Tags: NIS2 · Compliance · DACH · Regulation

NIS2 Readiness: What German CISOs Actually Need to Do

January 28, 2026 · 6 min read

If you’re a CISO at a German enterprise, you’ve been hearing about NIS2 for two years. The directive entered into force in January 2023. Member states had until October 17, 2024 to transpose it into national law. Germany, characteristically, is late — but the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) is coming, and when it lands, there won’t be a grace period.

Here’s what you actually need to do. Not the jargon-filled version. The practical one.

At a glance:

  • 18 sectors in scope
  • 24h incident reporting deadline
  • €10M maximum fine (essential entities)
  • 60-70% overlap with ISO 27001

Who’s in Scope? Probably You.

NIS2 massively expanded the scope compared to NIS1. If your organisation operates in one of 18 sectors and meets the size threshold, you’re in scope:

Essential entities (stricter requirements, proactive supervision):

  • Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space

Important entities (lighter touch, reactive supervision):

  • Postal services, waste management, chemicals, food, manufacturing, digital providers, research

Size thresholds:

  • Medium: 50+ employees OR €10M+ turnover
  • Large: 250+ employees OR €50M+ turnover

If you’re a Mittelstand company with 50+ employees in manufacturing — congratulations, you’re in scope. Many organisations don’t realise this yet.

Article 21: The 10 Minimum Measures

Article 21 is the heart of NIS2. It requires “appropriate and proportionate technical, operational and organisational measures” across 10 areas:

  1. Risk analysis and information system security policies
  2. Incident handling (detection, response, reporting)
  3. Business continuity and crisis management (backup, disaster recovery)
  4. Supply chain security (including vendor risk management)
  5. Security in network and information systems acquisition, development, and maintenance (including vulnerability handling)
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies on the use of cryptography and encryption
  9. Human resources security, access control, and asset management
  10. Multi-factor authentication, secured communications, and secured emergency communications

If you’re already ISO 27001 certified, you’ll recognise most of these. That’s intentional — NIS2 explicitly references international standards. But there are gaps, and they matter.

Where ISO 27001 Isn’t Enough

Having ISO 27001 certification gives you a head start, but NIS2 adds requirements that go beyond the standard:

Incident reporting timelines are aggressive:

  • 24 hours: Early warning to the competent authority (BSI in Germany)
  • 72 hours: Full incident notification with initial assessment
  • 1 month: Final report with root cause, impact, and remediation

Your current incident response process probably doesn’t hit these timelines. Most don’t.

Supply chain security gets specific: NIS2 requires you to assess the cybersecurity posture of your direct suppliers and service providers. Not just a questionnaire — actual assessment of their security measures, product quality, and cybersecurity practices.

Management body accountability: This is the one that gets board attention. NIS2 makes management bodies (Geschäftsführung/Vorstand) personally accountable for cybersecurity measures. They must approve the risk management measures, oversee implementation, and undergo cybersecurity training. This isn’t optional.

Fines are real:

  • Essential entities: Up to €10M or 2% of global annual turnover
  • Important entities: Up to €7M or 1.4% of global annual turnover

These are GDPR-level fines. Applied to cybersecurity.

The Practical Roadmap

Here’s what I recommend to every German CISO:

Phase 1 — Scope & Gap (Weeks 1–4)

  • Confirm your classification: Essential or important entity? Which sector(s)? This determines your supervision regime and reporting obligations.
  • Map Article 21 to existing controls: If you have ISO 27001, you're 60-70% there. Document the gaps explicitly.
  • Assess incident reporting capability: Can you realistically notify BSI within 24 hours? Most organisations can't today.
  • Review supply chain security: How do you currently assess vendor cybersecurity? NIS2 requires more rigour than most organisations have.

Phase 2 — Remediate (Weeks 5–12)

  • Update incident response process: Build the 24h/72h/1-month reporting workflow. Test it. Automate notifications where possible.
  • Establish management accountability: Brief the Geschäftsführung. Get formal approval of risk management measures. Schedule cybersecurity training for the board.
  • Strengthen supply chain security: Implement tiered vendor risk assessment. Critical suppliers get deep assessment. Others get standardised questionnaires.
  • Address technical gaps: MFA everywhere it's not. Encryption policies documented. Vulnerability management tightened.

Phase 3 — Sustain (Ongoing)

  • Continuous monitoring: NIS2 isn't a point-in-time compliance exercise. Build continuous assessment into your operations.
  • Regular testing: Test your incident response. Test your business continuity. Test your supply chain resilience. Document everything.
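The 24h/72h/1-month reporting workflow from the Phase 2 step above and the timeline list earlier, as an added example in Python (not code from the article): a deadline clock that tells the incident team which NIS2 report is next due or already overdue. It assumes "1 month" means the same calendar day of the following month and uses a constructed sample incident.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the article: a deadline clock for the three NIS2
# reporting stages it lists (24 h early warning, 72 h notification, 1 month
# final report), all counted from when the entity became aware of the incident.
# Assumption: "1 month" means the same calendar day of the following month.

STAGES = ("early_warning", "incident_notification", "final_report")

def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=t.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return t.replace(year=year, month=month, day=min(t.day, last_day))

def deadlines(aware_at: datetime) -> dict:
    """Absolute deadline per stage, in the order the reports are due."""
    return {"early_warning": aware_at + timedelta(hours=24),
            "incident_notification": aware_at + timedelta(hours=72),
            "final_report": add_one_month(aware_at)}

def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Per stage -> (state, hours). States: submitted_on_time / submitted_late
    (hours = filing time minus deadline), due (hours left), overdue (hours past)."""
    hours = lambda a, b: round((a - b).total_seconds() / 3600, 1)
    status = {}
    for stage, due in deadlines(aware_at).items():
        if stage in submitted:
            state = "submitted_late" if submitted[stage] > due else "submitted_on_time"
            status[stage] = (state, hours(submitted[stage], due))
        elif now <= due:
            status[stage] = ("due", hours(due, now))
        else:
            status[stage] = ("overdue", hours(now, due))
    return status

def next_action(status: dict):
    """Earliest stage not yet filed, or None once all three reports are in."""
    return next((s for s in STAGES if not status[s][0].startswith("submitted")), None)

def demo():
    """Constructed sample: aware at 09:00 UTC on 28 Jan 2026, early warning filed
    after 20 h, clock checked 30 h after awareness."""
    aware = datetime(2026, 1, 28, 9, 0, tzinfo=timezone.utc)
    filed = {"early_warning": aware + timedelta(hours=20)}
    status = reporting_status(aware, filed, aware + timedelta(hours=30))
    return status, next_action(status)
```

Wire `reporting_status` to whatever your ticketing or paging tool exposes, and the "due" hours value becomes the escalation trigger the roadmap asks you to automate.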

How AI Accelerates NIS2 Compliance

This is where it gets interesting. The 10 Article 21 requirements generate enormous amounts of work — documentation, assessment, monitoring, reporting. AI can compress months of effort into weeks:

Without AI vs. with AI agents:

  • Vendor assessment: 2–3 weeks → 3 hours
  • Incident report draft: 4–6 hours → minutes
  • Policy gap analysis: 2 weeks → 2 hours
  • Compliance checks: quarterly → continuous
  • Board reporting: manual, monthly → real-time

Key insight: AI doesn't replace your compliance team — it removes the grunt work. Your GRC analyst stops manually filling vendor questionnaires and starts making risk decisions. Your CISO gets real-time dashboards instead of stale quarterly reports.

The Bottom Line

NIS2 is coming to Germany. The exact timeline is uncertain, but the requirements are not. If you’re in scope — and if you have 50+ employees in any of the 18 sectors, you probably are — start now.

The good news: if you have ISO 27001, you’re 60-70% there. The bad news: the remaining 30-40% includes the hardest parts — incident reporting timelines, supply chain security, and management accountability.

Don’t wait for the Umsetzungsgesetz to be finalised. The requirements from the directive are clear. Start your gap analysis today, and consider where AI can compress your timeline from months to weeks.

Your board will thank you when the law lands and you’re already compliant.


Need help with this?

We help enterprise security teams implement what you just read — from strategy through AI-powered automation. First strategy session is free.