NIS 2
April 2026
NIS 2 is law. What German companies need to do now.
By Swapna De., Managing Director, AuditVantage® GmbH
The NIS 2 Directive became binding in Germany on 6 December 2025, transposed through the NIS2UmsuCG. Unlike some EU regulations, it arrived without a transition period. If your organisation is in scope, the obligations apply now.
Management can be held personally liable for compliance failures under the NIS2UmsuCG. This is written into the law.
Are you in scope?
NIS 2 applies to organisations operating in covered sectors with at least 50 employees or annual turnover exceeding EUR 10 million. Covered sectors include energy, transport, healthcare, digital infrastructure, IT service providers, managed security services, manufacturing, and food production.
The NIS2UmsuCG applies different obligation levels to essential entities and important entities. Your classification determines both the measures required and the potential penalties for non-compliance.
What the law requires
Article 21 measures include: risk analysis policies, incident handling procedures, business continuity and crisis management, supply chain security, security in system acquisition and development, cryptography policies, human resources security, access control, and multi-factor authentication.
Incident reporting
Significant incidents must be reported to the BSI on a regulated multi-stage timeline that starts when the entity becomes aware of the incident. The Directive sets a specific deadline for each reporting stage; these are enforceable deadlines, not targets, so organisations should verify the exact hours and days against the version of the NIS2UmsuCG in force at the time of the incident.
What to do first
The starting point is entity classification. Determine whether your organisation falls into the essential or important category and confirm which specific measures apply. A structured gap analysis against Article 21 measures will identify what is in place and what is missing.
AuditVantage® provides NIS 2 classification support, gap analysis, and implementation roadmaps for organisations across Germany and the EU. Get in touch to arrange a discovery call.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
Am I in scope of NIS 2?
Scope depends on three factors: sector (Annex I or Annex II of the Directive), size (essential entities are generally large enterprises in critical sectors; important entities are medium-sized in covered sectors), and operational role (digital infrastructure, providers of essential services). The Directive sets a default size threshold of 50 employees or EUR 10 million turnover, with exceptions for specific entity types regardless of size. Scoping is case-by-case under the NIS2UmsuCG.
What are the penalties for NIS 2 non-compliance?
Under Article 34, essential entities face administrative fines up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines up to EUR 7 million or 1.4% of total worldwide annual turnover. Member States can also impose additional sanctions, and Article 20 management body liability creates personal exposure for senior leadership in cases of serious or repeated failure.
How fast must I report a security incident under NIS 2?
Article 23 establishes a three-stage reporting timeline: an early warning, a formal incident notification, and a final report, each with a specific deadline measured from the moment the entity becomes aware of the incident. The exact hours and days for each stage are set in the Directive and the German NIS2UmsuCG; organisations should verify the current deadlines against the version in force at the time of the incident. Failure to meet the prescribed deadlines is itself a basis for enforcement.
What is the difference between NIS and NIS 2?
NIS 2 substantially expands scope (more sectors, more entities), tightens cybersecurity risk management measures (Article 21 lists ten specific measures), introduces management body liability (Article 20), strengthens supply chain requirements (Article 21(2)(d)), and creates a harmonised incident reporting timeline. The original NIS Directive was minimum-harmonisation; NIS 2 is closer to maximum-harmonisation. Penalties are significantly higher.
Does my organisation need a designated cybersecurity lead under NIS 2?
NIS 2 does not mandate a CISO title, but it requires that management bodies oversee and approve cybersecurity risk-management measures, take training, and bear personal liability for failures. In practice, most in-scope organisations designate a senior individual to own cybersecurity strategy and reporting. For smaller organisations without a full-time CISO, a vCISO arrangement is a common and accepted approach.
How does NIS 2 interact with ISO 27001?
NIS 2 sets legal obligations; ISO 27001 provides a management system structure that supports compliance with many of those obligations. An ISO 27001 certified ISMS does not by itself fulfil NIS 2 compliance, particularly the supply chain (Article 21(2)(d)), training (Article 21(2)(g)), and incident reporting (Article 23) elements. However, organisations with mature ISO 27001 are typically much closer to NIS 2 readiness than organisations without.