NIS2 for KRITIS: The Complete Implementation Guide for 2026

How German Critical Infrastructure Operators Can Achieve Full NIS2 Compliance. From Governance and Risk Management to 24-Hour Incident Reporting

Author
Andy Mura
Date
3.3.2026
Updated on
3.3.2026
If you operate critical infrastructure in Germany, you already know that regulatory compliance is part of doing business. You have dealt with KRITIS requirements, implemented security measures, and probably achieved ISO 27001 certification along the way. But NIS2 changes the game in ways that catch many operators off guard.

The NIS2 Directive is not simply an update to existing rules. It fundamentally expands what regulators expect from you, introduces personal liability for your executive team, and demands capabilities that most KRITIS operators have not yet built. Think of it this way: if KRITIS was about protecting critical systems, NIS2 is about proving you can protect them, respond when things go wrong, and demonstrate continuous oversight at the board level.

This guide walks you through NIS2 implementation for KRITIS operators step by step. You will learn exactly what changes, what you can carry forward from existing compliance efforts, and how to close the gaps efficiently. Whether you are starting from scratch or building on established security programs, this is your roadmap to compliance.

What Is NIS2 and Why Does It Transform KRITIS Compliance?

The Network and Information Security Directive 2 (EU Directive 2022/2555) represents the European Union's comprehensive overhaul of cybersecurity regulation. The original NIS Directive from 2016 had good intentions but suffered from inconsistent implementation across member states, narrow scope, and enforcement mechanisms that lacked real teeth. NIS2 addresses all of these shortcomings.

Germany transposed NIS2 through the NIS2 Implementation Act (NIS2UmsuCG), which revised the BSIG and entered into force in December 2025, more than a year after the EU transposition deadline of 17 October 2024. For KRITIS operators, this means your existing regulatory framework now sits within a broader European structure that brings additional requirements and significantly higher stakes.

The key differences matter enormously for your implementation approach. Where KRITIS focused primarily on technical security measures, NIS2 demands documented governance processes with clear management accountability. Where KRITIS required incident notification "without undue delay" but set no fixed clock, NIS2 requires you to issue an early warning within 24 hours of becoming aware of a significant incident. Where KRITIS implied that executives should care about cybersecurity, NIS2 makes them personally liable if they fail to oversee it properly.

Consider the practical implications. Your Geschäftsführer or Vorstand can no longer simply delegate cybersecurity to the IT department and move on. Article 20 of NIS2 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training themselves. In Germany, Section 38 of the revised BSIG makes this liability non-waivable, meaning your company cannot indemnify executives even if it wants to.

Who Must Comply With NIS2 for KRITIS?

Understanding your classification under NIS2 is the essential first step because it determines the intensity of regulatory supervision you will face and the specific requirements that apply to your situation.

How Does NIS2 Classify KRITIS Operators?

The German NIS2 implementation creates a layered system that preserves KRITIS designations while adding new categories. If you are already a KRITIS operator, you remain regulated under that framework, but NIS2 requirements now apply on top of your existing obligations. You do not get to choose one or the other.

KRITIS operators are defined using the established methodology and thresholds you already know. These include operators in energy, water, healthcare, transport, finance, and other sectors that meet specific supply thresholds. What changes is that you now also fall under NIS2's "essential entity" classification, which brings proactive regulatory supervision rather than the reactive approach applied to smaller entities.

Particularly important entities (besonders wichtige Einrichtungen) is the German term for NIS2's upper tier, the essential entities. Every KRITIS operator sits in this tier. It also captures large companies in the Annex I sectors, meaning 250 or more employees, or annual turnover above 50 million EUR together with a balance sheet total above 43 million EUR. Unlike KRITIS, whose thresholds are based on supply figures such as the number of people served, NIS2 thresholds are defined by headcount and financial size.

Some large companies that were never regulated under KRITIS now find themselves in scope for the first time. The relationship runs in one direction only: every KRITIS operator is a particularly important entity under NIS2, but not every NIS2 entity is a KRITIS operator.

Important entities (wichtige Einrichtungen) cover medium-sized companies in the Annex I sectors and medium-sized and large companies in the Annex II sectors, which add manufacturing, chemicals, waste management, research and others. These entities face lighter, reactive supervision but still must meet the core NIS2 requirements.

Federal administrative bodies above certain criteria also fall under NIS2, which matters if your KRITIS operation involves public sector partnerships or government contracts.

What Sectors Does NIS2 Cover Beyond Traditional KRITIS?

NIS2 expands EU cybersecurity regulation to 18 sectors, significantly broader than the original KRITIS scope. This expansion affects you even if your core operations remain focused on traditional critical infrastructure, because your supply chain likely includes companies that are now regulated for the first time.

The high criticality sectors under NIS2 Annex I are energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, business-to-business ICT service management, public administration, and space. If you are a large company in any of these sectors, you are classified as an essential entity with the highest level of regulatory attention.

Other critical sectors under Annex II include postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and other transport equipment. Digital providers and research organizations also fall into this category.

For KRITIS operators, the practical impact comes through supply chain requirements. Your cloud providers, managed service providers, and critical suppliers may now face their own NIS2 obligations, which creates both opportunities and responsibilities. You can expect suppliers to have better security practices, but you must also verify this through your own third party risk management program.

What Are the Core NIS2 Implementation Requirements?

Article 21 of NIS2 specifies ten security domains that every regulated entity must address. These requirements are not optional checkboxes but rather mandatory elements of your cybersecurity program that regulators will verify through inspections and audits.

How Should You Approach Risk Management Under NIS2?

Risk management forms the foundation of everything else in NIS2 compliance. Article 21(2)(a) requires "policies on risk analysis and information system security," but the directive expects much more than a document in a folder. You need a living risk management process that drives actual security decisions.

The approach must be "all hazards," meaning you consider not just cyber threats but also physical risks, environmental factors, and human elements. A comprehensive risk assessment for a NIS2 operator should include threats like ransomware and data theft alongside considerations such as flood risk to data centers, pandemic impacts on staff availability, and the consequences of key personnel leaving the organization.

Your risk management framework needs several documented components. Start with a risk assessment methodology that specifies how you identify assets, evaluate threats and vulnerabilities, and calculate risk levels. Define clear scales for likelihood and impact that make sense for your organization. A regional energy supplier faces different impact scenarios than a national healthcare provider, and your methodology should reflect your specific context. The directive does not prescribe a particular risk assessment method; what it requires is that you have one, apply it, and can show the results.

Conduct risk assessments at regular intervals and whenever significant changes occur. New systems, organizational restructuring, emerging threat intelligence, and regulatory changes can all trigger a reassessment. Document everything thoroughly, because regulators may want to see not just the current risk assessment but evidence of how your risk picture has evolved over time.

Risk treatment decisions require particular attention under NIS2. Under any standard risk management method, when you identify a risk above your tolerance threshold, you must decide whether to mitigate it through additional controls, transfer it through insurance or contractual arrangements, accept it with documented justification, or avoid it by eliminating the risky activity. Whatever you choose, document the rationale and obtain management approval. Risk acceptance decisions are especially scrutinized because they require explicit sign-off from your management body.

What Governance and Accountability Requirements Apply?

NIS2 transforms cybersecurity governance from a best practice into a legal requirement with personal consequences. Article 20 creates explicit accountability for management body members, and Germany's implementation in Section 38 BSIG makes this liability impossible to waive or transfer.

Your management body must approve cybersecurity risk management measures. This means board members or executive directors cannot simply rubber stamp proposals from the security team. They must understand what they are approving well enough to make informed decisions. When something goes wrong, "I trusted my CISO" is not a defense if the board failed to exercise meaningful oversight.

Oversight responsibility extends beyond initial approval. Management must monitor implementation of the measures they approved, track whether remediation activities are completed, and respond appropriately when issues arise. This requires regular reporting mechanisms that actually reach the board level, not just occasional updates buried in operational reviews.

The training requirement catches many executives off guard. Article 20(2) explicitly requires management body members to "follow training" to gain "sufficient knowledge and skills" to identify risks and assess risk management practices. In Germany, guidance suggests training at least every three years, though annual refreshers represent best practice. This training must be documented with records of content covered and attendance.

For your implementation, establish clear governance structures that define who approves what, how decisions are documented, and how oversight occurs. Create reporting templates that present security posture in terms executives can understand and act upon. Schedule regular board level security reviews rather than treating cybersecurity as an occasional agenda item.

How Does the 24-Hour Incident Reporting Work?

The incident reporting requirements under NIS2 represent one of the most operationally challenging changes for KRITIS operators. Where previous rules allowed more generous timeframes, NIS2 demands an early warning within 24 hours of becoming aware of a significant incident.

The reporting structure has three stages. Within 24 hours, you must submit an early warning to your national competent authority, which in Germany is the BSI. This initial notification does not require complete information, but it must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross border impact.

Within 72 hours of becoming aware, you must provide an incident notification that updates the early warning with an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. This should cover the nature of the incident, what systems or services are affected, and preliminary information about what happened.

No later than one month after submitting that incident notification, you deliver a final report with a detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, applied and ongoing mitigation measures, and, where applicable, the cross-border impact. If the incident is still ongoing at that point, you submit a progress report instead and the final report within one month of handling the incident. The BSI can also request intermediate status updates along the way.

What counts as a "significant incident" that triggers these obligations? The directive defines it as an incident that causes or may cause severe operational disruption, financial loss, or considerable damage to other parties. For KRITIS operators, most incidents affecting your critical services will likely meet this threshold.

The 24-hour timeline creates serious operational challenges. You need detection capabilities that identify incidents quickly, classification procedures that determine significance within hours rather than days, pre-authorized personnel who can submit reports without waiting for multiple approvals, and tested communication channels to reach the BSI at any hour. Most organizations that have not specifically prepared for this requirement will fail to meet it when a real incident occurs.
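The three-stage clock described above is easy to get wrong under pressure, in particular the point that the 24- and 72-hour limits run from the moment you become aware while the final report runs from when the 72-hour notification was actually filed. The following Python helper is an added example written for this guide, not code from the original page or from any BSI tooling. It applies the Article 23(3) significance test, derives the three deadlines, and lists which stages are overdue at a given time; the field names and the constructed sample incident are assumptions, and the BSI's actual submission format is not modelled.

```python
"""Significance test and reporting clock for NIS2 Article 23 (hypothetical helper, not BSI tooling)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 23(4)(a) and (b): both clocks start when the entity becomes aware.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


@dataclass
class IncidentFacts:
    aware_at: datetime                       # when the entity became aware (UTC)
    severe_operational_disruption: bool      # Art. 23(3)(a), first limb
    financial_loss: bool                     # Art. 23(3)(a), second limb
    considerable_damage_to_others: bool      # Art. 23(3)(b)
    suspected_malicious: bool                # must be stated in the early warning
    possible_cross_border_impact: bool       # must be stated in the early warning
    notification_submitted_at: Optional[datetime] = None  # when the 72-hour notification went out


def is_significant(f: IncidentFacts) -> bool:
    """Art. 23(3): any one limb suffices; 'capable of causing' counts, so feed in the worst credible case."""
    return (f.severe_operational_disruption
            or f.financial_loss
            or f.considerable_damage_to_others)


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition that clamps to month end (31 Jan -> 28/29 Feb)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(f: IncidentFacts) -> dict:
    """Return the three deadlines for a significant incident, or {} if none is triggered.

    The final report runs from submission of the 72-hour notification, not from
    awareness. Until that notification is sent, the latest possible date (notification
    filed exactly at the 72-hour limit) is used as a planning value.
    """
    if not is_significant(f):
        return {}
    notification_due = f.aware_at + INCIDENT_NOTIFICATION
    final_anchor = f.notification_submitted_at or notification_due
    return {
        "early_warning": f.aware_at + EARLY_WARNING,
        "incident_notification": notification_due,
        "final_report": add_one_month(final_anchor),
    }


def overdue_stages(f: IncidentFacts, now: datetime) -> list:
    """Names of stages whose deadline has passed at 'now' (input for an on-call dashboard or pager rule)."""
    return [stage for stage, due in reporting_deadlines(f).items() if now > due]


if __name__ == "__main__":
    # Constructed sample: ransomware on an OT network, awareness late on 31 January 2026 (UTC).
    facts = IncidentFacts(
        aware_at=datetime(2026, 1, 31, 22, 0, tzinfo=timezone.utc),
        severe_operational_disruption=True,
        financial_loss=False,
        considerable_damage_to_others=False,
        suspected_malicious=True,
        possible_cross_border_impact=False,
    )
    for stage, due in reporting_deadlines(facts).items():
        print(f"{stage:22s} due {due.isoformat()}")
    now = datetime(2026, 2, 2, 10, 0, tzinfo=timezone.utc)
    print("overdue at", now.isoformat(), "->", overdue_stages(facts, now))
```

Two design points matter in practice. First, the clock anchors on awareness, so the helper forces you to record that timestamp explicitly rather than reusing the detection time from a SIEM alert, which is often earlier and would shorten your window on paper. Second, keeping the final-report anchor separate from the awareness time means that filing the 72-hour notification early does not cost you time on the final report, which is a reason not to wait until the last hour.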

What Supply Chain Security Requirements Do You Need to Meet?

Article 21(2)(d) of NIS2 explicitly requires "supply chain security, including security related aspects concerning the relationships between each entity and its direct suppliers or service providers." For KRITIS operators who depend on extensive vendor ecosystems, this creates significant compliance obligations.

You must identify and assess cybersecurity risks from your suppliers. This goes beyond checking whether a vendor has ISO 27001 certification, though that helps. You need to understand what access suppliers have to your systems, what data they process on your behalf, how their security failures could impact your operations, and what controls they have in place to prevent those failures.

Security requirements must be included in contracts with suppliers. These contractual provisions should specify the security measures suppliers must maintain, audit rights that allow you to verify compliance, incident notification obligations when suppliers experience security events, and termination rights if security standards are not met.

Ongoing monitoring of supplier security is mandatory. Initial assessment is not enough. You need processes to track whether suppliers maintain their security posture over time, respond appropriately to new threats, and continue to meet contractual obligations. This might include periodic reassessments, continuous monitoring through security rating services, or regular attestations from suppliers.

The supply chain requirement cascades through your vendor ecosystem. Your regulated suppliers face pressure from you, and they in turn must assess their own suppliers. Even companies that are not directly regulated under NIS2 will feel its effects through contractual requirements from customers who are.

How Do You Implement NIS2 for KRITIS Step by Step?

With the requirements understood, let us walk through a practical implementation roadmap. This framework applies whether you are building from minimal security maturity or enhancing an established program. The timeline and effort will vary, but the sequence remains consistent.

Step 1: How Do You Determine Your Scope and Classification?

Before implementing anything, you must confirm exactly what regulations apply to your organization. This sounds simple but often reveals complexity that affects your entire approach.

Start by documenting your KRITIS classification. Which sectors do you operate in? What thresholds do you meet? What facilities are designated as critical? This information forms the baseline for your NIS2 analysis.

Cross reference your KRITIS status with NIS2 entity definitions. As a KRITIS operator, you almost certainly qualify as an essential entity, but confirm this by checking the size thresholds and sector definitions in the German NIS2 implementation. Document your analysis so you can demonstrate to regulators how you determined your classification.

Register with the BSI within required timeframes. The registration process requires information including your company name and legal form, contact details, sector classification, entity type, member states of operation, and technical details like IP ranges and domain names. Missing registration deadlines creates immediate compliance exposure.

Map your organizational boundaries carefully. If your company operates multiple business units, subsidiaries, or facilities, determine which fall within NIS2 scope and which might be excluded. This boundary definition affects everything that follows.

Step 2: How Do You Conduct an Effective Gap Analysis?

With scope determined, assess your current position against NIS2 requirements. A thorough gap analysis reveals exactly what you need to build, enhance, or create from scratch.

Map your existing policies, controls, and processes against NIS2's ten security domains. For each requirement, ask three questions. Do we have something in place that addresses this? Does what we have meet the specific NIS2 standard? Can we document and demonstrate our compliance?

If you already have ISO 27001 certification, you have a significant head start. ISO 27001 addresses approximately 70 to 80 percent of NIS2 requirements. However, specific gaps will exist around incident reporting timelines, management liability provisions, registration requirements, and the explicit documentation standards NIS2 demands.

Your KRITIS compliance also provides a foundation. You likely have risk assessment processes, incident response procedures, and technical security measures. But NIS2 extends these with more demanding governance requirements, faster reporting timelines, and explicit supply chain obligations that KRITIS did not emphasize.

Document gaps with specific remediation requirements. For each gap, note what capability is missing, what evidence would demonstrate compliance, who owns the remediation, and what timeline is realistic for closure. Prioritize gaps based on risk and regulatory significance rather than simply working through a list in order.

Step 3: How Should You Design Your Risk Management Framework?

With gaps identified, establish or enhance your formal risk management framework. This framework drives your entire security program and demonstrates the systematic approach regulators expect.

If you lack a documented risk assessment methodology, create one that specifies your scope, risk scales, calculation approach, and tolerance thresholds. Use standard frameworks as references but customize them for your organization. A methodology copied directly from a template without adaptation will not reflect your actual risk context.

Build your asset inventory if you have not already. You cannot assess risks to assets you do not know about. Include hardware, software, data, services, people, and facilities. For KRITIS operators, pay particular attention to operational technology assets that might not appear in traditional IT inventories but are critical to your essential services.

Conduct a comprehensive risk assessment using your methodology. Identify threats beyond just cyber-attacks. Consider physical risks, environmental factors, human errors, and supply chain dependencies. For each significant risk, document the asset affected, the threat scenario, existing controls, likelihood and impact ratings, and overall risk level.

Design risk treatment approaches for everything above your tolerance threshold. Some risks require new controls. Some might be accepted with documented justification and management approval. Whatever you decide, the documentation trail must demonstrate thoughtful decision making rather than arbitrary choices.

Step 4: How Do You Implement Technical and Organizational Measures?

Based on your risk assessment and gap analysis, implement the specific measures needed to meet NIS2 requirements. This is where abstract requirements become concrete controls.

Network security measures should segment critical systems from general corporate networks, control traffic flows, and detect anomalous activity. For KRITIS operators, this often means separating operational technology networks from IT networks with controlled interconnection points.

Authentication and access control must address NIS2's explicit reference to multi-factor or continuous authentication in Article 21(2)(j), which applies "where appropriate". For a KRITIS operator that means MFA on all administrative access to critical systems and on all remote access at a minimum, and ideally on all user access to sensitive resources. Role based access control ensures users have only the permissions necessary for their functions.

Logging, monitoring, and detection capabilities must support your incident response and 24-hour reporting obligations. If you cannot detect incidents quickly, you cannot report them within required timelines. Implement security information and event management, establish monitoring procedures, and ensure alerts reach the right people promptly.

Secure development and change management practices apply if you develop software internally or manage your own systems. Changes to critical systems require documented approval, testing, and rollback procedures. Vulnerabilities in code must be identified and remediated before deployment.

Business continuity and disaster recovery capabilities ensure you can maintain essential services during incidents and recover rapidly afterward. NIS2's Article 21(2)(c) explicitly requires these capabilities, including backup management, disaster recovery, and crisis management procedures.

Step 5: How Do You Build Incident Response and Reporting Capabilities?

Your incident response process must support NIS2's demanding reporting timelines. Most organizations that have not specifically prepared for 24-hour reporting will fail when a real incident occurs.

Detection and classification mechanisms must operate quickly. When something happens, how long does it take to determine if an incident has occurred? How do you classify whether it is significant? Build clear criteria that allow rapid classification without requiring lengthy analysis.

Triage workflows and containment playbooks guide your response once an incident is confirmed. These should be documented, tested, and available to responders without requiring them to figure out procedures during a crisis. Include specific steps for common incident types you might face.

Reporting templates aligned with BSI requirements ensure you can meet notification obligations without scrambling to create documentation under pressure. Prepare templates for the 24-hour early warning, 72-hour detailed notification, and 30-day final report. Know who has authority to submit these reports and ensure they have access to necessary systems around the clock.

Regular exercises test your incident response capabilities before a real incident forces you to use them. Tabletop exercises walk through scenarios without actual system changes. Functional exercises test specific capabilities like backup restoration or failover procedures. Full scale exercises simulate actual crisis conditions. Document the results and improve your procedures based on what you learn.

Step 6: How Do You Verify Compliance Through Testing?

NIS2 requires you to assess the effectiveness of your security measures. This means testing, not just checking that controls exist.

Penetration testing evaluates whether technical controls actually prevent or detect attacks. Article 21(2)(f) requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures", and Commission Implementing Regulation (EU) 2024/2690 spells out security testing expectations for the digital infrastructure and digital service providers it covers. Threat-led penetration testing is a DORA obligation for financial entities rather than a general NIS2 requirement, but regular penetration tests against your critical systems remain the most convincing evidence of effectiveness a KRITIS operator can show.

Internal audits verify that documented procedures are actually followed. Review evidence of control operation, interview personnel about their practices, and identify gaps between documented and actual security posture. Document findings and track remediation of identified issues.

Evidence collection for compliance verification should be ongoing rather than a pre-audit scramble. Implement systems that automatically capture evidence of control operation, maintain audit trails, and organize documentation for regulatory review. When an inspection occurs, you should be able to produce evidence quickly because you have been collecting it all along.

Step 7: How Do You Maintain Continuous Compliance?

NIS2 compliance is not a one-time project. It requires ongoing attention to maintain your security posture as your organization and the threat landscape evolve.

Monitor regulatory changes that might affect your obligations. The Commission may issue additional implementing acts. German authorities may release updated guidance. Your responsibilities may change as the regulatory framework matures.

Track threat intelligence relevant to your sector. New attack techniques, vulnerabilities in products you use, and incidents at peer organizations all provide information that should inform your risk assessment and security measures.

Integrate lessons learned from your own incidents, near misses, and exercises. Every incident response provides opportunities to improve. Document what worked, what did not, and what you will change for next time.

Conduct periodic reassessments of your risk posture. Annual comprehensive risk assessments at minimum, with more frequent updates when significant changes occur. Your risk register should be a living document that reflects current reality, not a snapshot from months ago.

How Does ISO 27001 Certification Support NIS2 for KRITIS?

If you already have ISO 27001 certification, you have a substantial foundation for NIS2 compliance. The frameworks overlap significantly, and work you have already done transfers directly.

ISO 27001 addresses approximately 70 to 80 percent of NIS2 requirements. Your information security management system, risk assessment processes, control implementation, and internal audit procedures all apply. The documentation disciplines you developed for ISO 27001 certification prepare you for NIS2's evidence requirements.

However, certification alone does not equal compliance. Specific gaps remain that you must address separately.

Incident reporting timelines under NIS2 are stricter and more specific than anything ISO 27001 requires. Your incident management process needs enhancement to support 24-hour early warnings and the specific notification stages NIS2 requires.

Management liability provisions in NIS2 go beyond ISO 27001's leadership requirements. You need explicit documentation of management approval for security measures, evidence of ongoing oversight, and records of management training completion.

Registration requirements with national authorities have no ISO 27001 equivalent. You must complete the BSI registration process regardless of your certification status.

Supply chain requirements in NIS2 are more explicit and demanding than ISO 27001's supplier management controls. You likely need to enhance your third-party risk assessment and monitoring procedures.

The practical approach is to use ISO 27001 as your implementation framework while adding NIS2 specific elements. Many organizations find this more efficient than building separate compliance programs for each requirement.

What Penalties Apply for NIS2 Non-Compliance?

The consequences of failing to meet NIS2 obligations are severe enough that they should drive urgency in your implementation. This is not an area where risk-acceptance makes business sense.

Financial penalties scale with company size. For essential entities, which include KRITIS operators, maximum fines reach €10 million or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4 percent of total worldwide annual turnover.

These percentages matter for large organizations. At €500 million in annual turnover the two figures coincide at €10 million; above that the percentage dominates, so a KRITIS operator with €1 billion in turnover faces a maximum fine of €20 million. This is not a rounding error that can be absorbed as a cost of doing business.

Beyond financial penalties, regulators can impose binding instructions, mandatory audits, public disclosure of violations, and temporary suspension of certifications. For essential entities, regulators can also temporarily ban executives from management positions, a career ending consequence.

Personal liability for executives adds another dimension of risk. Under German implementation, management body members who fail to fulfill their approval and oversight obligations can be held personally liable for resulting damages. This liability cannot be waived by the company, meaning D&O insurance becomes critically important but may have exclusions that limit coverage.

Proactive supervision applies to essential entities. Regulators can audit you at any time without waiting for an incident or complaint to trigger investigation. This contrasts with important entities, which face investigation only when problems emerge. As a KRITIS operator classified as essential, you should expect regulatory attention regardless of your incident history.

Frequently Asked Questions About NIS2 for KRITIS

Does Existing KRITIS Compliance Satisfy NIS2 Requirements?

Not entirely. Your KRITIS compliance provides a foundation, but NIS2 adds requirements in governance, incident reporting, supply chain security, and documentation that go beyond what KRITIS specified. Think of NIS2 as building on KRITIS rather than replacing it. You must meet both sets of requirements, and the areas where NIS2 is more demanding require specific attention.

When Did German NIS2 Law Take Effect?

The NIS2 Implementation Act (NIS2UmsuCG) entered into force in December 2025, after Germany missed the EU transposition deadline of 17 October 2024. Registration deadlines and compliance obligations are now in effect. Organizations that have not begun implementation are already behind the regulatory timeline.

Can ISO 27001 Certification Demonstrate NIS2 Compliance?

Partially. ISO 27001 certification provides documented evidence of security practices that address most NIS2 requirements. However, you need additional measures for NIS2 specific elements including incident reporting timelines, management liability documentation, registration with authorities, and explicit supply chain security requirements. Certification helps significantly but does not eliminate the need for NIS2 specific implementation work.

How Long Does NIS2 Implementation Take for KRITIS Operators?

For organizations starting with established security programs including KRITIS compliance and ISO 27001 certification, expect 2 to 4 months of focused effort to close NIS2 specific gaps, with dedicated time and resources. Organizations starting from minimal security maturity should plan for 6 to 12 months of comprehensive implementation work. The timeline depends heavily on your starting position and the resources you can dedicate.

What Should KRITIS Operators Do First?

Confirm your classification by documenting your KRITIS status and mapping it to NIS2 entity definitions. Complete BSI registration within required timeframes. Conduct a gap assessment against NIS2's ten security domains. Brief your management body on their personal liability and approval obligations. Prioritize incident response capabilities because the 24-hour reporting requirement is operationally demanding. Start supply chain assessment early because it takes time to evaluate and contract with suppliers.

Moving Forward with NIS2 Implementation

NIS2 compliance is mandatory, not optional. The question is not whether to implement but how to implement efficiently while achieving genuine security improvement rather than mere checkbox compliance.

For KRITIS operators, the path forward builds on what you have already established. Your existing security programs, risk assessment processes, and regulatory experience provide a foundation. The work ahead involves closing specific gaps, enhancing governance structures, and building operational capabilities for faster incident response.

The organizations that approach NIS2 strategically will emerge with stronger security postures and clearer compliance documentation. Those that delay or treat compliance as a checkbox exercise will face regulatory scrutiny, potential penalties, and security gaps that real attackers will exploit.

Start with scope determination and gap analysis. Brief your executives on their personal obligations. Prioritize the operational capabilities that NIS2 demands, particularly 24-hour incident reporting. Build from your existing ISO 27001 and KRITIS foundations rather than starting from scratch. Document everything because evidence of compliance matters as much as compliance itself.

The deadline is not coming. It has arrived, and the authorities are already enforcing it. What you do now determines whether you meet the requirements or fall short.

Kertos provides compliance automation built specifically for European requirements, including NIS2 for KRITIS operators. Our platform reduces implementation effort by 80% compared to manual approaches, with prebuilt templates for German regulatory requirements and integrated evidence collection for audit readiness.

Start with your free NIS2 assessment and check if your company is impacted by the new EU directive.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!



Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
