting cadence to the BSI
- § 33 BSIG — Registration obligation; updates within two weeks
- § 38 BSIG — Executive-board duties to approve and supervise risk-management measures; non-delegable training duty; personal responsibility of board members
- § 65 BSIG — Administrative fines tiered by entity classification
- Directive (EU) 2022/2555 — NIS2 Directive (Annex I, Annex II), transposed by the NIS2UmsuCG
- § 43 GmbHG — Managing-director liability standard that backstops § 38 BSIG
- BSI Geschäftsleitungsschulung guidance (NIS-2 Schulung, 2026) — BSI publishes an official curriculum and guidance for the § 38(3) executive-board training duty; available via the BSI's NIS-2 information packages.
- BSI registration guidance for portal.bsi.bund.de (with MUK/ELSTER setup) — BSI step-by-step instructions for the registration portal, including the ELSTER organisational certificate path.
Frequently Asked Questions
- Is my SaaS startup in scope of NIS2?
- It depends on what you build, not what you call yourself. Pure B2C SaaS in a non-listed sector usually stays out. B2B SaaS that operates as a managed service provider, managed security service provider, cloud computing service, data centre, or content delivery network is in scope under the digital-infrastructure category once you cross 50 employees or EUR 10 million turnover.
- I missed the 6 March 2026 BSI registration deadline. What now?
- Late registration via portal.bsi.bund.de is still possible and strongly advisable. Non-registration is itself a separate fineable offence. The BSI has signalled it is moving from outreach to supervisory action under § 64 BSIG; replying to a request for information with a registration already in hand is materially better than ignoring it.
- What happens if my managing director skips the § 38 BSIG training?
- § 38(3) BSIG makes regular cybersecurity training a personal obligation of every member of the executive board. It is not delegable to IT or compliance. A breach exposes the director to personal liability under standard corporate-law principles (e.g. § 43 GmbHG) for damages caused to the company.
- How fast must I report a security incident?
- § 32 BSIG sets a three-stage cadence for significant incidents: an early warning to the BSI within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. The clock starts when you become aware that the incident qualifies as significant under § 32(1) BSIG, not when you finish your internal triage of the underlying technical event.
- We are below 50 employees and EUR 10 million turnover. Are we safe?
- Not automatically. The size cap is disapplied for qualified trust services, TLD registries, DNS, and electronic communications providers. You can also be drawn in if you are the sole provider of a service essential for critical activities in Germany, or if a customer in scope contractually pushes the obligations down their supply chain.