BrnzAi/nis2-dach-guide
NIS2 Is Here: What Every DACH Company Needs to Know

A practical guide for German, Austrian, and Swiss businesses navigating Europe's most significant cybersecurity regulation.


On October 17, 2024, the NIS2 directive became enforceable across the European Union. For the DACH region — Germany, Austria, and Switzerland — the implications are enormous, and many businesses are still unprepared.

This isn't another legal summary. This is a practical guide for business leaders who need to understand what NIS2 means for their organization, what they need to do, and how to avoid the most common pitfalls.

The Scope Problem

The biggest surprise about NIS2 isn't its requirements — it's its scope. The original NIS directive (2016) affected a relatively small number of critical infrastructure operators. NIS2 expanded that scope dramatically.

In Germany alone, the NIS2UmsuCG brings an estimated 30,000 additional organizations under regulatory oversight. Across the EU, that number approaches 160,000.

Who's affected in the DACH region:

Germany: Essential and important entities across 18 sectors. The threshold is generally 50+ employees or €10M+ annual revenue in covered sectors. The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the supervisory authority.

Austria: Similar transposition with the NISG 2024. The Austrian cybersecurity authority oversees compliance. Austrian companies in covered sectors face equivalent requirements.

Switzerland: Not an EU member, but Swiss companies doing business with EU clients face NIS2 requirements through supply chain obligations. If you're a Swiss company providing IT services to German or Austrian clients, your customers' NIS2 obligations become your problem.

This last point catches many Swiss companies off guard. NIS2's supply chain requirements mean that compliance extends beyond EU borders.

What NIS2 Actually Requires

Stripped of legal language, NIS2 requires organizations to:

1. Implement Risk Management Measures

This includes:

  • Policies on risk analysis and information system security
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security
  • Security in network and information systems acquisition, development, and maintenance
  • Vulnerability handling and disclosure
  • Cybersecurity training
  • Cryptography and encryption policies
  • Human resources security, access control, and asset management

2. Report Incidents Within Strict Timelines

  • 24 hours: Early warning to the competent authority
  • 72 hours: Full incident notification with initial assessment
  • 1 month: Final report with root cause analysis and remediation measures

For organizations used to handling incidents quietly, this transparency requirement is a cultural shift.

3. Ensure Management Accountability

Article 20 of NIS2 explicitly requires management bodies to approve cybersecurity risk management measures and oversee their implementation. Management must undergo training. And critically — they can be held personally liable for non-compliance.

This moves cybersecurity from "IT's problem" to "board-level responsibility."

The Penalties Are Real

NIS2 penalties are designed to be dissuasive:

  • Essential entities: Up to €10 million or 2% of total worldwide annual turnover, whichever is higher
  • Important entities: Up to €7 million or 1.4% of total worldwide annual turnover

For a German Mittelstand company with €100M revenue, that's up to €2 million. Plus reputational damage, business disruption, and the management liability angle.

The Implementation Reality

Here's where theory meets practice. Based on conversations with dozens of DACH companies navigating NIS2, here are the most common challenges:

"We don't know if we're in scope"

NIS2's sector definitions are broad and sometimes ambiguous. A manufacturing company might think it's not in scope, but if it produces components for critical infrastructure, it likely is. A software company might not realize that providing services to healthcare organizations makes it a "digital service provider" under the directive.

Action: Get a definitive legal assessment. Don't guess. The cost of a legal opinion (€5-15K) is trivial compared to the risk of non-compliance.

"We don't have a security team"

Many mid-market DACH companies have IT departments but not security departments. NIS2 requires continuous vulnerability management, incident response capabilities, and regular testing — activities that traditionally require dedicated security professionals.

Action: Technology can bridge the gap. Automated security scanning platforms like KENSAI provide continuous vulnerability assessment and compliance-mapped reporting without requiring a dedicated security team. This isn't a replacement for security expertise, but it provides the baseline continuous monitoring that NIS2 demands.

"We're ISO 27001 certified — isn't that enough?"

ISO 27001 provides a strong foundation, but NIS2 goes further in several areas:

  • Supply chain security requirements are more prescriptive
  • Incident reporting timelines are stricter (24/72 hours vs. ISO's more flexible approach)
  • Management liability is explicit
  • Vulnerability management must be continuous, not just periodic

If you're ISO 27001 certified, you're approximately 60-70% of the way to NIS2 compliance. The gap analysis is manageable, but the gaps are important.

"Our suppliers aren't compliant"

NIS2's supply chain requirements mean you're responsible for assessing and managing the cybersecurity risks of your suppliers. This is particularly challenging for companies with complex supply chains — which describes most German manufacturers.

Action: Start with your most critical suppliers. Develop a security questionnaire, require evidence of security practices, and include NIS2-relevant clauses in contracts. This doesn't need to be perfect on day one, but you need to demonstrate a systematic approach.

A Practical Roadmap

For DACH companies that need to move quickly:

Month 1: Assessment

  • Confirm NIS2 scope applicability
  • Conduct gap assessment against requirements
  • Identify quick wins and critical gaps
  • Brief management on responsibilities and liability

Months 2-3: Quick Wins

  • Implement continuous vulnerability scanning (kensai.app can get you started in minutes with a free scan)
  • Establish incident response plan with 24/72-hour procedures
  • Enable MFA across all administrative access
  • Deploy security monitoring on critical systems
  • Begin supplier security assessments

Months 4-6: Program Build

  • Formalize risk management framework
  • Implement required policies and procedures
  • Establish management reporting cadence
  • Conduct first tabletop incident response exercise
  • Complete initial supplier assessments

Months 7-12: Maturation

  • Refine processes based on operational experience
  • Expand vulnerability management coverage
  • Conduct business continuity testing
  • Prepare for regulatory engagement
  • Conduct an internal or external audit of NIS2 compliance

The Opportunity

It's easy to view NIS2 purely as a compliance burden. But there's an opportunity angle that pragmatic DACH companies are already leveraging:

Competitive differentiation. In B2B markets, demonstrating NIS2 compliance becomes a sales advantage. Enterprise procurement increasingly includes cybersecurity requirements. Being able to demonstrate a mature security posture — backed by continuous scanning data and compliance evidence — opens doors.

Customer trust. For SaaS companies, financial services, healthcare providers, and anyone handling sensitive data, NIS2 compliance signals seriousness about security in a way that marketing claims cannot.

Operational resilience. The activities NIS2 requires — incident response planning, business continuity, vulnerability management — genuinely reduce business risk. Organizations that implement these measures well will experience fewer security incidents and recover faster when incidents occur.

The Bottom Line

NIS2 is the most significant cybersecurity regulation to affect DACH businesses in a decade. The scope is broader than most companies realize, the timelines are tight, and the penalties are meaningful.

But the requirements are achievable. Start with understanding your scope, automate what you can, and build systematically. The companies that treat NIS2 as a catalyst for genuine security improvement — rather than a checkbox exercise — will be the ones that benefit most.


Need a starting point? KENSAI provides AI-powered security scanning with NIS2 compliance mapping. Run a free scan to see your current posture in minutes.
