Regulatory Framework

Legal Sources

Legal Source	Status	Relevance
NIS 2 Directive (EU) 2022/2555	In force since 16.01.2023	EU framework directive
NIS2UmsuCG (Omnibus Act)	In force since 06.12.2025	German implementation
BSIG (Revised)	In force since 06.12.2025	Central obligations
Implementing Regulation (EU) 2024/2690	In force	Detailed technical requirements
KRITIS Umbrella Act	Adopted 29.01.2026	Physical resilience

Applicability

The NIS2 Directive distinguishes two categories:

Category	Criteria	Sanctions
Essential entities	Annex I sectors, ≥250 employees or ≥€50M turnover	Up to €10M or 2% of global annual turnover
Important entities	Annex I/II sectors, ≥50 employees or ≥€10M turnover	Up to €7M or 1.4% of global annual turnover

§30 BSIG – Ten Risk Management Measures

No.	Measure	Documentation
1	Risk analysis and information system security concepts	Risk Management
2	Incident handling	Incident Management
3	Business continuity (BCM, backup, disaster recovery, crisis management)	Business Continuity
4	Supply chain security	Supply Chain Security
5	Security in acquisition, development and maintenance	Vulnerability Management
6	Effectiveness assessment concepts and procedures	Effectiveness Review
7	Basic cyber hygiene practices and training	Training & Awareness
8	Cryptography concepts and procedures	Cryptography
9	Personnel security, access control concepts	Access Control
10	Multi-factor authentication, secured communication	Access Control

Additional Obligations

Section	Obligation	Documentation
§32 BSIG	Reporting obligations for significant security incidents	Incident Management
§33 BSIG	Registration obligation with BSI	Organizationally implemented
§38 BSIG	Approval, supervision and training obligations of management	Governance

CRA Synergy

CRA-compliant processes (vulnerability management, incident response, supply chain) largely fulfil the corresponding NIS2 requirements. Details in the CRA Compliance Documentation.