With the NIS 2 Directive, the European Union adopted legislation in December 2022 to ensure a high level of cybersecurity in Europe. The scope of affected sectors has been expanded compared to the NIS Directive, with a distinction made between ‘essential entities’ and ‘important entities’. Different requirements and sanctions apply to each category. DNS service providers fall under the category of ‘essential entities, which means that, regardless of the size of the organisation, strict requirements are imposed on risk management and reporting obligations.
Since 6 December 2025, the NIS 2 Directive has also been transposed into national law – through the Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung. Affected entities are obliged to register via a two-stage process. The first step is to register with the BSI’s digital service ‘Mein Unternehmenskonto’. To ensure the secure exchange of cybersecurity information between the relevant organisations, the (BSI) has also set up a portal which, amongst other things, serves as a reporting centre for serious security incidents. Registration tot he BSI portal is the second step oft he registration process. The registration deadline for expired on 6 March – three months after the national law came into force.
So far, far fewer companies than expected have registered with the BSI, so the BSI has set a new deadline of the end of July. Companies that have not registered by then may face a substantial fine. If there is still uncertainty as to whether a company is affected by the new legislation, a non-binding impact assessment provided by the BSI {https://betroffenheitspruefung-nis-2.bsi.de/} can be carried out. DENIC points out that, according to its cautious assessment, providers of DNS services for third parties may be subject to a registration requirement with the BSI under NIS 2. This assessment does not constitute legal advice; the responsibility for assessing individual compliance and any obligations lies with the respective company. You should therefore check now whether you fall within the scope of the NIS 2 regulations and whether the required registration and organisational measures have already been implemented.
