NIS2 Frequently Asked Questions

Clear answers to the questions German companies ask most about NIS2, the BSIG, and what compliance actually requires.

NIS2 Basics

What is the difference between NIS2 essential and important entities?

Essential entities (besonders wichtige Einrichtungen) are companies in high-criticality sectors like energy, transport, banking, health, water, and digital infrastructure (NIS2 Annex I). Important entities (wichtige Einrichtungen) are in other critical sectors like waste management, food, manufacturing, postal, and chemicals (Annex II). The key differences: essential entities face higher maximum fines (€10M / 2% turnover vs €7M / 1.4%), proactive BSI audits (the BSI can inspect at any time without a trigger), and stricter supervision. Important entities are only audited reactively — after an incident or on evidence of non-compliance. Both must implement the same 10 cybersecurity measures under §30 BSIG.

How many companies are affected by NIS2 in Germany?

The BSI estimates approximately 29,500 companies in Germany fall under NIS2 scope. This is a massive expansion from the previous KRITIS regime, which covered only about 2,000 operators. The increase comes from lower size thresholds (50+ employees instead of hundreds of thousands of people served) and seven newly added sectors including waste management, food production, manufacturing, postal services, chemicals, research, and expanded digital services.

When did NIS2 become law in Germany?

The German NIS2 transposition law (NIS2UmsuCG) was passed by the Bundestag on 13 November 2025, approved by the Bundesrat on 21 November 2025, published in the Bundesgesetzblatt on 5 December 2025, and entered into force on 6 December 2025. The BSI registration portal went live on 6 January 2026, with the registration deadline on 6 March 2026. Germany missed the original EU transposition deadline of 17 October 2024 by over a year.

Is there a transition period for NIS2 in Germany?

No. There is no transition period. All obligations — risk management measures, incident reporting, management liability, and BSI registration — applied from the day the law entered into force on 6 December 2025. The BSI registration deadline was 6 March 2026 (3 months after entry into force). Companies that have not yet started compliance work are already technically non-compliant.

Does NIS2 apply to small companies with fewer than 50 employees?

Generally no. NIS2 uses the EU SME definition (Recommendation 2003/361/EC): a company is in scope if it has at least 50 employees, or if it has both more than €10M annual turnover and more than €10M balance sheet total. The two financial thresholds must be met together; high revenue alone is not enough if the balance sheet is below €10M. However, certain entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region. If you are close to the 50-employee threshold, check whether linked group companies push you over the limit. See our entity types article for 10 real-world edge case examples.

Scope & Applicability

Which sectors are covered by NIS2?

NIS2 covers 18 sectors in total. Annex I (high-criticality, essential entities): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II (other critical, important entities): postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (marketplaces, search engines, social networks), and research organizations.

What is the difference between NIS2 Annex I and Annex II sectors?

Annex I lists 11 'sectors of high criticality' — companies here are classified as essential entities (besonders wichtige Einrichtungen) if they are large, or as important entities if medium-sized. Annex II lists 7 'other critical sectors' — companies here are classified as important entities regardless of whether they are medium or large. This means a chemical distributor with 180 employees, €70M revenue, and €50M balance sheet is still classified as important — not essential — because chemicals are Annex II. The practical difference: Annex I essential entities face proactive BSI audits, higher fines (€10M vs €7M), and stricter supervision. Annex II important entities face reactive supervision only.

Does NIS2 apply to manufacturing companies?

Yes, if you manufacture medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, or other transport equipment and have 50+ employees or €10M+ revenue. Manufacturing is listed in NIS2 Annex II, making affected companies 'important entities' (wichtige Einrichtungen). A significant number of German Mittelstand companies fall into this category. All 10 cybersecurity measures under §30 BSIG apply.

We outsource all IT to a managed service provider. Does NIS2 still apply?

Yes, fully. NIS2 applies to the entity providing the regulated service, regardless of who manages the IT. You can outsource operations but not accountability (§30 BSIG). Your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify their security measures. If they get breached, your reporting obligation triggers — not theirs. Management remains personally liable under §38 BSIG.

Our company operates in multiple EU countries. Do we need to comply with each country's NIS2 law?

Yes. An incident at a company with operations in multiple member states may trigger reporting obligations in each country where affected services are provided. By early 2026, only about 6-8 of 27 EU member states had fully transposed NIS2. Each country has its own registration portal and procedures. Germany's BSIG is among the most detailed implementations. For cross-border operations, comply with each national law where you provide services.

NIS2 vs Other Frameworks

What is the difference between NIS2 and KRITIS?

NIS2 does not replace KRITIS — it extends it dramatically. KRITIS covered roughly 2,000 operators with high thresholds (e.g., 500,000 people served). NIS2 covers approximately 30,000 entities with much lower thresholds (50+ employees). NIS2 adds seven new sectors, personal management liability (§38 BSIG), mandatory BSI registration, structured incident reporting (24h/72h/1 month), and significantly higher penalties (up to €10M vs €100K). KRITIS operators are automatically classified as essential entities under NIS2.

Does an ISO 27001 certification mean I'm NIS2 compliant?

No. ISO 27001 covers approximately 70% of NIS2 technical requirements, but it misses the areas with the highest enforcement risk: BSI registration (§33), incident reporting timelines (24h/72h/1 month under §32), management personal liability (§38), enhanced supply chain due diligence, and the statutory penalty framework. ISO 27001 is a voluntary management standard; NIS2 is a legal obligation with government reporting and personal liability. Your ISO certification is a strong foundation, but you need gap-filling for the NIS2-specific regulatory requirements.

What is IT-Grundschutz and why does it matter for NIS2?

IT-Grundschutz is the BSI's own cybersecurity methodology — a comprehensive framework with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. This is a legal shortcut: the BSI both publishes Grundschutz and enforces NIS2, so using their methodology means you are audited against a standard the auditor knows inside out. Grundschutz covers 100% of CIR 2024/2690 requirements and is more detailed than ISO 27001 for NIS2 purposes.

What is CIR 2024/2690 and how does it relate to NIS2?

CIR 2024/2690 is the EU Implementing Regulation published on 17 October 2024 that specifies the exact technical and methodological requirements for NIS2 compliance. Unlike the NIS2 Directive, it applies directly in all EU member states without national transposition. It answers the question 'what exactly do we have to implement?' by breaking the 10 measure areas into specific, auditable requirements. In Germany, the BSIG extends these technical requirements to all NIS2-covered sectors, making the CIR the de facto technical standard for everyone.

Management Liability

What are the three management duties under §38 BSIG?

§38 BSIG defines three personal duties for management (Geschäftsleitung) that cannot be delegated: (1) Approval (Billigung) — formally approve cybersecurity risk management measures with documented, traceable sign-off. (2) Oversight (Überwachung) — actively monitor implementation through regular status reviews, not passive awareness. (3) Training (Schulung) — personally complete cybersecurity training to develop sufficient knowledge to evaluate risks. Failing any one of these creates personal liability exposure — even if the company has implemented reasonable measures.

Can I delegate NIS2 responsibility to my IT department?

You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter — not IT managers, CISOs, or external consultants. You must personally approve measures, oversee their implementation, and complete cybersecurity training. Your IT team implements; you approve and monitor. Claiming you delegated everything to IT is not a defense — it is proof of an oversight violation.

Does D&O insurance cover NIS2 liability?

Most D&O policies exclude regulatory fines and penalties — these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims from your own company) may be covered, depending on your policy terms. Insurers can also deny claims if management knowingly failed to comply with statutory duties. Check your specific policy's exclusion clauses — 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies. Do not assume coverage exists — ask for written confirmation.

Can shareholders waive management liability for NIS2?

No. §38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. Even in an owner-managed GmbH where the Geschäftsführer is the sole shareholder, the liability exists. If the company goes bankrupt due to a cyber incident, the insolvency administrator can come after your personal assets.

I'm not technical — can I really be held liable for cybersecurity?

Yes. §38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense — it is proof of a training violation. The training does not require you to become an IT expert, but you must understand your company's risk profile and the measures in place.

BSI Registration

How do I register with the BSI for NIS2?

Registration uses a two-step process: (1) Create an account via Mein Unternehmenskonto (MUK) using your ELSTER business certificate at muk.bsi.bund.de. (2) Log in and complete the NIS2 registration form, providing your company details, sector classification, contact person for cybersecurity matters, and IP address ranges. The process takes 30-60 minutes if you have everything prepared. You will need your ELSTER certificate, commercial register number, and a designated cybersecurity contact person.

I missed the BSI registration deadline. Is it too late?

No. The portal is still open — register immediately. The 6 March 2026 deadline has passed, but a significant number of the estimated 30,000 in-scope companies have still not registered. The BSI has signaled that it will prioritize enforcement against companies that ignore obligations entirely — not those who registered late but are acting in good faith. The fine for non-registration is up to €500,000, but the BSI considers circumstances. Late registration with visible compliance progress is fundamentally different from no registration at all.

What is the fine for not registering with the BSI?

§65 BSIG provides for fines of up to €500,000 specifically for registration violations. This is a standalone violation — separate from any penalties for failing to implement security measures. You can be fined for non-registration even if your actual cybersecurity measures are adequate. However, fines are assessed on a case-by-case basis considering severity, duration, and good faith.

Can I register if I'm not sure my company is in scope?

Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences — the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register.

Does BSI registration mean I'm NIS2 compliant?

No. Registration fulfills one obligation (§33 BSIG) but does not satisfy the substantive requirements: cybersecurity measures (§30), incident reporting (§32), or management liability duties (§38). Think of registration like filing a tax return — you still have to pay the tax. After registering, you need to implement all 10 mandatory security measures, set up incident reporting processes, and ensure management fulfills their personal duties.

Incident Reporting

What is the NIS2 incident reporting timeline?

NIS2 requires a three-stage reporting cascade to the BSI: (1) Early warning within 24 hours — confirm a significant incident has occurred, whether it is malicious, and whether it could have cross-border impact. (2) Incident notification within 72 hours — severity assessment, indicators of compromise, initial root cause analysis, and measures taken. (3) Final report within 1 month — detailed description, confirmed root cause, mitigation measures, and lessons learned. If the incident is still ongoing at the one-month mark, an interim report is required.

What counts as a 'significant' incident under NIS2?

An incident is significant if it: causes severe operational disruption to services, causes financial loss exceeding €500,000 or 5% of annual turnover, affects other natural or legal persons with considerable damage, involves unauthorized access or alteration of data, or causes an extended service outage. CIR 2024/2690 adds that recurring minor incidents can be aggregated and treated as significant if they collectively meet the criteria within a six-month period. Not every phishing email triggers reporting — only events crossing these severity thresholds.

Where do I report NIS2 incidents?

All incident reports must be submitted via the BSI's official reporting portal under the NIS2 section. The BSI does not accept reports by email, telephone, or letter as a substitute for portal submission. Access requires prior registration under §33 BSIG — which means unregistered entities face a compounded problem: they cannot file incident reports through the proper channel. Telephone contact with CERT-Bund is appropriate for coordinating response in parallel.

What happens if I don't report an incident to the BSI?

Failure to report is penalized independently of the incident itself. Each missing stage (24h, 72h, 1 month) is a separate violation with fines up to €500,000. For essential entities, the broader penalty framework (up to €10M) can also apply. If management was aware of an incident and failed to ensure reporting, this constitutes a personal oversight violation under §38 BSIG. Non-reporting also raises questions about your entire compliance posture, potentially triggering a broader BSI audit.

Does NIS2 incident reporting replace GDPR breach notification?

No. NIS2 incident reporting under §32 BSIG is separate from and additional to GDPR breach notification under Articles 33/34 GDPR. Both obligations may apply simultaneously to the same incident. If a cyberattack exposes personal data and disrupts services, you must report to the BSI under NIS2 AND to the data protection authority under GDPR. Different timelines, different authorities, different forms.

Penalties & Fines

What is the maximum NIS2 fine for my company?

It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies under €500M turnover, the fixed amount applies because the percentage is lower. Separate penalties of up to €500,000 apply for registration and reporting violations. Multiple violations can compound.

Can I be personally fined as a managing director (Geschäftsführer)?

The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses — not a government fine, but potentially a damages claim from your own company. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally.

Are NIS2 penalties proportional to company size?

Yes, by design. The percentage-of-turnover calculation ensures penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed floor applies, since 2% would be only €300K). For a €600M company, the maximum is €12M (2% exceeds the €10M floor). The BSI is also required to consider proportionality: company size, severity, duration, and good faith efforts all factor into the actual penalty amount.

What triggers BSI enforcement action?

For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger — risk-based spot checks. For important entities: enforcement is reactive — triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial registers and sector databases to identify entities that should be registered but are not. The BSI has indicated it will prioritize companies that have not registered at all.

How do NIS2 penalties compare to GDPR fines?

NIS2 penalties are modeled on the GDPR structure. Maximum NIS2 fines (€10M / 2% turnover for essential entities) are comparable to GDPR Tier 1 fines (€10M / 2% turnover). GDPR Tier 2 fines go higher (€20M / 4%). The key difference: NIS2 adds personal management liability (§38 BSIG) which GDPR does not have. Also, NIS2 fines can compound — non-registration, non-reporting, and non-compliance with measures are separate violations with separate penalties.

Implementation

How long does NIS2 compliance take for a mid-market company?

For a company with 50-250 employees starting from scratch, expect 3-6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2-6), incident reporting process (weeks 4-8), access control improvements (weeks 6-12), and policy documentation (ongoing). Most of the 49 BSIG requirements are write-once documentation — policies, risk assessments, procedures. Only a handful require ongoing operational processes. The BSI evaluates trajectory and good faith, not perfection on day one.

How much does NIS2 compliance cost?

For a 50-250 employee company: management consultants cost €150K-500K, enterprise GRC platforms €100K+/year, US compliance tools (Vanta, Drata) from €7,500/year but lack BSIG specifics, and DIY approaches €20K-80K in staff time. Realistic first-year costs for a 100-person company: gap assessment (€5K-15K), policy documentation (€10K-30K), technical measures (€15K-50K), training (€3K-8K), totaling €33K-103K one-time plus €20K-53K annually. Companies with existing security measures are at the lower end.

What are the 10 mandatory NIS2 cybersecurity measures?

§30(2) BSIG defines 10 mandatory measures: (1) Risk analysis and information security policies, (2) Incident handling, (3) Business continuity and crisis management, (4) Supply chain security, (5) Security in acquisition, development, and maintenance, (6) Effectiveness assessment, (7) Cybersecurity training and awareness, (8) Cryptography and encryption, (9) Personnel security, access control, and asset management, (10) Multi-factor authentication and secured communications. All essential and important entities must implement all 10 measures, proportionate to their risk profile.

What does an asset inventory look like for a mid-market company?

Simpler than you think. A typical 100-person company has about 10-15 grouped asset entries. IT-Grundschutz explicitly allows grouping identical assets: '45 Windows laptops' is one entry, not 45. Typical categories: ERP/billing system, email and collaboration (Microsoft 365), network infrastructure per site, standard endpoints (grouped), servers and databases, cloud services, and any operational technology. For waste companies add fleet management and weighbridge systems, for manufacturers add production line controls.

Do I need to hire a CISO or security team for NIS2?

No. For mid-market companies (50-250 employees), NIS2 compliance is manageable with existing staff in part-time roles: a compliance lead (4-8 hours/week, usually the IT manager or quality manager), an IT contact (2-4 hours/week), and a management sponsor (1-2 hours/week, required by §38 BSIG). The law requires 'appropriate and proportionate' measures — a 100-person waste company does not need a SOC or a SIEM. Match controls to your actual risk profile, not Fortune 500 infrastructure.

What is the recommended priority order for implementing NIS2 measures?

Start immediately with measures 1 (risk analysis), 2 (incident handling), and 9 (access control and assets) — these are foundational and everything else builds on them. Weeks 3-6: measures 3 (business continuity), 4 (supply chain), and 7 (training), which require the asset inventory from measure 1. Weeks 7-12: measures 5 (procurement security), 6 (effectiveness assessment), 8 (cryptography), and 10 (MFA). The sequence matters because later measures depend on earlier ones.
