NIS2 Checklist 2026: What Companies Need to Implement Now
The NIS2 Implementation Act comes into force in 2025 and affects an estimated 30,000 companies in Germany. Many are still unsure if they are affected and what exactly needs to be done. This checklist summarizes the most important obligations and deadlines.
TL;DR
- 30,000 companies affected: Significantly more than under the old NIS Directive – including many medium-sized enterprises.
- Personal liability for executives: Fines up to €10 million or 2% of annual turnover.
- 24-hour reporting obligation: Significant security incidents must be reported within one day.
- Supply chain security becomes mandatory: Companies must assess the security of their suppliers.
- Start now: Implementation takes 6-18 months – those who wait risk violations from day one.
Who is Affected?
NIS2 distinguishes between “essential” and “important” entities across 18 sectors. Thresholds: at least 50 employees or €10 million in annual turnover. Some sectors are affected regardless of size.
Essential Entities: Energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
Important Entities: Postal services, waste management, chemicals, food, manufacturing, digital services, research.
The NIS2 Checklist: 10 Obligations
1. Determine Applicability: Compare sector, size, and turnover against NIS2 criteria. Seek legal advice if in doubt.
2. Risk Management: Establish, document, and regularly update a systematic cybersecurity risk management system.
3. Incident Response: Initial notification within 24 hours, detailed report within 72 hours, final report within one month to the BSI (Federal Office for Information Security). Define and practice the process.
4. Involve Management: Approve measures, monitor implementation, and participate in training. Personal liability applies.
5. Supply Chain Security: Identify critical suppliers, assess their security posture, and secure requirements contractually.
6. Business Continuity: Regularly test backup strategies, disaster recovery plans, and crisis management protocols.
7. Encryption and Access Control: Encrypt sensitive data, enforce multi-factor authentication for critical systems, and apply the principle of least privilege.
8. Vulnerability Management: Conduct vulnerability scans and penetration tests, and maintain disciplined patch management with defined service-level agreements.
9. Training: Train all employees regularly – and provide targeted cybersecurity training for executives and senior leadership.
10. BSI Registration: Register with the BSI and designate a dedicated cybersecurity contact person.
Deadlines and Fines
The NIS2 Implementation Act is expected to come into force in mid-2025. Fines: up to €10 million or 2% of global annual turnover. Higher fines and proactive supervisory audits apply to essential entities.
Key Facts at a Glance
Affected companies in Germany: ~30,000 (previously ~4,500)
Sectors: 18 (11 essential, 7 important)
Reporting Obligation: 24h → 72h → 1 month
Fines: Up to €10 million or 2% of annual turnover
Implementation Duration: 6-18 months depending on starting position
Fact: According to the BSI Situation Report 2025, around 30,000 companies in Germany are subject to regulation for the first time due to NIS2 – six times more than under the previous KRITIS regulation.
Fact: The NIS2 reporting obligation requires an initial report within 24 hours – according to ENISA, fewer than 40% of affected organizations currently meet this threshold in test scenarios.
Frequently Asked Questions
Does NIS2 apply to companies with fewer than 50 employees?
Generally, no. Exceptions include digital infrastructure providers, DNS service operators, and qualified trust service providers – these are covered regardless of size.
Is ISO 27001 sufficient for NIS2 compliance?
ISO 27001 covers many foundational elements – but not all. NIS2 adds specific requirements: strict incident reporting timelines, executive-specific cybersecurity training, formal supplier security assessments, and mandatory registration with the BSI.
What happens in case of violations?
Fines of up to €10 million or 2% of global annual turnover – and personal liability for executives. Essential entities also face proactive supervisory audits and stricter enforcement.
How do I start the implementation?
First, confirm applicability. Then conduct a gap analysis, develop a prioritized action plan, secure budget and resources, and bring in external expertise where needed. Leverage official BSI guidance documents and Bitkom’s practical implementation handbooks.
What is the difference from DORA?
DORA is a financial-sector-specific regulation that goes beyond NIS2 in scope and stringency – especially regarding operational resilience, third-party risk, and incident reporting. For financial institutions, DORA takes precedence over NIS2.