Germany’s NIS2 transposition (NIS2UmsuCG) is law since December 6, 2025. The BSI registration deadline expired on March 6, 2026. Full enforcement hits October 2026 — seven months from now.
29,000 German companies are in scope. Most don’t have a CISO or a GRC platform. If that’s you, this checklist is your compliance roadmap.
Each step maps to a specific NIS2 Article 21 measure. Skip the consultant — start here.
Who Needs This Checklist?
NIS2 applies if your company meets both conditions:
- Size threshold: 50+ employees OR €10M+ annual revenue
- Sector: one of 18 regulated industries (energy, transport, healthcare, digital infrastructure, manufacturing, food, chemicals, and more)
Even if you fall below these thresholds, NIS2 obligations cascade through supply chains. If you provide SaaS or IT services to an in-scope company, expect their procurement team to audit your security posture. Our NIS2 SaaS vendor compliance checklist covers the vendor-side requirements in detail.
| Category | Size Criteria | Max Fine |
|---|---|---|
| Particularly important entities | 250+ employees OR €50M+ revenue | €10M or 2% global turnover |
| Important entities | 50+ employees OR €10M+ revenue | €7M or 1.4% global turnover |
The 10-Step NIS2 Compliance Checklist
Step 1: Confirm Scope and Register with BSI
Article: NIS2UmsuCG §33-34 | Effort: 1-2 hours
Check your employee count, revenue, and NACE sector code against the BSI’s scope criteria. If you’re in scope and haven’t registered yet, do it immediately — the deadline was March 6, 2026, but late registration is accepted.
Action items:
- Verify your NACE sector code at the Federal Statistical Office
- Register via the BSI’s online portal
- Designate a contact person for BSI communications
- Document your scope assessment rationale (keep it — auditors ask for this)
Tip: When in doubt, register. The BSI interprets scope broadly, and failing to register when required carries its own penalties.
Step 2: Run an External Security Baseline Scan
Article 21 measures: 21.2e (network security), 21.2h (cryptography) | Effort: 5 minutes
You can’t fix what you can’t measure. Before writing a single policy document, scan your public-facing infrastructure to find out where you actually stand.
An automated external scan reveals TLS misconfigurations, missing security headers, DNS issues, exposed services, and certificate problems — all of which map directly to Article 21 requirements.
Action items:
- Scan your primary domain and all customer-facing subdomains
- Document the baseline score and findings
- Export the report for your compliance file
SaaSFort runs 60 security checks across 21 categories in under 60 seconds, with each finding mapped to NIS2 Article 21 and ISO 27001 controls. Run your free scan now — the report becomes your first compliance artifact.
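To make the baseline idea concrete, here is an added example (written for this article, not SaaSFort's scanner) that evaluates a constructed set of HTTPS response headers and a certificate expiry date and tags each finding with the Article 21 measures listed for this step; the header values, the certificate date and the scan time are all constructed sample data, and the one-year HSTS threshold and 30-day expiry warning are assumed scanner defaults.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample input (not a real host): response headers as a scanner would
# collect them, and "notAfter" in the string format ssl.getpeercert() reports.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
}
SAMPLE_CERT = {"notAfter": "Mar 20 12:00:00 2026 GMT"}
SAMPLE_NOW = datetime(2026, 3, 6, tzinfo=timezone.utc)  # constructed scan time

def check_headers(headers):
    """Return (finding, Article 21 measure) pairs for missing or weak headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("HSTS header missing", "21.2h"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 31536000:  # assumed minimum: one year
            findings.append(("HSTS max-age below one year", "21.2h"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy missing", "21.2e"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options not set to nosniff", "21.2e"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("No clickjacking protection (X-Frame-Options/frame-ancestors)", "21.2e"))
    if re.search(r"\d", h.get("server", "")):
        findings.append(("Server header discloses software version", "21.2e"))
    return findings

def days_until_expiry(cert, now):
    """Days left on the certificate, parsed from the getpeercert()-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def baseline_report(headers, cert, now, warn_days=30):
    """Timestamped baseline record: header findings plus a certificate-expiry alert."""
    findings = check_headers(headers)
    days = days_until_expiry(cert, now)
    if days < warn_days:
        findings.append((f"Certificate expires in {days} days", "21.2h"))
    return {"scanned_at": now.isoformat(), "cert_days_left": days, "findings": findings}
```

Saving the returned dictionary as JSON on every run gives the timestamped, Article 21-mapped evidence trail that Step 10 asks for.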
Step 3: Write Your Information Security Policy
Article 21 measure: 21.2a (risk analysis and security policies) | Effort: 4-8 hours
BSI auditors expect a formal, written security policy approved by management: a 5-10 page document covering your approach to risk management, asset classification, and security responsibilities.
Minimum content:
- Security objectives and scope
- Roles and responsibilities (who owns what)
- Risk assessment methodology
- Acceptable use rules
- Review schedule (minimum annual, quarterly is better)
Don’t overthink this. A clear, honest 8-page policy beats a 60-page document nobody reads.
Step 4: Build Your Incident Response Plan
Article 21 measure: 21.2b (incident handling) | Effort: 4-6 hours
NIS2 has non-negotiable incident reporting timelines:
| Deadline | Requirement |
|---|---|
| 24 hours | Early warning to BSI after becoming aware of a significant incident |
| 72 hours | Full incident notification with initial assessment |
| 1 month | Final report with root cause analysis and remediation |
Action items:
- Define what constitutes a “significant incident” for your organization
- Create an escalation matrix (who calls whom, in what order)
- Draft notification templates for BSI reporting
- Test the plan with a tabletop exercise at least once before October 2026
- Establish a communication plan for affected customers
Step 5: Document Business Continuity and Backup Procedures
Article 21 measure: 21.2c (business continuity) | Effort: 3-5 hours
Auditors want specific numbers, not vague assurances. Define your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each critical system.
Action items:
- List all critical systems and their dependencies
- Set RTO and RPO targets for each
- Document backup frequency, retention, and encryption method
- Verify backup restoration works (run a test restore)
- Store backups in a separate location from production
Step 6: Assess Your Supply Chain
Article 21 measure: 21.2d (supply chain security) | Effort: 4-8 hours
NIS2 requires you to assess the security posture of your suppliers — SaaS tools, cloud providers, payment processors, everyone who touches your data or infrastructure.
Action items:
- Create an inventory of all third-party services and subprocessors
- Classify each by data access level (critical, standard, minimal)
- Request security documentation from critical suppliers
- Add security requirements to vendor contracts
- Schedule annual vendor reviews
For practical guidance on building a vendor assessment process, see our vendor security assessment checklist and the third-party risk management checklist.
Step 7: Enforce Multi-Factor Authentication
Article 21 measure: 21.2j (MFA and secure communication) | Effort: 2-4 hours
MFA on all admin and privileged accounts is a baseline expectation. SMS-based MFA is considered weak — use TOTP apps or hardware keys.
Action items:
- Enable MFA on all admin accounts (cloud, email, code repos, infrastructure)
- Enforce MFA for all employees accessing sensitive systems
- Document your MFA policy and exception process
- Disable SMS as an MFA factor where possible
Step 8: Implement Vulnerability Management
Article 21 measure: 21.2f (vulnerability handling and disclosure) | Effort: 3-6 hours setup, then ongoing
You need a documented process for finding, triaging, and fixing vulnerabilities — with defined timelines.
Recommended SLAs:
| Severity | Remediation Target |
|---|---|
| Critical (CVSS 9.0+) | 24 hours |
| High (CVSS 7.0-8.9) | 7 days |
| Medium (CVSS 4.0-6.9) | 30 days |
| Low (CVSS 0.1-3.9) | 90 days |
Action items:
- Set up automated scanning (external + dependency) on a weekly schedule
- Publish a security.txt file per RFC 9116
- Create a responsible disclosure page
- Track vulnerabilities in a central register with SLA compliance metrics
For a deeper breakdown, see our vulnerability management guide.
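The "central register with SLA compliance metrics" from the action items can be a small script rather than a GRC platform. The following is an added example written for this article (not part of the original or of any vendor tool): it applies the severity bands and remediation targets from the SLA table above to a constructed register of findings, computes each finding's due date, and reports overdue items and the SLA compliance rate; the finding IDs, scores, dates and the reporting date are all constructed sample values.

```python
from datetime import date, timedelta

# Remediation targets in days, taken from the SLA table above.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}

# Constructed sample register (hypothetical IDs and dates, not real findings).
SAMPLE_REGISTER = [
    {"id": "VULN-001", "cvss": 9.8, "found": date(2026, 3, 1), "fixed": date(2026, 3, 1)},
    {"id": "VULN-002", "cvss": 7.5, "found": date(2026, 2, 20), "fixed": date(2026, 3, 2)},
    {"id": "VULN-003", "cvss": 5.3, "found": date(2026, 2, 10)},
    {"id": "VULN-004", "cvss": 3.1, "found": date(2025, 11, 1)},
]
SAMPLE_TODAY = date(2026, 3, 6)  # constructed reporting date

def severity(cvss):
    """Map a CVSS base score to the checklist's severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss >= 0.1 else "Informational"

def evaluate(register, today):
    """Annotate each finding with severity, due date and SLA status."""
    rows = []
    for f in register:
        sev = severity(f["cvss"])
        target = SLA_DAYS.get(sev)  # Informational findings carry no SLA
        due = f["found"] + timedelta(days=target) if target else None
        fixed = f.get("fixed")
        if due is None:
            status = "no-sla"
        elif fixed is not None:
            status = "met" if fixed <= due else "breached"
        else:
            status = "open" if today <= due else "overdue"
        rows.append({**f, "severity": sev, "due": due, "status": status})
    return rows

def sla_compliance(rows):
    """Percentage of closed findings fixed within target; None if nothing is closed yet."""
    closed = [r for r in rows if r["status"] in ("met", "breached")]
    if not closed:
        return None
    return round(100 * sum(r["status"] == "met" for r in closed) / len(closed), 1)

def overdue_ids(rows):
    """Open findings past their due date: the list to escalate to management."""
    return [r["id"] for r in rows if r["status"] == "overdue"]
```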
Step 9: Train Your Team
Article 21 measure: 21.2g (cybersecurity hygiene and training) | Effort: 2-3 hours setup
NIS2 requires documented training — and specifically requires management to complete cybersecurity training (Article 20).
Action items:
- Run annual security awareness training for all employees
- Conduct phishing simulation exercises (at least quarterly)
- Provide role-specific training for developers and IT staff
- Mandatory: ensure C-level and board members complete cybersecurity training
- Keep training completion records (auditors check these)
Step 10: Set Up Continuous Monitoring and Evidence Collection
Article 21 measure: 21.2a, 21.2e, 21.2f (ongoing) | Effort: 1-2 hours setup
Annual audits aren’t enough for NIS2. The BSI expects continuous risk management, which means ongoing monitoring with timestamped evidence.
Action items:
- Schedule automated security scans at minimum weekly
- Set up alerts for certificate expiry, TLS changes, and header modifications
- Maintain a compliance dashboard accessible to management
- Archive scan reports monthly for audit trail
SaaSFort’s continuous security monitoring generates timestamped, NIS2-mapped reports automatically — the kind of evidence BSI auditors actually accept.
Timeline: What to Do When
| Period | Priority Actions |
|---|---|
| Now (March 2026) | Register with BSI (if not done). Run baseline scan. Start security policy. |
| April-May 2026 | Complete incident response plan. Document business continuity. Assess supply chain. |
| June-July 2026 | Enforce MFA across all systems. Set up vulnerability management. Train team. |
| August-September 2026 | Enable continuous monitoring. Run tabletop exercise. Compile evidence package. |
| October 2026 | Full compliance required. BSI inspections begin. |
Management Liability: This Is Personal
NIS2 introduces personal liability for executives. Under the NIS2UmsuCG, C-level and board members face individual accountability for inadequate cybersecurity measures.
This isn’t just about fines for the company. Management must:
- Personally approve the cybersecurity risk management measures
- Oversee implementation (not just delegate to IT)
- Complete cybersecurity training themselves
- Accept liability for compliance failures
For more on management obligations and the broader regulatory framework, read our NIS2 compliance guide for German SMBs.
Cost Comparison: DIY vs. Consultant vs. Automated
| Approach | Cost | Time to Compliance | Ongoing Effort |
|---|---|---|---|
| External consultant | €15,000-€50,000 | 3-6 months | Annual re-engagement |
| In-house CISO hire | €80,000-€120,000/year | 2-4 months | Full-time role |
| Automated scanning + self-service policies | €9-€29/month | 2-4 weeks | 2-3 hours/month |
Most SMBs with 50-250 employees don’t need a full-time CISO for NIS2 compliance. An automated scanning tool for the technical baseline, combined with clear policy templates, covers 80% of what auditors check — at 1% of the consultant cost.
Frequently Asked Questions
My company has exactly 50 employees. Am I in scope?
Yes, if you meet the revenue threshold (€10M+) OR the employee threshold (50+) AND operate in a regulated sector. The thresholds are inclusive — 50 employees puts you in scope. Check both size criteria; meeting either one, together with the sector condition, is sufficient.
We registered late with BSI. What happens now?
Late registration is accepted. The BSI prioritizes getting organizations into the system over penalizing late registration. Register immediately and document the reason for delay. Focus your energy on implementing the Article 21 measures — that’s what auditors will actually assess.
Do we need ISO 27001 certification for NIS2?
No. ISO 27001 is not required by NIS2, but it helps significantly. About 70-80% of ISO 27001 Annex A controls map to NIS2 Article 21 measures. If you already have ISO 27001, you’re ahead — but you still need to address NIS2-specific gaps like incident notification timelines and management liability. See our ISO 27001 vendor certification guide for the full mapping.
What evidence does the BSI actually check during audits?
BSI auditors focus on: written security policies with management approval, incident response plans with documented test exercises, scan reports showing continuous monitoring, backup restoration test results, MFA enforcement evidence, training completion records, and supply chain assessment documentation. Timestamped, automated evidence carries more weight than manual spreadsheets.
Can a free security scan count as NIS2 evidence?
A single scan is a starting point, not compliance evidence. NIS2 requires continuous risk management. However, your initial scan report documents your baseline — which is exactly what auditors want to see as step one. Pair it with regular automated scans to build the ongoing evidence trail the BSI expects.
NIS2 compliance doesn’t require a six-figure budget. SaaSFort scans 60 security checks across 21 categories, maps findings to NIS2 Article 21, and generates audit-ready reports — starting at €9/month. Start your free compliance scan.
From reading to action
Scan your domain for free. First results in under 10 seconds — no registration required.