SaaSFort

NIS2 Compliance Guide for German SMBs: What You Must Do in 2026

NIS2 compliance guide for German SMBs: BSI registration, Article 21 requirements, and how to prove compliance without a security team.

SaaSFort · 7 min read

The NIS2UmsuCG — Germany’s transposition of the EU NIS2 Directive — entered into force on December 6, 2025. The BSI registration deadline passed on March 6, 2026. Enforcement is active.

If your company has 50+ employees, or more than €10M in both annual turnover and balance sheet total, and operates in one of the 18 regulated sectors, you are likely in scope. Roughly 29,000 German companies now face mandatory cybersecurity obligations that did not exist 12 months ago.

This guide covers who’s affected, what Article 21 requires, and how to build compliance evidence without hiring a consultant or spending six months on paperwork.


Who Is in Scope?

NIS2 introduces two entity categories with different obligations and fine structures:

Category                        | Criteria                                                                                              | Maximum fine
--------------------------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------------------
Particularly important entities | 250+ employees, or more than €50M turnover and €43M balance sheet total, in an Annex I (critical) sector | €10M or 2% of global annual turnover, whichever is higher
Important entities              | 50+ employees, or more than €10M turnover and €10M balance sheet total, in an Annex I or Annex II sector, and not already particularly important | €7M or 1.4% of global annual turnover, whichever is higher

Critical Sectors (Annex I)

Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.

Important Sectors (Annex II)

Postal services, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, search engines, social platforms), research.

Key point: If you provide SaaS, cloud infrastructure, or managed IT services to companies in these sectors, their supply chain security obligation (Article 21.2(d)) is passed down to you through vendor assessments and contract clauses, even if your own company is not directly regulated. Our NIS2 vendor compliance checklist covers exactly what SaaS vendors need to demonstrate to NIS2-regulated buyers.


What Article 21 Requires: 10 Mandatory Measures

Article 21(2) of NIS2 lists 10 risk management measures, lettered (a) to (j), that every in-scope entity must implement. These are not optional recommendations: they carry legal weight, and the BSI or an auditor acting for it will ask for documented evidence of each one.

Technical Measures

Measure | Requirement                                                                                                  | What auditors look for
--------|--------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------
21.2(e) | Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure | Firewall rules, TLS configuration, security headers, attack surface monitoring, a documented vulnerability management process, scan evidence, patch timelines
21.2(f) | Policies and procedures to assess the effectiveness of the risk management measures                         | Recurring scan results, internal audit or review records, metrics showing that controls are checked rather than assumed
21.2(h) | Policies and procedures on the use of cryptography and, where appropriate, encryption                         | A written crypto policy; TLS 1.2+ enforcement, valid certificates, HTTPS on all endpoints
21.2(j) | Multi-factor or continuous authentication, secured voice, video and text communication, secured emergency communication | MFA enabled on all admin and privileged accounts; protected internal communication channels

Organisational Measures

Measure | Requirement                                                                             | What auditors look for
--------|-----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------
21.2(a) | Policies on risk analysis and information system security                               | Written security policy, risk register, regular risk assessments
21.2(b) | Incident handling                                                                       | Incident response plan; 24-hour early warning to the BSI, 72-hour incident notification, final report within one month
21.2(c) | Business continuity (backup management, disaster recovery) and crisis management        | Backup policy, disaster recovery plan, tested restoration procedures
21.2(d) | Supply chain security, including the relationship with direct suppliers and service providers | Vendor inventory, third-party risk assessments, contractual security requirements (see our vendor security assessment checklist)
21.2(g) | Basic cyber hygiene practices and cybersecurity training                                | Security awareness programme, documented training records
21.2(i) | Human resources security, access control policies and asset management                  | Role-based access, onboarding/offboarding procedures, access reviews, asset inventory

Management Liability: Why This Is Personal

NIS2 introduces personal liability for management. Under the NIS2UmsuCG, C-level executives and board members can be held accountable if their organisation fails to implement adequate cybersecurity measures.

This changes the compliance conversation fundamentally. NIS2 is not an IT project — it’s a board-level obligation. Management must:

  • Approve the cybersecurity risk management measures
  • Oversee their implementation
  • Complete cybersecurity training themselves
  • Accept liability for non-compliance

The 5-Step Compliance Path for SMBs

Most German SMBs don’t have a CISO, a GRC platform, or a six-figure consulting budget. Here’s a practical path that works with the resources you actually have.

Step 1: Confirm Your Scope

Check your employee count, turnover, balance sheet total, and sector against the NIS2 criteria above. The BSI offers an online self-check (the NIS-2-Betroffenheitsprüfung) for exactly this question. When in doubt, assume you are in scope: the BSI takes a broad interpretation.

For a broader practical checklist that covers the technical baseline every SMB should verify, see our SMB security checklist for 2026.

Step 2: Run a Technical Baseline Scan

Before writing policies, understand your current security posture. An automated external scan reveals:

  • TLS/certificate issues (Article 21.2h)
  • Missing security headers (Article 21.2e)
  • DNS misconfigurations
  • Exposed services and open ports

This gives you an objective starting point — not a self-assessment, but verifiable evidence.

Step 3: Map Gaps to Article 21

Take your scan results and map each finding to the corresponding Article 21 measure. This creates your remediation priority list, ranked by regulatory impact rather than just technical severity.

Step 4: Fix Critical Gaps First

Focus on what auditors will check first. Enterprise buyers run the same checks during vendor reviews; our NIS2 vendor assessment guide explains what procurement teams look for.

  1. TLS 1.2+ everywhere — no legacy protocols
  2. Security headers — HSTS, X-Frame-Options, Content-Security-Policy, X-Content-Type-Options
  3. Incident response plan — documented, with BSI notification procedures
  4. Access control — MFA on all admin accounts
  5. Backup verification — tested restoration within your stated RTO

Step 5: Generate Audit-Ready Evidence

Auditors want reproducible, dated evidence rather than screenshots or verbal assurances. You need:

  • Timestamped scan reports showing compliance status
  • Documented policies with version control
  • Evidence of continuous monitoring (not just annual audits)
  • Training completion records

How SaaSFort Automates NIS2 Compliance

SaaSFort scans your domain in under 60 seconds and maps every finding to NIS2 Article 21 measures — plus ISO 27001 Annex A controls. No setup, no questionnaires, no consultant calls.

What you get:

  • 31 automated security checks covering TLS/PKI, DNS, HTTP headers, and more
  • NIS2 Article 21 compliance mapping on every finding
  • ISO 27001 Annex A cross-references for dual-framework coverage
  • Audit-ready PDF report you can hand directly to BSI auditors or enterprise buyers
  • Continuous monitoring — not a one-time snapshot

Pricing starts at €9/month. That’s less than one hour of consultant time.

Run your free NIS2 compliance scan now


Key Deadlines and Numbers

Item                                    | Status
----------------------------------------|------------------------------------
NIS2UmsuCG in force                     | ✅ December 6, 2025
BSI registration deadline               | ⚠️ Expired: March 6, 2026
Enforcement                             | 🔴 Active
German entities in scope                | ~29,000
Maximum fine (particularly important)   | €10M or 2% of global turnover
Management personal liability           | Yes


Frequently Asked Questions

Q: Does NIS2 apply to all German companies?

No. NIS2 applies to companies with 50+ employees, or more than €10M in both annual turnover and balance sheet total, that operate in one of 18 regulated sectors (11 critical, 7 important). However, supply chain obligations mean that even smaller companies may need to demonstrate NIS2-aligned security practices if they provide services to in-scope entities. The BSI estimates approximately 29,000 German companies are directly in scope.

Q: What happens if my company fails to comply with NIS2 in Germany?

The BSI can impose fines of up to €10M or 2% of global annual turnover for particularly important entities, and up to €7M or 1.4% for important entities. Beyond fines, NIS2 introduces personal liability for management — C-level executives can be held individually accountable for inadequate cybersecurity measures. The BSI can also order specific remediation actions and conduct audits.

Q: Has the BSI registration deadline already passed?

Yes. The BSI registration deadline was March 6, 2026. If your company is in scope and has not yet registered, you should do so immediately — late registration is accepted but may trigger additional scrutiny. Enforcement is active, meaning the BSI can initiate audits and impose penalties now.

Q: Can I achieve NIS2 compliance without hiring a dedicated CISO?

Yes, but you need to be systematic. Start with an automated technical baseline scan to identify your current gaps, then map findings to the 10 Article 21 measures. Use compliance automation tools for continuous monitoring rather than manual audits. Many SMBs designate an existing IT lead as the responsible person and supplement with external scanning tools and occasional consultant reviews for policy documentation.

Q: How does NIS2 relate to ISO 27001?

NIS2 Article 21 measures map closely to ISO 27001 Annex A controls. If you are already ISO 27001 certified, you have a strong foundation for NIS2 compliance, but NIS2 adds specific requirements that ISO 27001 does not cover: statutory incident notification timelines (24-hour early warning, 72-hour incident notification, final report within one month to the BSI) and personal management liability. Many organizations pursue both simultaneously since the control overlap is commonly estimated at 70-80%.

If you’re a German SMB wondering whether you’re compliant: you probably have gaps. Most companies do — BSI’s own data suggests 67% of German SMBs have critical HTTP security header issues.

The fastest way to find out is to scan your domain. It takes 60 seconds, costs nothing, and gives you a concrete list of what needs fixing — mapped to the exact NIS2 measures your auditors will check.

Start your free scan at saasfort.com

From theory to practice

Scan your domain for free. First results in under 10 seconds, no registration required.

Start free scan