
NIS2 Security Checklist

An action-oriented NIS2 security checklist for web platforms and SaaS providers.

Last updated: 2026-06-23

The NIS2 Directive has been in force as German implementing legislation (NIS2UmsuCG) since 6 December 2025, defining ten mandatory measures under Article 21 that apply with no transition period. Around 29,500 companies in Germany with 50 or more employees or €10M in revenue across 18 sectors are affected, including SaaS providers and digital platforms (source: OpenKRITIS: NIS2 Implementation Act in Germany). This checklist translates the legal requirements into concrete technical measures for web platforms.

  • 29,500: affected companies in Germany (across 18 sectors)
  • €10M: maximum fine for essential entities
  • 24h: deadline for the initial incident report to the BSI
  • ~11,500: of the 29,500 companies were registered by the BSI deadline (6 March 2026)

Am I affected? The quick scope check

Your company falls under NIS2 if it has at least 50 employees or €10M in annual revenue and operates in one of the 18 regulated sectors, which include digital infrastructure, IT services, cloud computing, and SaaS platforms, among others (source: Secjur: The NIS2 Directive 2026). Suppliers to critical entities can also be affected indirectly, since NIS2 mandates a supply chain risk assessment.

The 10 mandatory measures under Article 21, translated into engineering terms

1. Risk analysis and information security

  • Build an asset inventory of all systems, databases, and interfaces
  • Conduct formal threat modelling for critical application paths
  • Document the risk assessment and update it at least annually
  • Have the information security policy approved by senior management

2. Incident response and reporting obligations

  • Implement a SIEM system (e.g. Grafana Loki + Prometheus Alertmanager)
  • Document an incident response plan with clear escalation levels
  • Set up the BSI reporting chain: an early warning within 24 hours, a detailed report (follow-up notification) within 72 hours, and a final report within one month of the follow-up notification (source: NIS2 Directive: Article 23, Reporting Obligations)
  • Run regular incident response drills (tabletop exercises)

3. Business continuity and crisis management

  • Define an RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for every critical system
  • Maintain an automated backup strategy with encrypted off-site backups
  • Create disaster recovery runbooks and test them at least every six months
  • Provide redundant infrastructure for business-critical services

4. Supply chain security

  • Run a vendor assessment for all third parties and data processors
  • CLOUD Act check: Is your cloud provider subject to US jurisdiction? (source: Wire: CLOUD Act & EU Data Sovereignty)
  • Review data processing agreements (DPAs) for NIS2 compliance
  • Maintain a Software Bill of Materials (SBOM) for every component in use

5. Secure development and maintenance

  • Integrate SAST (Static Application Security Testing) into the CI/CD pipeline
  • Run DAST (Dynamic Application Security Testing) before every release
  • Use automated dependency scanning (e.g. Dependabot, Snyk)
  • Require code review by at least one additional engineer
  • Apply secure configuration standards across all environments

6. Effectiveness testing

  • Penetration tests at least annually, more frequently for critical systems or where risk is elevated, and after any significant change (source: Sectricity: NIS2 Penetration Testing 2026)
  • Automated vulnerability scans on a weekly or monthly basis
  • Document results, track remediation, and run retests
  • Retain evidence for auditors (not just reports, but proof of remediation)

7. Cyber hygiene and training

  • Mandatory security awareness training for all staff
  • Regular phishing simulations (at least quarterly)
  • A patch management process with defined SLAs (critical: 48h, high: 7 days)
  • Management must attend cybersecurity training in person; delegating to the CISO is not enough (source: Greenberg Traurig: NIS2 – Cybersecurity as a Board-Level Issue)

8. Cryptography

  • Enforce TLS 1.3 for all external and internal connections
  • Apply encryption at rest for all personal and business-critical data
  • Run a key management process with regular key rotation
  • Use certificate management with automated renewal (Let's Encrypt, cert-manager)

9. Access control and asset management

  • RBAC (Role-Based Access Control) with a documented role model
  • Least-privilege principle: minimal permissions by default
  • Mandatory MFA for all administrative and remote access
  • Regular access reviews (at least quarterly)
  • Immediate deactivation when employees leave

10. Secure communication

  • End-to-end encryption for internal communication involving sensitive data
  • Secure channels for emergency communication (even during a system outage)
  • Encrypted email for external communication with partners
  • A documented policy for communication channels based on data classification

Personal liability of management

Management's personal liability under Section 38 BSIG cannot be excluded by contract. Cybersecurity training for management is mandatory and must be refreshed every three years.

The particular risk with vibe-coded platforms

Platforms generated with AI tools such as Cursor, Lovable, or v0 routinely fall short on measures 2, 5, 6, and 9: incident response, secure development, effectiveness testing, and access control. Veracode found that AI-generated code contains security flaws in 45% of cases (source: Veracode: GenAI Code Security Report 2025). Specifically, vibe-coded platforms regularly lack:

  • Logging and alerting: without them an attack goes unnoticed, and the 24-hour reporting deadline is effectively impossible to meet
  • Access control: authentication and authorization are missing or incomplete
  • Testing: neither unit nor security tests run in the pipeline, so regressions ship unchecked
  • Secret hygiene: roughly 40% more exposed API keys in repositories that use AI assistance (6.4% vs. 4.6%) (source: GitGuardian: GitHub Copilot and the Risk of Leaked Secrets)
  • Dependency management: outdated and vulnerable dependencies

Operating a platform like this under NIS2 risks a fine of up to €10 million and, as a Managing Director, personal liability under Section 38 BSIG. Gaps of this kind surface within hours in a penetration test.

In a free intro call, we assess your platform for NIS2 relevance and identify the most critical gaps. We deliver the full hardening for a fixed price of €36,000. The result is a working app on EU-sovereign infrastructure, complete with audit-proof documentation, not a report that ends up in a drawer.

Frequently asked questions

What are the 10 mandatory NIS2 measures?
Article 21 requires: risk analysis, incident response, business continuity, supply chain security, secure development, effectiveness testing, cyber hygiene and training, cryptography, access control, and secure communication.
How quickly must I report a security incident?
An early warning to the BSI within 24 hours, a detailed report within 72 hours, and a final report including root-cause analysis within one month of the follow-up notification.
Is management personally liable?
Yes. Section 38 of the new BSIG requires Managing Directors to approve the security measures and oversee their implementation. Delegating to the CISO does not release them from liability. Cybersecurity training is mandatory.
Are vibe-coded platforms NIS2-compliant?
Usually not. Vibe-coded platforms typically lack logging, access control, and testing, which are three of the mandatory NIS2 measures. On top of that, AI-generated code contains security flaws in 45% of cases.
How often do I need to run penetration tests?
At least annually, and more frequently for critical systems or where risk is elevated. NIS2 does not prescribe a fixed cadence but requires regular, risk-based testing. Results must be documented, remediation tracked, and retests performed.
What does NIS2 compliance cost for a web platform?
The assessment is free. NIS2-compliant hardening (remediation, verification, and audit-proof documentation) is part of our fixed-price delivery (€36,000), which is an order of magnitude cheaper than a fine of up to €10 million.

Ready to start?

Book a free initial consultation. We assess your project and tell you exactly what it needs.