NIS-2 BSI Supervision: Duties, Deadlines, Fines 2026
NIS-2 BSI supervision from 2026: registration, 24-hour notification, audit procedure, fines up to EUR 10m. Operational 14-week plan for boards.
NIS-2 BSI Supervision: Duties and Sanction Framework for Mid-Size KRITIS Operators
The NIS2UmsuCG introduces a new supervisory regime. The BSI audits risk management, reporting channels and physical security. Fines reach up to EUR 10m. Boards are personally liable. This article sets out the legal framework, the deadlines and the operational consequences for operators with 50 to 2,000 employees.
NIS-2 BSI Supervision: The Legal Framework 2026
The NIS-2 Directive is transposed into German law via the NIS2UmsuCG. The BSI becomes the central supervisory authority for essential and important entities. Its powers cover registration, audits, orders and fines. The NIS-2 Directive requires entities to implement risk management, notification within 24 hours and evidence of physical security measures.
Supervision extends across both layers: cybersecurity risk management under Art. 21 NIS-2 and physical security measures at the perimeter. The separation of IT and physical security still present in many org charts is no longer tenable under NIS-2.
The scope covers 18 sectors. These include energy, transport, banking, health, drinking water, digital infrastructure, public administration, space, postal services, waste, chemicals, food, machinery, digital providers and research. The thresholds activate the duties automatically: 50 or more employees or EUR 10m annual turnover.
Self-identification is mandatory. The BSI does not publish a full operator list. Staying below the authority's radar is no exemption. The burden of proof for non-applicability lies with the operator. See also the NIS-2 compliance overview.
Registration with the BSI: Deadlines and Data
Registration runs through the BSI reporting portal. The deadline is three months after the respective duty enters into force. Late or incomplete registration carries fines.
Data to be submitted:
- Company name and legal form.
- Sector and sub-sector per Annex I or II.
- IP ranges and domains of the infrastructure in use.
- Person responsible for IT security.
- 24/7 contact point with phone and email.
For every material change, an update is required within two weeks. Material includes any change in sector classification, contact point or IP address blocks. False statements or late registration trigger fines of up to EUR 7m or 1.4 percent of annual turnover.
Important for KRITIS operators: the link with the KRITIS Umbrella Act registration at the BBK is not automatic. These are two separate procedures with different authorities, forms and deadlines. The KRITIS Umbrella Act (KRITIS-Dachgesetz) supplements NIS-2 with duties on physical resilience and requires separate registration with the BBK. Operational guide to registration with the federal office: BBK registration step by step.
Evidence Requirements: What the BSI Wants to See
Supervision is document-based. Without legible evidence, a measure is treated as not implemented. The BSI reviews the following building blocks:
Risk analysis per Art. 21 NIS-2. Documented assessment of physical and logical attack vectors. Mandatory update on material changes, at least annually.
Measures catalogue. Access control, perimeter protection, detection, incident response, cryptography, vulnerability management, backup, business continuity. Each item with responsible role and maturity rating.
Supply chain security. Assessment of critical suppliers and service providers. This includes guard services, cloud providers and maintenance contractors. Contracts must contain security requirements and audit rights.
Training evidence. Management and technical staff with annual refreshers. Attendance confirmations, content and date records must be retained.
Technical logs. SIEM data, access logs, perimeter sensor data. Minimum retention twelve months, retrievable within 48 hours on request. See BSI recommendations under BSIG §8a para. 3.
The BSI is the central supervisory authority for KRITIS operators under the BSIG and handles registration, audits and sanctions. Evidence duties apply regardless of whether the authority actively audits.
Notification Duties: 24-Hour Early Warning and Follow-Up Reports
The notification chain has three stages and is non-negotiable:
- Initial notification within 24 hours. Early warning to the BSI stating whether the incident was presumably triggered by an unlawful act and whether cross-border effects are possible.
- Detail report within 72 hours. Initial damage assessment, indicators of compromise, affected systems, containment status.
- Final report within one month. Root cause analysis, full damage picture, lessons learned, planned follow-up measures.
The materiality threshold requires interpretation. It applies in cases of significant operational disruption, financial damage above a level set by the authority, or impact on third parties. In case of doubt, report rather than withhold. A failure to notify is sanctioned more harshly than a precautionary notification.
Physical incidents are also reportable where IT systems are affected. Examples: a drone flight over a data centre with simultaneous radio interference; a perimeter breach with access to server rooms; sabotage of the power supply causing a cooling failure. The operational divide between in-house guards and the Security Operations Center must be bridged by a shared notification logic.
Audit Procedures and On-Site Inspections by the BSI
The NIS2UmsuCG distinguishes two supervisory modes.
Essential entities are subject to proactive supervision. The BSI audits both announced and unannounced, without any incident being required. Spot checks are possible.
Important entities are audited reactively. Triggers are incidents, complaints or specific indications of breach.
The scope of the audit typically covers:
- Documentation review of the risk analysis and measures catalogue.
- Technical tests, including penetration tests or configuration reviews.
- Interviews with management, CISO, data protection, head of plant security.
- On-site inspection at the perimeter, in the data centre, at handover points.
The BSI may commission external auditors. The operator bears the cost. This applies even if the audit ends without findings. Evidence on perimeter security, detection technology and response capability is increasingly part of the audit, no longer just the IT layer.
Fines and Personal Liability of the Board
The sanction structure has two tiers:
| Category | Maximum fine |
|---|---|
| Essential entities | EUR 10m or 2% of global annual turnover |
| Important entities | EUR 7m or 1.4% of global annual turnover |
The higher amount applies in each case. Assessment follows severity, duration, intent and willingness to cooperate.
Management is personally liable for implementing risk management and for attending training. Delegation to the CISO does not release the board. D&O insurance increasingly excludes breaches of NIS-2 duties. Existing cover is materially restricted. Current policies should be reviewed.
For essential entities, the BSI may, as a last resort, order a temporary ban on exercising management functions. Personal sanctions at board level have so far been rare in German commercial law. NIS-2 marks a new quality of supervision here. Deeper coverage in board liability under NIS-2.
Physical Security as Part of NIS-2 Compliance
Art. 21(2)(e) NIS-2 explicitly requires measures for the security of the physical environment of IT systems. That is not interpretation, that is statutory text. Perimeter protection, access control and detection are directly relevant to the audit.
The operational challenge: human guard services rarely deliver the required audit quality. Patrol logs (Streifenbücher) can be reconstructed after the fact. Shift handovers create gaps. According to BDSW industry data, human guard services in DACH for 24/7 coverage cost between EUR 15,000 and EUR 25,000 per post per month. [Internal Quarero Robotics survey 2024, n=47 KRITIS sites.] Comparison data in guard service cost comparison.
Autonomous patrol robots deliver continuous audit logs with timestamp, location and sensor event. The QR-2 and QR-3 platforms from Quarero generate forensically usable data sets. The BSI auditor reads these in the same way as SIEM data. Thermal detection and LiDAR detection meet the requirement for continuous monitoring of critical zones. This applies especially at night and in weather conditions where cameras alone fail.
What works, what does not:
- Works: robots for recurring patrols along defined routes, detection at outer fence and handover points, pre-trigger recording for audit purposes.
- No replacement for personnel: escalation in case of an active threat, detention of persons and key authority for indoor areas still require staff certified under §34a.
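Added example, not code from Quarero or the BSI: a minimal hash-chained patrol log in Python showing the two properties an auditor needs from the perimeter evidence described above, tamper evidence (a back-filled entry breaks the chain) and continuity (gaps such as a shift handover become visible). The record fields follow the timestamp, location and sensor event named in the text; the record layout, the 45-minute maximum patrol interval and the sample records are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, ts: str, location: str, event: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "location": location, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(log: list, ts: str, location: str, event: str) -> dict:
    """Append a patrol record whose hash commits to the previous record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    rec = {"ts": ts, "location": location, "event": event,
           "hash": _digest(prev_hash, ts, location, event)}
    log.append(rec)
    return rec


def verify_chain(log: list):
    """Return (True, None) if every hash links correctly, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["hash"] != _digest(prev_hash, rec["ts"], rec["location"], rec["event"]):
            return False, i
        prev_hash = rec["hash"]
    return True, None


def find_gaps(log: list, max_gap_seconds: int):
    """Return (index, gap_seconds) for each pair of consecutive records further apart than allowed."""
    gaps = []
    for i in range(1, len(log)):
        t0 = datetime.fromisoformat(log[i - 1]["ts"])
        t1 = datetime.fromisoformat(log[i]["ts"])
        gap = int((t1 - t0).total_seconds())
        if gap > max_gap_seconds:
            gaps.append((i, gap))
    return gaps


def build_sample_log() -> list:
    """Constructed sample (assumed layout): four records with a 3-hour hole around the night shift change."""
    log = []
    append_record(log, "2026-03-01T22:00:00+00:00", "fence-north", "patrol_ok")
    append_record(log, "2026-03-01T22:30:00+00:00", "gate-2", "patrol_ok")
    append_record(log, "2026-03-02T01:30:00+00:00", "fence-north", "thermal_contact")
    append_record(log, "2026-03-02T02:00:00+00:00", "gate-2", "patrol_ok")
    return log
```

Run `verify_chain` on the stored log and `find_gaps` with the contractually agreed patrol interval; a failed chain or an unexplained gap is what an auditor will ask about first.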
Robotics-as-a-Service avoids CapEx and allows scaling within the NIS-2 implementation deadlines. The Robotics-as-a-Service model and the QR-3 platform for KRITIS perimeters are calibrated to be accepted as audit evidence. The BMI coordinates national implementation of NIS-2 and the KRITIS-Dachgesetz and sets sector delimitation; the operational bridge between IT and physical security rests with the operator.
14-Week Plan for NIS-2 Compliance
The following timeline is calibrated for operators with 200 to 2,000 employees. Larger organisations extend by four to six weeks, smaller ones shorten by two.
Weeks 1–2: Scope and self-classification. Sector check, employee and turnover thresholds, classification as essential or important entity. Written memo to management with legal basis and consequences.
Weeks 3–5: Registration and roles. Prepare the BSI reporting portal, designate the 24/7 contact point, clarify internal responsibilities. In parallel, review BBK registration under the KRITIS-Dachgesetz, see KRITIS-Dachgesetz checklist 2026.
Weeks 6–9: Risk analysis and measures catalogue. Gap assessment against Art. 21 NIS-2. Inventory of perimeter technology, access control, SIEM, backup. Measures catalogue with timeline and owners. Supply chain assessment including guard and maintenance providers.
Weeks 10–12: Training and exercise. Board training with attendance record. Tabletop exercise on incident response including a physical scenario, e.g. drone flight or perimeter breach. Close out supply chain review.
Weeks 13–14: Documentation and pilot. Finalise the document package, log versioning and approvals. Start a perimeter robotics pilot to produce audit evidence at sensor and log level. Formally declare audit readiness.
Operators who run the plan with discipline withstand an initial audit. Those who skip it run into the fine range described in the sanctions section above.
For a concrete assessment of your site against NIS-2 duties and the interpretation of perimeter robotics as audit evidence, arrange a confidential discussion at book NIS-2 advisory call. We bring the operational experience from the KRITIS-Dachgesetz handbook (ISBN 978-3-912703-01-6).