
NIS2 for Web Platforms & SaaS

NIS2 compliance guide for German SaaS companies. 29,500 companies affected, BSI registration deadline passed on 6 March 2026.

Last updated: 2026-06-23

The NIS2 directive, now transposed into German law, is Germany's most comprehensive cybersecurity regulation to date, and it affects 29,500 companies – including every SaaS company and every web platform that provides digital infrastructure. Here is what you need to do now.

What is NIS2?

The NIS2 directive (Network and Information Security Directive 2) is the revised EU cybersecurity directive, transposed into German law by the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG). It replaces the previous NIS directive and dramatically expands the scope of who is covered.

  • 29,500 – companies affected in Germany (previously: 4,500)
  • €10M – maximum fine, or 2% of global annual revenue
  • €2.3B – estimated annual compliance cost for the economy
  • 24h – deadline for the initial report of a security incident

Does NIS2 apply to my company?

NIS2 applies to you if your company has more than 50 employees or generates more than €10M in annual revenue, and it:

  • operates SaaS platforms that other businesses rely on
  • offers online marketplaces or e-commerce platforms
  • provides managed IT services or cloud services
  • runs digital infrastructure that other businesses use

The 10 mandatory measures under Article 21

NIS2 Article 21 requires at least these ten cybersecurity measures:

  1. Risk analysis and security concepts for information systems
  2. Incident response – handling security incidents
  3. Business continuity – backup management and disaster recovery
  4. Supply chain security – security across the supply chain and with suppliers, including GDPR-compliant vendor management
  5. Security in procurement – development and maintenance of systems
  6. Effectiveness assessment – evaluating the cybersecurity measures
  7. Cyber hygiene and training – fundamental practices and awareness
  8. Cryptography – policies for encryption
  9. Personnel security and access control – asset management
  10. Multi-factor authentication – secure communication systems

In the German transposition, these measures are codified in Section 30 BSIG (see BSI: NIS-2 Risk Management Measures, Section 30 BSIG).

Incident reporting obligations

Deadline    Obligation
24 hours    Early warning to the BSI
72 hours    Detailed incident notification
1 month     Final report with root-cause analysis

Personal liability of management

A critical difference from previous regulations: members of management are personally liable for damages arising from a culpable failure to implement cybersecurity measures. This cannot be delegated to the CISO or the IT department.

How AnvilStack helps

We use AI tools to develop quickly – but every line of code is reviewed by senior engineers and made NIS2-compliant:

  • Free assessment: We test your existing platform against all 10 NIS2 mandatory measures – you will find the full technical breakdown in our NIS2 Security Checklist
  • Security-by-architecture: NIS2 compliance is built into the system architecture, not bolted on afterwards
  • Incident response setup: We implement the reporting infrastructure for the 24h/72h/30d deadlines
  • EU-sovereign hosting: Hetzner, Germany – no CLOUD Act, no US jurisdiction
  • Documentation: Auditable evidence for the BSI, not just technical measures

In a free initial consultation, we assess your platform for NIS2 relevance and show you concretely where action is needed – from the assessment through to a hardened, EU-sovereign production platform.

Frequently asked questions

Does NIS2 apply to my SaaS company?
If your company has more than 50 employees or generates more than €10M in annual revenue and provides digital services to other businesses, then yes. SaaS platforms, online marketplaces, managed IT services and cloud services all fall under NIS2.
What penalties apply for NIS2 violations?
Fines of up to €10 million or 2% of global annual revenue for essential entities, and €7 million or 1.4% for important entities. Managing directors are personally liable for damages caused by a culpable failure to implement cybersecurity measures.
Do I have to register with the BSI?
Yes. The NIS2 transposition requires registration with the BSI. The deadline passed on 6 March 2026 (three months after the law took effect on 6 December 2025). Failure to register exposes you to additional sanctions; a late registration is still possible and advisable.
What are the 10 mandatory measures under NIS2?
Article 21 requires: risk analysis, incident response, business continuity, supply chain security, security in procurement, effectiveness assessment, cyber hygiene and training, cryptography policies, access control and multi-factor authentication.
How quickly must I report a security incident?
Within 24 hours you must send an early warning to the BSI. Within 72 hours a detailed incident notification follows. After one month, a final report with a root-cause analysis is due.
Does NIS2 also apply to AI-built platforms?
Yes. If your platform, built with Lovable, v0 or Bolt, provides digital services to other businesses, you fall under NIS2 – regardless of how the platform was developed.

Ready to start?

Book a free initial consultation. We assess your project and tell you exactly what it needs.