NIS2 Compliance

Implement NIS2 Efficiently, Leverage AI Act Synergies – Build Trust and Competitive Advantages with ISO 27001/42001

From applicability analysis through governance and technology to audit-ready implementation – efficient, integrated, and compliant with the regulation. Per the German Federal Government's decision, the NIS2 directive came into force in Germany on December 6, 2025.

10 Requirements of the NIS2 Directive

The EU NIS2 directive ensures responsible cybersecurity, protecting companies and consumers from cyberattack risks without hindering digital innovation and competitiveness.

With the NIS2 directive, the EU is tightening cybersecurity requirements for companies and organizations in critical and important sectors. For affected companies, this means: expanded obligations, stricter liability, and higher fines.

  • 10 minimum measures per Art. 21
  • 18 affected sectors in the EU
  • €10M maximum fine for violations

Background

Why do we need NIS2?

Cyber attacks on critical infrastructure hit supply, the economy, and trust alike. NIS2 establishes a unified European framework to address these risks in a binding way.

Goals

  • Cybersecurity and consumer protection
  • Unified reporting obligations at federal and EU level
  • Risk management and supply chain security
  • Preventing attacks through technical measures such as MFA

Attack types

  • Extortion (ransomware, e.g. WannaCry)
  • Espionage (state actors, e.g. Stuxnet)
  • Sabotage (disrupting supply chains)
  • Data manipulation (falsified measurements, targeted disruption)

Consequences of attacks

  • Service outages
  • Economic damage in the billions
  • Threats to human life
  • Loss of trust in institutions

NIS2 & ISMS — live talk (video, YouTube · VamiSec)

Operational implementation of NIS2 based on ISO/IEC 27001 — gap analysis, governance, supply chain, and audit preparation in practice.

Art. 21 NIS2

10 Minimum Measures of the NIS2 Directive

The NIS2 directive defines ten mandatory minimum measures that every affected company must demonstrably implement.

  01. Risk analysis & IT security concepts
  02. Incident management
  03. Crisis management & business continuity
  04. Supply chain security
  05. Cyber hygiene & training
  06. Cryptography & encryption
  07. MFA & emergency communication
  08. Access control & asset management
  09. Secure system development & maintenance
  10. Effectiveness assessment of measures

Scope

10 critical sectors

NIS2 covers entities from ten sectors of particular societal and economic importance — across industries, from energy to public administration.

  • Water
  • Energy
  • Health
  • Transport
  • Digital infrastructure
  • Public administration
  • Space
  • Finance
  • Food & agriculture
  • Chemical industry

Incident Response

Notification obligations for security incidents

NIS2 mandates a binding three-stage reporting corridor — from early warning to final report. The deadlines start when the incident becomes known.

  • 24 h — Early warning: initial notification to BSI/authority — nature and presumed cause, affected services, and cross-border impact.
  • 72 h — Incident report: detailed assessment — severity, impact, containment measures taken, and indicators of compromise (IoCs).
  • 1 month — Final report: complete analysis — root cause, course of events, final impact, and protective and improvement measures taken.

NIS2 Compliance — legally secure & practical.

VamiSec supports you in implementing all NIS2 requirements – from gap analysis to audit-ready management systems.

Our Services

Your NIS2 Compliance at a Glance

NIS2 Gap Analysis

With the NIS2 gap analysis, we identify existing gaps between your ISMS and the EU NIS2 directive requirements. We examine all relevant areas, from risk management to incident reporting and supply chain documentation obligations. We also consider ISO 27001 and AI Act requirements to leverage synergies.

Governance Structure & Responsibilities

Building clear responsibilities and decision-making pathways. NIS2 requires management accountability, training, and personal liability – we support you in building a robust NIS2 governance structure that can be combined with ISO 27001 and AI Act requirements.

Synergistic Integration Concept

Integrating NIS2 requirements into your existing ISMS per ISO 27001 and your AI management system (KIMS) per ISO 42001 – with a focus on efficiency and reuse of existing structures (asset, risk, and supplier management, policies, awareness, audits). This creates an integrated approach that also covers the AI Act.

Technology & Organization in Harmony

Implementing proven security measures from ISO 27001 combined with NIS2-specific controls, training, and reporting obligations. These synergies facilitate the parallel fulfillment of AI Act and NIS2 requirements.

Operations & Improvement

Establishing an integrated, audited, and auditable management system for continuous improvement and sustainable NIS2 readiness.

Integrated NIS2 & AI Act Implementation

Rather than treating NIS2 and EU AI Act in isolation, we pursue an integrated approach that unifies governance, risk, audit, and reporting processes. This creates scalable compliance structures that meet regulatory requirements while remaining operationally viable.

Standards & Frameworks

Integrated into Your Existing Compliance Structures

Kertos, OneTrust, Vanta, TrustSpace, InterValid, ServiceNow, Atlassian, Drata, Secfix, ISMS.online, Wiz, Microsoft Purview, SAP GRC, RSA Archer, MetricStream, LogicGate, Qualys, Compliance.ai, NAVEX Global, Diligent

5-Step Process

Our Synergistic Approach – in 5 Steps

01 — NIS2 Gap Analysis

We identify existing gaps between your ISMS and the EU NIS2 directive requirements, examining all relevant areas including risk management, incident reporting, and supply chain documentation.

02 — Governance Structure & Responsibilities

Building clear responsibilities and decision-making pathways. NIS2 requires management accountability, training, and personal liability.

03 — Synergistic Integration Concept

Integrating NIS2 requirements into your existing ISMS per ISO 27001 and KIMS per ISO 42001, with a focus on efficiency and reuse of existing structures.

04 — Technology & Organization in Harmony

Implementing proven measures from ISO 27001 combined with NIS2-specific controls, training, and reporting obligations.

05 — Operations & Improvement

Establishing an integrated, audited, and auditable management system for continuous improvement and sustainable NIS2 readiness.

EU-Wide Cybersecurity — Your Competitive Advantage.

Strong NIS2 compliance strengthens the trust of your customers, partners, and regulatory authorities.

Visual Overview

NIS2 & ISO 27001 — Integrated Implementation

Overview of NIS2 requirements mapped to ISO 27001 controls and the integrated management system.

[Figure: Integrated implementation of NIS2 and AI Act]

Regulatory Roadmap

Deadlines and milestones for NIS2, AI Act, CRA, and ISO 27001 at a glance.

[Figure: Regulatory roadmap Gantt chart — AI Act, NIS2, CRA, ISO 27001]

NIS2 Compliance

Fines under NIS2 Art. 34

Harmonized fines under NIS2 (Art. 34)

The NIS2 directive introduces a unified European fines regime that significantly tightens previous national practice. Entities that fail to meet their statutory obligations face substantial financial sanctions.

Annex I

Essential entities

Entities from the sectors in Annex I (e.g. energy, transport, health, digital infrastructure) face the highest fines:

  • up to €10M, or
  • 2 % of global annual turnover

Whichever is higher applies.

Annex II

Important entities

Entities from the Annex II sectors also face substantial sanctions:

  • up to €7M, or
  • 1.4 % of global annual turnover

Whichever is higher applies.

This split derives from Art. 3 in conjunction with Annexes I and II of the NIS2 directive. In Germany, implementation is via the NIS2UmsuCG (§ 60).

Compliance Services

Our Services for Your NIS2 Compliance

  • NIS2 applicability analysis
  • Gap analysis & action plan
  • ISMS setup per ISO 27001
  • Risk management & asset inventory
  • Incident response processes
  • Reporting obligations & authority communication
  • Supply chain security assessment
  • Management & employee training
  • Certification preparation
  • Audit support
  • Integrated NIS2 & AI Act implementation
  • Business continuity management

Personal Liability of Management

NIS2 directly obligates management: governing bodies must approve risk management measures, oversee their implementation, and participate in regular cybersecurity training. Violations can result in fines of up to EUR 10 million or 2% of global annual revenue.

Timeline

NIS2 timeline

From political agreement to national implementation — the key milestones of the NIS2 directive.

Dec 13, 2022

Political agreement

EU Council and Parliament agree on the final NIS2 text.

Jan 16, 2023

Directive enters into force

NIS2 officially enters into force; the 21-month period for national implementation begins.

Jul 3, 2024

Federal Cabinet approval

Germany’s NIS2 implementation act (NIS2UmsuCG) is approved by the Cabinet.

Nov 13, 2025

Bundestag passes the law

The Bundestag adopts the implementation act including obligations and supervisory structure.

Dec 6, 2025

National implementation effective

NIS2 obligations apply bindingly in Germany to all covered entities.

Practice

Key challenges

Four areas where organizations typically have the biggest NIS2 gaps — and what we see most often in the field.

Management responsibility & governance

NIS2 obligates executive management to establish clear responsibility, decision-making capability, and demonstrable steering — with personal liability risks.

Risk management & technical measures

A complete, traceable risk register and comprehensive technical safeguards along the ISO/IEC 27001 and NIS2 minimum requirements.

Supply chain & third-party risks

Assessment and protection of service providers and cloud and IT vendors, with contractual requirements and continuous monitoring.

Incident response, BCM & reporting

Meeting the 24h / 72h / 1-month deadlines and operating BCP/DRP structures with regular exercises.

Audit readiness

Definition of Done for controls

A NIS2 control is only "done" once it has passed all four stages — documented, operational, demonstrable, and effective.

01 — Policy approved

Documented, versioned, approved by management, and communicated to the workforce.

02 — Process anchored in the ISMS

Operationally implemented, mapped in systems, standardized, and repeatable.

03 — Evidence created

Evidence generated, versioned, centrally stored, and archived in an audit-proof manner.

04 — KPI & effectiveness reviewed

Effectiveness measured via KPIs — deviations automatically trigger escalation.

Protect Your Organization Now!

Contact us for an individual consultation and security solution tailored to your requirements.

Valeri Milke, CEO of VamiSec

"Only when all instruments are well-tuned does your organization become secure and compliant."