nexalign

Regulation

What is NIS2? Obligations, Deadlines, Fines

NIS2 is Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. It repeals the first NIS Directive (2016/1148), widens the scope to roughly 30,000 companies in Germany alone, makes management bodies personally accountable and raises the floor of mandatory cybersecurity measures. Germany transposes it through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG).

Who is in scope?

NIS2 covers 18 sectors: the 11 sectors of high criticality in Annex I and the 7 other critical sectors in Annex II. The size threshold is the EU definition of a medium-sized enterprise: at least 50 employees, or an annual turnover and a balance sheet total above 10 M EUR. Whether an entity is essential or important depends on annex and size, not on the sector alone: large entities (at least 250 employees, or turnover above 50 M EUR and balance sheet total above 43 M EUR) in an Annex I sector are essential, while medium-sized Annex I entities and all Annex II entities are important. Some providers are classified as essential independently of this: qualified trust service providers, top-level domain name registries and DNS service providers regardless of size, and public electronic communications providers already at medium size (Art. 3(1)). Where sector-specific EU law such as DORA for the financial sector imposes at least equivalent obligations, it takes precedence over the NIS2 risk-management and reporting rules (Art. 4).

Annex I sectors (high criticality): energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure (including cloud, data centres, DNS, CDN, trust services and electronic communications), ICT service management (B2B), public administration, space.

Annex II sectors (other critical): postal and courier services, waste management, chemicals (manufacture, production, distribution), food (production, processing, distribution), manufacturing (medical devices, computers, electronics and optics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research.

Important: suppliers to in-scope entities are pulled in indirectly through the supply-chain measure in Art. 21(2)(d) and the supplier due diligence in Art. 21(3), which obliges the entity to take into account the vulnerabilities and cybersecurity practices of each direct supplier and service provider. A company that is formally out of scope can therefore be required by its customers' contract clauses to meet NIS2-level requirements in practice.

The ten minimum measures under Art. 21(2)

1. Risk analysis and information system security policies.

2. Incident handling.

3. Business continuity, such as backup management and disaster recovery, and crisis management.

4. Supply chain security, including security aspects of supplier relationships.

5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.

6. Policies and procedures to assess the effectiveness of cyber risk-management measures.

7. Basic cyber hygiene and training.

8. Policies and procedures for the use of cryptography and, where appropriate, encryption.

9. Human resources security, access control policies and asset management.

10. Use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

Reporting deadlines for incidents

Early warning: within 24 hours of becoming aware of a significant incident. Content, where applicable: whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact. The clock starts at awareness, not at the time the incident occurred, so detection-to-escalation must be fast enough to leave time for the report itself.

Incident notification: within 72 hours of becoming aware. Content: an update of the early warning plus an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. The CSIRT or competent authority may additionally request intermediate reports on relevant status updates.

Final report: at the latest one month after submission of the incident notification (note: the clock runs from the notification, not from awareness). Content: detailed description, severity, impact, type of threat or root cause, applied and ongoing mitigations, any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, and the final report follows within one month of the incident being handled.

Reporting authority in Germany: the BSI, via its reporting portal. NIS2 reporting does not replace parallel duties: a personal data breach must still be notified to the data protection authority under Art. 33 GDPR within 72 hours, and the Major Accidents Ordinance (Störfall-Verordnung), the BSI-KritisV or DORA may impose their own notifications at the same time.
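As an added example (not from the original page and not nexalign's code), the three clocks above expressed as a small tracker. It assumes timezone-aware UTC timestamps and reads "one month" as the same calendar day of the following month, clamped to that month's last day; the directive does not define the term, so confirm the rule the national law applies. The scenario dates are constructed.

```python
"""Tracks the three NIS2 Art. 23 reporting stages for one significant incident."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)  # Art. 23(4)(a): within 24 h of becoming aware
NOTIFICATION = timedelta(hours=72)   # Art. 23(4)(b): within 72 h of becoming aware


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; naive local times are rejected below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Assumption: 'one month after' means the same calendar day of the next month,
    clamped to that month's last day (31 Jan -> 28/29 Feb). The directive does not
    define 'month'; verify against the national transposition."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class ReportingTimeline:
    aware_at: datetime                           # when the entity became aware, not when it happened
    early_warning_at: Optional[datetime] = None  # actual submission times, None if not yet sent
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        for t in (self.aware_at, self.early_warning_at, self.notification_at, self.final_report_at):
            if t is not None and t.tzinfo is None:
                raise ValueError("all timestamps must be timezone-aware")

    def deadlines(self) -> dict:
        """Due times of the three stages."""
        due = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "notification": self.aware_at + NOTIFICATION,
        }
        # The final-report clock runs from the *submission* of the notification, not
        # from awareness; until it is submitted, project from the notification deadline.
        base = self.notification_at if self.notification_at is not None else due["notification"]
        due["final_report"] = add_one_month(base)
        return due

    def status(self, now: datetime) -> dict:
        """Per stage: on_time / late (submitted) or pending / overdue (not yet submitted)."""
        submitted = {
            "early_warning": self.early_warning_at,
            "notification": self.notification_at,
            "final_report": self.final_report_at,
        }
        result = {}
        for stage, due in self.deadlines().items():
            sent = submitted[stage]
            if sent is not None:
                result[stage] = "on_time" if sent <= due else "late"
            else:
                result[stage] = "overdue" if now > due else "pending"
        return result


def example() -> dict:
    """Constructed scenario: aware on 10 Mar 2025 09:00 UTC, early warning sent after
    11 h, notification after 49 h, final report not yet sent; checked on 20 Mar 2025."""
    tl = ReportingTimeline(
        aware_at=utc(2025, 3, 10, 9),
        early_warning_at=utc(2025, 3, 10, 20),
        notification_at=utc(2025, 3, 12, 10),
    )
    return {"deadlines": tl.deadlines(), "status": tl.status(utc(2025, 3, 20))}


if __name__ == "__main__":
    for stage, value in example().items():
        print(stage, value)
```

Wire `aware_at` to the timestamp the incident record was escalated to "significant", not to the SIEM alert time, and feed `status()` into the on-call dashboard; the interesting failure mode is the final-report clock silently moving when the notification goes out early or late.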

Personal liability of management bodies

Art. 20 NIS2 requires management bodies to approve the cyber risk-management measures, oversee their implementation and follow training themselves. Members of the management body can be held liable for infringements. For essential entities, Art. 32(5) additionally allows the competent authority to request that a natural person with managerial responsibility at CEO or legal-representative level be temporarily barred from exercising those functions.

Fines

Essential entities: up to 10 M EUR or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Important entities: up to 7 M EUR or 1.4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Additional sanctions: public disclosure of violations, suspension of certifications or authorisations and, for essential entities in severe cases, the temporary prohibition of management functions for senior officers.

Status of German transposition

The EU transposition deadline was 17 October 2024. The NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) is still in the legislative process; as of 2026, entry into force is expected in the coming months. The BSI is already preparing and reviewing companies' readiness. A wait-and-see strategy is risky: compliance programmes take 6-12 months, and there is no grace period after entry into force.

What companies should do now

1. Check applicability: am I essential, important, or a supplier to an in-scope entity?

2. Run a gap assessment against Art. 21, ideally as a delta to existing ISO 27001 controls.

3. Make structured decisions on the largest investments: EDR/XDR, IAM with MFA, SIEM/SOC, backup/DR, supplier management.

4. Test reporting paths technically and organisationally, including the 24 h early warning.

5. Train management bodies and document board approvals of the cyber risk-management strategy.

6. Document each of these decisions in a way that survives BSI scrutiny: weighted criteria, dealbreakers, stakeholder alignment, residual risks. That is exactly what a decision memo provides.

DecisionOS and NIS2

We build DecisionOS as the decision infrastructure for exactly these NIS2-driven investment decisions. Each memo maps to Art. 21 minimum measures, documents stakeholder alignment, exposes residual risks and produces a Readiness Score that signals true audit readiness. EU-hosted in Nuremberg, Germany. Book a demo at nexalign.io/book.