Industry | 20 April 2026

BSI Act Germany: One Month Post-Deadline — Who's Registered, Who's Not

A month after the April 2026 registration deadline under Germany's new BSI Act, the picture is clearer than many expected, and in places rather less reassuring. Industry estimates suggest that only around 60 to 70 percent of newly in-scope organisations completed registration with the Bundesamt für Sicherheit in der Informationstechnik by the cut-off. That leaves somewhere between 8,000 and 12,000 German businesses operating outside the law, in many cases without fully realising it.

This is not a theoretical concern. The BSI Act, which transposes the EU NIS 2 Directive, carries fines of up to ten million euros or two percent of global turnover for particularly important entities. It also introduces personal liability for management bodies. Enforcement has not yet begun in earnest, but the direction of travel from BaFin, the BSI, and the Federal Ministry of the Interior is unmistakable.

What the BSI Act Requires

The amended BSI Act (BSIG) entered into force on 6 December 2025. It expands the scope of Germany's cybersecurity regulation from approximately 4,500 KRITIS operators to nearly 29,500 organisations across 18 sectors, including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, food, chemicals, waste management, and the manufacture of critical products.

The law creates two tiers of regulated entity. Besonders wichtige Einrichtungen (particularly important establishments) are large organisations in critical sectors with more than 250 employees or annual turnover exceeding 50 million euros. Wichtige Einrichtungen (important establishments) are medium-sized organisations in the same sectors. Both categories must register with the BSI, implement appropriate technical and organisational measures, report significant incidents within 24 hours, and undergo periodic compliance demonstrations.

Unlike some European implementations of NIS 2, the German approach leans on the principle of Stand der Technik (state of the art) rather than prescribing specific controls. In practice, the BSI interprets this to include regular penetration testing, particularly for internet-facing systems and those processing sensitive data. KRITIS operators must demonstrate compliance every three years through audits, inspections, or certifications, and pen testing is a standard component.

The State of Registrations

The BSI has not yet published official figures, and likely will not do so for several months. But conversations with providers, law firms, and trade associations paint a consistent picture.

Larger KRITIS operators and those already subject to the previous BSIG regime were, for the most part, ready. They had existing compliance programmes, established relationships with BSI-certified testing providers, and dedicated legal and security teams capable of interpreting the new requirements. Most of these organisations registered well before the deadline.

Mid-sized manufacturers, particularly those producing critical products under the new scope, appear to have struggled. Many only discovered they were in-scope in early 2026, leaving them a matter of weeks to interpret the law, conduct gap assessments, commission penetration testing, and register. A significant number missed the deadline entirely, or registered without having completed the underlying security work.

Smaller organisations in newly regulated sectors, particularly in waste management, food production, and chemicals, are the most exposed. Anecdotal reports suggest registration rates in these sectors are well below the overall average. Many affected businesses have been waiting to see what enforcement actually looks like before committing resources.

Common Gaps in Pen Testing Documentation

Providers currently supporting German clients with post-deadline catch-up work consistently identify the same weaknesses.

Inadequate scope definition is the most common issue. Pen test reports commissioned before 2026 often cover a narrow slice of the corporate network, typically the public-facing web presence, and miss the operational technology, internal systems, and cloud workloads that the BSI expects to see addressed. A 2023 external network test on a SaaS login page does not satisfy a 2026 compliance review for a particularly important entity.

Missing red team or threat-led testing is a frequent gap for larger organisations. Where the BSI's interpretation of Stand der Technik leans on realistic adversary simulation, simple vulnerability-focused pen tests fall short. This is particularly the case for energy, banking, and digital infrastructure operators, where the BSI increasingly expects red team exercises aligned with frameworks like TIBER-EU.

Stale retest evidence is another common finding. A pen test report from 2024 that identified critical findings, followed by no documented remediation or retest, is worse than no report at all. It establishes that the organisation knew of vulnerabilities and failed to address them, which is directly relevant to any enforcement action.

Unclear tester credentials appear in many documentation sets. Pen test reports without named testers, without evidence of individual certifications such as OSCP, GPEN, or CREST CRT, and without a clear methodology section are difficult to defend under regulatory scrutiny. The BSI maintains a list of certified providers for a reason.

What a BSI-Compliant Engagement Looks Like

Organisations now scrambling to meet the standard should expect a different engagement than a traditional web application test.

Scope should cover the full corporate network including internal infrastructure, cloud environments, operational technology where relevant, and segmentation controls. For KRITIS operators, this includes industrial control systems and any SCADA environments.

Methodology should follow a recognised framework. The BSI's own penetration testing model, OWASP Testing Guide, PTES, and NIST SP 800-115 are all acceptable. The report must explicitly state which methodology was used and why.

Individual testers should hold BSI-accepted certifications. The BSI recognises OSCP, OSWE, GPEN, GXPN, CRTO, CPTS, CompTIA PenTest+, CREST CRT, and EC-Council CEH Practical and CPENT. These certifications must include at least 60 percent practical assessment with a hands-on final exam and be no older than three years.

Reporting should be in German where the organisation operates in German, and should include an executive summary suitable for the management body, given the new personal liability provisions. The technical section must include proof-of-concept evidence, CVSS scoring aligned with the BSI's risk framework, and specific remediation guidance.

Providers Specialising in BSI Work

Our directory lists penetration testing providers across Germany, with dedicated pages for Berlin, Munich, Frankfurt, and Hamburg. For BSI-specific engagements, look for providers that appear on the BSI's official list of certified testing companies. As of early 2026 this list includes 18 firms including SySS, secuvera, USD AG, HiSolutions, Deutsche Telekom Security, PwC, and EY. Several Berlin-based specialists, including Cure53 and SCHUTZWERK, are also well regarded for BSI-aligned work.

Beyond the BSI list, CREST-accredited providers with German offices are increasingly common choices. CREST's methodology aligns well with BSI expectations, and several providers hold both accreditations.

What Happens Next

Enforcement signals are becoming clearer. In late March, the BSI confirmed that it would begin issuing compliance requests to non-registered in-scope entities from May 2026 onwards, starting with sectors where registration rates are lowest. These requests carry legal weight. Organisations that fail to respond within 30 days face formal investigation.

The Federal Ministry of the Interior has indicated that the first round of fines is expected in the second half of 2026. Based on precedent from other EU member states that implemented NIS 2 earlier, initial fines are likely to target flagship non-compliance cases rather than sweeping enforcement. But the examples set in these cases will shape corporate behaviour for years.

Comparisons to the ICO's approach to GDPR are instructive. Early GDPR enforcement focused on headline cases, with fines escalating once precedent was established. Expect the same pattern under the BSI Act: a slow start, then sharpening as case law develops.

For organisations that are behind, the priority now is registration, followed immediately by a pen test that covers the full scope the BSI expects to see. The penalty for non-compliance is significantly higher than the cost of catching up.