NIS2 compliance for essential and important entities
The NIS2 Directive raises the bar for cybersecurity across the EU. Matproof helps you meet the new requirements — from risk management to 24-hour incident reporting.
Key Features
Cybersecurity Risk Management
Implement the risk management measures required by Article 21. Automated risk assessments, treatment plans, and continuous monitoring.
Incident Reporting (24h/72h)
Meet NIS2's strict reporting timelines: early warning within 24 hours, incident notification within 72 hours, and a final report within one month, submitted to your national CSIRT or competent authority.
Supply Chain Security
Assess and monitor ICT supply chain risks. Track supplier security postures and contractual requirements.
Management Accountability
Document management body approval and oversight of risk management measures and the management training required by Article 20.
Business Continuity
Backup management, disaster recovery, and crisis management plans. Document and test your resilience measures.
Security Policies & Training
AI-generated cybersecurity policies and employee awareness training programs aligned to NIS2 requirements.
What is the NIS2 Directive?
The NIS2 Directive (EU Directive 2022/2555) is the European Union's comprehensive cybersecurity legislation that replaces and significantly strengthens the original NIS Directive from 2016. Adopted in December 2022, NIS2 establishes a high common level of cybersecurity across the EU by imposing uniform risk management and incident reporting obligations on a vastly expanded scope of sectors and entities. Member states were required to transpose the directive into national law by October 17, 2024.
The original NIS Directive suffered from inconsistent implementation across member states, limited scope, and insufficient enforcement mechanisms. NIS2 addresses these shortcomings by covering 18 sectors (up from 7), introducing size-based criteria for determining which entities are in scope, harmonizing cybersecurity requirements, establishing stricter incident reporting timelines, and creating a meaningful enforcement regime with significant penalties for non-compliance.
One of NIS2's most significant innovations is the explicit introduction of management accountability. Article 20 requires management bodies to approve and oversee cybersecurity risk management measures, to undergo regular cybersecurity training, and it makes them liable for infringements by the entity. This represents a fundamental shift from treating cybersecurity as a purely technical function to recognizing it as a board-level governance responsibility.
In Germany, the NIS2 Directive is implemented through the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which amends the existing BSI Act (BSIG). The Bundesamt für Sicherheit in der Informationstechnik (BSI) serves as the national competent authority and single point of contact. The German implementation adds national provisions in areas such as registration obligations, specific technical requirements, and enforcement procedures, building on Germany's existing critical infrastructure protection framework (KRITIS).
Who Needs NIS2 Compliance?
NIS2 uses a size-based approach combined with sector classification to determine which entities are in scope. Generally, medium-sized organizations (50+ employees or more than EUR 10M annual turnover or balance sheet total) and large organizations in the 18 designated sectors fall within scope. The directive distinguishes between essential entities (subject to proactive supervision) and important entities (subject to reactive supervision). As a rule, large entities in the Annex I "sectors of high criticality" are essential, while medium-sized Annex I entities and all in-scope Annex II entities are important; certain entity types (for example TLD name registries, DNS service providers, and public administration entities) are essential regardless of size.
Sectors of High Criticality (Annex I)
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharma, medical devices)
- Drinking water and waste water
- Digital infrastructure (IXPs, DNS, TLDs, cloud, data centers)
- ICT service management (B2B) and public administration
- Space
Other Critical Sectors (Annex II)
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (marketplaces, search engines, social networks)
- Research organizations
Some entities are covered regardless of their size, including providers of public electronic communications networks, DNS service providers, TLD name registries, and entities that are the sole provider of a critical service in a member state. Organizations in the supply chain of essential and important entities may also be indirectly affected, as NIS2 requires in-scope entities to manage cybersecurity risks in their supply chains. In Germany, the BSI estimates that approximately 30,000 entities will fall within the scope of the NIS2UmsuCG.
NIS2 Key Requirements in Detail
1. Cybersecurity Risk Management Measures (Article 21)
Essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Article 21(2) specifies ten minimum measures: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, including backup management, disaster recovery, and crisis management; (d) supply chain security; (e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of the measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies on cryptography and, where appropriate, encryption; (i) human resources security, access control policies, and asset management; and (j) multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems where appropriate.
2. Incident Reporting (Article 23)
NIS2 introduces a structured multi-step incident reporting process. Organizations must submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. An incident notification must follow within 72 hours, with an initial assessment of severity and impact and, where available, indicators of compromise. A final report with a detailed description, root cause, mitigation measures, and any cross-border impact must be submitted no later than one month after the incident notification; an intermediate report is due on request. An incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Where appropriate, entities must also inform recipients of their services of significant incidents likely to adversely affect them.
3. Management Accountability (Article 20)
NIS2 explicitly requires management bodies to approve cybersecurity risk management measures, oversee their implementation, and be liable for infringements by the entity. Management members must undergo regular and adequate cybersecurity training to develop sufficient knowledge and skills to identify risks, evaluate cybersecurity management practices, and assess their impact on services. The directive frames this as the management body's own responsibility rather than a task that can be passed down, and for essential entities Article 32(5) allows authorities to have individuals temporarily barred from exercising managerial functions.
4. Supply Chain Security (Article 21(2)(d))
Entities must address cybersecurity risks in their supply chains and relationships with suppliers. This includes assessing the security posture of direct suppliers, incorporating cybersecurity requirements into contractual arrangements, monitoring supplier compliance, and managing risks arising from the use of ICT products and services. Supply chain risk assessments should consider the overall quality and resilience of products, the cybersecurity practices of suppliers, and any country-specific risks associated with supplier locations.
5. Business Continuity and Crisis Management (Article 21(2)(c))
Organizations must implement business continuity management including backup management and disaster recovery, and crisis management procedures. Plans must cover the continuity of critical services, define roles and responsibilities during incidents, establish communication procedures, and include regular testing and exercise programs. Business continuity plans should consider dependencies on third-party service providers and include alternative arrangements for critical services.
6. Vulnerability Handling and Coordinated Disclosure (Articles 12 and 21(2)(e))
Article 12 establishes a coordinated vulnerability disclosure framework: each member state designates a CSIRT as coordinator and trusted intermediary between reporters and affected vendors, and ENISA maintains a European vulnerability database. The obligation on entities comes from Article 21(2)(e): security in the acquisition, development, and maintenance of network and information systems must include vulnerability handling and disclosure procedures. In practice this means maintaining a process to receive vulnerability reports, assessing and remediating vulnerabilities in a timely manner, applying patches according to documented timelines, and cooperating with the coordinating CSIRT when a vulnerability affecting your systems or products is disclosed.
7. Registration and Cooperation (Articles 3, 14-16, 27)
Essential and important entities must provide the information needed for the national list of entities (Article 3(4)): name, address and up-to-date contact details including email addresses, IP ranges and telephone numbers, the relevant sector and sub-sector, and the member states in which they provide services. Certain digital providers (such as DNS, TLD, cloud, data centre, CDN, managed service, marketplace, search engine, and social networking providers) are additionally registered with ENISA under Article 27. The directive establishes a cooperation framework consisting of the Cooperation Group (Article 14, strategic guidance), the CSIRTs network (Article 15, operational cooperation), and EU-CyCLONe (Article 16, large-scale incident and crisis management). Entities must cooperate with authorities during supervisory activities and incident investigations.
8. Multi-Factor Authentication and Access Control (Article 21(2)(i) and (j))
NIS2 explicitly lists multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems, to be used where appropriate, together with access control policies under the human resources security measure. Supervisory expectations for an access control policy are least privilege, identity lifecycle management, controlled use of privileged and administrative accounts, and periodic access reviews; for digital infrastructure entities these are spelled out in Commission Implementing Regulation (EU) 2024/2690. These requirements apply to both internal systems and external-facing services.
Penalties for NIS2 Non-Compliance
NIS2 introduces a significantly strengthened enforcement regime compared to the original NIS Directive. Competent authorities have broad supervisory powers, and penalties are designed to be effective, proportionate, and dissuasive. The directive differentiates penalties between essential and important entities.
Maximum fines for essential entities: EUR 10 million or 2% of total annual worldwide turnover, whichever is higher
Maximum fines for important entities: EUR 7 million or 1.4% of total annual worldwide turnover, whichever is higher
For essential entities, authorities can additionally suspend certifications or authorizations and request that natural persons at CEO or legal representative level be temporarily prohibited from exercising managerial functions (Article 32(5)); management body members are also liable for infringements by the entity under Article 20
Essential entities face proactive supervision, meaning authorities can conduct regular audits, security scans, on-site inspections, and request evidence of compliance at any time. Important entities are subject to reactive supervision — authorities intervene based on evidence of non-compliance, such as incident reports or complaints. In Germany, the BSI has additional enforcement powers under the NIS2UmsuCG, including the ability to issue binding instructions, appoint monitoring officers, and restrict or prohibit the provision of services.
How to Achieve NIS2 Compliance
With the national transposition deadline having passed in October 2024, organizations in scope should be actively working toward full NIS2 compliance. Here is a structured approach:
1. Scoping and Self-Assessment
Determine whether your organization falls within NIS2 scope by assessing your sector, size (employees and turnover), and service criticality. Classify yourself as an essential or important entity based on the directive's criteria. Review the national implementing law (NIS2UmsuCG in Germany) for any additional national requirements. Register with the competent authority (BSI in Germany) as required.
2. Gap Analysis Against Article 21 Requirements
Assess your current cybersecurity posture against the 10 minimum measures specified in Article 21(2). Identify gaps in risk management policies, incident handling, business continuity, supply chain security, vulnerability management, cryptography, access control, and employee training. Prioritize remediation based on risk and regulatory expectations. Map existing controls from ISO 27001, DORA, or other frameworks to NIS2 requirements.
3. Management Body Engagement and Training
Brief the management body on NIS2 obligations, including their personal accountability under Article 20. Arrange cybersecurity training for all management members. Establish governance processes for management approval of risk management measures and regular reporting on cybersecurity status. Document management decisions and oversight activities to demonstrate compliance.
4. Implement Cybersecurity Risk Management Measures
Implement or strengthen the 10 minimum measures required by Article 21. This includes deploying multi-factor authentication, implementing network segmentation and encryption, establishing vulnerability management processes, creating business continuity and disaster recovery plans, and building a comprehensive supply chain security program. Ensure all measures are proportionate to your risk profile and the criticality of your services.
5. Establish Incident Reporting Capabilities
Build incident detection, classification, and reporting processes that meet NIS2's strict timelines: 24-hour early warning, 72-hour incident notification, and one-month final report. Establish communication channels with the competent authority (BSI) and relevant CSIRTs. Define what constitutes a "significant incident" for your organization and create pre-approved notification templates. Conduct tabletop exercises to test your ability to meet reporting deadlines.
6. Continuous Compliance and Monitoring
Implement continuous monitoring of your cybersecurity posture, supply chain risks, and control effectiveness. Conduct regular security assessments, vulnerability scans, and penetration tests. Review and update risk management measures based on evolving threats, incidents, and regulatory guidance. Use Matproof to automate control monitoring, evidence collection, and compliance reporting, ensuring ongoing readiness for supervisory activities.
Frequently Asked Questions about NIS2
What is the NIS2 Directive?
NIS2 (EU Directive 2022/2555) is the European Union's updated directive on the security of network and information systems. It replaces the original NIS Directive from 2016 and significantly expands its scope, covering 18 sectors and introducing stricter cybersecurity requirements, incident reporting obligations, and management accountability. Member states were required to transpose NIS2 into national law by October 17, 2024.
What is the difference between essential and important entities under NIS2?
NIS2 categorizes entities into two groups based on sector and size. Large entities in the Annex I sectors of high criticality (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) are essential entities; medium-sized entities in those sectors and in-scope entities in the Annex II sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research) are important entities. Some types, such as TLD name registries, DNS service providers, and public administration entities, are essential regardless of size. Essential entities face proactive supervision and higher maximum fines (EUR 10M or 2% of worldwide turnover), while important entities are supervised reactively with lower maximum fines (EUR 7M or 1.4%).
What are the NIS2 incident reporting deadlines?
NIS2 introduces a multi-step reporting process: an early warning within 24 hours of becoming aware of a significant incident, stating whether malicious activity is suspected and whether cross-border impact is possible; an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise; an intermediate report upon request by the competent authority; and a final report no later than one month after the incident notification, detailing root cause, impact, mitigation measures, and any cross-border impact. The entity reports only to its own CSIRT or competent authority, which in turn informs other affected member states and ENISA; separately, entities must inform recipients of their services where a significant incident is likely to affect them.
Does NIS2 apply to my organization?
NIS2 applies to medium and large organizations (50+ employees or EUR 10M+ turnover) in 18 designated sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Some entities are covered regardless of size, including DNS providers, TLD registries, and providers of public electronic communications networks.
What is the NIS2UmsuCG?
The NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) is Germany's national law implementing the NIS2 Directive. It amends the existing BSI Act (BSIG) and introduces national requirements aligned with NIS2, including registration obligations with the BSI (Bundesamt für Sicherheit in der Informationstechnik), incident reporting to the BSI, and specific cybersecurity measures. The German implementation adds some national provisions beyond the minimum NIS2 requirements.
Can management be held personally liable under NIS2?
Yes. NIS2 explicitly introduces management accountability in Article 20. Management bodies of essential and important entities must approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements by the entity. Management members must also undergo cybersecurity training. In Germany, the NIS2UmsuCG makes these approval, oversight, and training duties personal obligations of the Geschäftsleitung, and managers who breach them may face personal financial liability towards their company under general company law.