← Back to Blog
NIS2 COMPLIANCE
12 min read
NIS2 Compliance Checklist: 10 Steps Every DACH Company Must Complete Before 2027
Germany, Austria, and Switzerland each implement NIS2 differently. This DACH-specific checklist gives you the exact 10 steps — with country-specific requirements, real deadlines, and penalty amounts — so you can achieve compliance before enforcement begins.
Why DACH Companies Need a Specific NIS2 Checklist
The EU NIS2 Directive (2022/2555) was supposed to be transposed by October 17, 2024. Reality looks different: Germany's NIS2UmsuCG is still working through parliament, Austria passed its NISG 2024 in mid-2025, and Switzerland — while not an EU member — has aligned its Information Security Act (ISG) with NIS2 principles.
The bottom line: enforcement is coming in 2026-2027, and companies that haven't started preparing will face fines up to €10 million or 2% of global turnover for essential entities.
This checklist is built for the DACH reality — three countries, three legal frameworks, one directive.
Step 1: Determine Your NIS2 Classification
What to do:
- Essential Entity: Energy, transport, banking, healthcare, digital infrastructure, ICT service management, public administration, space (250+ employees OR €50M+ turnover)
- Important Entity: Postal services, waste, chemicals, food, manufacturing, digital providers, research (50+ employees OR €10M+ turnover)
- Germany-specific: The NIS2UmsuCG introduces "besonders wichtige Einrichtungen" (especially important entities) and "wichtige Einrichtungen" (important entities) with slightly different thresholds
- Austria-specific: NISG 2024 follows EU thresholds closely but adds specific provisions for critical infrastructure operators already registered under NISG 1.0
- Switzerland-specific: The ISG applies to federal IT systems and critical infrastructure operators. Check BACS (Federal Cyber Security Centre) guidance for your sector
⚡ Action Item: Complete your entity classification by mapping your sector, size, and country-specific criteria. Document the result — you'll need it for registration.
Step 2: Register with Your National Authority
What to do:
- Germany: Register with BSI (Bundesamt für Sicherheit in der Informationstechnik). The NIS2UmsuCG requires registration within 3 months of being identified as in-scope
- Austria: Register with the Interior Ministry's Cybersecurity authority. Entities already registered under NISG 1.0 must update their registration
- Switzerland: Report to BACS for critical infrastructure sectors. Mandatory incident reporting was enacted via ISG amendment effective January 2025
⚡ Action Item: Identify your national competent authority, prepare registration documents, and set a deadline for submission — ideally Q1 2026.
Step 3: Appoint a Cybersecurity Governance Structure
What to do:
- Designate a CISO or equivalent with direct reporting line to the management board
- Management liability: NIS2 Article 20 makes management bodies personally liable for cybersecurity. Board members must attend cybersecurity training
- Establish a cybersecurity committee with quarterly review cadence
- Germany-specific: §38 NIS2UmsuCG explicitly requires Geschäftsleitung (management) approval of cybersecurity risk measures — and holds them personally liable
- Budget allocation: Industry benchmarks suggest 8-14% of IT budget for cybersecurity. NIS2-regulated entities in DACH should target the upper range
⚡ Action Item: Present NIS2 management liability implications to your board. Get formal acknowledgment and budget approval documented.
Step 4: Conduct a Comprehensive Risk Assessment
What to do:
- Perform an all-hazards risk assessment per NIS2 Article 21 — covering cyber threats, physical threats, and supply chain risks
- Map all critical assets: networks, information systems, APIs, cloud services, OT/ICS systems
- Use established frameworks: ISO 27005, BSI IT-Grundschutz (especially for German entities), or NIST CSF
- Include supply chain risk — NIS2 explicitly requires assessing third-party and supplier security
- Document risk appetite and acceptance criteria, approved by management
⚡ Action Item: Launch a risk assessment project. For German companies, align with BSI IT-Grundschutz. Deadline: complete initial assessment within 6 months.
Step 5: Implement Technical Security Measures
What to do (NIS2 Article 21.2 requirements):
- (a) Risk analysis & information system security policies — formalize and publish internal policies
- (b) Incident handling — deploy SIEM/SOAR, establish playbooks for common scenarios
- (c) Business continuity & crisis management — backup management, disaster recovery, crisis response plans
- (d) Supply chain security — vendor risk assessments, contractual security requirements, SBOMs for software
- (e) Security in acquisition, development & maintenance — vulnerability handling and disclosure policies
- (f) Cybersecurity risk assessment effectiveness — regular testing, metrics, KPIs
- (g) Cyber hygiene & training — security awareness programs for all employees
- (h) Cryptography & encryption — encryption at rest and in transit, key management
- (i) HR security & access control — MFA, least privilege, PAM solutions
- (j) Multi-factor authentication & secure communications — enforce MFA on all critical systems
⚡ Action Item: Map your current security controls against all 10 sub-requirements of Article 21.2. Identify and prioritize gaps.
Step 6: Establish Incident Reporting Procedures
What to do:
- Early warning: Within 24 hours of becoming aware of a significant incident — notify your national CSIRT/authority
- Incident notification: Within 72 hours — provide initial assessment including severity, impact, and IoCs
- Final report: Within 1 month — detailed description, root cause, mitigation measures, cross-border impact
- Germany: BSI is the primary recipient. Use the BSI reporting portal (to be established under NIS2UmsuCG)
- Austria: Report to CERT.at and the designated national authority
- Switzerland: BACS mandatory reporting since April 2025 for critical infrastructure; 24-hour window
⚡ Action Item: Create incident response templates for each reporting stage. Run a tabletop exercise to test your 24-hour early warning capability.
Step 7: Implement Continuous Vulnerability Management
What to do:
- Deploy continuous vulnerability scanning across all internet-facing and internal systems
- Establish patch management SLAs: Critical vulnerabilities within 48 hours, High within 7 days
- Implement vulnerability disclosure policies (NIS2 Article 21.2e explicitly requires this)
- Track Mean Time to Remediate (MTTR) as a board-level KPI
- Consider automated penetration testing to supplement periodic manual assessments
⚡ Action Item: If you're not scanning continuously, start today.
KENSAI's free scan gives you immediate visibility into your external attack surface — exactly what NIS2 auditors will check first.
Step 8: Secure Your Supply Chain
What to do:
- Inventory all critical suppliers and service providers — cloud, SaaS, managed services, software vendors
- Include cybersecurity requirements in contracts: SLAs for patch management, incident notification, audit rights
- Request ISO 27001 certificates or equivalent from critical suppliers
- Implement Software Bill of Materials (SBOM) requirements for custom software
- DACH-specific: Many German Mittelstand companies are suppliers to NIS2 essential entities — expect cascading compliance requirements
⚡ Action Item: Create a critical supplier register. Send security questionnaires to your top 20 suppliers within 30 days.
Step 9: Prepare for Audits and Supervision
What to do:
- Essential entities: Subject to proactive supervision — expect regular audits, security scans, and on-site inspections
- Important entities: Reactive supervision — audits triggered by incidents or complaints
- Maintain audit-ready documentation: risk assessments, security policies, incident logs, training records, supplier assessments
- Germany: BSI can conduct audits and issue binding instructions. Non-compliance can result in daily penalty payments
- Austria: The NISG 2024 grants inspection authorities access to premises and data
- Know the penalty framework: Essential entities face up to €10M or 2% of global turnover; Important entities up to €7M or 1.4%
⚡ Action Item: Conduct an internal NIS2 readiness assessment. Score yourself against each Article 21 requirement. Fix critical gaps before external auditors arrive.
Step 10: Build a Culture of Continuous Compliance
What to do:
- NIS2 is not a one-time project — it's an ongoing obligation. Build compliance into BAU operations
- Schedule quarterly security reviews with management board participation
- Run annual tabletop exercises simulating incident response scenarios
- Track compliance KPIs: vulnerability MTTR, training completion rates, incident response times, supplier assessment coverage
- Stay current with ENISA guidance, national authority updates, and evolving threat landscape
- Plan for NIS2 implementing acts — the European Commission will issue technical specifications for specific sectors
⚡ Action Item: Create a 12-month NIS2 compliance roadmap with quarterly milestones. Present it to the board and get sign-off.
DACH Penalty Comparison
| Country | Essential Entities | Important Entities | Management Liability |
| Germany | Up to €10M or 2% global turnover | Up to €7M or 1.4% global turnover | Personal liability for Geschäftsführer/Vorstand |
| Austria | Up to €10M or 2% global turnover | Up to €7M or 1.4% global turnover | Management body accountability per NISG 2024 |
| Switzerland | Up to CHF 100,000 (ISG) | Sector-specific penalties | Individual liability for negligent non-reporting |
Your NIS2 Timeline for 2026-2027
| Quarter | Milestone |
| Q1 2026 | Complete entity classification and registration |
| Q2 2026 | Finish risk assessment and gap analysis |
| Q3 2026 | Implement technical measures and incident reporting |
| Q4 2026 | Supply chain security and audit preparation |
| Q1 2027 | Internal audit, remediation, and continuous compliance |
Don't Wait for Enforcement
The biggest mistake DACH companies make is treating NIS2 as a future problem. With Germany's NIS2UmsuCG expected to pass in 2026 and Austria already enforcing NISG 2024, the compliance window is closing fast.
Companies that start now will have a structured, manageable path to compliance. Those that wait will face rushed implementations, higher costs, and potential penalties.
Start Your NIS2 Compliance Journey
See where your organization stands today. KENSAI's free external scan checks your attack surface against NIS2 requirements.
Run Free NIS2 Scan →
Published by KENSAI Research Team · 2026-02-28