What Is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) is the revised EU directive on network and information security. It replaces the original NIS Directive from 2016 and places significantly stricter cybersecurity requirements on companies and organizations across the European Union.
Germany transposed NIS2 into national law in December 2025. An estimated 29,000 German companies are now directly affected — many without knowing it.
Who Is Affected by NIS2 in Germany?
NIS2 applies to organizations in 18 sectors, divided into two categories:
Essential Entities (Wesentliche Einrichtungen)
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud providers, data centers)
- Public administration
- Space
Important Entities (Wichtige Einrichtungen)
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Size thresholds: Companies with 50+ employees OR €10M+ annual revenue in these sectors are generally covered. Some critical entities are covered regardless of size.
The Complete NIS2 Compliance Checklist
1. Determine If You're Affected
- [ ] Check if your sector is listed above
- [ ] Verify size thresholds (employees, revenue)
- [ ] Check supply chain obligations (even smaller companies may be affected as suppliers)
- [ ] Register with the BSI (Bundesamt für Sicherheit in der Informationstechnik) if required
2. Governance & Leadership Responsibility
- [ ] Board-level responsibility for cybersecurity established
- [ ] Management trained in cybersecurity risk management
- [ ] Cybersecurity budget allocated
- [ ] Regular reporting to leadership on security posture
- [ ] Personal liability acknowledged (NIS2 introduces director liability)
3. Risk Management (Article 21)
NIS2 Article 21 requires measures across 10 categories:
- [ ] Risk analysis and information system security policies
- [ ] Incident handling — detection, response, and reporting procedures
- [ ] Business continuity — backup management, disaster recovery, crisis management
- [ ] Supply chain security — vendor risk assessment, contractual security requirements
- [ ] Security in network and information systems — acquisition, development, maintenance
- [ ] Vulnerability management — policies and procedures for handling and disclosure
- [ ] Cybersecurity assessment — effectiveness testing of risk management measures
- [ ] Cryptography and encryption — policies for use of cryptographic controls
- [ ] Human resources security — access control, asset management
- [ ] Multi-factor authentication (MFA) — secured communications, emergency access
4. Incident Reporting
NIS2 mandates strict reporting timelines:
- [ ] 24 hours: Early warning to CSIRT/BSI after becoming aware of a significant incident
- [ ] 72 hours: Full incident notification with initial assessment
- [ ] 1 month: Final report with root cause analysis and remediation measures
- [ ] Internal incident classification process established
- [ ] Reporting templates prepared
5. Technical Security Measures
- [ ] Network segmentation implemented
- [ ] Intrusion detection/prevention systems (IDS/IPS) deployed
- [ ] Endpoint detection and response (EDR) on all critical systems
- [ ] Regular vulnerability scanning and penetration testing
- [ ] Patch management process with defined SLAs
- [ ] Secure configuration baselines for all systems
- [ ] Logging and monitoring across all critical infrastructure
6. Dark Web & Breach Monitoring
- [ ] Continuous monitoring for leaked credentials
- [ ] Dark web surveillance for company data
- [ ] Stealer log monitoring for compromised sessions
- [ ] Automated alerting on new exposures
- [ ] Regular breach assessment reports
Nullbreach provides automated dark web monitoring, breach detection, and NIS2 compliance reporting.
7. Supply Chain Security
- [ ] Vendor security assessment process established
- [ ] Contractual cybersecurity requirements for suppliers
- [ ] Regular third-party audits
- [ ] Incident notification requirements in supplier contracts
- [ ] Supply chain risk monitoring
8. Documentation & Evidence
- [ ] Information security management system (ISMS) documented
- [ ] Risk assessment reports maintained
- [ ] Incident response plans documented and tested
- [ ] Training records kept
- [ ] Audit trail for all security-relevant decisions
- [ ] Compliance evidence ready for BSI inspection
Penalties for Non-Compliance
NIS2 introduces significant penalties:
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10 million or 2% of global annual revenue |
| Important entities | €7 million or 1.4% of global annual revenue |
Additionally, management can be held personally liable and temporarily suspended from executive functions.
Timeline
| Date | Milestone |
|---|---|
| December 2025 | NIS2 transposed into German law |
| Q1 2026 | BSI begins registration process |
| Q2 2026 | First compliance audits expected |
| Ongoing | Continuous compliance required |
How Nullbreach Helps with NIS2 Compliance
Nullbreach covers several NIS2 Article 21 requirements out of the box:
- Risk analysis: Automated attack surface scanning and risk scoring
- Incident detection: Real-time breach and dark web monitoring
- Vulnerability management: Continuous CVE detection and alerting
- Supply chain monitoring: Vendor security posture assessment
- Compliance reporting: NIS2-aligned PDF reports for auditors
Conclusion
NIS2 is not optional. With penalties up to €10 million and personal liability for directors, German businesses must act now. Start with this checklist, implement the required measures systematically, and use automated tools like Nullbreach to maintain continuous compliance.