The deadline to register for NIS-2 with the German Federal Office for Information Security (BSI) was March 6, 2026. The result? Only about 11,500 of an estimated 29,850 affected German companies registered on time. (Source: Security Insider, March 10, 2026) Many commentaries point to negligence. However, a closer look reveals a different pattern, particularly in the healthcare sector.
At first glance, the figures seem alarming: 61.5 percent of affected companies are missing from the BSI portal. However, the BSI itself acknowledges that assessing an organization’s eligibility and completing the two-step registration process can be time-consuming. This is particularly true for many healthcare facilities.
Hospitals, larger medical practices, and care facilities that fall under the NIS-2 Directive face a specific challenge in that they rarely have a dedicated IT security team. Often, there is no dedicated compliance function. Management is busy with day-to-day patient care and does not have time to interpret European directives. Therefore, the lack of registration is not necessarily a sign of a lack of awareness. Rather, it is a symptom of a capacity gap.
This distinction is important, but it does not change the consequences. Organizations that miss the deadline can expect fines. The BSI can order compliance audits and scrutinize an organization’s entire security framework in serious cases.
Furthermore, registration was only the first step. Most organizations still have their actual NIS-2 obligations ahead of them: significant security incidents must be reported to the BSI within 24 hours of becoming aware of them (with follow-up reports on a fixed schedule), regular security audits will become mandatory, and employees must be trained. For organizations that were unable to handle registration on their own, implementing these requirements without external support is hardly realistic.
The good news is that the BSI is open to late registrations. The significant increase in registrations in the final days before the deadline suggests that there is a fundamental willingness to comply. The key now is to catch up systematically, not haphazardly.
An external perspective can help you realistically assess your NIS-2 status and prioritize next steps. No one-time consultation can replace developing your own expertise within the organization. However, structured support creates the foundation upon which all further measures are built.
For healthcare organizations facing this exact challenge, sepp.med offers cybersecurity consulting focused on NIS-2 compliance. The focus is on pragmatic implementation, including gap analysis, registration, and preparation for incident reporting and audit requirements.
Healthcare organizations fall under NIS-2 if they exceed certain size thresholds. The first necessary step is to check whether your organization is affected, which can be done via the BSI portal.
The BSI can impose fines and order compliance audits. Prompt retroactive registration significantly reduces the risk.
Key obligations include reporting incidents within 24 hours, conducting regular security audits, and providing employee training.
It depends on your internal capabilities. Organizations without an IT security team benefit from structured guidance that builds knowledge rather than creating dependencies.
Yes, the NIS-2 Directive provides for the direct liability of management for compliance with cybersecurity obligations.