Compliance according to NIS2/CER: From impact analysis to audit preparation

The European Union's NIS2 Directive, which came into force in January 2023, regulates the cybersecurity requirements for companies in all sectors considered critical. It distinguishes between "essential" and "important" organisations that are subject to regulation of their information security, risk management and reporting obligations. The directive prescribes binding measures to ensure the resilience of organisations:

• Concepts relating to risk analysis and security for information systems
• Management of security incidents
• Business continuity, such as backup management and disaster recovery, and crisis management
• Security of the supply chain, including security-related aspects of the relationships between individual organisations and their direct suppliers or service providers
• Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
• Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
• Basic cyber hygiene procedures and cyber security training
• Concepts and procedures for the use of cryptography and, where applicable, encryption
• Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation

Like every European directive, NIS2 must also be transposed into the German legal framework by law. This took place on 6 December 2025, see law came into force. Since then, operators of the affected facilities must be prepared to demonstrate compliance with these requirements.

As a cyber security directive, NIS2 is flanked by the CER Directive, which came into force at the same time and is also due to be implemented in Germany as the "KRITIS Dachgesetz". CER stands for "Critical Entities Resilience" and forms the superstructure for sabotage protection and physical security of critical facilities.

While the NIS2 regulates the area of cyber security, the "Critical Entities Resilience" (CER) is the centrepiece of the reform for the regulation of physical security for providers of critical services. Above all, it regulates the obligation to introduce risk management with an "all-hazards approach", i.e. taking into account all factors that could jeopardise ongoing operations.

Three fundamental changes will be relevant for the companies affected by NIS2:

• The number of sectors affected will increase from eight to 18, bringing the total number of companies affected to around 30,000 (from only around 3,000 under the previous regulation)
• The catalogue of fines for non-compliance with the regulations now also provides for penalties that are not capped at an absolute fine but can amount to up to 2.4 percent of the global annual turnover of the company that is fined.
• For the first time, manager liability is introduced, which can be enforced against personal assets in the event of a breach of the regulations.

In addition to these already considerable extensions and tightening, certain sectors are subject to particularly strict regulations. Domain name services, trust service providers and similar "super-critical" services, for example, are subject to even stricter rules than other sectors.

As with operators previously categorised as KRITIS companies, there are several competent supervisory authorities tasked with enforcing the requirements and, if necessary, imposing fines. Depending on the sector and criticality, these include:

• Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK)
• Bundesnetzagentur (für Telekommunikations- und Stromnetzbetreiber)
• Bundesamt für Sicherheit in der Informationstechnik (BSI)
• Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)