NIS2 & Cybersecurity
NIS2UmsuCG in force since 06 December 2025 (Germany), NISG 2026 in Austria from 01 October 2026: 10 Section 30 BSIG (German IT Security Act) obligations, Section 38 management liability, ISMS build-up, supply chain security, incident response 24/72/30.
Who is subject to NIS2 in Germany?
The German implementation act (NIS2UmsuCG) distinguishes two tiers in § 28 BSIG. Essential Entities are organisations with at least 250 employees or annual turnover exceeding EUR 50 million operating in one of the 18 sectors listed in Annex I — including energy, transport, banking, health, water, digital infrastructure and cloud providers. Important Entities cover medium-sized organisations (50 employees or EUR 10 million turnover and above) in the sectors of Annex II, such as postal services, waste management, food and manufacturing. In addition, micro-enterprises with 50 employees or more fall within scope where they operate in high-risk sectors such as qualified trust services or DNS services. Crucially, there is no official BSI list of NIS2-regulated entities — each organisation must self-assess whether it falls within scope. Where this is uncertain, formal self-registration through the BSI reporting portal under § 33 BSIG is recommended.
The 10 mandatory measures under § 30 BSIG
§ 30 BSIG transposes Art. 21 of the NIS2 Directive into German law and obliges regulated entities to implement ten technical and organisational measures:
- Risk analysis and information security policies covering all information systems.
- Incident handling including detection, response and recovery procedures.
- Business continuity through backup management, disaster recovery and crisis management.
- Supply-chain security covering relationships with direct suppliers and service providers.
- Security in acquisition, development and maintenance of IT systems, including vulnerability management.
- Policies to assess the effectiveness of risk management (security reviews, audits).
- Training and cyber hygiene for all staff, including the management body.
- Cryptography and encryption according to the state of the art.
- Access control and asset management (personnel security, authorisation concepts, inventory).
- Multi-factor authentication and secured communication systems.
Detailed guidance with ISO 27001 mapping and 22 templates is available in the Section 30 BSIG pillar article.
Reporting deadlines
§ 32 BSIG codifies a tiered reporting regime for significant incidents. Within 24 hours of becoming aware of an incident, an Early Warning must be submitted to the BSI — it contains an initial assessment of whether the incident was caused by unlawful or malicious acts and whether cross-border impact is suspected. Within 72 hours, the Incident Notification follows with an updated situation assessment, a first evaluation of severity and impact, and indicators of compromise where available. No later than one month after the notification, the Final Report must be filed, providing a detailed description of the incident, root causes, mitigation measures taken and any cross-border consequences. Alongside this, § 38 BSIG imposes personal management liability: managing directors and board members must actively approve the risk-management measures, supervise their implementation and attend regular training. In the event of breaches of duty, they are personally liable with their private assets towards the company — a waiver by shareholder resolution is excluded.
The most important NIS2 topics in detail
Step-by-step guides with templates, regulatory references and audit checklists.
NIS2 implementation Germany (NIS2UmsuCG)
10 obligations + Section 38 management liability + 12-step roadmap
Section 30 BSIG: 10 mandatory measures
ISO 27001 mapping + 22 templates (Section 30 BSIG subset of the 72-template NIS2 Kit)
Build an ISMS
10-week plan for SMEs + 12 mandatory policies
NIS2 supply chain security
8-step supplier audit + 6 contract clauses
BCM under NIS2
BIA, RTO/RPO, emergency plan, DR tests
NIS2 Austria (NISG 2026)
Austrian cybersecurity obligations from 01 October 2026
Listicles & top lists
Compact overviews — perfect for board meetings, newsletters or as an A4 print template.
Practice clusters & glossary
Special topics by industry, use case and mandatory terminology.
New practice templates & sector guides
Regulation-compliant professional templates for the core obligations under § 30 BSIG and sector-specific implementation.
NIS2 Templates Overview
All 72 documents categorised by § 30 BSIG + usage notes per domain.
NIS2 Risk Management Art. 21
Editable risk matrix + assessment form + treatment plan for Art. 21 NIS2 Directive.
NIS2 Disaster Recovery Plan
DR plan template with RTO/RPO definition, emergency scenarios and test protocols.
NIS2 Mechanical Engineering / Industry
IEC 62443, OT cybersecurity, supply-chain risks for mid-sized industrial SMEs.
Audit-ready in 2-4 hours
Instead of months of research: deployable templates, personalised with your company name, one-off investment instead of consultancy fees.
Sources
- BSIG 2025 (consolidated version following NIS2UmsuCG) (as of 06 December 2025)
- NIS2 Implementation Act — BGBl. 2025 I No. 301 (as of 05 December 2025; in force 06 December 2025)
- Directive (EU) 2022/2555 (NIS2) — EUR-Lex English (as of 14 December 2022)
- BSI press release — NIS2UmsuCG in force from 06 December 2025
- BSI — NIS2 FAQ regulated companies