Implement NIS2 compliance in 8 structured steps: from the applicability assessment through risk management and technical measures to security culture.
The NIS2 implementation law (NIS2UmsuCG) has been in force since December 2025. Around 29,500 companies in Germany must now take action. The good news: NIS2 compliance can be built in 8 structured steps. The Pre-Check from NIS2Compass shows where your organization stands today. The NIS2 Guide then walks you through the entire implementation path.
The NIS2 requirements are extensive, but manageable with a structured approach. 8 chapters cover the entire compliance path: from the applicability assessment through technical measures to security culture. The key is not to get stuck on individual measures, but to understand the overall path.
Since the law entered into force on December 6, 2025, all obligations apply without any transition period. The BSI registration deadline expired on March 6, 2026. Companies that have not yet registered already face potential fines.
The 8 chapters at a glance: Applicability and Registration, Risk Management, Technical Security Measures, Incident Management and Reporting Obligations, Governance and Accountability, Supply Chain Security, Business Continuity, and Training and Awareness. This structure follows the requirements of the NIS2UmsuCG and forms a complete implementation path.
Implement NIS2 step by step
NIS2Compass guides you step by step through implementation, with guide, templates and knowledge hub.
Before you begin, you should clarify two questions: Am I affected by NIS2? And if so, where do I stand today? The Pre-Check from NIS2Compass provides an initial assessment in just a few minutes.
A typical scenario: a manufacturing company with 150 employees faces exactly this situation. No information security officer, no asset inventory, no defined reporting processes. The IT department of six staff has NIS2 as yet another topic on its plate.
With a structured 8-chapter path, implementation can be completed in approximately six months. The typical hurdles: missing documentation of existing measures and getting management buy-in. The result: a functioning security management system, completed BSI registration, and documented processes for when incidents occur.
Whether your organization falls under the NIS2 implementation law depends on two factors: sector and company size. Organizations with 50 or more employees or EUR 10 million in annual revenue in one of the 14 regulated sectors are affected. BSI registration is mandatory for all affected companies.
The BSIG distinguishes between Annex 1 (sectors of high criticality, e.g. energy, healthcare, transport) and Annex 2 (other critical sectors, e.g. food, chemicals). Depending on the annex and on company size, your organization qualifies as an "essential entity" or an "important entity," which determines the scope of your obligations and the applicable fine tier.
To register with the BSI, you need an ELSTER certificate and a MUK account. The BSI applicability check helps with the initial classification. The registration deadline expired on March 6, 2026. A detailed explanation of NIS2 applicability can be found in the article Am I affected by NIS2?.
Risk management forms the foundation of NIS2 compliance. Before implementing measures, you need to know which assets require protection, which threats exist, and where gaps to the legal requirements remain. Only this analysis enables targeted investments.
The process follows four steps:
Create an asset inventory: Record all IT systems, applications, and data flows.
Conduct a threat analysis: Identify relevant risks for your industry and infrastructure.
Build a risk matrix: Assess likelihood and impact, then set priorities.
Gap assessment: Compare your current state against the legal requirements.
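The risk matrix in step 3 is where most organizations lose time arguing about numbers, so here is a compact worked version. This is an added example, not material from NIS2Compass or the law: the 5x5 scale, the band thresholds, the rule that a severe-impact risk is never ranked below "high", and the sample inventory are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed 1..5 rating scales (not prescribed by the BSIG; pick and document your own).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1..5, see LIKELIHOOD
    impact: int      # 1..5, see IMPACT


def risk_score(likelihood: int, impact: int) -> int:
    """Classic matrix score: likelihood x impact, after validating both ratings."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating must be between 1 and 5, got {value}")
    return likelihood * impact


def priority_band(likelihood: int, impact: int) -> str:
    """Map a score to a priority band. Thresholds are an assumption for this example."""
    score = risk_score(likelihood, impact)
    if score >= 15:
        band = "critical"
    elif score >= 8:
        band = "high"
    elif score >= 4:
        band = "medium"
    else:
        band = "low"
    # Assumed override: a severe-impact scenario (e.g. ransomware on the ERP) is treated
    # as at least "high" even when rated rare, so a pure product does not bury it.
    if impact == 5 and band in ("low", "medium"):
        band = "high"
    return band


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Sort by score, then by impact, so ties go to the risk with the worse consequence."""
    return sorted(
        risks,
        key=lambda r: (risk_score(r.likelihood, r.impact), r.impact),
        reverse=True,
    )


def risk_register(risks: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, score, band) rows, highest priority first."""
    return [
        (r.asset, r.threat, risk_score(r.likelihood, r.impact), priority_band(r.likelihood, r.impact))
        for r in prioritize(risks)
    ]


# Constructed sample inventory for a small manufacturer; ratings are illustrative only.
SAMPLE = [
    Risk("ERP system", "ransomware delivered via phishing", 4, 5),
    Risk("file server", "unpatched SMB vulnerability exploited", 3, 4),
    Risk("PLC network", "unauthorised remote access", 2, 5),
    Risk("intranet wiki", "defacement", 3, 1),
    Risk("HR database", "insider data theft", 2, 3),
]

if __name__ == "__main__":
    for asset, threat, score, band in risk_register(SAMPLE):
        print(f"{band:8s} {score:2d}  {asset}: {threat}")
```

The register this produces is the input to the gap assessment in step 4: start with the "critical" and "high" rows and check which of the measure categories in §30(2) BSIG already cover them, rather than walking the twelve categories in the abstract.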
§30(2) BSIG defines 12 measure categories that serve as the assessment baseline for the gap assessment. A detailed comparison of NIS2 and existing standards can be found in the article NIS2 vs. ISO 27001. NIS2Compass provides templates for all four steps in the Template Library.
The NIS2 implementation law requires specific technical safeguards in four core areas: access control with multi-factor authentication, encryption, vulnerability and patch management, and network security. These areas form the technical foundation of your NIS2 compliance.
Access control and MFA: Role-based access rights ensure that employees can only access the systems they need for their work. Multi-factor authentication provides additional protection for critical access points such as remote access, administrative accounts, and cloud consoles. According to Microsoft, MFA blocks more than 99.9% of automated account compromise attacks.
Encryption: Sensitive data must be encrypted both in transit and at rest. This applies equally to emails, databases, and mobile storage devices.
Vulnerability and patch management: Regular vulnerability scans and defined timelines for security updates prevent known vulnerabilities from being exploited.
Network security: A documented network topology and segmentation limit the damage in the event of a successful attack.
NIS2Compass guides you through each of these areas with concrete action steps and ready-made templates.
In the event of significant security incidents, affected companies must notify the BSI in three stages: an early warning within 24 hours of becoming aware of the incident, an initial report within 72 hours, and a final report no later than one month after the initial report. Without a functioning incident response plan, meeting these deadlines is nearly impossible.
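The deadlines look simple until an incident lands on a Friday evening before a DST switch, or on the 31st of a month. The following is an added example (not code from NIS2Compass or the BSI) that computes the three deadlines from the moment of awareness. It assumes the 24-hour and 72-hour windows are elapsed time (so it does the arithmetic in UTC rather than on Berlin wall-clock time), that "one month" means one calendar month counted from the submission of the initial report, clamped to the last day of a shorter month, and that the final deadline is reported as the latest possible date while the initial report has not yet been sent. Check those readings against the BSI's own guidance before relying on them.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

BERLIN = ZoneInfo("Europe/Berlin")


def add_elapsed_hours(ts: datetime, hours: int) -> datetime:
    """Add real elapsed hours. Python adds timedeltas to the wall clock, which would
    make a '24 h' window 23 or 25 h across a DST change, so convert via UTC first."""
    return (ts.astimezone(timezone.utc) + timedelta(hours=hours)).astimezone(ts.tzinfo)


def add_one_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping to the last day when the target month is shorter
    (31 Jan -> 28/29 Feb). This reading of 'one month' is an assumption of this example."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def bsi_deadlines(aware_at: datetime, initial_report_sent_at: Optional[datetime] = None) -> dict:
    """Deadlines for the three-stage BSI notification of a significant incident.

    aware_at: timezone-aware moment the entity became aware of the incident.
    initial_report_sent_at: when the 72 h report was actually submitted, if already sent;
    otherwise the final-report deadline is computed from the 72 h deadline, i.e. the
    latest date it could possibly fall on.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    early_warning = add_elapsed_hours(aware_at, 24)
    initial_report = add_elapsed_hours(aware_at, 72)
    final_report = add_one_month(initial_report_sent_at or initial_report)
    return {
        "early_warning": early_warning,
        "initial_report": initial_report,
        "final_report": final_report,
    }


def overdue(deadlines: dict, submitted: dict, now: datetime) -> list:
    """Names of reports whose deadline has passed without a submission timestamp."""
    return [name for name, due in deadlines.items() if name not in submitted and now > due]


if __name__ == "__main__":
    # Constructed scenario: awareness on 31 January 2026, 14:00 Berlin time.
    aware = datetime(2026, 1, 31, 14, 0, tzinfo=BERLIN)
    for name, due in bsi_deadlines(aware).items():
        print(f"{name:15s} {due:%Y-%m-%d %H:%M %Z}")
    # Two days later, nothing submitted: the early warning is already late.
    print(overdue(bsi_deadlines(aware), {}, datetime(2026, 2, 2, 0, 0, tzinfo=BERLIN)))
```

Wire `overdue()` into whatever your on-call tooling already polls (a ticket field, a chat bot) so the people in the reporting chain are told about a deadline before it passes, not after.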
Create an incident response plan: Document in advance who is responsible for which tasks in an emergency. Clear responsibilities prevent chaos in the critical first hours.
Define the reporting chain: Establish how information is escalated internally and who submits the BSI notification. All relevant staff should be familiar with the BSI reporting portal.
Practice regularly: Tabletop exercises simulate incidents at the conference table. This helps you uncover gaps in the process before a real incident occurs.
The legislator takes reporting failures seriously. Violations of reporting obligations can result in fines of up to EUR 10 million.
Three chapters form the organizational framework of your NIS2 compliance: Governance establishes responsibilities and policies, supply chain security addresses external dependencies, and business continuity prepares your organization for emergencies. Together, they cover the non-technical obligations of the NIS2UmsuCG.
The first step is appointing an information security officer (ISO) to coordinate the implementation. Building on this, you develop a policy framework including an information security policy, a risk policy, and reporting procedures. Particularly relevant: §38 BSIG establishes personal liability for management in the event of a breach of duty. This makes NIS2 a boardroom issue.
Many security incidents originate not within your own organization, but at suppliers. The NIS2UmsuCG therefore requires a supplier inventory, a criticality assessment, and contractual security requirements. If you do not know your dependencies, you cannot secure them.
The business continuity chapter prepares for emergencies: a business impact analysis, a documented business continuity plan (BCP), and a backup strategy following the 3-2-1 rule (three copies of the data, on two different media, with one copy kept off-site or offline so that ransomware cannot reach it). Detailed instructions for all three chapters can be found in the Knowledge Hub from NIS2Compass.
Technical measures only take effect when all employees understand and apply them. Training and awareness are what make every other chapter stick in day-to-day work. That is why this chapter deliberately closes the implementation path: once the measures exist, people have to be trained on them.
The law mandates compulsory training for management and all employees. In practice, this means: regular awareness training, phishing simulations, and building a sustainable security culture. According to Bitkom, 84% of all cyberattacks begin with social engineering, targeting the human factor.
"In our work with mid-sized companies, we consistently find that technical measures only reach their full potential when staff are properly trained," says Dr. Markus Hartmann, Compliance Consultant at NIS2Compass.
The NIS2 Guide from NIS2Compass walks you through all eight chapters, from the initial assessment to training, with concrete checklists and templates for every step.
The timeline depends on your starting point. Companies with an existing ISMS (such as ISO 27001) can close NIS2-specific gaps in 3-4 months. Without prior groundwork, you should plan for 6-12 months.
Do I have to follow all 8 steps in this exact order?
The order is a recommendation, not a requirement. Step 1 (applicability assessment and BSI registration) should always come first. After that, multiple steps can be worked on in parallel, for example risk management and technical measures simultaneously. What matters is that all areas are fully covered.
Do I need an external consultant for NIS2?
Not necessarily. Structured guides enable many SMEs to implement NIS2 independently. For complex edge cases, such as OT security or sector-specific requirements, targeted consulting may be worthwhile. A detailed cost comparison can be found in the article NIS2 consultant or DIY? A cost comparison.
What happens if I don't complete the NIS2 implementation?
The NIS2UmsuCG provides for fines of up to EUR 10 million or 2% of global annual revenue. For essential entities, the BSI can temporarily prohibit management from exercising their leadership role. All penalty tiers are explained in the article NIS2 fines: What penalties apply?.