NIS2 Directive Compliance in Germany

The NIS2 Directive (Directive 2022/2555) requires essential and important entities to implement risk management measures (Article 21) including incident handling, supply chain security, access control, and cryptography; and incident reporting within 24 hours (early warning) and 72 hours (initial notification) to the national CSIRT. Management bodies are personally liable for NIS2 compliance (Article 20). Medium and large companies in energy, transport, banking, health, digital infrastructure, ICT services, water, and space are in scope.

A 40-person SaaS company likely qualifies as an important entity under NIS2 if it operates in digital infrastructure or ICT service management sectors. Required actions: (1) Register with the national authority — BSI in Germany, ANSSI in France, NCSC in the Netherlands; (2) Implement Article 21 risk management measures; (3) Establish incident response and 24-hour reporting capability; (4) Assess supply chain security. EuroComply's NIS2 module covers scope assessment, risk register, incident response templates, and regulatory monitoring from €49/month, without requiring dedicated security staff.

EU member states were required to transpose the NIS2 Directive into national law by 17 October 2024. Germany's NIS2UmsuCG (NIS2 Implementation Act) entered into force in November 2024, with BSI as the primary enforcement authority. France, the Netherlands, Belgium, Austria, and Ireland met or were close to the October 2024 deadline. Companies in Germany should register with BSI and implement Article 21 risk measures. Failure to register or implement required measures exposes management boards to personal liability.

NIS2 is an EU law requiring medium and large companies in critical sectors to strengthen their cybersecurity. Adopted in January 2023 and replacing the original NIS Directive, it covers 18 sectors including energy, transport, banking, health, digital infrastructure, cloud, ICT services, and public administration. Key obligations: appoint a responsible manager with personal liability; implement security measures; report incidents within 24 hours; assess supply chain risk. Fines reach €10M or 2% of global turnover for essential entities (Article 34(4)), and €7M or 1.4% for important entities (Article 34(5)).

The NIS2 Directive is the European Union's updated cybersecurity framework enacted to strengthen the security of network and information systems across critical sectors. It expands on the original NIS Directive (2016/1148) with broader scope, stricter requirements, and significantly higher penalties. NIS2 applies to: (1) Essential entities in 11 sectors (energy, transport, water, health, banking, financial markets, DNS/TLD, public administration, space, chemicals, food); (2) Important operators in 7 sectors (digital services, cloud, CDN, managed security providers, social media, online marketplaces, search engines); (3) DNS service providers and critical infrastructure providers regardless of sector. The directive is applicable across all 27 EU member states.

NIS2 applies to two primary categories: (1) Essential entities are large organizations in critical sectors whose failure would significantly impact essential services. Article 2 defines essential entities by sector (Annex I) and size (≥250 employees or €50M annual turnover). Examples: energy utilities, hospitals, banks, airports, national defense networks. (2) Important entities are medium and large organizations (≥50 employees or €10M annual turnover) in sectors listed in Annex II, including digital service providers offering cloud computing, DNS, CDN, managed security, social media, or online marketplaces. Your organization must comply if it fits either category. Most commercial organizations in covered sectors do not qualify for exemptions. If you operate in critical infrastructure or provide digital services at scale, you almost certainly must comply.

NIS2 requires four main compliance areas: (1) ICT Risk Management: Implement policies, procedures, and technical measures to manage cybersecurity risks. This includes asset inventories, vulnerability management, access controls, encryption, incident response plans, and business continuity measures per Article 21 and Annex I. (2) Incident Reporting: Notify your national competent authority within 24 hours of discovering a significant incident; notify affected customers within 72 hours per Article 23. (3) Supply Chain Security: Assess third-party risks, include security clauses in vendor contracts, monitor supplier performance per Article 21. (4) Board Accountability: Senior management (board/executive level) is personally liable for approving cybersecurity measures and ensuring implementation per Article 20. Failure to meet these obligations triggers penalties up to €10M or 2% global revenue.