← Back to Blog
Research 18 min read

NIS2 Compliance: The Complete Guide for European Companies

Germany's NIS2 transposition law entered force on December 5, 2025. BSI registration deadlines arrive in March 2026. This guide covers everything CISOs, IT Directors, and compliance officers need to know: who must comply, what the obligations are, what penalties look like, and how to build a practical compliance roadmap.

160K+
EU Entities in Scope
€10M
Max Fine
18
Sectors Covered
24h
Incident Reporting

What Is the NIS2 Directive?

ℹ️ Context

The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016, which was widely regarded as insufficient in scope and enforcement. It dramatically expands coverage from ~10,000 entities under NIS1 to an estimated 160,000+ entities across the EU.

NIS2 was designed to address three fundamental weaknesses: inconsistent transposition across Member States, limited scope covering only narrow sectors, and weak enforcement with penalties too low to drive change.

In Germany, the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) entered into force on December 5, 2025. The BSI is the designated supervisory authority, and registration deadlines begin March 6, 2026.


Who Must Comply with NIS2?

NIS2 shifted from a designation-based approach to a size-cap mechanism. Organisations are automatically in scope if they meet sector and size criteria.

Annex I — Sectors of High Criticality (11 sectors)

SectorExamples
EnergyElectricity, oil, gas, hydrogen, district heating
TransportAir, rail, water, road transport
BankingCredit institutions
Financial market infrastructureTrading venues, central counterparties
HealthHospitals, laboratories, pharma, medical devices
Drinking waterSupply and distribution
WastewaterCollection, disposal, treatment
Digital infrastructureIXPs, DNS, TLD registries, cloud, data centres, CDNs
ICT service management (B2B)MSPs, MSSPs
Public administrationCentral government entities
SpaceGround-based infrastructure operators

Annex II — Other Critical Sectors (7 sectors)

SectorExamples
Postal and courier servicesPostal service providers
Waste managementCollection, transport, treatment
Chemical manufacturingProduction, distribution
Food productionProcessing, distribution (large-scale)
ManufacturingMedical devices, electronics, machinery, vehicles
Digital providersMarketplaces, search engines, social networks
ResearchResearch organisations with significant impact

Size Thresholds

⚠️ Size-Independent Coverage

Certain entities are in scope regardless of size: qualified trust service providers, TLD registries, DNS providers, telecommunications providers, public administration, and sole providers of essential services.


Essential vs Important Entities

AspectEssential EntitiesImportant Entities
SupervisionProactive (ex-ante)Reactive (ex-post)
Max fine€10M or 2% of global turnover€7M or 1.4% of global turnover
AuditsRegular, mandatoryOn evidence of non-compliance
Security requirementsIdenticalIdentical

Key Insight

The security obligations are the same for both tiers. The difference lies only in supervision intensity and penalty caps.


Key NIS2 Requirements (Article 21)

10 Mandatory Obligations

Incident Reporting Timeline

DeadlineRequirementPurpose
24 hoursEarly warning to CSIRTSignal that a significant incident occurred
72 hoursIncident notification with assessmentSeverity, impact, indicators of compromise
1 monthFinal reportRoot cause analysis, impact, mitigation measures

⚠️ Board-Level Personal Liability

Article 20 requires management bodies to approve cybersecurity measures, undergo training, and bear personal responsibility. Under Germany's NIS2UmsuCG, executives face personal fines and potential temporary suspension from management roles. This liability cannot be fully delegated.


NIS2 Penalties and Enforcement

€10M
Essential Entity Fine
2%
of Global Turnover
€7M
Important Entity Fine
1.4%
of Global Turnover

Beyond fines, authorities can issue binding instructions, order cessation of activities, require public disclosure of non-compliance, suspend certifications, and — for essential entities — temporarily prohibit management functions for responsible individuals.

⚠️ GDPR-Scale Penalties for Cybersecurity

For a company with €1 billion revenue, the maximum essential entity fine is €20 million. D&O insurance policies should be reviewed for coverage gaps — personal liability cannot be fully insured away.


NIS2 Timeline: Critical Dates

DateMilestone
Dec 27, 2022NIS2 published in the Official Journal of the EU
Jan 16, 2023NIS2 enters into force
Oct 17, 2024Transposition deadline for all Member States
Dec 5, 2025Germany: NIS2UmsuCG enters into force
Mar 6, 2026Germany: BSI registration deadline
Oct 17, 2027European Commission reviews NIS2 functioning

BSI Deadline Approaching

March 2026 registration is weeks away. Identify compliance gaps before you register.

Start Free NIS2 Scan →

NIS2 Compliance Step-by-Step

10-Step Compliance Roadmap

ℹ️ ISO 27001 ≠ NIS2 Compliance

ISO 27001 provides a strong foundation but NIS2 adds specific requirements: mandatory incident reporting timelines (24h/72h/1 month), personal liability for management, and detailed supply chain security obligations. Certification alone does not guarantee compliance.


How KENSAI Automates NIS2 Compliance

Automated Attack Surface Discovery

KENSAI continuously scans your external attack surface — domains, subdomains, IPs, cloud services, exposed APIs — and maps assets against your NIS2 scope. Real-time inventory of what you need to protect.

CVE-Based Vulnerability Mapping

With 332,000+ CVEs, KENSAI identifies known vulnerabilities and correlates them with NIS2 requirements. Each finding is prioritised by CVSS score, NIS2 relevance, and remediation urgency based on threat intelligence.

NIS2 Compliance Gap Analysis

AI maps your security posture against all Article 21 requirements: compliance score, gap report, prioritised remediation, and evidence documentation suitable for regulators and auditors.

Supply Chain Risk Visibility

Scan suppliers' external infrastructure to identify exposed services, vulnerabilities, certificate issues, DNS misconfigurations, and data breach history — the supply chain visibility NIS2 demands.

Pricing for NIS2 Compliance

Starter: €990/month — Medium enterprises entering NIS2 scope. Professional: €1,490/month — Complex infrastructure and supply chains. Enterprise: €2,490/month — Full-scope compliance automation with dedicated support.


FAQ: NIS2 Compliance

What is the NIS2 Directive?

The EU's updated cybersecurity regulation (Directive (EU) 2022/2555) replacing the original NIS Directive. It establishes mandatory risk-management measures, incident reporting, and supply chain security requirements across 18 critical sectors.

Who must comply?

Organisations in 18 designated sectors meeting medium enterprise (50+ employees or €10M+ turnover) or large enterprise (250+ employees or €50M+ turnover) thresholds. Certain entities like DNS providers and telecoms are covered regardless of size.

What are the penalties?

Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4% of global turnover. Plus binding instructions, public disclosure, suspension of certifications, and personal management liability.

What are the incident reporting requirements?

Three stages: early warning within 24 hours, incident notification within 72 hours, final report within 1 month.

How does NIS2 affect board members?

Article 20 requires boards to approve cybersecurity measures, undergo training, and bear personal responsibility. Under Germany's law, executives face personal fines and potential temporary suspension.

Does NIS2 apply to small businesses?

Generally no (under 50 employees / €10M turnover are excluded). Exceptions exist for trust service providers, TLD registries, DNS providers, and telecoms.

How does NIS2 relate to ISO 27001?

Significant overlap, but NIS2 adds mandatory incident reporting timelines, personal management liability, and detailed supply chain requirements. ISO 27001 certification alone doesn't guarantee NIS2 compliance.

How does NIS2 interact with GDPR and DORA?

NIS2 focuses on network/system security; GDPR on personal data protection — both may apply to a cyber incident. DORA takes precedence for financial entities under the lex specialis principle.


This guide is for informational purposes and does not constitute legal advice. Consult qualified legal and cybersecurity professionals for your specific NIS2 obligations.

Start Your NIS2 Compliance Journey

See your compliance gaps in minutes. AI-powered scanning with NIS2, DSGVO, and DORA mapping built in.

Start Free Scan →

Security is not optional.

🗡️ The KENSAI Team