## Introduction
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for cybersecurity across critical and important sectors. It replaces the original NIS Directive from 2016 and significantly expands the scope, tightens requirements, and introduces personal liability for management.
NIS2 entered into force on January 16, 2023. EU member states were required to transpose it into national law by October 17, 2024. In Germany, the implementing law (NIS2UmsuCG) entered into force on December 6, 2025. The BSI registration deadline passed on March 6, 2026. Organizations that are not yet prepared should act now.
## Who Is Affected?
NIS2 uses a size-and-sector approach. Your organization is likely in scope if it operates in one of the listed sectors AND meets the size threshold.
### Essential Entities (Wesentliche Einrichtungen)
Large enterprises in the Annex I ("high criticality") sectors, together with certain entities that are in scope regardless of size, are essential entities and are subject to both proactive (ex ante) and reactive (ex post) supervision:
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, laboratories, medical device manufacturers)
- Drinking water and wastewater
- Digital infrastructure (IXPs, DNS providers, TLD registries, cloud, data centers)
- ICT service management (managed service providers, managed security service providers)
- Public administration
- Space
### Important Entities (Wichtige Einrichtungen)
Medium-sized entities in the sectors above, plus entities of any qualifying size in the Annex II ("other critical") sectors, are important entities and are supervised reactively (ex post) only:
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
### Size Thresholds
The thresholds follow the EU SME definition (Commission Recommendation 2003/361/EC), which counts the annual balance sheet total alongside headcount and turnover:
- **Medium enterprises**: 50-249 employees, or annual turnover and balance sheet total above EUR 10 million
- **Large enterprises**: 250+ employees, or annual turnover above EUR 50 million and balance sheet total above EUR 43 million
A medium-sized entity in an Annex I sector is an important entity, not an essential one; only large enterprises in those sectors are essential by size. Some entities are in scope regardless of size, for example, DNS service providers, TLD name registries, qualified trust service providers, and providers of public electronic communications networks or publicly available electronic communications services.
## What Does NIS2 Require?
Article 21(1) of NIS2 requires every in-scope entity to take appropriate and proportionate technical, operational, and organizational measures to manage its cybersecurity risks. Article 21(2) lists 10 areas those measures must cover at a minimum:
1. **Risk analysis and information security policies**. Establish and maintain policies based on a risk-based approach
2. **Incident handling**. Procedures for detecting, managing, and reporting security incidents
3. **Business continuity and crisis management**. Backup management, disaster recovery, and crisis response plans
4. **Supply chain security**. Assess and manage security risks from suppliers and service providers
5. **Security in network and information systems**. Secure acquisition, development, and maintenance of systems, including vulnerability handling and coordinated vulnerability disclosure
6. **Policies for assessing cybersecurity measures**. Procedures to evaluate the effectiveness of your security measures
7. **Cybersecurity hygiene and training**. Basic cyber hygiene practices and regular security awareness training
8. **Cryptography and encryption**. Policies and procedures for the use of cryptography and, where appropriate, encryption
9. **Human resources security and access control**. Asset management, identity management, and access control policies
10. **Multi-factor authentication and secure communications**. Use of MFA or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate
## Incident Reporting Obligations
NIS2 introduces a staged reporting process with strict deadlines (Article 23):
- **Early warning**: Within 24 hours of becoming aware of a significant incident, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- **Incident notification**: Within 72 hours of becoming aware, updating the early warning and including an initial assessment of severity and impact and, where available, indicators of compromise
- **Final report**: Within one month of the incident notification, including a detailed description, the likely root cause, the mitigation measures applied, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, followed by the final report within one month of the incident being handled
The competent authority or CSIRT can also request intermediate status updates at any time. A "significant incident" is one that has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
## Management Liability
One of NIS2's most impactful changes is the introduction of personal liability for management bodies. Article 20 requires that management:
- Approves the cybersecurity risk management measures
- Oversees their implementation
- Undergoes cybersecurity training
- Can be held personally liable for non-compliance
This means board members and C-level executives can face personal consequences if their organization fails to meet NIS2 requirements. Administrative fines for essential entities reach at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is at least EUR 7 million or 1.4% of worldwide annual turnover, whichever is higher. National law may set higher maximums.
## How NIS2 Maps to Existing Frameworks
If your organization already follows an established security framework, you have a significant head start:
- **ISO 27001**. Covers most NIS2 requirements. Key gaps are typically in incident reporting timelines and supply chain security specifics.
- **BSI IT-Grundschutz**. Strong alignment, particularly for German organizations. The BSI has published guidance on mapping Grundschutz to NIS2.
- **SOC 2**. Partial overlap in security and availability. NIS2 requires more explicit supply chain and incident reporting measures.
Using a platform like KaitoSec that supports multi-framework mapping allows you to see exactly where your existing controls satisfy NIS2 and where gaps remain.
## Preparing for NIS2: A Practical Roadmap
### Phase 1: Scoping (Weeks 1-2)
- Determine whether your organization is an essential or important entity
- Identify which national laws apply (e.g., Germany's NIS2UmsuCG)
- Brief management on their personal liability obligations
### Phase 2: Gap Analysis (Weeks 3-4)
- Map your current security controls against the 10 NIS2 measures
- Identify gaps in incident reporting, supply chain security, and governance
- Prioritize based on risk and regulatory exposure
### Phase 3: Implementation (Weeks 5-12)
- Establish or update incident response procedures to meet 24/72-hour timelines
- Conduct supply chain risk assessments for critical suppliers
- Implement MFA and encryption where not already in place
- Develop management training and approval workflows
### Phase 4: Validation (Weeks 13-16)
- Test incident response procedures through tabletop exercises
- Conduct an internal audit against NIS2 requirements
- Document compliance evidence for potential regulatory review
## Key Takeaways
NIS2 is not optional; it is law. The expanded scope means thousands of organizations that were not covered by the original NIS Directive are now in scope. The combination of strict incident reporting deadlines, management liability, and significant fines makes compliance a board-level priority.
Start with a gap analysis, build on your existing framework certifications, and use multi-framework mapping to avoid duplicate work. The organizations that prepare now will be in the strongest position when enforcement begins.