
NIS-2 Implementation Act: Duties for KRITIS Operators

NIS2UmsuCG binds 29,500 companies to cybersecurity, 24-hour reporting and board liability. Operational guidance for KRITIS operators.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

The NIS-2 Implementation Act (NIS2UmsuCG) puts cybersecurity duties in Germany on a new footing. The scope grows roughly seventeen-fold compared to the old BSI Act. Management boards are personally liable. The first reporting deadline shrinks to 24 hours. Operators who miss the cut-off risk fines of up to 10 million euros.

The NIS-2 Implementation Act at a Glance

The NIS2UmsuCG transposes Directive (EU) 2022/2555 (NIS-2) into national law. The EU transposition deadline expired on 17 October 2024. Germany missed that deadline. The Bundestag is still working on the draft; enforcement is expected from 2025.

The numbers matter operationally. Around 29,500 companies in Germany fall under the new scope. Of these, about 1,500 are classified as essential entities, the rest as important entities. The old BSI Act covered around 1,700 operators. The jump is roughly a factor of seventeen.

The thresholds for important entities sit at 50 employees or 10 million euros annual turnover (NIS-2 Directive Art. 2 and 3, which refer to the EU SME definition in Recommendation 2003/361/EC). Essential entities are caught from 250 employees or 50 million euros turnover. The KRITIS Regulation defines additional facility thresholds, for example for hospitals and waterworks (BSI-KritisV).

18 sectors are affected, eleven sectors of high criticality (Annex I) and seven other critical sectors (Annex II): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.

Next step: review KRITIS requirements and sector classification.

Who Falls Under the Act

Essential entities include energy suppliers above the facility thresholds of the KRITIS Regulation, hospitals from 30,000 full inpatient cases per year, and waterworks from 22 million cubic metres annual output (BSI-KritisV). These facility thresholds come from the KRITIS Regulation and apply in parallel to the general NIS-2 size thresholds.

Important entities are food producers from mid-sized scale, chemical companies, machinery and plant engineering, and postal service providers. The 50-employee threshold applies here. Operators just below should document the three-year trend.

Self-registration with the BSI is mandatory. There is no administrative notice from the authority. The operator examines independently whether the Act applies and registers. Late registration counts as a breach of duty. The BSI is the competent national authority under Section 1 BSIG (BMI on NIS-2 transposition).

Group structures require individual assessment. Each subsidiary evaluates its own status. Automatic exemption through the parent does not exist. With shared service centres, accountability per facility must be clear.

Suppliers fall indirectly under the supply chain duties of the main operators. The operator carries the duty and flows it down by contract: anyone supplying a NIS-2 entity should expect contractual security requirements. This applies to IT service providers, cleaning firms with site access, and maintenance contractors.

Next step: consult NIS-2 compliance at Quarero for scope assessment.

Board Liability and Personal Sanctions

The management board is personally liable for breaches. Discharge through delegation to the CISO or an external service provider is excluded. The board must approve, monitor and document risk management.

Fines are tiered. Essential entities pay up to 10 million euros or 2 percent of global annual turnover, whichever is higher (NIS-2 Directive Art. 34). Important entities pay up to 7 million euros or 1.4 percent. Fines are imposed on the entity; personal sanctions against management bodies apply on top.

Training for management bodies is mandatory. Content: risk management, cyber threats, regulatory duties. The training carries documentation obligations. During audits, the BSI checks attendance records.

A de facto reversal of the burden of proof applies. The board must actively demonstrate that it has fulfilled its duty of care. Mere assertion does not suffice. Board resolutions, risk reports and training records belong in the files.

D&O insurance helps only to a limited extent. Wilful breaches of duty are routinely excluded. With gross negligence, insurers reduce payouts. Anyone who has skipped training quickly enters the territory of gross negligence.

Next step: review board liability under NIS-2 in detail for file documentation.

Ten Minimum Technical and Organisational Measures

Article 21(2) of the NIS-2 Directive lists ten measure areas that every entity must implement. These are not optional.

  1. Policies for risk analysis and information system security, reviewed annually.
  2. Handling of security incidents with documented response plans and defined escalation.
  3. Maintenance of operations: backup management, disaster recovery and crisis management following BCM logic.
  4. Supply chain security, including security-related aspects of relationships with direct suppliers and service providers.
  5. Security measures in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
  6. Policies to assess the effectiveness of risk management measures.
  7. Basic cyber hygiene practices and cybersecurity training.
  8. Policies and procedures for the use of cryptography and encryption.
  9. Personnel security, access control policies and asset management.
  10. Use of multi-factor or continuous authentication solutions, secured voice, video and text communication and, where appropriate, secured emergency communication systems within the entity.

Point 9 covers access control policies, and access control is not just a login: it includes physical protection of IT sites and critical perimeters. Whoever enters the data centre is part of asset security. Autonomous monitoring at perimeters counts towards implementation.

Next step: run a gap analysis against all ten points, name owners per measure.

Reporting Duties to the BSI

The reporting deadlines are three-tiered and apply cumulatively.

The early warning is due within 24 hours of becoming aware of a significant incident. Content: initial assessment of whether the incident stems from unlawful or malicious acts and whether it has cross-border effects.

The incident notification follows within 72 hours of awareness. It updates the early warning and contains an initial assessment of severity and impact and, where available, indicators of compromise. On request of the BSI or the CSIRT, an intermediate report with status updates is due; this applies to essential and important entities alike.

The final report is due within one month after submission of the incident notification. It describes the incident in detail: severity and impact, type of threat or likely root cause, mitigation measures applied and still ongoing, and cross-border effects where present. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month after the incident has been handled.

An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or if it has affected or is capable of causing considerable material or non-material damage to other persons (NIS-2 Directive Art. 23). The threshold is lower than under the old BSI Act.

Reports go through the BSI reporting portal. The 24/7 availability of the internal reporting office must be ensured. Weekend incidents are not exempt. Anyone who detects ransomware on Friday evening reports by Saturday evening.

Next step: define reporting chain and on-call duty, run a dry run with a fictional incident.
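For the dry run, the following script computes the three deadlines from the moment of awareness and flags what is overdue at a given point in time. It is an added example written for this article, not a Quarero tool or BSI software. It assumes the deadlines as stated in Article 23(4) of the Directive, Europe/Berlin as local time, and a constructed sample incident (ransomware detected on a Friday evening); the function names are the example's own.

```python
"""Reporting clock for the three-tier NIS-2 notification scheme.

Added example for this article, not code from the original page, from
Quarero or from the BSI. Deadlines follow Directive (EU) 2022/2555
Art. 23(4): early warning 24 h and incident notification 72 h after
becoming aware, final report one month after the notification was
submitted. Function names, the Europe/Berlin assumption and the sample
incident are assumptions made for this example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    BERLIN = ZoneInfo("Europe/Berlin")
    HAS_TZDATA = True
except ZoneInfoNotFoundError:
    # Minimal containers without tzdata: fall back to fixed CET (no DST handling).
    BERLIN = timezone(timedelta(hours=1), "CET")
    HAS_TZDATA = False


def plus_hours(t: datetime, hours: int) -> datetime:
    """Add real (elapsed) hours. Plain '+ timedelta' on a zone-aware datetime is
    wall-clock arithmetic in Python and silently loses an hour across the spring
    DST change, so the addition is done in UTC and converted back."""
    return (t.astimezone(timezone.utc) + timedelta(hours=hours)).astimezone(t.tzinfo)


def add_one_month(t: datetime) -> datetime:
    """Calendar month for the final report, clamped to the last day of the
    target month (31 January -> 28/29 February)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass(frozen=True)
class ReportingSchedule:
    early_warning_due: datetime
    notification_due: datetime
    final_report_due: datetime | None  # None until the notification has gone out


def schedule(awareness: datetime, notification_submitted: datetime | None = None) -> ReportingSchedule:
    """All clocks start at *awareness*, not at the moment of the attack.
    The final-report clock starts only when the incident notification is submitted."""
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware; naive timestamps are ambiguous around DST")
    final = add_one_month(notification_submitted) if notification_submitted else None
    return ReportingSchedule(
        early_warning_due=plus_hours(awareness, 24),
        notification_due=plus_hours(awareness, 72),
        final_report_due=final,
    )


def overdue(sched: ReportingSchedule, now: datetime, submitted: dict[str, datetime | None]) -> list[str]:
    """Names of reports that are past their deadline and not yet submitted."""
    due = {
        "early_warning": sched.early_warning_due,
        "incident_notification": sched.notification_due,
        "final_report": sched.final_report_due,
    }
    return [name for name, deadline in due.items()
            if deadline is not None and submitted.get(name) is None and now > deadline]


def local(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as Europe/Berlin wall-clock time."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=BERLIN)


def sample_incident() -> dict[str, str]:
    """Constructed scenario: ransomware detected Friday evening, notification
    sent Monday morning, status checked on Sunday morning with nothing sent yet."""
    sched = schedule(local("2025-01-10 19:30"), notification_submitted=local("2025-01-13 10:00"))
    late = overdue(sched, now=local("2025-01-12 08:00"),
                   submitted={"early_warning": None, "incident_notification": None, "final_report": None})
    fmt = "%a %Y-%m-%d %H:%M"
    return {
        "early_warning_due": sched.early_warning_due.strftime(fmt),
        "notification_due": sched.notification_due.strftime(fmt),
        "final_report_due": sched.final_report_due.strftime(fmt),
        "overdue_sunday_08_00": ",".join(late),
    }


if __name__ == "__main__":
    for key, value in sample_incident().items():
        print(f"{key:22s} {value}")
```

Two details matter in practice: the deadlines run in elapsed hours, so the script computes them in UTC rather than wall-clock time (an incident detected the day before the spring clock change would otherwise gain a phantom hour), and the final-report clock does not start at awareness but at the moment the incident notification is actually submitted.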

Physical Security as Part of NIS-2 Duties

Article 21(2) of the Directive requires an all-hazards approach that protects network and information systems and the physical environment of those systems from incidents; point (i) adds access control policies. NIS-2 is not purely cyber. Anyone who neglects the physical layer fails the minimum measures.

Concretely affected: server rooms, substations, water treatment plants, data centres and telecommunications nodes. Perimeters must be secured, access logged, unusual movements detected.

Autonomous patrol robots document rounds without gaps. Each lap generates log data with timestamp, GPS position and sensor readings. These records are evidence for BSI audits. A patrol with a punch clock does not deliver this depth.

The QR-2 with thermal imaging detects intruders in darkness and poor visibility. The QR-3 with LiDAR sensors detects drones over sensitive facilities, for example over substations or drinking water reservoirs. Both models deliver data to the Security Operations Center in real time.

The cost frame is calculable. A QR-2 in the Robotics-as-a-Service model costs 3,500 euros per month (Quarero Robotics price list 2025). A 24/7 guard post with collective-agreement wages (Manteltarifvertrag), allowances and cover costs 15,000 to 25,000 euros per month (BDSW wage overview 2024). The robot does not fully replace the human patrol, but covers 80 percent of routine rounds (Quarero Robotics operating data 2024).

Next step: evaluate QR-2 for 24/7 outer perimeter for facility protection.

Implementation Plan in Twelve Weeks

Anyone starting in January is audit-ready by end of March. The plan is sequential, not parallel.

Weeks 1 to 2: scope assessment. Which sector, which thresholds, which subsidiaries. Prepare self-registration with the BSI. Name owners per business unit.

Weeks 3 to 4: gap analysis against the ten minimum measures from Article 21. Capture documentation status. Prioritise gaps by risk and regulatory visibility.

Weeks 5 to 8: establish or adjust risk management. Test emergency plans, do not just write them. Adjust supplier contracts, at least for the critical twenty percent of vendors. Implement access control and multi-factor authentication.

Weeks 9 to 10: conduct board training. Set up reporting processes including 24/7 availability. Document on-call schedules. First dry run of a BSI report.

Weeks 11 to 12: review physical protection. Walk perimeters, identify weak points. Start pilot operation of autonomous perimeter surveillance. Final documentation for the first audit cycle.

Next step: review the Robotics-as-a-Service model for the pilot phase.

Interfaces with the KRITIS Umbrella Act

NIS-2 governs cybersecurity. The KRITIS Umbrella Act (KRITIS-Dachgesetz) governs physical resilience. Both laws apply in parallel and overlap at several points. The draft of the KRITIS-Dachgesetz is on file as Bundestag-Drucksache 20/9262.

Operators falling under both regimes register with the BSI for NIS-2 and with the BBK for KRITIS. The BBK coordinates civil protection and maintains the register of critical facilities. Double registration does not mean double work, provided master data and risk documents are kept centrally.

The resilience plan under the KRITIS-Dachgesetz and the information security concept under NIS-2 are kept separately. Substantively they must interlock. Anyone protecting a substation against sabotage also protects its SCADA control system. Duplication is avoided through a shared risk register.

Joint audits make sense. Supplier reviews, personnel security and access controls appear in both regimes. Auditing once and covering both requirements saves effort. Auditors accept combined evidence as long as attribution is clear.

Board liability is anchored in both Acts. Training duties cumulate: cyber content under NIS-2 plus resilience content under KRITIS-Dachgesetz. A combined annual training covers both, if curriculum and documentation hold up.

Next step: use the KRITIS-Dachgesetz checklist 2026 for parallel implementation.

Operational Consequence for Board and Security Leadership

The NIS2UmsuCG is not an IT project. It is a board matter with measurable personal risk. Anyone missing the cut-off risks fines up to 10 million euros for the entity (NIS-2 Directive Art. 34) and personal liability for management bodies. Anyone formally registered but unable to evidence the ten minimum measures stands without defence at the first audit.

The operational answer has three layers. Cyber risk management per Article 21. Reporting readiness with 24/7 availability and documented processes. Physical protection of facilities, including autonomous perimeter surveillance where guard personnel are too expensive or unavailable.

The guard service cost comparison shows where Robotics-as-a-Service complements the guard post. The decision is not ideological. It is a question of audit depth and monthly operating cost.

For scope assessment, gap analysis and selection of physical measures, the path leads through NIS-2 compliance at Quarero. That is where the structured approach sits for operators who must meet NIS-2 and KRITIS-Dachgesetz in parallel.
