Information Security

NIS2 Directive: The Complete Guide for Businesses in Germany

The transposition deadline for NIS2 expired in October 2024; Germany's implementing act, the NIS2UmsuCG, has been in force since December 2025 and brings up to 30,000 German companies into scope. This guide explains who is affected, all ten security requirements under Article 21, the reporting obligations, the fines, and how to implement NIS2 step by step.

Chris Wojzechowski, Managing Partner
Updated: March 11, 2026 · 20 min read
IT-Grundschutz-Praktiker (TÜV) IT Risk Manager (DGI) § 8a BSIG Prüfverfahrenskompetenz Ausbilderprüfung (IHK)

TL;DR

The NIS2 Directive (EU 2022/2555) had to be transposed by October 2024; Germany did so through the NIS2UmsuCG, in force since December 2025, which brings up to 30,000 companies into scope, a massive expansion compared to the previous KRITIS regime. Affected entities must register with the BSI, implement the ten security measures under Art. 21, and submit an early warning to the BSI within 24 hours of becoming aware of a significant incident. Fines can reach EUR 10 million or 2% of global annual turnover, whichever is higher. Management bears personal liability.


The NIS2 Directive is in effect, the implementation deadline has passed—and many companies still aren’t sure whether or how they are affected. This article provides complete clarity: Who is required to do what, which sectors and thresholds apply, what do the ten security measures under Article 21 entail, how do reporting obligations work, what penalties apply, and how does NIS2 relate to BSI IT-Grundschutz and ISO 27001.


What is NIS2?

NIS2 (Network and Information Security Directive 2, EU 2022/2555) is the most comprehensive piece of EU cybersecurity legislation in years. It replaces the original NIS Directive of 2016, was adopted in December 2022 and entered into force in January 2023. Member States had until 17 October 2024 to transpose it into national law. Germany transposed it late, through the NIS2UmsuCG (NIS-2 Implementation and Cybersecurity Strengthening Act), which amends the BSIG and entered into force in December 2025. The competent authority in Germany is the BSI (Federal Office for Information Security).

The core of the directive: mandatory cybersecurity measures and reporting obligations for operators of essential and important entities. The scale: instead of the roughly 4,500 companies that fell under the previous KRITIS regime, the BSI estimates that around 29,000 to 30,000 companies fall under NIS2. Many of these are small and medium-sized enterprises that so far have had little or no experience with regulated security standards.

A key feature of NIS2 compared to previous regulations is the personal liability of management bodies. Managing directors and board members must actively approve and monitor security measures, participate in information security training themselves, and can be held personally liable in cases of gross negligence. Cybersecurity has thus become a top priority in the legal sense.

Who is affected? Sectors and thresholds

NIS2 distinguishes between essential entities and important entities. The classification depends on the sector and the size of the company. Both categories must implement appropriate security measures, but differ in the intensity of oversight and the scope of potential sanctions.

The Size Threshold

Category | Criteria | NIS2 status
Large enterprise | ≥ 250 employees, or annual turnover > EUR 50 million and balance sheet total > EUR 43 million | Annex I: essential entity; Annex II: important entity
Medium-sized enterprise | 50–249 employees, or annual turnover > EUR 10 million and balance sheet total > EUR 10 million | Important entity (Annex I and Annex II); medium-sized providers of public electronic communications networks or services count as essential
Small enterprise | 10–49 employees and turnover or balance sheet total ≤ EUR 10 million | Generally out of scope; in scope only under the special rules below
Microenterprise | < 10 employees and turnover or balance sheet total ≤ EUR 2 million | Generally out of scope; the same special rules apply

High-Criticality Sectors (Annex I)

Enterprises in these sectors are in scope if they reach the size thresholds: large enterprises are essential entities, medium-sized enterprises are important entities (with the exceptions noted in the table above):

Energy: Electricity (generators, transmission, distribution), oil (pipelines, transport, storage), gas (suppliers, transmission, distribution), district heating, hydrogen.

Transport: Air (airports, airlines, air traffic control), rail (infrastructure operators, rail companies), water (maritime and inland waterway transport), road (road authorities, ITS operators).

Banking: Credit institutions under CRR.

Financial market infrastructures: Trading venues, central counterparties (CCPs).

Healthcare: Hospitals and healthcare providers, laboratories, research institutions (pharmaceutical research), manufacturers of critical-class medical devices.

Drinking water: Water utilities.

Wastewater: Wastewater utilities.

Digital infrastructure: Internet Exchange Points (IXPs), DNS service providers (excluding root name server operators), TLD name registries, cloud computing services, data center services, CDN services, trust service providers, providers of public electronic communications networks and publicly available electronic communications services.

ICT Service Management (B2B): Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Security Operations Centers (SOCs).

Public Administration: Central and regional authorities.

Space: Operators of ground infrastructure.

Other Critical Sectors (Annex II)

Companies in these sectors are important entities if they are at least medium-sized (50 or more employees, or annual turnover and balance sheet total above EUR 10 million):

Postal and courier services, waste management, chemicals (manufacturers and distributors of hazardous chemicals), food (wholesale and industrial production), manufacturing (medical devices, computers and electronics, electrical equipment, mechanical engineering, motor vehicles, other vehicle manufacturing), digital services (online marketplaces, online search engines, social network platforms), research institutions.

Special Rules: Smaller Companies May Also Be Affected

Regardless of size, the following are always in scope: qualified trust service providers, TLD name registries and DNS service providers, providers of public electronic communications networks or publicly available electronic communications services, public administration entities, and entities specifically designated by the Member State, for example because a company is the sole provider of an essential service in that Member State.

Essential vs. Important: The implications of classification

Aspect | Essential entities | Important entities
Supervision | Proactive (ex ante): the BSI may audit and inspect without cause | Reactive (ex post): only on suspicion or following a report
Fines | Up to EUR 10 million or 2% of global annual turnover, whichever is higher | Up to EUR 7 million or 1.4% of global annual turnover, whichever is higher

The Self-Check: 3 Questions

1. Am I large enough? At least 50 employees, or annual turnover and balance sheet total above EUR 10 million?

2. Am I in the right sector? One of the sectors listed in Annex I or Annex II?

3. Am I a supplier? Even if you are not directly affected yourself: Your customers must be NIS2-compliant and will pass on security requirements to their supply chain.

Registration Requirement with the BSI

Both essential and important entities must register with the BSI no later than three months after determining that they are affected. Registration is done via the portal bsi.bund.de.

The following information must be provided: name and address of the entity, sector and type of entity (essential or important), contact details including 24/7 availability, IP address ranges of public systems, and the EU member states in which services are provided.

The 10 Security Measures under Art. 21 NIS2

Art. 21(2) of the NIS2 Directive defines ten minimum measures. The wording is intentionally kept technology-neutral—the outcome is what matters, not the specific technology. Recognized standards such as ISO 27001 or BSI IT-Grundschutz can serve as proof of compliance.

1. Risk Analysis and Security Policy

Organizations must conduct a systematic risk analysis for all network and information systems, develop a security policy based on this analysis, and regularly review and update it. The best practice is based on ISO 31000 and ISO 27005: create an asset inventory, identify threats (threat modeling), assess vulnerabilities (CVSS scoring), evaluate risks based on probability of occurrence and impact, and create a documented risk treatment plan.

Required documentation: risk register, risk treatment plan with responsible parties and deadlines, annual management review.

2. Incident Response

Every affected company needs an incident response plan that includes a classification scheme (what constitutes a significant incident?), an escalation matrix (who informs whom?), a communication plan (internal, external, authorities), forensic procedures, and the defined reporting process to the BSI. For technical detection, a SIEM for central log collection and correlation (e.g., Microsoft Sentinel, Splunk) and an EDR agent on every endpoint (e.g., Microsoft Defender, CrowdStrike) are recommended.

The plan must be documented and tested regularly. A designated Incident Commander and the contacts for the BSI, CERT-Bund, and law enforcement agencies must be established in advance.

3. Business Continuity and Crisis Management (BCM)

Organizations must define RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for critical systems, implement a robust backup strategy (recommended: the 3-2-1-1-0 rule: three copies, on two media types, one off-site, one offline or immutable, zero errors in restore tests), and conduct annual disaster recovery tests. A documented Business Continuity Plan (BCP) and crisis management processes are mandatory.

4. Supply Chain Security

NIS2 requires security throughout the entire supply chain, including relationships with direct suppliers. Companies must classify suppliers by criticality:

Tier | Description | Assessment requirement
Tier 1 (critical) | Supplier has access to production systems | Full assessment before contract signature
Tier 2 (important) | Supplier processes sensitive data | Assessment before contract signature
Tier 3 (standard) | Standard supplier without IT access | Basic check

All relevant supplier contracts must include a security requirements appendix that governs audit rights, reporting obligations (the supplier must report incidents within 24 hours), NDAs, and data protection (a data processing agreement under Art. 28 GDPR, known in Germany as an AVV, if personal data is processed). Responsibility always remains with the company itself; external partners do not relieve the company of its obligations.

5. Security in the Acquisition, Development, and Maintenance of IT Systems

Security requirements must be defined before IT is procured. A Secure Development Lifecycle (SDLC) must be implemented for in-house software development. Systematic vulnerability management with defined patch SLAs (for example, critical patches within 48 hours; NIS2 itself sets no fixed deadline) and regular automated vulnerability scans are mandatory.

6. Measuring the effectiveness of security measures

Companies must regularly review their security measures and demonstrate that they are effective. This includes annual internal security audits, external penetration tests every one to two years, regular automated vulnerability scans, and a management review of security key performance indicators (KPIs). The BSI may request all relevant evidence during an audit.

7. Training and Basic Cybersecurity Hygiene (Security Awareness)

Security awareness training for all employees, as well as specialized training for the IT department and management, is mandatory. Specifically: annual security awareness training for all employees, regular phishing simulations, orientation for new employees, and continuing education for the CISO and IT management on the NIS2 requirements. Participation must be verifiably documented.

For executive management, Section 38 of the BSIG expressly stipulates that they must verifiably participate in information security training.

8. Cryptography and Encryption

Sensitive data must be encrypted both at rest and in transit. Minimum standards: TLS 1.2 as the floor and TLS 1.3 preferred for all web communication; AES-256 for full-disk encryption (BitLocker/LUKS/FileVault), databases (TDE), and backups; VPN connections with AES-256-GCM over IKEv2/IPsec. Outdated protocols (SSL 3.0, TLS 1.0, TLS 1.1) and insecure cipher suites (RC4, 3DES, export-grade suites) must be disabled, and TLS 1.2 suites should use ephemeral (ECDHE) key exchange so that recorded traffic cannot be decrypted with a later-compromised server key. A documented cryptography policy with key management processes (key rotation, HSM or KMS) is required.
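The following is an added example, not code from the article or from AWARE7: it builds a Python SSLContext that enforces the policy above (TLS 1.2 floor, no RC4/3DES/export suites, forward-secret key exchange) and a small audit function that checks a protocol floor plus cipher list against that policy. The "legacy" configuration it audits is constructed sample data, not captured from a real host; the list of weak-cipher markers is this example's own and may need extending for your environment.

```python
import ssl
from typing import Iterable, List, Optional

# Policy from the section above: TLS 1.2 as the floor, legacy suites disabled.
POLICY_MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2

# Substrings that identify cipher suites the policy forbids: RC4, 3DES, export-grade,
# anonymous key exchange, NULL encryption/authentication and MD5-based MACs.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "DES-CBC-", "RC2", "IDEA", "SEED",
                       "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def cipher_finding(name: str) -> Optional[str]:
    """Return a finding for one OpenSSL cipher suite name, or None if it is acceptable."""
    upper = name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            return f"weak cipher suite enabled: {name}"
    # TLS 1.3 suites (TLS_*) always use an ephemeral key exchange; for TLS 1.2 require (EC)DHE.
    if not (upper.startswith("TLS_") or "DHE" in upper):
        return f"cipher suite without forward secrecy: {name}"
    return None


def audit_tls_policy(min_version: ssl.TLSVersion, cipher_names: Iterable[str]) -> List[str]:
    """Check a protocol floor and a cipher list against the policy; empty list means compliant."""
    findings = []
    if min_version < POLICY_MINIMUM_VERSION:
        findings.append(f"minimum protocol version {min_version.name} is below TLS 1.2")
    for name in cipher_names:
        finding = cipher_finding(name)
        if finding:
            findings.append(finding)
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Audit a live SSLContext: its protocol floor and the cipher suites it would actually offer."""
    return audit_tls_policy(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def hardened_client_context() -> ssl.SSLContext:
    """Client context enforcing the policy. PROTOCOL_TLS_CLIENT already enables certificate
    and hostname verification; the same settings apply to a PROTOCOL_TLS_SERVER context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = POLICY_MINIMUM_VERSION      # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression enables CRIME-style attacks
    # TLS 1.2 cipher string: ephemeral ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 only.
    # TLS 1.3 suites are configured separately by OpenSSL and are all AEAD with forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Constructed example of a legacy server configuration (not captured from a real host).
LEGACY_MINIMUM_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]


def audit_legacy_example() -> List[str]:
    return audit_tls_policy(LEGACY_MINIMUM_VERSION, LEGACY_CIPHERS)


if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_client_context()) or "compliant")
    for finding in audit_legacy_example():
        print("legacy config:", finding)
```

The audit deliberately reads the cipher suites the context would actually offer (`get_ciphers()`) rather than the policy string, so it also catches suites that OpenSSL's own defaults or a configuration file re-enable behind your back.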

9. Personnel Security, Access Control, and Asset Management

Identity & Access Management based on the least privilege principle, Privileged Access Management (PAM) for privileged accounts, and regular access reviews (at least quarterly) are mandatory. A complete IT asset inventory (hardware, software, cloud resources) with defined asset owners must be maintained. The offboarding process must ensure that all access is revoked on the last day of employment. Background checks must be conducted for employees with privileged access (to the extent legally possible).
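As an added example (not code from the article or from AWARE7), the following script shows what a quarterly access review can look like when it is automated rather than done by hand: it joins an identity-provider export against the HR roster and flags accounts that should have been revoked at offboarding, privileged accounts without MFA, stale accounts, and accounts with no owner. Both data sets are constructed sample data; the field names and the 90-day staleness threshold are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    privileged: bool
    mfa: bool
    enabled: bool
    last_login: Optional[date]


# Constructed sample export from the identity provider (not real data).
ACCOUNTS = [
    Account("a.meier",    privileged=True,  mfa=True,  enabled=True,  last_login=date(2026, 3, 9)),
    Account("b.schulz",   privileged=True,  mfa=False, enabled=True,  last_login=date(2026, 3, 10)),
    Account("c.weber",    privileged=False, mfa=True,  enabled=True,  last_login=date(2026, 2, 20)),
    Account("svc-backup", privileged=True,  mfa=False, enabled=True,  last_login=None),
    Account("d.koch",     privileged=False, mfa=True,  enabled=True,  last_login=date(2025, 11, 1)),
    Account("e.braun",    privileged=False, mfa=True,  enabled=False, last_login=date(2025, 12, 1)),
]

# Constructed HR roster: user -> last day of employment (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "a.meier": None,
    "b.schulz": None,
    "c.weber": date(2026, 2, 28),
    "d.koch": None,
    "e.braun": date(2025, 12, 15),
}

REVIEW_DATE = date(2026, 3, 11)


def review_access(accounts: List[Account], roster: Dict[str, Optional[date]],
                  review_date: date, stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every account that violates the access policy."""
    findings: List[Tuple[str, str]] = []
    for acc in accounts:
        if acc.user not in roster:
            # Service or orphaned account: NIS2 asset management needs a named owner for it.
            findings.append((acc.user, "no owner in HR roster (orphaned or service account): assign an asset owner"))
        else:
            last_day = roster[acc.user]
            if last_day is not None and last_day <= review_date and acc.enabled:
                # Offboarding failure: access must be gone on the last day of employment.
                findings.append((acc.user, f"still enabled although employment ended on {last_day.isoformat()}: revoke"))
        if acc.privileged and not acc.mfa:
            findings.append((acc.user, "privileged account without MFA"))
        if acc.enabled and acc.last_login is not None and (review_date - acc.last_login).days > stale_after_days:
            findings.append((acc.user, f"no login for more than {stale_after_days} days: disable or document the justification"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    return review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

Store each review's output together with the reviewer's decisions; the dated reports are the evidence that the BSI may ask for under measure 6 (effectiveness of security measures).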

10. Multi-Factor Authentication (MFA) and Communication Security

Art. 21(2)(j) names multi-factor authentication explicitly. MFA must be enabled at a minimum for all remote access (VPN, RDP, web portals), cloud services (Microsoft 365, AWS, Azure), privileged accounts (admins, root access), critical applications (ERP, SCADA, production systems), and remote maintenance access.

Phishing-resistant MFA, in particular FIDO2/passkeys, is the recommended choice for privileged accounts. Ranked by strength, MFA methods run from SMS OTP (weak, but better than no MFA) through TOTP apps (solid standard) and push notifications with number matching to hardware tokens (e.g., YubiKey) and FIDO2/passkeys, which are phishing-resistant because the credential is bound to the origin of the site that registered it: a code or assertion captured on a lookalike domain is worthless to the attacker.
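To make the difference between "good" and "phishing-resistant" concrete, here is an added example (not code from the article or from AWARE7) that implements RFC 6238 TOTP and a deliberately simplified WebAuthn-style assertion check side by side, then plays through a relay attack against both. Assumptions: HMAC-SHA256 with a per-credential key stands in for the authenticator's ECDSA signature (the verification structure is the same), the TOTP secret is the RFC 6238 reference secret, and the challenge and domain names are constructed. Real browsers would already refuse to use an example.com credential on login-example.com because of RP ID scoping; the simulation shows the relying-party check that rejects the relayed assertion even if they did not.

```python
import hashlib
import hmac
import json
import struct
from typing import Tuple

# --- TOTP (RFC 6238, HMAC-SHA1, 30-second steps): the code is not tied to any website ---

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP value for a shared secret at a given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_accepts(secret: bytes, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check with a +/- one-step window; nothing here can tell where the code was typed."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step), submitted)
               for k in range(-window, window + 1))


# --- Simplified FIDO2/WebAuthn assertion: origin and RP ID are part of what is signed ---
# Assumption: HMAC-SHA256 with a per-credential key stands in for the authenticator's ECDSA signature.

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(cred_key: bytes, rp_id: str, challenge: str, origin: str) -> Tuple[bytes, bytes, bytes]:
    """The browser writes the origin it is actually on into clientData; the authenticator signs
    authenticatorData (which starts with sha256(rp_id)) together with sha256(clientData)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01"                   # rpIdHash || flags (user present)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str, expected_challenge: str,
              client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge, origin, rpIdHash, signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:                  # assertion was produced for another site
        return False
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def relay_attack_demo() -> Tuple[bool, bool, bool]:
    """Returns (phished TOTP accepted, legitimate FIDO2 assertion accepted, relayed FIDO2 assertion accepted)."""
    # Constructed test data: RFC 6238 reference secret and a fixed challenge.
    secret = b"12345678901234567890"
    now = 59
    code_typed_into_phishing_page = totp(secret, now)
    totp_relayed = totp_accepts(secret, code_typed_into_phishing_page, now)

    cred_key = b"per-credential-key-for-demo"
    challenge = "Q29uc3RydWN0ZWQgY2hhbGxlbmdl"
    rp = "example.com"
    cd, ad, sig = authenticator_sign(cred_key, rp, challenge, "https://example.com")
    legitimate = rp_verify(cred_key, rp, "https://example.com", challenge, cd, ad, sig)
    # Same user, same authenticator, but the browser was on the attacker's lookalike domain.
    cd, ad, sig = authenticator_sign(cred_key, rp, challenge, "https://login-example.com")
    relayed = rp_verify(cred_key, rp, "https://example.com", challenge, cd, ad, sig)
    return totp_relayed, legitimate, relayed


if __name__ == "__main__":
    print(relay_attack_demo())  # (True, True, False)
```

The TOTP code verifies because the server only ever sees a six-digit string; the relayed FIDO2 assertion fails on the origin check before the signature is even examined, which is the property the text calls "domain-bound".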

In addition, secure emergency communication channels must be provided: in a ransomware attack the e-mail system itself may be encrypted, so an out-of-band channel (for example a Signal group, a phone tree on private numbers, or mail accounts outside the affected tenant) must be set up and tested in advance.

Reporting Requirements: Deadlines and Process (Art. 23 NIS2)

NIS2 contains one of the strictest deadline regimes in European IT law. For significant security incidents, affected companies must follow the three-stage reporting process described below.

What constitutes a "significant incident"?

An incident is considered significant if it meets at least one of the following criteria: significant disruption of operations (actual or imminent), significant financial losses expected (including recovery costs, data loss, contractual penalties), or harm to third parties (especially if customer data is affected or partner systems are compromised).

Examples that likely must be reported: ransomware attack on production systems, data leak involving customer data (starting at approximately 1,000 records), DDoS attack that halts critical services for more than two hours, compromise of a production environment, supplier compromise affecting one’s own systems.

Examples that likely do not need to be reported: a single unsuccessful phishing attempt, external port scans, malware on a single workstation without propagation.

When in doubt, report it. The BSI does not impose penalties for unnecessary early warnings.

The Reporting Timeline

Deadline | Content | Recipient
24 hours after becoming aware | Early warning: type of incident and affected systems as far as known; whether the incident is suspected to be caused by unlawful or malicious action; whether it could have cross-border impact | BSI (meldungen@bsi.bund.de or BSI portal)
72 hours after becoming aware | Incident notification: updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise | BSI
1 month after the 72-hour notification | Final report: detailed description, type of threat or root cause, mitigation applied and in progress, cross-border impact; if the incident is still ongoing, a progress report instead, with the final report due one month after handling ends | BSI

Parallel Reporting Obligations

If personal data is affected, the GDPR notification obligation applies in parallel: the competent data protection authority must be notified within 72 hours (Art. 33 GDPR). Cyber insurance providers must be informed immediately; delayed reporting may result in denial of cover. Banks and financial service providers must additionally notify BaFin (under DORA), in some cases with shorter deadlines.

Preparing the Reporting Process

The following preparatory measures must be completed before an incident occurs:

  • Set up a BSI reporting portal account (portal.bsi.bund.de – registration takes several days, so set it up now)
  • CISO or person responsible for reporting appointed (including a deputy for vacation/sick leave)
  • Contact list for crisis communication created: BSI, data protection authority, cyber insurance provider, IT lawyer, press spokesperson, CEO
  • Reporting templates created: template for 24-hour early warning, 72-hour follow-up report, and GDPR report
  • Incident log process established: document everything with UTC timestamps
  • Out-of-band communication channel provided

Implementation Roadmap: From Gap Analysis to NIS2 Compliance

Step 1: Determine and classify impact

Use the sector tables and thresholds to check whether your company is affected, and classify yourself as an essential or important entity. This step determines the scope of oversight and the potential fines.

Step 2: Conduct a gap analysis

A thorough gap analysis reveals which of the ten Article 21 measures have already been implemented and where improvements are needed. Typical gaps for companies affected for the first time include: lack of defined roles for information security, undocumented processes, unclear reporting channels, no structured supplier management, and lack of MFA for remote access.

Step 3: Define Responsibilities and Role Model

NIS2 requires clearly defined roles for technical, organizational, and strategic tasks. Often, there is no central body to coordinate implementation. Companies should clearly define roles such as Information Security Officers, Incident Managers, and Risk Management Officers and grant them sufficient authority.

Step 4: Establish or Adapt an ISMS

An Information Security Management System (ISMS) provides the structured foundation. The Article 21 catalogue maps closely onto ISO 27001: companies with an existing certification have a clear advantage but must fulfil additional obligations regarding reporting channels, supplier assessments, and management responsibility. Companies without an existing structure should start with ISO 27001 or BSI IT-Grundschutz.

Step 5: Implement technical and organizational measures

MFA for all remote access and privileged accounts, network segmentation (VLANs, DMZ), SIEM/EDR monitoring, encryption at rest and in transit, a patch management process with SLAs, vulnerability scans, and the incident response plan are the priority technical measures. At the same time, security policies must be adopted, training conducted, and supplier contracts amended.

Step 6: Complete BSI registration

Registration with the BSI is done via the online portal. It must be completed no later than three months after determining that the organization is affected.

Step 7: Establish a continuous improvement process

NIS2 views cybersecurity as an ongoing task. Regular audits, penetration tests, training, and management reviews ensure that the security level is maintained and improved over time.

Consequences of Non-Compliance

Fines

  • Essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher)
  • Important entities: up to EUR 7 million or 1.4% of global annual turnover (whichever is higher)

Even inadequate documentation of security measures can trigger a fine, even if no security incident has yet occurred.

Regulatory Measures

Regulatory authorities are granted extensive oversight powers: unannounced inspections (for essential entities), orders to implement security measures, audit reports by external auditors, prohibition of activities in extreme cases, and public disclosure of violations.

Personal Liability of Management

Executives may be held personally liable if cybersecurity is not actively monitored and documented. In extreme cases, a temporary ban on holding a management position is possible.

Civil Liability

Injured third parties may claim damages if a breach of NIS2 obligations is proven. In addition to legal consequences, there is significant reputational damage, operational downtime, and data loss—the financial consequences of an inadequately handled incident generally far exceed the costs of proper implementation.

NIS2 and BSI IT-Grundschutz – how do they relate to each other?

NIS2 does not prescribe how the ten measures under Article 21 are to be implemented in practice. Recognized security standards such as ISO 27001 and BSI IT-Grundschutz are accepted as suitable frameworks.

ISO 27001: A well-implemented ISMS according to ISO 27001 already covers most NIS2 requirements. Gaps typically arise in NIS2-specific reporting processes, supply chain security, and the explicit MFA requirement. A gap analysis identifies the additional need for adaptation.

BSI IT-Grundschutz: Directly compatible with NIS2 – companies that have implemented IT-Grundschutz are largely NIS2-ready. Additions are also required for reporting processes, supply chain security, and management liability.

Former KRITIS operators (IT-SiG 2.0): Already largely compliant. NIS2 adds: supply chain security, MFA requirement, personal management liability.

No prior certification: ISO 27001 is the internationally recognized starting point for NIS2 compliance. Those without an ISMS should start early, as establishing fundamental structures takes time.

How AWARE7 supports NIS2

AWARE7 guides companies every step of the way toward NIS2 compliance:

NIS2 Gap Analysis: In a structured workshop, we analyze your current status against all ten Article 21 requirements and create a prioritized action plan with realistic implementation deadlines. You can see at a glance what has already been met and where urgent action is needed.

ISMS Implementation and ISO 27001 Support: We guide you through the implementation of your information security management system—from the initial risk analysis to certification readiness. An ISO 27001-compliant ISMS is the most efficient path to NIS2 compliance.

Technical Implementation: From network segmentation and MFA implementation to SIEM deployment, we support the technical measures required under Article 21 with practical experience gained from hundreds of client projects.

NIS2 Training for Executives: NIS2 mandates verifiable training for management (§ 38 BSIG). Our compact one-day seminar covers all legal requirements and protects against personal liability.

Incident Response Preparation: We create incident response plans, define reporting processes for the 24-hour early warning to the BSI, and simulate emergency scenarios through tabletop exercises.

Learn more about our services: NIS2 Consulting and Gap Analysis and ISMS and ISO 27001 Consulting.

Frequently Asked Questions about NIS2 (FAQ)

Does NIS2 apply to my company even if we have fewer than 50 employees? In general, companies with fewer than 50 employees and annual turnover or balance sheet total of EUR 10 million or less are exempt from NIS2. Exceptions apply to qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic communications networks or services, and companies designated as the sole provider of an essential service in an EU Member State. Additionally, your company may be indirectly affected if your customers are subject to NIS2 and impose security requirements on their supply chain.

What happens if I miss the 24-hour deadline for the early warning? Failing to meet the 24-hour reporting obligation constitutes a separate breach of duty and may result in a fine—regardless of how serious the actual incident was. It is therefore advisable to set up the reporting process and all contact details (BSI reporting portal account, CISO, deputy) in advance and have reporting templates ready.

Is ISO 27001 certification sufficient for NIS2 compliance? An ISO 27001-certified ISMS covers the majority of NIS2 requirements. Additionally, NIS2-specific obligations must be addressed: the reporting process to the BSI (24 hours / 72 hours / 1 month), explicit supply chain security evidence for suppliers, and the MFA requirement under Art. 21(2)(j). A gap analysis will reveal the specific additional effort required.

Do we need to register with the BSI? Yes. Both essential and important entities must register with the BSI no later than three months after determining that they are affected. Registration is done via bsi.bund.de.

What is the difference between essential and important entities in practice? Essential entities are subject to proactive supervision: the BSI can conduct inspections without cause and order audits. Important entities are subject to reactive supervision, i.e., only in cases of concrete suspicion or following a report. The ranges of fines also differ: up to EUR 10 million (or 2% of turnover) for essential entities, up to EUR 7 million (or 1.4% of turnover) for important entities.

Does NIS2 apply if we don’t operate anything “critical” ourselves, but supply critical companies? NIS2 requires companies to assess the security of their own supply chain and impose contractual requirements on their suppliers. If, as a supplier, you have access to production systems or sensitive data of a company subject to NIS2, your customers will require security evidence (e.g., ISO 27001 certification, security questionnaires, audit rights) from you—even if your own company is not directly subject to NIS2.


Unsure whether and how NIS2 affects you? In a structured NIS2 gap analysis, we assess your current status against all requirements and work with you to develop a prioritized action plan.

Request NIS2 Consulting | ISMS and ISO 27001 Consulting



About the author

Chris Wojzechowski, Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.

10 publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen - CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking - Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)