The bottom line: 11,000 of 29,500 companies met the NIS2 registration deadline; the 63 percent shortfall indicates implementation and classification challenges.
By the registration deadline for the NIS2 Directive, only 11,000 of 29,500 in-scope companies nationally registered. This corresponds to a rate of approximately 37 percent and signals significant compliance gaps in the critical infrastructure and operator sectors.
After the NIS2 Directive registration deadline expired, an implementation gap has become apparent: Of 29,500 companies in total that fall under the reporting obligation of the Directive, 11,000 have registered. This corresponds to approximately 37 percent of affected organizations.
For CISOs, this rate poses significant governance risks. Unregistered companies are not only in direct violation of the regulation but also potentially exposed to sanctions from authorities such as the Federal Network Agency. Additionally, unclear cases are missing from the rate: it remains unclear how many of the 18,500 unregistered companies are actually required to register or whether an exemption applies.
The low registration rate points to challenges in practical implementation: companies may have been unclear about self-assessment (whether they classify as an “essential entity” or “important entity”), may have underestimated administrative hurdles, or may not have completed restructuring yet. CISOs should clarify the registration issue and submit any missing documentation if not already done.
Source: news.google.com · Published May 25, 2026
Lumi AI News — AI-assisted curation according to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.