
Telekom MMS: NIS-2 implementation – focus on registration, mandatory reporting and risk management

February 6, 2026. The NIS-2 Directive is in full swing: The law came into force on December 6, 2025, meaning that registration, reporting obligations, management training and the individual implementation of risk management are now mandatory. Find out in this article what your company needs to do and why it is crucial to act quickly. With the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS-2UmsuCG) coming into force, a new era of cybersecurity begins for thousands of companies. Around 29,000 “particularly important” and “important institutions” will be regulated by the Federal Office for Information Security (BSI) for the first time – and will have to fulfill binding obligations.

Photo: Telekom MMS

Contact info

Silicon Saxony

Marketing, Communications and Public Relations

Manfred-von-Ardenne-Ring 20 F

Phone: +49 351 8925 886

Fax: +49 351 8925 889

redaktion@silicon-saxony.de

Contact person:

The focus is on four topics:

1. Registration
2. Reporting obligation
3. Management training
4. Individual risk management and its implementation

1. Registration obligation: Who has to register – and by when? 

All affected institutions are obliged to register with the BSI registration office. The deadline is clear: no later than three months after an organization falls under the NIS-2 regulation for the first time or again. Registrations from affected companies must therefore be received by the BSI by March 6, 2026 at the latest. Because the registration obligation begins as soon as the implementation law comes into force, companies should act now and prepare the necessary information.

Registration is not just a formality – it forms the basis for official communication and the fulfillment of other obligations. The BSI provides details and assistance on its information pages.

-> Up-to-date FAQs on registration and the obligation to notify the BSI.

2. Reporting obligation: The central obligation under NIS-2 

In addition to registration, the reporting obligation for significant security incidents is at the heart of the new regulation.

Significant security incidents include incidents that have led or may lead to serious service disruptions or financial losses for the organization. Reportable incidents also include incidents that may cause significant material or immaterial damage to other persons or operators. Affected facilities must report these incidents to the Federal Office and strictly adhere to the following deadlines:

  • Initial report: within 24 hours of becoming aware that a significant security incident has occurred
  • Follow-up report: within 72 hours, as an update to the initial notification, including severity, impact, indicators of compromise and contact information
  • Final notification: after 30 days at the latest, including a detailed description of the incident, the nature of the threat and its cause, and the remediation actions

Those who ignore these requirements risk severe fines and regulatory orders.

3. Management training obligation 

With the implementation of the NIS-2 Directive, the requirements for companies to systematically plan, implement and monitor their cybersecurity measures are increasing. There is a particular focus on the responsibility of management, which must ensure that cybersecurity is an integral part of the company’s business and risk management. This special responsibility is prescribed by law, as is a training obligation for management.

NIS-2 thus makes holistic cybersecurity a top priority: management is personally responsible for approving and monitoring risk management measures. Failure to do so can result in fines and even personal liability.

At the same time, the directive forces companies to take a holistic view of their cybersecurity level – from attack detection systems and supply chain security to strict reporting obligations. Those who see this change as an opportunity can not only optimize internal processes, but also secure a competitive edge in the market through demonstrable digital trust expertise and strengthen the relationship of trust with customers, partners and supervisory authorities.

-> The complete handout on NIS-2 management training is provided by the BSI.

4. Individual implementation: both an obligation and an opportunity  

NIS-2 requires more than minimum technical standards: companies must implement and document suitable, risk-based, proportionate and effective measures.

Risk management must cover all systems, components and processes used for the provision of services. The aim is to avoid disruptions to availability, integrity and confidentiality and to minimize the impact of security incidents.

The assessment is risk-based – taking into account the size of the company, risk exposure, probability of occurrence and severity of possible incidents. Measures must correspond to the state of the art and take into account relevant European and international standards. The BSI provides a wide range of different information, such as a roadmap with the most important guidance.

Conclusion: Act now before the deadlines run out 

With the implementation of the NIS-2UmsuCG, cyber security is becoming a top priority. Those who tackle registration, reporting obligations and risk management early on will not only avoid fines and liability risks, but also strengthen their own resilience and the trust of customers and partners.

Use the time remaining to review processes, clearly define responsibilities and prepare your organization for the new obligations. NIS-2 is not a bureaucratic obstacle, but an opportunity to strategically anchor cyber security, develop it further and thereby secure competitive advantages.

Now is the right time to take action – before legal obligations lead to crises.

– – – – – –

Further links

👉 www.telekom-mms.com  
👉 What is NIS-2 | What is behind the new EU directive and what obligations now apply 
👉 Strategic implementation of the NIS 2 Directive | Opportunities, obligations and concrete measures for companies 
👉 NIS2 implementation: Technology, tools & processes for more cyber security | What operators of critical systems and important facilities need to consider now 
