BSI Publishes NIS2 Checklist: Six Steps to Start Your NIS2 Implementation

The German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (BSI), has published a NIS2 checklist intended to support companies and organisations in preparing step by step for the requirements of NIS2 regulation.

Many companies are currently facing similar questions: Does NIS2 apply to us? Which internal responsibilities need to be established? When is registration with the BSI required? And which technical and organisational measures need to be implemented in practice?

The BSI checklist provides a practical starting point. It structures key tasks for NIS2 preparation into six steps.

1. Check whether NIS2 applies

The first step is to check whether your company or organisation falls within the scope of NIS2 regulation.

This assessment cannot always be made solely on the basis of employee numbers or revenue. Relevant factors include, among others, sector, company size, services provided, group structure and the national implementation of NIS2 requirements.

For this purpose, the BSI refers, among other things, to the NIS2 decision tree and the NIS2 applicability assessment. However, the result of such an assessment serves only as initial guidance and does not replace a legal evaluation.

Enobyte service: Quick check: Applicability of the NIS2 Directive

2. Define responsibilities

NIS2 makes cybersecurity a management-level issue. Management bodies and executive leadership must approve cybersecurity risk management measures, oversee their implementation and appropriately take the associated risks into account.

The BSI checklist recommends appointing and enabling at least two people within the company to take on a coordinating role for information security. These individuals should have the necessary expertise, authority and resources to embed information security effectively within the organisation.

3. Prepare registration in the BSI portal

Companies and organisations affected by NIS2 must register in the BSI portal.

For registration in Germany, an ELSTER organisational certificate is required, among other things. This can be obtained via the digital service “Mein Unternehmenskonto”. Companies should therefore check at an early stage whether the necessary organisational and technical requirements for registration are already in place.

4. Establish reporting processes for security incidents

Another central component of NIS2 implementation is preparation for reporting obligations in the event of significant security incidents.

Companies should define before an incident occurs which internal stakeholders must be informed, who is responsible for assessing the incident and who coordinates communication with authorities.

For affected organisations in Germany, the following timelines are particularly relevant:

  • Early warning within 24 hours of becoming aware of the incident
  • Notification within 72 hours of becoming aware of the incident
  • Final report within one month of the notification

These requirements make clear that incident response cannot be organised only once an incident has occurred. Roles, escalation paths and reporting processes must be defined, documented and tested in advance.

Enobyte service: CSIRT Services

5. Arrange training for management

NIS2 provides that management bodies must receive regular training on cybersecurity risks and risk management measures.

The objective is to ensure that decision-makers understand the relevant risks, can assess appropriate measures and are able to fulfil their oversight and governance responsibilities properly.

For companies, this means that NIS2 training should not be viewed merely as a compliance obligation. It is also an important component of an effective governance structure for information security.

Enobyte supports companies in meeting these requirements with practical NIS2 training for management — available in English, German and Japanese upon request.

Learn more: NIS2 Manager Training

6. Implement risk management measures

The final step concerns the practical implementation of technical and organisational measures.

The obligation to implement risk management measures arises from Article 21 of the NIS2 Directive, which requires affected organisations to take appropriate, proportionate and effective measures to manage cybersecurity risks.

These include, in particular:

  • Policies for risk analysis and information system security
  • Incident response processes
  • Business continuity, backup, recovery and crisis management
  • Supply chain security
  • Security in the procurement, development and maintenance of ICT systems
  • Procedures for assessing the effectiveness of risk management measures
  • Cyber hygiene and cybersecurity training
  • Use of cryptography and encryption
  • Personnel security, access control and asset management
  • Multi-factor authentication and secure means of communication

For many companies, the challenge will be to systematically record existing measures, identify gaps and derive a prioritised implementation roadmap.

Enobyte services: NIS2 Assessment, CSIRT Services

NIS2 Support from Enobyte

Enobyte supports you with questions relating to NIS2, as well as with registration with the competent authorities, the establishment of incident response structures, management training and the implementation of risk management measures.

If your company needs support with NIS2 implementation, please contact us.