NIS-2: New cybersecurity law passed in Germany
Checklist: Is your company prepared?

The German Bundestag has passed the NIS 2 Implementation Act (NIS2UmsuCG), and many companies and public bodies now face significantly higher requirements.
The new categories of 'particularly important entities' and 'important entities' widen the scope considerably, so many organisations are affected for the first time.
There is no general transition period: the obligations apply from the day the law enters into force, and entities that fall within its scope must register with the BSI within three months.
The law sets stricter minimum security measures, defines registration and incident-reporting procedures, and places personal duties on management: it must approve and monitor the cybersecurity measures, undergo regular training on them, and can be held personally liable for breaches of these duties.
For many organisations this means that processes, documentation and security architecture have to be modernised sooner than planned, namely now.
We have provided a checklist here so that you can assess whether your company is well prepared.
Impact
- Is your organisation classified as a 'particularly important' or 'important' entity?
- Is it already subject to the stricter requirements that apply to KRITIS operators (operators of critical infrastructure)?
- Has registration via the joint registration office of the BSI and BBK been completed or at least prepared?
Responsibility & governance
- Is the management aware of their personal duties and liability risks?
- Are roles, responsibilities and escalation paths for cyber and information security clearly defined?
- Is there a binding ISMS (e.g. based on ISO 27001 or BSI IT-Grundschutz)?
Risk management
- Is there a current, documented IT and cyber risk management system in place?
- Are the risks assessed, prioritised and backed up with measures?
- Is there a procedure for regularly reassessing the risks?
Technical & organisational security measures
- Do the protective measures at least meet the 'state of the art' (Stand der Technik) required by NIS-2?
- Do they cover the minimum measures the law lists, such as access control and multi-factor authentication, encryption, backup and recovery, vulnerability handling and secure procurement and development?
- Are the security policies up to date and binding?
Supply chain & service provider management
- Are the IT security risks of service providers and IT suppliers assessed?
- Are security requirements and SLAs contractually defined?
- Is compliance with these requirements regularly checked?
Incident response and reporting
- Is there a documented emergency and incident response plan?
- Is the company prepared to report significant security incidents to the competent authority within the NIS-2 deadlines (early warning within 24 hours, incident notification within 72 hours, final report within one month)?
- Is there working monitoring (logging, alerting, on-call) so that incidents are actually detected in time to meet these deadlines?
- Are all relevant persons trained and do they know what to do in an emergency?
Continuity & crisis management
- Are there documented and tested emergency and recovery plans (BCM)?
- Are emergency processes practised regularly (e.g. cyber attack simulation)?
- Is it clear how operations would be maintained or quickly restored in a crisis?
Awareness & training
- Do all employees receive regular security awareness training?
- Is there special training for critical roles (admin, management, incident team)?
- Is the training documented and its effectiveness reviewed?
Documentation & auditability
- Is the entire security organisation documented in an audit-ready manner?
- Are policies, processes, training records and risk analyses up to date?
- Is there an internal control function or regular audits?
We advise our customers on security so that they achieve and maintain NIS 2 compliance. We are happy to help you implement the technical and organisational measures too.
A complex topic? You've come to the right place.
