NIS-2 Progress Report: Board and Management Duties
The NIS-2 progress report is not a form. It is the central evidence that management bodies have met their supervisory duty. Whoever fails to keep it is personally liable. This text describes mandatory content, structure and frequency, based on the work documented in detail in our KRITIS Umbrella Act handbook (KRITIS-Dachgesetz-Handbuch, ISBN 978-3-912703-01-6).
NIS-2 Progress Report: What the Legislator Requires
Article 20 of the NIS-2 Directive obligates the management bodies of affected entities to approve risk management measures and monitor their implementation. This duty cannot be delegated. It sits with the board, the managing director, the head of institution.
The German NIS2UmsuCG transposes this European requirement directly into national law. §38 BSIG-neu provides for personal liability of management bodies where supervision is missing or insufficiently documented (NIS2UmsuCG draft, https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/nis-2-umsetzungsgesetz.html). Fines hit the company; recourse hits the individual.
The documented progress report is the evidence vis-à-vis the BSI and the BMI. Without it, there is no line of defence in an audit. With it, supervision becomes verifiable, dated, signed.
Frequency: at minimum quarterly. For material incidents ad hoc, in parallel with the 24-hour reporting duty. Reporting half-yearly or annually does not meet the supervisory duty under Article 20.
Mandatory Content: The Ten Risk Management Areas
Article 21 paragraph 2 NIS-2 lists ten areas every entity must address. The progress report must treat each one separately. Gaps are scored by the auditor as insufficient implementation.
Risk analysis and security of information systems. Current status, changes since the previous report, newly identified risks, closed assessments. No generic statements: concrete risks with probability of occurrence and damage value.
Incident handling. Number of security incidents in the reporting period, classification by severity, response time from detection to containment, incidents reported to the BSI with case number.
Business continuity. Backup tests with date and success rate, measured recovery times against agreed RTO, executed disaster recovery exercises, lessons learned.
Supply chain security. Assessment of critical suppliers, contractually agreed security requirements, audit results, replacement planning for non-compliant suppliers.
Access control and cryptography. MFA coverage in percent across all privileged accounts, certificate management with expiry overview, key lifecycle with rotation evidence.
Physical security. Perimeter protection, access control, site surveillance, incidents in the physical domain. This area is regularly forgotten, and that is precisely where most audit findings arise.
The remaining four areas (training, asset management, vulnerability management, effectiveness assessment) follow the same logic: status, measure, responsible owner, deadline.
Structure of an Audit-Proof Report
A progress report that holds up before the BSI has five fixed components.
Executive summary. One page maximum. Traffic light system for the ten risk areas, each green, yellow or red with brief justification. This page is read by the chair of the board. If it is unclear, the entire report is devalued.
Measures matrix. In table form. Each measure with a unique identifier, responsible owner (name, not department), deadline (date, not quarter), status (open, in progress, closed), budget (approved, drawn, remaining).
Incident register. Chronological listing of all security incidents in the reporting period. Per incident: timestamp of detection, classification, affected systems, response steps, BSI report with case number where filed, closing report.
Training evidence. Article 20 paragraph 2 NIS-2 obligates the management bodies themselves to undergo training. Participation rate of the board, date of training, content, provider, certificates as annex. Anyone reporting 80 percent here has a problem: 100 percent is required.
Annexes. External audit reports, penetration test results, supplier assessments, each with date and named auditor. Without these annexes the report is not examinable.
Versioning is mandatory. Every report carries a version number, a date, a signature. Later changes are made as addenda, not by overwriting.
Documenting Physical Security in the Progress Report
NIS-2 does not separate cyber and physical security. Article 21 paragraph 2 lit. e names physical protection of facilities explicitly as a mandatory measure. Filling the progress report only with IT metrics does not meet the directive.
What belongs in the report, concretely: patrol logs with timestamps, perimeter incidents with classification, sensor coverage in percent, gaps in surveillance with planned closure.
The KRITIS-Dachgesetz draft in Bundestag-Drucksache 20/9262 explicitly interlinks physical and cybersecurity for critical facilities. The BBK coordinates resilience requirements. In interplay with the KritisV this creates a dual duty for operators of critical facilities: NIS-2 for IT and the KRITIS-Dachgesetz for physical security. Both areas belong in the same report.
Autonomous patrol robotics deliver gap-free, tamper-evident log data. QR-2 documents every patrol with timestamp, thermal signature and incident classification. The datasets are directly exportable into the quarterly report, in JSON format, with hash for evidence preservation. What human patrols record in shift books is then available as a structured dataset.
What works: robotics for uniform patrols, perimeter surveillance, night patrols. What does not work: robotics as a replacement for response forces. The dividing line runs between detection (machine) and intervention (human).
Frequency and Reporting Channels
Quarterly report to the full board. Submission in the ordinary board meeting, documented acknowledgement in the minutes. Without a minute entry the report counts as not submitted.
Half-yearly report to the supervisory board or advisory board. Consolidated version of two quarterly reports, supplemented by strategic assessment. Here too: minute entry, named mention of those present.
Ad hoc report within 24 hours for reportable incidents. In parallel with the BSI notification, not as a substitute. The BSI notification fulfils §32 BSIG-neu, the ad hoc report fulfils Article 20 NIS-2. Two different duties, two different addressees.
Annual report as a consolidated version. Addressees: external auditors, on BSI request, supervisory board. Serves as the basis for the effectiveness report under Article 21 paragraph 4.
Retention period: at minimum six years (§257 HGB, https://www.gesetze-im-internet.de/hgb/__257.html; §93 AktG for limitation of director liability claims, https://www.gesetze-im-internet.de/aktg/__93.html). This period results from the parallel application of commercial record-keeping duties and the limitation period for director liability. Shorter retention creates evidentiary distress in the event of damage.
Common Errors and Their Consequences
Delegation to the IT department without board involvement. The duty under Article 20 falls personally on management bodies. Tasking the CISO with the report and filing it unread breaches the non-delegability. In a liability case the CISO's signature does not help.
Pure status reports without measure tracking. A report that only says "MFA coverage 87 percent" does not meet the supervisory duty. Required is the tracking: what was the previous quarter, what is the target value, who is responsible, by when closed.
Missing training evidence for management bodies. Article 20 paragraph 2 demands training of board members themselves. Breach risks a fine of up to 10 million euros or 2 percent of worldwide annual turnover (Art. 34 para. 4 NIS-2 Directive, https://eur-lex.europa.eu/eli/dir/2022/2555/oj), whichever is higher. This exposure can be avoided with 4 hours of training per year per board member.
Incomplete documentation of physical security. This is the most frequent audit finding. The report contains 40 pages on IT security and 2 pages on the perimeter. The ratio must match the risk exposure, not the departmental structure.
No versioning of reports. In a liability case it must be demonstrable which information the board had at which point in time. Without versioning there is evidentiary distress, and this works against the board member.
Robotics as a Data Source for the Report
Patrol robots deliver structured JSON logs. Every patrol produces a dataset with timestamp, GPS position, sensor values, incident classification. This data integrates directly into report templates, without manual transfer.
Tamper-evident recording meets evidentiary requirements. Datasets are signed with hash, stored in immutable logs, timestamped by a trusted time server. In court they are admissible as evidence.
Comparison to manual shift logs: human records typically show 15 to 30 percent gaps [source required]. Shift changes, forgotten entries, illegible notes, retroactive corrections. A report on this basis is not audit-proof.
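The tamper-evident recording described above, as an added example that is not the QR-2/QR-3 platform's own code: patrol records are chained by SHA-256 so that any altered, removed or reordered entry breaks verification, and the timestamps are checked for coverage gaps. Field names, coordinates and the one-hour patrol interval are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample patrol records (hypothetical field names and values).
PATROLS = [
    {"ts": "2026-01-05T22:00:00+00:00", "pos": [52.5200, 13.4050], "temp_c": 3.1, "incident": "none"},
    {"ts": "2026-01-05T23:00:00+00:00", "pos": [52.5201, 13.4052], "temp_c": 2.8, "incident": "none"},
    {"ts": "2026-01-06T00:00:00+00:00", "pos": [52.5202, 13.4049], "temp_c": 2.5, "incident": "perimeter_breach_suspected"},
    {"ts": "2026-01-06T02:30:00+00:00", "pos": [52.5200, 13.4051], "temp_c": 2.0, "incident": "none"},
]

GENESIS = "0" * 64  # anchor for the first entry; in production, a signed root hash


def record_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of a record together with the previous entry's hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def build_chain(records: list) -> list:
    """Append-only log: each entry commits to its predecessor via prev_hash."""
    chain, prev = [], GENESIS
    for rec in records:
        h = record_hash(prev, rec)
        chain.append({"record": rec, "prev_hash": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or record_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def coverage_gaps(chain: list, max_interval: timedelta = timedelta(hours=1)) -> list:
    """Indices of entries whose interval to the previous patrol exceeds max_interval."""
    times = [datetime.fromisoformat(e["record"]["ts"]) for e in chain]
    return [i for i in range(1, len(times)) if times[i] - times[i - 1] > max_interval]
```

Exporting `chain` as JSON, with the final hash recorded in the signed report, gives the auditor a single value to compare against the stored log.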
QR-3 extends the data basis with LiDAR mapping and drone detection. Airspace incidents are increasingly relevant for KRITIS sectors such as energy, water and logistics. Without sensor data, the report can make no statement on airspace, which means a gap in risk management.
Procurement via a Robotics-as-a-Service model: no CapEx, monthly operating fee, delivery in 48 hours, minimum term 24 months. What works: predictable cost, fast availability, automatic updates. What does not work: short-term single rental for a few weeks; the model is not designed for that.
Approach: First Report in 90 Days
Anyone without a progress report yet starts now. The window until the first BSI examination is shorter than most boards assume.
Week 1 to 2: gap analysis. Compare the actual state against the ten risk management areas from Article 21 paragraph 2. Result: gap list with prioritisation. Responsible: CISO and data protection officer jointly.
Week 3 to 6: responsibilities and data sources. One named owner per risk area. Connection of data sources (SIEM for IT, access system for perimeter, HR for training). Template creation for measures matrix and incident register.
Week 7 to 10: audit physical security. Site walk of all locations, document sensor coverage, close gaps. Integrate patrol robotics where manual patrols demonstrably show gaps. Configure data export from the robotics platform into the reporting system.
Week 11 to 12: board training. Duty under Article 20 paragraph 2. External provider, half-day session, topics: NIS-2 duties, liability, individual role in an incident. Documentation with attendee list and certificate.
Week 13: first quarterly report. Submission in the ordinary board meeting, formal handling, minute entry. Establish versioning. Storage in an audit-secure system.
After 90 days the first report is in place. From then on the frequency is quarterly. Effort drops from initial 400 person-hours to around 80 hours per follow-up quarter [source required], provided data sources are cleanly connected.
Treating the progress report as a check-box exercise misses the actual benefit. It is the only documentation that protects against recourse on board members in a liability case. This protective effect arises from consistent leadership over years. A single report for an examination is not enough.