The BSI reporting portal
One platform, two NIS 2 obligations: first-time registration as an entity and notification of significant incidents. Access via the ELSTER organisation certificate.
What it is
The BSI portal is where two of your most important NIS 2 obligations come together. First-time registration as an entity on one side, notification of significant incidents on the other. Both routes land behind the same login.
The duties come from §32 and §33 BSIG. §33 says: three months for registration from the moment you fall in scope of NIS 2. §32 says: in a significant incident, four notification stages with hard deadlines, 24 hours early warning, 72 hours follow-up, intermediate report on CSIRT request, final report within one month. Both clocks start at awareness, not at the damage occurring.
The most common stumbling block is not the portal itself but access to it. You need an ELSTER organisation certificate. It arrives by post in two letters, certificate letter plus PIN, processing in practice two to three weeks. If you cut the three-month §33 BSIG deadline close and start the ELSTER application in parallel, you have a timing problem.
§32 BSIG (notification duties) + Art. 23 NIS 2
Essential and important entities shall notify the Federal Office of significant security incidents without undue delay, at the latest within 24 hours of becoming aware, via the single notification point.
The single notification point is the BSI portal. The duty applies to all essential and important entities, regardless of sector or size within the NIS 2 thresholds. The clock starts on becoming aware, not on the damage occurring.
§33 BSIG (registration duty) + Art. 27 NIS 2
Essential and important entities shall register with the Federal Office within three months of first meeting the conditions. Changes shall be notified within two weeks.
The three-month deadline applies to first registration. The two-week deadline under §33(5) BSIG applies to any later change (contact person, sector, activity). Both steps run through the portal.
First-time registration
Under §33 BSIG: master data, sector, contact person, scope of activity, size class. Three months from the moment you first fall in scope of NIS 2.
Early warning, 24 hours
Under §32 BSIG and Art. 23(4)(a) NIS 2: initial notification indicating suspected unlawful or malicious cause and cross-border impact. Those are the only content items the directive explicitly names for the 24h early warning.
Notification, 72 hours
Under §32 BSIG and Art. 23(4)(b) NIS 2: initial assessment of severity and impact, indicators of compromise where available. The 72h clock runs from awareness, not from the 24h mark.
Intermediate report on request
Under §32 BSIG and Art. 23(4)(c) NIS 2: only on request of the CSIRT or competent authority. You do not submit the intermediate report on your own initiative.
Final report, 1 month
Under §32 BSIG and Art. 23(4)(d) NIS 2: detailed description, cause, mitigation measures, cross-border impact. One-month deadline from the 72h follow-up notification.
Data update within 2 weeks
Under §33(5) BSIG and Art. 27(2) NIS 2: two weeks to update registration data. The most common trigger is a staffing change for the contact person.
Access to warnings and situational reports
The portal also bundles BSI publications, warnings and sectoral situational reports. Useful when you are signed in anyway.
The application runs via Mein Unternehmenskonto at mein-unternehmenskonto.de. Prerequisite: a German tax number for your organisation. The certificate itself arrives by post, the activation PIN arrives in a separate letter. That is not random, it is part of the authentication.
Processing in practice: two to three weeks. Most management teams underestimate this step because it sounds like an IT thing but depends on a postal delivery. To meet the three-month §33 BSIG deadline, apply for ELSTER first, register with the BSI afterwards.
Without ELSTER access is currently only possible in exceptional cases, for instance via electronic delegation. The BSI website documents the permissible paths in detail.
ELSTER application started too late
Two to three weeks of processing time do not stretch if you start the application near the deadline. Result: §33 BSIG deadline missed. A fine under §65 BSIG can follow.
Contact person not updated
Staffing changes are the most common silent breach of NIS 2. Under §33(5) BSIG and Art. 27(2) NIS 2 you have two weeks to update the registration data. If that is forgotten, BSI inquiries go nowhere and you only notice at the next escalation.
No dry-run of the notification
24 hours is tight. Opening the portal for the first time in the middle of an incident burns hours you do not have. Recommendation: log in once in calm conditions, walk the structure, store contacts, long before you need to use it.
- Act on the Federal Office for Information Security (BSIG), §§32, 33, 65, www.gesetze-im-internet.de
- Directive (EU) 2022/2555 (NIS 2), Art. 23, Art. 27, www.eur-lex.europa.eu
- Mein Unternehmenskonto (ELSTER organisation certificate): mein-unternehmenskonto.de
- BSI website linking to the portal: www.bsi.bund.de
This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, ELSTER documentation, BSI publications). It does not constitute legal advice within the meaning of §2 RDG. Procedural details of the BSI portal and the ELSTER application may change; the current BSI and ELSTER documentation is authoritative. As at 2026-06-04.