← Back to Blog
NIS2 COMPLIANCE 12 min read

NIS2 Compliance Checklist: 10 Steps Every DACH Company Must Complete Before 2027

Germany, Austria, and Switzerland each implement NIS2 differently. This DACH-specific checklist gives you the exact 10 steps — with country-specific requirements, real deadlines, and penalty amounts — so you can achieve compliance before enforcement begins.


Why DACH Companies Need a Specific NIS2 Checklist

The EU NIS2 Directive (2022/2555) was supposed to be transposed by October 17, 2024. Reality looks different: Germany's NIS2UmsuCG is still working through parliament, Austria passed its NISG 2024 in mid-2025, and Switzerland — while not an EU member — has aligned its Information Security Act (ISG) with NIS2 principles.

The bottom line: enforcement is coming in 2026-2027, and companies that haven't started preparing will face fines up to €10 million or 2% of global turnover for essential entities.

This checklist is built for the DACH reality — three countries, three legal frameworks, one directive.


Step 1: Determine Your NIS2 Classification

What to do:

⚡ Action Item: Complete your entity classification by mapping your sector, size, and country-specific criteria. Document the result — you'll need it for registration.

Step 2: Register with Your National Authority

What to do:

⚡ Action Item: Identify your national competent authority, prepare registration documents, and set a deadline for submission — ideally Q1 2026.

Step 3: Appoint a Cybersecurity Governance Structure

What to do:

⚡ Action Item: Present NIS2 management liability implications to your board. Get formal acknowledgment and budget approval documented.

Step 4: Conduct a Comprehensive Risk Assessment

What to do:

⚡ Action Item: Launch a risk assessment project. For German companies, align with BSI IT-Grundschutz. Deadline: complete initial assessment within 6 months.

Step 5: Implement Technical Security Measures

What to do (NIS2 Article 21.2 requirements):

⚡ Action Item: Map your current security controls against all 10 sub-requirements of Article 21.2. Identify and prioritize gaps.

Step 6: Establish Incident Reporting Procedures

What to do:

⚡ Action Item: Create incident response templates for each reporting stage. Run a tabletop exercise to test your 24-hour early warning capability.

Step 7: Implement Continuous Vulnerability Management

What to do:

⚡ Action Item: If you're not scanning continuously, start today. KENSAI's free scan gives you immediate visibility into your external attack surface — exactly what NIS2 auditors will check first.

Step 8: Secure Your Supply Chain

What to do:

⚡ Action Item: Create a critical supplier register. Send security questionnaires to your top 20 suppliers within 30 days.

Step 9: Prepare for Audits and Supervision

What to do:

⚡ Action Item: Conduct an internal NIS2 readiness assessment. Score yourself against each Article 21 requirement. Fix critical gaps before external auditors arrive.

Step 10: Build a Culture of Continuous Compliance

What to do:

⚡ Action Item: Create a 12-month NIS2 compliance roadmap with quarterly milestones. Present it to the board and get sign-off.

DACH Penalty Comparison

CountryEssential EntitiesImportant EntitiesManagement Liability
GermanyUp to €10M or 2% global turnoverUp to €7M or 1.4% global turnoverPersonal liability for Geschäftsführer/Vorstand
AustriaUp to €10M or 2% global turnoverUp to €7M or 1.4% global turnoverManagement body accountability per NISG 2024
SwitzerlandUp to CHF 100,000 (ISG)Sector-specific penaltiesIndividual liability for negligent non-reporting

Your NIS2 Timeline for 2026-2027

QuarterMilestone
Q1 2026Complete entity classification and registration
Q2 2026Finish risk assessment and gap analysis
Q3 2026Implement technical measures and incident reporting
Q4 2026Supply chain security and audit preparation
Q1 2027Internal audit, remediation, and continuous compliance

Don't Wait for Enforcement

The biggest mistake DACH companies make is treating NIS2 as a future problem. With Germany's NIS2UmsuCG expected to pass in 2026 and Austria already enforcing NISG 2024, the compliance window is closing fast.

Companies that start now will have a structured, manageable path to compliance. Those that wait will face rushed implementations, higher costs, and potential penalties.

Start Your NIS2 Compliance Journey

See where your organization stands today. KENSAI's free external scan checks your attack surface against NIS2 requirements.

Run Free NIS2 Scan →

Published by KENSAI Research Team · 2026-02-28

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →