NIS2 Guide 2026: Obligations, Fines, Roadmap under § 30 BSIG

1. What is NIS2?

The Network and Information Security Directive 2 (Directive (EU) 2022/2555, the NIS-2 Directive) is the second generation of EU cybersecurity legislation for critical and important sectors. It supersedes the predecessor NIS1 Directive from 2016 and significantly extends the scope: from approximately 1,700 entities under NIS1 to about 29,500 under NIS2 in Germany (BSI estimate 2024).

National transposition came through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which completely rewrites the BSI Act (BSIG). Entry into force: 06.12.2025. The original EU transposition deadline was 17.10.2024 — Germany missed this deadline by 14 months, prompting the European Commission to open an infringement procedure (EU-Pilot 9930/24/CNECT) in February 2025.

NIS2 pursues four central objectives:

• Harmonisation of cybersecurity standards across the EU — ending fragmented national approaches.
• Tightening of obligations for medium-sized and large entities in critical sectors — risk-based minimum measures under Art. 21 NIS-2 Directive.
• Direct liability of management (Art. 20 NIS-2 Directive, transposed in Germany as § 38 BSIG) — personal responsibility that cannot be delegated to IT.
• Uniform notification duties with staged deadlines (24h early warning, 72h notification, 1-month final report).

Critical: NIS2 is not a voluntary security standard, but a law subject to fines with personal management liability. Anyone operating in one of the 18 sectors and meeting the size criteria is obligated to implement the 10 minimum measures — regardless of whether an incident has occurred.

2. Who is affected by NIS2?

The scope is defined in § 28 BSIG (structured by sectors and size criteria). Three categories of affected entities:

2.1 Essential entities

Large companies (≥250 staff or ≥€50M annual turnover and balance sheet ≥€43M) in the 11 high-criticality sectors per Annex 1 BSIG:

• Energy (electricity, gas, oil, district heating, hydrogen)
• Transport (aviation, rail, maritime, road)
• Banking (credit institutions)
• Financial market infrastructures
• Health (incl. pharma, medical device manufacturers)
• Drinking water
• Wastewater
• Digital infrastructure (telecoms, DNS, TLD registries, cloud, data centres)
• ICT service management (managed services, managed security services)
• Public administration (federal and state)
• Space

2.2 Important entities

Medium-sized companies (50–249 staff or €10M–€50M turnover) in the 18 sectors per Annexes 1 and 2 BSIG. In addition to the 11 high-criticality sectors, 7 more apply:

• Postal and courier services
• Waste management
• Chemical production, manufacturing, trade
• Food production, processing, distribution
• Manufacturing (incl. medical devices, computers, electrical equipment, machinery, vehicles)
• Digital providers (online marketplaces, search engines, social networks)
• Research

2.3 KRITIS operators (special category)

Operators of critical infrastructure under the KRITIS umbrella act are automatically essential entities regardless of size criteria. Thresholds follow the KRITIS Ordinance (e.g. electricity supply from 100,000 households, hospitals from 30,000 inpatient cases per year).

2.4 Sector special rules (size irrelevant)

In certain sectors NIS2 applies regardless of size (§ 28 (3) BSIG):

• Qualified trust service providers (eIDAS)
• TLD registries + DNS service providers
• Providers of publicly available electronic communication services
• Providers of publicly available electronic communication networks
• Certain public administration providers

Practical note: For corporate group structures, § 28 (4) BSIG applies: affiliated entities are assessed jointly. A subsidiary with only 30 staff may fall under NIS2 through group affiliation.

3. The 10 mandatory measures under § 30 BSIG

§ 30 BSIG ("risk-management measures") is the operational heart of NIS2. It implements Art. 21 NIS-2 Directive and requires every essential and important entity to implement the following 10 minimum measures — risk-based, demonstrable, regularly reviewed:

Importantly: proportionality depends on size, risk exposure and sector (§ 30 (1) BSIG: "appropriate, proportionate technical and organisational measures"). Smaller important entities need not implement everything at large-corporation depth — but each of the 10 measures must be documented and demonstrable.

4. Deadlines 2024–2027

Reality Q1 2026: only ~38.5% of approximately 29,500 affected entities are registered with the BSI (source: Bitkom survey February 2026, n=1,002). 12% report full implementation, 25% have not yet started. Registering now is late — but better than not at all.

5. Fines and management liability (§ 38 BSIG)

NIS2 has introduced personal management liability into German cybersecurity law for the first time. This is a qualitative leap compared to NIS1, which only sanctioned the legal entity.

5.1 Fines against the entity (§ 60 BSIG)

Sanctionable offences include: violation of § 30 BSIG (10 measures), violation of § 32 BSIG (notification duties), failure to register with the BSI, false or delayed authority communications.

5.2 Management liability under § 38 BSIG

§ 38 BSIG is the German transposition of Art. 20 NIS-2 Directive. The provision requires:

• § 38 (1): Management approves the risk-management measures under § 30 BSIG personally — delegation to CIO/CISO is insufficient.
• § 38 (2): Management oversees the implementation of measures.
• § 38 (3): Management must complete regular cybersecurity training — documented.

Consequence: with proven breach of duty by management, personal liability with private assets applies, analogous to § 43 GmbHG. This is not covered by D&O insurance when the violation rests on omission — many D&O policies exclude wilful breach of duty.

Practical implication: Managers must formally approve the § 30 measures (board resolution, MD sign-off), have implementation audited annually, and document their own training. Those who don't are personally liable — even if they "don't understand cybersecurity".

6. 12-step roadmap for NIS2 implementation

A pragmatic roadmap for medium-sized entities (50–250 staff) without dedicated CISO function. Timeframe: 4–6 months with prioritised implementation, 8–10 months with limited resources.

1. Scoping (week 1): § 28 BSIG check, sector classification, size criteria, corporate-group affiliation review.
2. BSI registration (week 2): Sign up via BSI reporting portal, designate contact person.
3. Gap analysis (weeks 3–4): Current state vs. § 30 BSIG measures 1–10. Which policies and processes are missing?
4. Management resolution + training (week 4): Board resolution on NIS2 roadmap, complete first management training and document it.
5. ISMS build (weeks 5–10): Information-security policy, risk-management process, risk register, security organisation.
6. Incident-response plan (weeks 8–10): Reporting chain for 24h/72h/1-month deadlines, emergency contacts, escalation matrix, test scenarios.
7. BCM plan (weeks 10–14): Business Impact Analysis, define RTO/RPO, emergency-recovery plan, DR tests.
8. Supply-chain audit (weeks 10–16): List of all ICT suppliers, risk classification, contract amendments with 6 NIS2 clauses.
9. Technical measures (weeks 12–20): MFA across all systems, encryption, access matrix, logging concept, patch management.
10. Awareness training (weeks 14–20): Staff training (annual), phishing simulations, awareness campaigns.
11. Internal audits (weeks 20–24): Effectiveness assessment of measures, vulnerability analysis, management review.
12. Continuous improvement: Quarterly reviews, annual risk updates, adaptation to BSI sector guidance.

7. The most common NIS2 implementation mistakes

1. "We're below the threshold" — without group check. § 28 (4) BSIG includes affiliated entities. A 30-staff subsidiary can fall under NIS2 through group affiliation.
2. ISO 27001 certification treated as NIS2 compliance. ISO 27001 covers ~70–80% of § 30 BSIG requirements — but not § 32 BSIG notification duties, supply-chain audit and § 38 management training.
3. Delegation of management duties to IT leadership. § 38 BSIG requires self-approval by management. A written power of attorney to the CISO is insufficient.
4. Suppliers not adequately assessed. § 30 (2) No. 4 BSIG requires risk-based supplier assessment — not just direct providers, but their sub-processors for critical services.
5. Notification duties underestimated. The 24-hour early warning begins with awareness of the incident (§ 32 (1) BSIG). Weekends and holidays count — emergency readiness is mandatory.
6. Documentation for audits missing. Verbal agreements and "we do that anyway" are not audit evidence. Each of the 10 measures requires a documented policy + implementation evidence.
7. BSI registration forgotten. § 33 BSIG is independently sanctionable — even without an incident.

8. NIS2 vs. ISO 27001 — what covers what?

A common question: does existing ISO 27001 certification suffice for NIS2 compliance? Short answer: no, but it's a strong foundation. Longer answer:

Conclusion: ISO 27001 certification fulfils 70–80% of NIS2. The missing 20–30% is qualitatively critical (notification duties, management liability, BSI registration). Those with ISO 27001 build on top — those without can implement NIS2 directly per BSIG specifications, without needing to pursue certification.

9. Sector practice: NIS2 in different industries

9.1 Healthcare (hospitals, medical centres, care services)

Hospitals from 30,000 inpatient cases are KRITIS operators (BSI-Krit-V § 6) and automatically essential entities. Specifics:

• Ransomware risk significantly elevated — in 2024 at least 18 German hospitals were attacked (BSI Lagebericht 2024)
• 3-2-1 backup strategy mandatory, with offline backup copy (ransomware-resistant)
• Emergency plan with IT-outage scenario for 7–21 days (typical recovery time after ransomware)
• Medical-device cybersecurity (MDR + IEC 62304) integrated with NIS2
• Personnel security enhanced — patient data = Art. 9 GDPR + § 30 (2) No. 9 BSIG

9.2 Energy supply (electricity, gas, heating)

Energy providers from 100,000 households are KRITIS-mandatory. § 30 BSIG complements existing IT security catalogue requirements § 11 (1a) EnWG. Specifics:

• OT/IT convergence: SCADA systems, smart-meter gateways, remote-control technology
• IEC 62443 Industrial Cybersecurity as complementary standard
• Supply-chain audit particularly critical (hardware manufacturers, maintenance providers)
• BNetzA as additional sector supervisor

9.3 Mechanical engineering / Industry 4.0

Mid-sized engineering with IIoT, networked equipment or predictive-maintenance cloud falls under Annex 2 BSIG (manufacturing). Specifics:

• OT cybersecurity (machine tools, PLCs, robot cells) — IEC 62443 as standard
• Cyber Resilience Act (CRA, Regulation 2024/2847, from December 2027) supplements for connected products
• Supply chains particularly complex (tier-2/3 suppliers from Asia)
• Patent + know-how protection integrated (GeschGehG + NIS2 personnel security)

9.4 IT service providers + MSPs

ICT service providers are in Annex 1 BSIG and potentially essential. Specifics:

• Dual role: own NIS2 compliance + supplier duties towards own customers (B2B compliance chain)
• Cloud service providers additionally C5 requirements + EU Cloud Code of Conduct
• Incident response extended: not only own incidents, also client incidents
• Penetration tests annually + after each major change

9.5 Cloud providers + data centres

Cloud providers are automatically essential regardless of size (§ 28 (3) BSIG). Specifics:

• Multi-tenant security + tenant separation must be documented
• EU data-residency concept (Schrems II-compliant)
• Lift-and-shift providers are liable for security defaults

10. Anonymised case studies from practice

11. 7 NIS2 conflict cases 2024–2026

NIS2 is theory until it becomes practice. The following seven cases from the DACH region and its immediate surroundings show how cyber incidents unfold concretely within the NIS2 mechanics — from initial awareness through the 24-hour early-warning duty under § 32 BSIG to potential § 38 BSIG management liability. Each case includes the facts, the deadline assessment, the liability consequence and the operational lesson. Where NIS2 was not yet formally in force at the time of the incident, the case is treated as a pre-NIS2 precedent — illustrating how today's regime would assess that same incident now.

Cross-cutting lesson from all seven cases: NIS2 compliance is not decided at the moment of the incident, but in the weeks before — through the quality of the risk analysis, patch discipline, supplier contracts and escalation playbooks. Organisations that have documented this groundwork survive the incident in terms of both liability and reputation. Those who have not are caught under double pressure: technical crisis plus § 38 liability exposure.

12. Statistical NIS2 market data 2025/2026

The following figures are drawn from the BSI annual threat report 2024, complemented by the Bitkom NIS2 survey of February 2026 (n=1,002) and the ENISA Threat Landscape 2025. They show what the NIS2 scope looks like operationally — and where the largest implementation gaps lie.

• 70 attacked KRITIS operators in Germany during the 2024 reporting year (BSI Lagebericht 2024). The range spans short DDoS waves through multi-week ransomware events. Sectors with the highest incident density: healthcare, energy supply and municipal administration.
• €4.45M average recovery cost per NIS2-relevant incident (estimate from IBM Cost of a Data Breach Report 2025, DACH sample). The range goes from €0.8M (small important entity with good preparation) to >€50M (large corporate without a BCM plan).
• 89% of essential entities have a documented ISMS — but only a fraction have an active effectiveness review under § 30 (2) No. 6 BSIG. The gap between documentation and lived practice is the most frequent audit finding.
• 23% have multi-factor authentication on all privileged accounts — § 30 (2) No. 10 requires MFA across the board, not just for admins. Closing this gap is the most cost-efficient immediate measure for risk reduction.
• 1.2 million phishing incidents in DACH SMBs in 2024 (extrapolation from the Telekom security report and ENISA Threat Landscape). Phishing remains the dominant entry vector — the cyber-hygiene training prescribed by § 30 (2) No. 7 is therefore not a tick-box exercise but measurably effective.
• 38.5% BSI registration rate as of Q1 2026 (Bitkom). The gap corresponds to roughly 18,000 unregistered affected entities — an independently sanctionable breach of duty under § 33 BSIG.

The operational meaning: anyone implementing the § 30 minimum measures today is operating in a market where roughly 60% of competitors have the same gap. That is risk and opportunity simultaneously — incidents will continue at high frequency, but documented and prepared organisations reduce their expected loss costs by orders of magnitude.

13. 6 NIS2 myths in DACH

Every second initial consultation surfaces the same misconceptions. Six of them cost time, money and potentially the personal existence of management.

Myth 1: "We are not KRITIS — therefore no NIS2"

Wrong. § 28 BSIG knows two NIS2 categories beyond KRITIS: essential entities (from 250 staff or €50M turnover in 11 sectors) and important entities (50–249 staff or €10–50M turnover in 18 sectors). KRITIS is a subset, not a synonym. The majority of the ~29,500 NIS2-bound entities in Germany are important entities — not KRITIS.

Myth 2: "Compliance is owned by the IT department"

Wrong. § 38 BSIG explicitly anchors responsibility with management. Management approves, oversees and trains itself — not the CIO or CISO. Delegation of execution is possible, delegation of responsibility is not. Where duty is breached, management is personally liable with private assets (analogous to § 43 GmbHG).

Myth 3: "ISO 27001 is automatically enough"

Wrong — and at the same time not entirely wrong. ISO 27001:2022 covers approximately 80% of the § 30 BSIG minimum measures, in particular ISMS, risk management, access control and personnel security. The missing 20% is qualitatively decisive, however: the § 32 notification duties, § 33 BSI registration, the specific § 38 management training and the concrete supply-chain audit depth under § 30 (2) No. 4. For ISO-certified organisations, NIS2 compliance is therefore 80% mapping, 20% gap — and the gap is decisive.

Myth 4: "24-hour notification only applies to large incidents"

Wrong. § 32 BSIG knows no uniform threshold in euros or hours of outage. The duty applies to significant incidents, defined by the capacity to cause severe operational disruption or financial losses, or to materially affect other natural or legal persons. Even an apparently minor incident with plausible escalation falls under the notification duty — the assessment is performed ex ante, not ex post.

Myth 5: "In an acquisition, the buyer inherits no NIS2 duty"

Wrong. Asset deals and share deals are treated differently, but in both cases the NIS2 status transfers to the buyer where the acquired unit continues to operate in one of the 18 sectors above the thresholds. § 33 BSIG requires re-registration within 3 months of a significant structural change. Anyone who forgets NIS2 due diligence in an M&A transaction buys an immediately due compliance obligation plus potential legacy exposure.

Myth 6: "Cloud providers are only processors"

Wrong. Cloud service providers are themselves essential entities under § 28 BSIG, regardless of their role in the data-protection mechanic. Additionally, § 30 (2) No. 4 BSIG requires a principal-side supply-chain risk analysis — transferring responsibility via processor clauses alone does not satisfy NIS2. NIS2 and GDPR operate in two layers, both of which must be served.

Cross-cutting observation: All six myths have the same root — the assumption that NIS2 is a technical IT compliance task. In reality it is a governance task of management, in which IT teams perform the execution but do not carry the responsibility.

14. NIS2 across the DACH countries — status 2026

The NIS-2 Directive is European law; its transposition is a national prerogative. The DACH countries have moved along the transposition path at different speeds and with different supervisory structures — which means that organisations operating across borders must serve several compliance mechanics simultaneously.

Germany

The NIS2UmsuCG entered into force on 06.12.2025 and rewrote the BSI Act (BSIG-new, BGBl. 2025 I No. 285). Supervision lies with the BSI as central authority, complemented by sector-specific responsibilities of BNetzA (telecommunications, energy), BaFin (finance) and the state data-protection authorities (GDPR interface). The BSI portal for § 32 incident notifications has been productive since 01.01.2026 and accepts 24-hour early warnings, 72-hour incident notifications and 1-month final reports through a single interface. The registration deadline under § 33 BSIG ended on 06.03.2026; late registration is treated since then as an independently sanctionable breach.

Austria

The NISG 2026 is expected to enter into force on 01.10.2026, replacing the NIS legislation of 2018. The point of contact and supervisor is the Datenschutzbehörde (DSB) in Vienna, complemented by Austria's GovCERT in an operational CSIRT role. The Austrian transposition closely follows the German model for thresholds and sectors, but diverges in places on supply-chain obligations and notification mechanics — organisations operating across borders must serve both regimes in parallel. Transition periods largely mirror the German pattern with a 3-month registration window.

Switzerland

As a non-EU state, Switzerland is not directly bound by the NIS-2 Directive, but has a functionally comparable regime in preparation through the ISG Ordinance (ISG-V) (Information Security Act Ordinance). Entry into force is expected in Q4 2026, delayed against the original plan. Supervision will be carried out by the NCSC (National Cybersecurity Centre), which emerged from the former MELANI structure. Swiss companies with EU subsidiaries are nevertheless within NIS2 scope through § 28 BSIG or the Austrian NISG — the Swiss ISG-V adds a second layer, it does not replace.

Practical consequence for DACH groups: a NIS2 compliance architecture must address all three regimes simultaneously — a shared ISMS foundation, sector- and country-specific notification channels, harmonised supplier contracts. NIST CSF 2.0 has emerged as the bridging standard, because it connects to ISO 27001:2022 and to the § 30 BSIG measure logic alike, and is recognised across both EU member states and Switzerland.