What is the Network and Information Security Directive (NIS2)?
The NIS2 Directive represents a significant evolution in the European Union’s cybersecurity framework, building upon the existing Network and Information Security (NIS) Directive. The EU directive was to be transposed into national law by all member states by October 17, 2024. In Germany, the NIS-2 Implementation Act (NIS2UmsuCG) entered into force on December 6, 2025. NIS2 introduces more stringent cybersecurity obligations and expands its scope to cover a broader range of sectors and entities. This enhanced directive aims to establish a unified security standard across all member states and strengthen the cyber resilience of critical infrastructure and digital services against increasingly sophisticated cyber threats.
NIS2 in Germany: The NIS-2 Implementation Act
With the entry into force of the NIS-2 Implementation Act (NIS2UmsuCG) on December 6, 2025, new obligations apply to affected organizations in Germany:
- Registration requirement: Affected entities must register in the BSI Portal (portal.bsi.bund.de). Authentication uses Germany’s digital service account “Mein Unternehmenskonto” (MUK) (mein-unternehmenskonto.de), which provides the ELSTER organisation certificate required for login (see the BSI step-by-step registration guide).
- Reporting obligations: Significant security incidents must be reported to the BSI within specified timeframes.
- Management responsibility: Management bears explicit responsibility for compliance with cybersecurity requirements and can be held personally liable for violations.
- Risk management: Organizations must implement and document comprehensive risk management measures.
An impact assessment can be conducted via the official NIS-2 impact assessment from the BSI.
NIS2’s scope encompasses a wide range of organizations across various sectors, categorized as either “essential” or “important” entities based on their criticality and size. Essential entities include organizations in sectors such as energy, transport, banking, healthcare, and digital infrastructure, while important entities cover areas like postal services, waste management, food production, and research. This expanded scope reflects the growing interconnectedness of our digital economy and the need for comprehensive cybersecurity measures across all critical sectors.
At SCHUTZWERK, we understand the complexities of implementing NIS2 requirements and their impact on your organization’s security posture. Our team of security experts provides comprehensive support with initial security assessments as well as in establishing and maintaining compliance with NIS2’s enhanced security measures, risk management requirements, and incident reporting obligations. We help organizations not only achieve compliance but also build robust cybersecurity capabilities that protect their operations and stakeholders.
Objective
Support in implementing and maintaining compliance with the NIS2 Directive through specialized security assessments
Question
How can we effectively meet the requirements of the NIS2 Directive?
Scope
IT systems and processes of organizations within the scope of NIS2 requirements
Comprehensive NIS2 Framework
The NIS2 Directive establishes a comprehensive framework for cybersecurity, focusing on several key areas that organizations must address to ensure compliance and enhance their security posture. This framework represents a significant advancement in EU cybersecurity regulation, requiring organizations to implement robust security measures and maintain active oversight of their cybersecurity status.
Risk Management and Security Measures
Organizations must implement comprehensive risk management practices that encompass all aspects of network and information system security. This includes regular risk assessments, implementation of appropriate security controls, and continuous monitoring of security measures. We help organizations develop and maintain effective risk management processes that align with NIS2 requirements while supporting operational efficiency.
Supply Chain Security
NIS2 places significant emphasis on supply chain security and thus addresses the risks arising from the numerous dependencies on and relationships with suppliers of modern digital systems and infrastructure. We assist organizations in developing robust supply chain security frameworks, including vendor assessment methodologies, security requirements for suppliers, and ongoing monitoring processes. Our expertise helps ensure that your supply chain meets NIS2 requirements while maintaining operational effectiveness.
Incident Reporting and Response
The directive mandates strict incident reporting requirements and robust incident response capabilities. We help organizations establish efficient incident management processes, including incident classification systems, reporting procedures, and response protocols. Our expertise ensures that your incident handling capabilities meet both regulatory requirements and operational needs.
Governance and Risk Oversight
NIS2 requires organizations to establish clear governance structures and maintain active oversight of cybersecurity risks. We support the development of effective governance frameworks, including policies, procedures, and reporting mechanisms that ensure appropriate management of cybersecurity risks and compliance obligations.
Security Testing and Assessment
Regular security testing is essential under NIS2 to verify the effectiveness of implemented security measures. Our testing framework includes various assessment types, from vulnerability analysis to advanced penetration testing, helping organizations validate their security controls and identify areas for improvement.
Scope: Essential and Important Entities
NIS2 distinguishes between two categories of affected organisations. Whether an entity counts as “essential” or “important” depends on sector and company size:
| Category | Example sectors / installations | General thresholds / conditions |
|---|---|---|
| Essential entities (Annex I) | Energy (electricity, gas, oil, district heating, hydrogen), transport (air, rail, water, road), banking and financial market infrastructure, health, drinking water and waste water, digital infrastructure (DNS, cloud, data centres, telecom networks), ICT service management (B2B), public administration, space | Large enterprises (generally 250+ employees or annual turnover above €50 million and balance sheet total above €43 million) |
| Important entities (Annexes I and II, where not essential and not operator of a critical installation) | Postal and courier services, waste management, chemicals (manufacture and distribution), food production and distribution, manufacturing (medical devices, computers and electronics, machinery, motor vehicles, other), digital providers (online marketplaces, search engines, social networks), research | Medium-sized enterprises (generally 50+ employees or annual turnover above €10 million and balance sheet total above €10 million) |
| Operators of critical installations (from Annex I or II sectors; German: “Betreiber kritischer Anlagen”) | Installations providing essential supply services (typically energy and water supply, hospitals, telecom networks, food supply, waste disposal, in each case once the German KRITIS thresholds are met) | Independent of employee count or turnover. Thresholds are defined in the BSI-KritisV (sector-specific volume thresholds for essential supply services). Operators of critical installations are automatically classified as essential entities and are additionally subject to KRITIS-specific obligations (e.g. regular certification) |
The sector lists summarise Annexes I and II of the NIS2 Directive. The German implementation (BSIG as amended by NIS2UmsuCG, in particular § 28 BSIG) sets out three classification pathways, derived from sector, company size and KRITIS status:
- By company size: large enterprises in Annex I sectors (e.g. energy, transport, digital infrastructure, space) generally qualify as essential; medium-sized enterprises in Annex I or II sectors generally as important.
- By KRITIS status: any installation that exceeds the thresholds set out in the German BSI-KritisV qualifies as an operator of a critical installation (“Betreiber kritischer Anlagen”), and is then automatically treated as an essential entity, regardless of employee count, turnover or balance sheet. This pathway also applies in Annex II sectors: a waste management entity, for example, cannot reach essential status via the size criteria alone, but does so once it exceeds the KritisV thresholds and is classified as an operator of a critical installation. Operators of critical installations are additionally subject to KRITIS-specific requirements on top of the essential-entity obligations.
- By special rules: specific entity types (e.g. qualified trust service providers, DNS and TLD registry operators) fall in scope regardless of size.
The German BSI’s official NIS-2 impact assessment provides an initial, non-binding indication of whether an organisation is in scope.
Legal Opinion on NIS2 Scope by a Specialised Lawyer
If you need a formal legal assessment beyond the BSI’s non-binding self-check, for example to present to your management board, supervisory board or a regulator, we can include, on request, a legal opinion on NIS2 scope by a lawyer specialised in IT and cybersecurity regulation.
Background: in Germany, the Rechtsdienstleistungsgesetz (RDG) reserves the provision of legal advice for admitted lawyers. In practice, a well-founded scope determination requires both technical fact-finding and legal evaluation. The usual setup (your technical consultant going back and forth with your external lawyer, often with you as an intermediary) is slow and lossy.
Our model: we work with a law firm specialised in regulatory and IT law whose lawyer can act directly as part of our project team and, on request, be billed through SCHUTZWERK. No additional vendor needs to be set up or onboarded on your side. The legal advice itself is delivered in an RDG-compliant manner on the basis of a client mandate agreement (“Mandatsvereinbarung”) between you and the law firm directly, so the opinion is clearly documented and cleanly embedded in your SCHUTZWERK engagement. Outcome: a single consolidated technical-legal NIS2 scope assessment from one point of contact, with no whisper-down-the-lane between consultants.
From Scope to Implementation: NIS2 Support by SCHUTZWERK
Both the NIS2 Directive and the German BSI recommend aligning the required cybersecurity and risk-management measures with established standards, in practice typically IT-Grundschutz (BSI-Standards 200-1 through 200-3) or the ISO/IEC 27000 family, with ISO/IEC 27001 as the central framework for information security management systems. SCHUTZWERK supports NIS2-affected organisations along these standards with certified ISO 27001 Lead Auditors and long-standing experience in Grundschutz and ISMS projects.
A typical NIS2 package consists of four building blocks that build on each other and can be commissioned individually or as a single engagement:
- Scope determination: combined technical and legal assessment of NIS2 applicability, optionally extended with a formal legal opinion via our specialised law firm partner (see section above).
- Position assessment: for larger organisations, a broad information security maturity analysis across all relevant security domains; for medium-sized organisations targeting certification, an ISO/IEC 27001 audit by our Lead Auditors.
- Technical assessment: focused vulnerability analyses and penetration tests to validate implemented security measures, scoped to the systems and applications in question.
- Implementation support and ongoing operations: setup and operation of the information security management system (ISMS), including continuous guidance on the risk-management and incident reporting obligations under the NIS2 transposition.
Which building blocks are required and in what depth depends on your organisation’s maturity, existing structures and certification strategy.
Our Services
Security Assessment
Our comprehensive security assessments help identify gaps in your current security posture against NIS2 requirements. We provide detailed insights and practical recommendations for improvement.
Risk Management
We help you develop and implement a robust risk management process that meets NIS2 requirements.
Vulnerability Analysis
Through a broad analysis of exposed IT systems, we identify vulnerabilities that could serve as an entry point for further attacks.
Penetration Testing
Our specialized penetration testing services help assess the security of your critical systems and identify potential vulnerabilities.
Incident Response
We help you develop and implement effective incident response processes that meet NIS2 requirements.
Implementation Approach
Our approach to NIS2 implementation combines technical expertise with practical experience in cybersecurity regulation. We work closely with your team to:
- Assess your current security posture against NIS2 requirements
- Develop a tailored implementation roadmap
- Support the implementation of required security measures
- Provide ongoing guidance and support for maintaining compliance
First Step: Maturity Level Analysis
For organizations newly affected by NIS2, we recommend starting with an Information Security Maturity Analysis. This provides a comprehensive 360-degree overview of your current cybersecurity status across all relevant areas:
- Governance and Organization
- Technology and Operations
- Business Continuity Management and Emergency Planning
- Physical Security
- Contractual Relationships
- Additional specific areas as needed
The analysis helps you understand your current position against NIS2 requirements and identifies where investments and improvements are most urgently needed. Results are visualized in clear spider diagrams and complemented with concrete recommendations for action.
Benefits of Working with SCHUTZWERK
When partnering with SCHUTZWERK for NIS2 compliance, you benefit from:
- Deep understanding of both technical security requirements and regulatory frameworks
- Practical experience in implementing cybersecurity measures across various sectors
- Comprehensive testing and assessment capabilities
- Ongoing support and guidance throughout your compliance journey
- Independent and objective security expertise
Our goal is to help you not only achieve NIS2 compliance but also build lasting cybersecurity capabilities that protect your organization and support your business objectives. We understand that effective cybersecurity is not just about meeting regulatory requirements but about building genuine resilience against evolving threats.