NIS2 Compliance for Critical Infrastructure
The NIS2 Directive (EU 2022/2555) obliges up to 29,000 entities in Germany to implement comprehensive cybersecurity measures. KO‑MO‑TEL supports you in implementation – from GAP analysis to ongoing compliance operations.
What is NIS2?
NIS2 (Network and Information Security Directive, Directive EU 2022/2555) is the EU directive for cybersecurity of critical infrastructure. It replaces the predecessor NIS Directive (2016) and significantly tightens requirements. Germany transposed NIS2 into national law on December 5, 2025 through the NIS2 Implementation Act (NIS2UmsG). The requirements apply to affected entities from publication in the Federal Law Gazette without a transition period.
The scope has been expanded from approximately 4,500 to up to 29,000 regulated entities in Germany. Registration with the BSI (Federal Office for Information Security) is required within 3 months. Initial proof of implementation of measures must be provided by 2027. KO‑MO‑TEL GmbH from Munich has been supporting companies with cybersecurity and compliance for over 30 years.
EU Directive
(EU) 2022/2555, adopted December 14, 2022
German Implementation
NIS2UmsG, published December 5, 2025
Affected Entities
Approx. 29,000 in Germany (previously 4,500)
Supervisory Authority
BSI (Federal Office for Information Security)
Is your company affected by NIS2?
NIS2 distinguishes between essential entities and important entities across 18 sectors as defined in Annex I and II of the directive. Classification depends on the sector and size criteria.
Size Criteria (Art. 2 para. 2 NIS2)
- 50 or more employees
- EUR 10 million or more annual turnover
- EUR 10 million or more annual balance sheet total
Certain entities (DNS service providers, TLD registries, trust service providers, public communications networks) are covered regardless of size.
Essential Entities (Annex I)
Stricter supervision, proactive audits by the BSI. Proof of effectiveness required at least every 3 years.
Energy
Electricity, district heating/cooling, oil, gas, hydrogen
Transport
Aviation, rail, shipping, road transport
Banking
Credit institutions per Art. 4 CRR
Financial Market Infrastructures
Payment systems, central counterparties
Healthcare
Hospitals, laboratories, pharmaceutical manufacturers
Drinking Water
Water supply and distribution
Wastewater
Collection, disposal, treatment
Digital Infrastructure
Cloud, data centers, DNS, TLD registries, CDN, trust services
ICT Service Management
Managed Service Providers (MSP), Managed Security Service Providers (MSSP)
Public Administration
Federal and state government entities
Space
Operators of ground infrastructure
Important Entities (Annex II)
Event-driven audits by the BSI. Also subject to extensive obligations.
Postal and courier services
Waste management
Production, manufacturing and distribution of chemicals
Food production, processing and distribution
Manufacturing (medical devices, electronics, machinery, vehicles)
Digital services (online marketplaces, search engines, social networks)
Research institutions
11 Security Measures under Art. 21 NIS2
Art. 21 para. 2 of the NIS2 Directive defines eleven categories of technical and organizational measures that essential and important entities must implement. These measures form the foundation of NIS2 compliance.
a) Risk analysis and information security policies
Annual risk analysis following recognized standards (ISO 27005, BSI IT-Grundschutz). Identification of assets, threats and vulnerabilities. Information security policy as part of an ISMS per ISO 27001.
b) Incident handling
Incident response plan per NIST SP 800-61 or ISO 27035. 24/7 availability of an incident response team. Escalation processes with defined responsibilities. Forensic capabilities for root cause analysis.
c) Business continuity and crisis management
Business Impact Analysis (BIA) to identify critical business processes. Business Continuity Plan (BCP) per ISO 22301. Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Regular emergency exercises.
d) Supply chain security
Assessment of cybersecurity of suppliers and service providers. Contractually agreed security requirements (e.g., ISO 27001). Annual audits of critical suppliers. Contingency plans for supplier failures.
e) Security in acquisition, development and maintenance of systems
Security by Design and Security by Default. Secure Software Development Lifecycle (SSDLC). Patch management: critical patches within 48h, regular within 30 days. Vulnerability management with quarterly scans.
f) Assessment of the effectiveness of risk management measures
Key Performance Indicators (KPIs) for cybersecurity (MTTD, MTTR). Annual internal audits of the ISMS. External certification audits (ISO 27001 every 3 years). Annual penetration tests by certified experts.
g) Cyber hygiene and training
Mandatory security awareness training for all employees (annually, min. 2 hours). Quarterly phishing simulations. Password policy (min. 12 characters). Clean desk and clear screen policy.
h) Use of cryptography and encryption
TLS 1.3 for data transmissions. AES-256 for data at rest. IPsec VPN for site-to-site connections. Full disk encryption for mobile devices. Hardware Security Modules (HSM) for key management.
i) Personnel security, access controls, asset management
Background checks for security-relevant positions. Least privilege principle (minimal rights). Role-Based Access Control (RBAC). Quarterly recertification of user permissions. Complete IT inventory.
j) Multi-factor authentication (MFA)
Mandatory MFA for VPN, remote access, admin accounts and external email. Supported methods: hardware tokens (FIDO2/U2F), authenticator apps (TOTP), biometrics. Conditional Access Policies.
k) Secured voice, video and text communications
Encrypted voice, video and text communications. Emergency communication systems (out-of-band channels, satellite telephony). Secure messaging platforms with end-to-end encryption.
Reporting obligations for security incidents
Significant security incidents must be reported to the BSI in three stages according to NIS2 Art. 23. An incident is considered significant in case of system outage exceeding 4 hours, data breaches, successful cyberattacks, or impact on a significant number of users.
Early Warning (Art. 23 para. 4)
Within 24 hours of becoming aware of the incident: notification to the BSI via the reporting portal (meldung.bsi.bund.de). Content: Is the incident presumably attributable to unlawful or malicious action? Does the incident have cross-border impact?
Incident Notification (Art. 23 para. 5)
Within 72 hours: update with initial assessment. Severity, indicators of compromise (IoCs), affected systems and services, remediation measures taken or planned.
Final Report (Art. 23 para. 6)
No later than 1 month after the incident notification: detailed description, root cause analysis, chronology, remediation measures taken and their impact, lessons learned and planned long-term measures.
Reports are submitted to the BSI via the reporting portal (meldung.bsi.bund.de). In case of concurrent data breaches, the data protection authority (BayLDA) must additionally be informed within 72h per GDPR Art. 33.
Penalties for non-compliance
Violations of NIS2 carry significant fines per Art. 34 NIS2 (transposed in Section 56 BSIG). Sanctions follow the GDPR model and are intended to have a deterrent effect.
Essential Entities
Up to EUR 10M
or 2% of global annual turnover – whichever is higher.
Important Entities
Up to EUR 7M
or 1.4% of global annual turnover – whichever is higher.
Personal liability of management
NIS2 Art. 20 makes management personally responsible for implementing cybersecurity measures. Violations of duty of care can result in temporary activity bans and disqualification of executives. Management must complete at least 8 hours of cybersecurity training annually.
How KO‑MO‑TEL supports NIS2 compliance
KO‑MO‑TEL GmbH has been supporting companies with IT security and compliance for over 30 years. Our structured NIS2 consulting approach guides you efficiently through all phases of implementation – from the initial assessment to ongoing compliance.
NIS2 Readiness Assessment
Duration: 2–4 weeks
Applicability review (sector, size criteria, classification as essential or important entity). Complete GAP analysis (current vs. target comparison against Art. 21 NIS2 requirements). Risk analysis per ISO 27005 with Business Impact Analysis. GAP report with prioritized measures.
Measures Planning & Roadmap
Duration: 1–2 weeks
Prioritized measures catalog (technical, organizational, personnel). Identify quick wins within 3 months (MFA rollout, patch management, basic SIEM). Resource planning and budget estimation. Timeline with milestones.
Technical Implementation
Duration: 3–6 months
Next-generation firewall and network segmentation. SIEM implementation (central log aggregation, correlation, alerting). Endpoint security (EDR, full disk encryption). MFA rollout for VPN, email and admin access. Encryption (TLS 1.3, IPsec VPN, AES-256). Backup and disaster recovery (3-2-1 rule, offsite backup).
Organizational Implementation
Duration: 3–6 months
ISMS setup per ISO 27001. Incident response plan with escalation levels and responsibilities. Business Continuity Plan (BCP) with RTO/RPO definitions. Policies (password policy, clean desk policy, change management). BSI registration and reporting processes.
Training & Awareness
Duration: ongoing
Security awareness training for all employees (4h per group). Specialized training for IT administrators (incident response, forensics). Management training on NIS2 responsibilities (8 hours). Quarterly phishing simulations.
Ongoing Compliance & Audits
Duration: annual
Annual internal audits of the ISMS. Annual penetration tests by certified experts. Quarterly vulnerability scans. Annual business continuity exercises. Support during BSI audits. Adaptation to regulatory changes.
Frequently asked questions about NIS2
Answers to the most important questions about the NIS2 directive and its implementation in Germany.
Ready for the next step?
Let's find out together how we can advance your IT and AI strategy.