The NIS2 Directive (Directive (EU) 2022/2555) represents the most significant overhaul of European cybersecurity legislation in a decade. With NIS2UmSatzG now in force since March 6, 2026, German organizations face binding legal obligations—and personal liability for executive management bodies.
As a former head of IT in a regulated company, I have resolved both external and internal cyber incidents and know first-hand how cybersecurity frameworks like ISO 27001 only provide a limited basis for real cybersecurity. Here's what you need to know.
Understanding NIS2 Scope: Are You Affected?
The first critical question: does NIS2 apply to your organization?
Essential Entities (EU-wide mandatory)
- Energy (electricity, district heating/cooling, oil, gas, hydrogen)
- Transport (air, rail, road, maritime, inland waterways)
- Banking and financial market infrastructure
- Healthcare (hospitals, medical device manufacturers, laboratories)
- Drinking water and wastewater
- Digital infrastructure (cloud providers, data centers, DNS)
- Public administration (central and regional governments)
Important Entities (Member States decide on application)
- Postal and courier services
- Waste management
- Chemical production
- Food production, processing, and distribution
- Manufacturing (computers, electronics, machinery, motor vehicles)
- Research institutions
The SME Exemption Trap
Organizations with fewer than 50 employees AND annual turnover below €10 million may qualify for exemption. However, this is not automatic:
- Count all employees across parent and subsidiary companies
- Calculate turnover based on EU-wide consolidated figures
- The exemption applies to the entire corporate group, not individual entities
If your organization provides services to critical infrastructure operators, you may still be subject to supply chain security requirements regardless of size.
The 10 NIS2 Security Categories
Article 21 of NIS2 mandates specific security measures across these domains:
1. Risk Analysis and Security Policy
- Documented risk assessments covering all critical functions
- Security policies reviewed annually and after significant changes
- Business continuity and disaster recovery plans
2. Incident Handling
- Documented incident response procedures
- 24-hour notification to national authority for significant incidents
- 72-hour submission of incident report with initial assessment
3. Business Continuity
- Quarterly tested backup and recovery procedures
- Crisis communication plans
- Redundancy for critical systems
4. Supply Chain Security
- Security requirements in vendor contracts
- Third-party security assessments
- Dependency mapping for critical suppliers
5. Security in Network and Information Systems Acquisition, Development and Maintenance
- Security-by-design requirements
- Vulnerability management for all acquired systems
- Patch management procedures
6. Cyber Hygiene and Training
- Annual security awareness training
- Phishing simulation exercises
- Role-specific training for security personnel
7. Asset Management
- Comprehensive inventory of IT assets
- Configuration Management Database (CMDB)
- Asset classification based on criticality
8. Access Control
- Zero-trust architecture principles
- Multi-factor authentication enforced
- Privileged Access Management (PAM)
9. Cryptography
- Encryption standards meeting current best practices
- Key management procedures
- Cryptographic agility for algorithm transitions
10. Physical Security
- Access controls for server facilities
- Environmental controls
- Visitor management
Personal Liability: What Executives Need to Understand
This is critical: Under NIS2 Article 20, management bodies can face personal liability for compliance failures.
What This Means Practically
- Fines: Up to €10 million or 2% of global annual turnover (whichever is higher) for essential entities
- Reputational damage: Public disclosure of non-compliance
- Operational restrictions: Competent authorities can mandate temporary restrictions on business activities
- Personal liability: Individual executives can be held accountable
Your Fiduciary Duty
As a management body member, you are personally responsible for:
- Approving and overseeing implementation of security measures
- Ensuring adequate budget allocation for cybersecurity
- Receiving regular briefings on security posture
- Including cybersecurity in risk management oversight
The "I didn't know" defense is not acceptable. Regulators expect executives to demonstrate active engagement with cybersecurity governance.
The 72-Hour Timeline: Incident Response Reality
When a significant security incident occurs, NIS2 mandates strict timelines:
| Phase | Deadline | Action |
|---|---|---|
| Initial notification | Within 24 hours | Early warning to BSI-CERT |
| Incident report | Within 72 hours | Initial assessment, severity classification |
| Final report | Within 1 month | Detailed report with root cause analysis |
| Interim updates | Ongoing | Any significant developments |
What Constitutes a "Significant Incident"?
An incident is significant if it:
- Causes severe operational disruption or financial loss
- Affects other natural or legal persons (e.g., supply chain impact)
- Has resulted or may result in substantial harm (data breaches affecting personal data)
Document everything from the first moment of suspicion. Your incident response documentation will be scrutinized.
Supply Chain Security: The Often-Ignored Requirement
Organizations often focus on internal security while neglecting the supply chain—a critical vulnerability.
Practical Steps
- Map your critical dependencies
  - Identify all vendors with access to your systems
  - Classify vendors by criticality
  - Document data flows with external parties
- Contractual security requirements
  - Include security SLAs in all vendor agreements
  - Require vulnerability disclosure procedures
  - Mandate incident notification within defined timeframes
- Ongoing monitoring
  - Annual security questionnaires
  - Penetration test results sharing requirements
  - Right-to-audit clauses
From Paper Compliance to Verified Security Posture
Many organizations achieve "paper compliance"—they have the documentation but cannot demonstrate actual security effectiveness.
The Problem
NIS2 requires proof of execution, not just the existence of policies. When regulators audit, they look for:
- Evidence that controls were tested
- Metrics demonstrating security effectiveness
- Documented remediation of findings
- Continuous improvement over time
The GAMP 5 Approach
Drawing from pharmaceutical validation methodology, I apply a rigorous evidence-based approach:
- Requirements specification: What must the security posture achieve?
- Design qualification: How does the security architecture address these requirements?
- Installation qualification: Are security controls properly implemented?
- Operational qualification: Do controls function as designed?
- Performance qualification: Is the security posture demonstrably effective?
This isn't about creating mountains of documentation—it's about creating actionable evidence that proves your security posture works.
How I Can Help
My approach combines extensive IT security experience with the validation rigor required in regulated industries. I offer:
NIS2 Compliance Assessment
A comprehensive gap analysis against all 10 NIS2 security categories, with prioritized remediation recommendations and executive-level reporting.
Executive Briefing
For management bodies who need to demonstrate active oversight without becoming technical experts. Clear, actionable guidance on your fiduciary responsibilities.
Incident Response Planning
Documented procedures designed for the 24/72-hour NIS2 timeline, including tabletop exercises to test your team's readiness.
Supply Chain Security Review
Vendor assessment frameworks and contractual templates to strengthen your supply chain security without disrupting operations.
Every engagement includes fixed pricing—no surprises, no scope creep, no hourly billing.
Need help with your NIS2 compliance journey? Connect with me on LinkedIn to discuss your specific situation, or visit CZECURE.eu for a free initial consultation.