← 블로그로 돌아가기
NIS2 COMPLIANCE
12분 읽기
NIS2 규정 준수 체크리스트: 모든 DACH 기업이 2027년까지 완료해야 할 10단계
Germany, Austria, and Switzerland each implement NIS2 differently. This DACH-specific checklist gives you the exact 10 steps — with country-specific requirements, real deadlines, and 벌금 amounts — so you can achieve compliance before enforcement begins.
DACH 기업에 특화된 NIS2 체크리스트가 필요한 이유
The EU NIS2 Directive (2022/2555) was supposed to be transposed by October 17, 2024. Reality looks different: Germany's NIS2UmsuCG is still working through parliament, Austria passed its NISG 2024 in mid-2025, and Switzerland — while not an EU member — has aligned its Information Security Act (ISG) with NIS2 principles.
The bottom line: enforcement is coming in 2026-2027, and companies that haven't started preparing will face fines up to €10 million or 2% of global turnover for essential entities.
This checklist is built for the DACH reality — three countries, three legal frameworks, one directive.
1단계: NIS2 분류 결정
What to do:
- Essential Entity: Energy, transport, banking, healthcare, digital infrastructure, ICT service management, public administration, space (250+ employees OR €50M+ turnover)
- Important Entity: Postal services, waste, chemicals, food, manufacturing, digital providers, research (50+ employees OR €10M+ turnover)
- Germany-specific: The NIS2UmsuCG introduces "besonders wichtige Einrichtungen" (especially important entities) and "wichtige Einrichtungen" (important entities) with slightly different thresholds
- Austria-specific: NISG 2024 follows EU thresholds closely but adds specific provisions for 핵심 인프라 운영자 already registered under NISG 1.0
- Switzerland-specific: The ISG applies to federal IT systems and 핵심 인프라 운영자. Check BACS (Federal Cyber Security Centre) guidance for your sector
⚡ Action Item: Complete your entity classification by mapping your sector, size, and country-specific criteria. Document the result — you'll need it for registration.
2단계: 국가 기관 등록
What to do:
- Germany: Register with BSI (Bundesamt für Sicherheit in der Informationstechnik). The NIS2UmsuCG requires registration within 3 months of being identified as in-scope
- Austria: Register with the Interior Ministry's Cybersecurity authority. Entities already registered under NISG 1.0 must update their registration
- Switzerland: Report to BACS for critical infrastructure sectors. Mandatory 사고 보고 was enacted via ISG amendment effective January 2025
⚡ Action Item: Identify your national competent authority, prepare registration documents, and set a deadline for submission — ideally Q1 2026.
3단계: 사이버보안 거버넌스 구조 지정
What to do:
- Designate a CISO or equivalent with direct reporting line to the management board
- Management liability: NIS2 Article 20 makes management bodies personally liable for cybersecurity. Board members must attend cybersecurity training
- Establish a cybersecurity committee with quarterly review cadence
- Germany-specific: §38 NIS2UmsuCG explicitly requires Geschäftsleitung (management) approval of cybersecurity risk measures — and holds them personally liable
- Budget allocation: Industry benchmarks suggest 8-14% of IT budget for cybersecurity. NIS2-regulated entities in DACH should target the upper range
⚡ Action Item: Present NIS2 management liability implications to your board. Get formal acknowledgment and budget approval documented.
4단계: 종합 위험 평가 실시
What to do:
- Perform an all-hazards 위험 평가 per NIS2 Article 21 — covering cyber threats, physical threats, and supply chain risks
- Map all critical assets: networks, information systems, APIs, cloud services, OT/ICS systems
- Use established frameworks: ISO 27005, BSI IT-Grundschutz (especially for German entities), or NIST CSF
- Include supply chain risk — NIS2 explicitly requires assessing third-party and supplier security
- Document risk appetite and acceptance criteria, approved by management
⚡ Action Item: Launch a 위험 평가 project. For German companies, align with BSI IT-Grundschutz. Deadline: complete initial assessment within 6 months.
5단계: 기술적 보안 조치 구현
What to do (NIS2 Article 21.2 requirements):
- (a) Risk analysis & information system security policies — formalize and publish internal policies
- (b) Incident handling — deploy SIEM/SOAR, establish playbooks for common scenarios
- (c) Business continuity & crisis management — backup management, disaster recovery, crisis response plans
- (d) Supply chain security — vendor 위험 평가s, contractual security requirements, SBOMs for software
- (e) Security in acquisition, development & maintenance — 취약점 handling and disclosure policies
- (f) Cybersecurity 위험 평가 effectiveness — regular testing, metrics, KPIs
- (g) Cyber hygiene & training — security awareness programs for all employees
- (h) Cryptography & encryption — encryption at rest and in transit, key management
- (i) HR security & access control — MFA, least privilege, PAM solutions
- (j) Multi-factor authentication & secure communications — enforce MFA on all critical systems
⚡ Action Item: Map your current security controls against all 10 sub-requirements of Article 21.2. Identify and prioritize gaps.
6단계: 사고 보고 절차 수립
What to do:
- Early warning: Within 24 hours of becoming aware of a significant incident — notify your national CSIRT/authority
- Incident notification: Within 72 hours — provide initial assessment including severity, impact, and IoCs
- Final report: Within 1 month — detailed description, root cause, mitigation measures, cross-border impact
- Germany: BSI is the primary recipient. Use the BSI reporting portal (to be established under NIS2UmsuCG)
- Austria: Report to CERT.at and the designated national authority
- Switzerland: BACS 의무 보고 since April 2025 for critical infrastructure; 24-hour window
⚡ Action Item: Create incident response templates for each reporting stage. Run a tabletop exercise to test your 24-hour early warning capability.
7단계: 지속적 취약점 관리 구현
What to do:
- Deploy continuous 취약점 scanning across all internet-facing and internal systems
- Establish patch management SLAs: 치명적 취약점 within 48 hours, 높음 within 7 days
- Implement 취약점 disclosure policies (NIS2 Article 21.2e explicitly requires this)
- Track Mean Time to Remediate (MTTR) as a board-level KPI
- Consider automated penetration testing to supplement periodic manual assessments
⚡ Action Item: If you're not scanning continuously, start today.
KENSAI's free scan gives you immediate visibility into your external attack surface — exactly what NIS2 auditors will check first.
8단계: 공급망 보안
What to do:
- Inventory all critical suppliers and service providers — cloud, SaaS, managed services, software vendors
- Include cybersecurity requirements in contracts: SLAs for patch management, incident notification, audit rights
- Request ISO 27001 certificates or equivalent from critical suppliers
- Implement Software Bill of Materials (SBOM) requirements for custom software
- DACH-specific: Many German Mittelstand companies are suppliers to NIS2 essential entities — expect cascading 규정 준수 요구사항
⚡ Action Item: Create a critical supplier register. Send security questionnaires to your top 20 suppliers within 30 days.
9단계: 감사 및 감독 준비
What to do:
- Essential entities: Subject to proactive supervision — expect regular audits, security scans, and on-site inspections
- Important entities: Reactive supervision — audits triggered by incidents or complaints
- Maintain audit-ready documentation: 위험 평가s, security policies, incident logs, training records, supplier assessments
- Germany: BSI can conduct audits and issue binding instructions. 아니오n-compliance can result in daily 벌금 payments
- Austria: The NISG 2024 grants inspection authorities access to premises and data
- Know the 벌금 framework: Essential entities face up to €10M or 2% of global turnover; Important entities up to €7M or 1.4%
⚡ Action Item: Conduct an internal NIS2 readiness assessment. 점수 yourself against each Article 21 requirement. Fix critical gaps before external auditors arrive.
10단계: 지속적 규정 준수 문화 구축
What to do:
- NIS2 is not a one-time project — it's an ongoing obligation. Build compliance into BAU operations
- Schedule quarterly security reviews with management board participation
- Run annual tabletop exercises simulating incident response scenarios
- Track compliance KPIs: 취약점 MTTR, training completion rates, incident response times, supplier assessment coverage
- Stay current with ENISA guidance, national authority updates, and evolving threat landscape
- Plan for NIS2 implementing acts — the European Commission will issue technical specifications for specific sectors
⚡ Action Item: Create a 12-month NIS2 compliance roadmap with quarterly milestones. Present it to the board and get sign-off.
DACH 벌금 비교
| Country | Essential Entities | Important Entities | Management Liability |
| Germany | Up to €10M or 2% global turnover | Up to €7M or 1.4% global turnover | Personal liability for Geschäftsführer/Vorstand |
| Austria | Up to €10M or 2% global turnover | Up to €7M or 1.4% global turnover | Management body accountability per NISG 2024 |
| Switzerland | Up to CHF 100,000 (ISG) | Sector-specific 벌금 | Individual liability for negligent non-reporting |
2026-2027 NIS2 타임라인
| Quarter | Milestone |
| Q1 2026 | Complete entity classification and registration |
| Q2 2026 | Finish 위험 평가 and gap analysis |
| Q3 2026 | Implement technical measures and 사고 보고 |
| Q4 2026 | Supply chain security and audit preparation |
| Q1 2027 | Internal audit, remediation, and continuous compliance |
시행을 기다리지 마세요
The biggest mistake DACH companies make is treating NIS2 as a future problem. With Germany's NIS2UmsuCG expected to pass in 2026 and Austria already enforcing NISG 2024, the compliance window is closing fast.
Companies that start now will have a structured, manageable path to compliance. Those that wait will face rushed implementations, higher costs, and potential 벌금.
Start Your NIS2 Compliance Journey
See where your organization stands today. KENSAI's free external scan checks your attack surface against NIS2 requirements.
Run Free NIS2 Scan →
Published by KENSAI Research Team · 2026-02-28