NIS2 Compliance for German Mittelstand — Practical Implementation
NIS2 has been transposed into German law as the NIS2UmsuCG. If your company is in scope, the obligations are concrete and dated. This page lays out who is affected and what the deadlines are. It also shows how to map your existing ISO 27001 controls to the new obligations without rebuilding the ISMS from scratch.
What is NIS2 and which companies are in scope?
NIS2 (Directive (EU) 2022/2555) applies to companies in 18 sectors classified as "essential" or "important" with at least 50 employees and EUR 10M turnover. The German transposition is the NIS2UmsuCG, which incorporates the EU directive into the Federal IT Security Act.
The "essential" category covers energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. The "important" category adds postal and courier services, waste management, manufacture of chemicals, food production, manufacturing of medical devices and machinery, digital providers, and research organisations.
Companies determine their in-scope status themselves — BSI issues no central list. The thresholds are headcount and turnover. Smaller entities can still be designated by member states if they are the sole provider of a critical service. Companies that are unsure should run a self-assessment against the sector lists in Annex I and Annex II of the directive.
Group structures matter: the assessment usually applies at the level of the individual legal entity, not the consolidated group. A holding company is rarely in scope on its own, but operating subsidiaries in essential sectors typically are.
When is the NIS2 deadline in Germany?
Member states had to transpose NIS2 by 17 October 2024. The German NIS2UmsuCG entered into force in 2025. Companies in scope must register with BSI within 3 months of becoming an in-scope operator. They must also implement the technical and organisational measures listed in §30.
Registration with BSI is a formal one-time step. It records the company as an in-scope operator, names a designated contact for security incidents, and confirms the sector classification. The 3-month clock starts when the company first meets the size and sector criteria, not when the law enters into force.
Incident reporting is on a tight schedule. The operator must issue an early warning within 24 hours of becoming aware of a significant incident, a formal incident notification within 72 hours, and a final report within one month. The reporting channel is the BSI MIRP portal. Failure to report can trigger administrative fines of up to EUR 10M or 2% of global turnover for "essential" entities.
Management liability is explicit under NIS2: governing bodies must approve the cybersecurity risk-management measures, oversee their implementation, and undergo regular training. Personal liability for non-compliance is one of the bigger changes compared with the old IT-SiG.
How do I map our current ISO 27001 controls to NIS2 obligations?
NIS2 Article 21 lists 10 technical and organisational measure areas. Most map directly to ISO 27001:2022 Annex A controls (incident handling → A.5.24-A.5.30, supply-chain security → A.5.19-A.5.23, business continuity → A.5.29-A.5.30, access control → A.5.15-A.5.18, etc.). A cross-walk document is the fastest way to demonstrate coverage.
The 10 Article 21 areas in short: (1) risk analysis and information system security policies; (2) incident handling; (3) business continuity and crisis management; (4) supply chain security; (5) security in network and information systems acquisition and development; (6) policies to assess the effectiveness of cybersecurity risk-management measures; (7) basic cyber hygiene practices and cybersecurity training; (8) cryptography policies; (9) human resources security and access control; (10) use of multi-factor authentication and secured communications.
An ISO 27001:2022-certified ISMS already satisfies the vast majority of these. The gaps that typically remain are the formal supply-chain risk procedure, the 24/72-hour incident-reporting playbook, and explicit evidence of board-level oversight. These can be added without rebuilding the ISMS: they fit as new entries in the Statement of Applicability and as new procedures in the existing document hierarchy.
For companies without ISO 27001, BSI IT-Grundschutz is an alternative reference framework that German regulators accept. It covers the same ground with German-language artefacts and a step-by-step implementation path.
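To show what a cross-walk check looks like in practice, here is an added example (not curta.solutions' own tooling) that takes the four Annex A mappings quoted above and evaluates them against a Statement of Applicability. The remaining six Article 21 areas are deliberately left without mapped controls, and the sample SoA is constructed, so the script also shows the two failure modes a gap assessment must surface: an area nobody has mapped yet, and a mapped control that the SoA has marked "not applicable".

```python
"""Cross-walk check: NIS2 Article 21(2) measure areas vs. an ISO 27001:2022
Statement of Applicability (SoA). Added example; the Annex A ranges for four
areas are the ones quoted on the page, the rest are left for the ISMS team."""
from dataclasses import dataclass, field


def control_range(prefix: str, first: int, last: int) -> list[str]:
    """Expand ('A.5', 24, 30) into ['A.5.24', ..., 'A.5.30']."""
    return [f"{prefix}.{n}" for n in range(first, last + 1)]


# Article 21(2) areas, named as on the page. Empty lists are an assumption:
# the team still has to map those areas, and the checker must not treat an
# unmapped area as covered.
CROSSWALK: dict[str, list[str]] = {
    "Risk analysis and information system security policies": [],
    "Incident handling": control_range("A.5", 24, 30),
    "Business continuity and crisis management": control_range("A.5", 29, 30),
    "Supply chain security": control_range("A.5", 19, 23),
    "Security in acquisition and development": [],
    "Assessing effectiveness of risk-management measures": [],
    "Cyber hygiene and cybersecurity training": [],
    "Cryptography policies": [],
    "Human resources security and access control": control_range("A.5", 15, 18),
    "Multi-factor authentication and secured communications": [],
}


@dataclass
class AreaResult:
    status: str                                        # COVERED, PARTIAL, GAP or UNMAPPED
    missing: list[str] = field(default_factory=list)   # mapped controls not implemented
    excluded: list[str] = field(default_factory=list)  # mapped controls the SoA marks N/A


def assess(soa: dict[str, str], crosswalk: dict[str, list[str]] = CROSSWALK) -> dict[str, AreaResult]:
    """Evaluate each Article 21 area against SoA statuses ('implemented',
    'planned', 'not applicable'; a control absent from the SoA counts as missing)."""
    results: dict[str, AreaResult] = {}
    for area, controls in crosswalk.items():
        if not controls:
            results[area] = AreaResult("UNMAPPED")
            continue
        implemented = [c for c in controls if soa.get(c) == "implemented"]
        excluded = [c for c in controls if soa.get(c) == "not applicable"]
        missing = [c for c in controls if c not in implemented]
        if not missing:
            status = "COVERED"
        elif implemented:
            status = "PARTIAL"
        else:
            status = "GAP"
        results[area] = AreaResult(status, missing, excluded)
    return results


def gap_report(results: dict[str, AreaResult]) -> list[str]:
    """Human-readable lines for every area that is not fully covered."""
    lines = []
    for area, r in results.items():
        if r.status == "COVERED":
            continue
        line = f"{r.status:8} {area}"
        if r.missing:
            line += f" | missing: {', '.join(r.missing)}"
        if r.excluded:
            # An exclusion in the SoA does not remove the NIS2 obligation; flag it for review.
            line += f" | SoA marks N/A, review justification: {', '.join(r.excluded)}"
        lines.append(line)
    return lines


# Constructed sample SoA for a mid-sized ISMS: access control complete,
# incident handling half done, one supplier control excluded, one absent.
SAMPLE_SOA: dict[str, str] = {
    **{c: "implemented" for c in control_range("A.5", 15, 18)},
    "A.5.24": "implemented", "A.5.25": "implemented", "A.5.26": "implemented",
    "A.5.27": "planned", "A.5.28": "planned",
    "A.5.29": "implemented", "A.5.30": "implemented",
    "A.5.19": "implemented", "A.5.20": "implemented",
    "A.5.21": "not applicable", "A.5.22": "planned",
    # A.5.23 is missing from the SoA entirely
}

if __name__ == "__main__":
    for line in gap_report(assess(SAMPLE_SOA)):
        print(line)
```

Run against the sample SoA, incident handling and supply chain come out PARTIAL (with A.5.21 flagged for its "not applicable" marking), the two fully implemented areas are COVERED, and the six unmapped areas are listed as UNMAPPED rather than silently passing. Replacing the empty lists with the team's own Annex A mappings turns the script into the cross-walk the text describes.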
How does curta.solutions help with NIS2 compliance?
curta.solutions runs ISO 27001 ISMS preparation engagements (see case study) and produces the NIS2 cross-walk as an output. The engagement covers gap assessment, control implementation, BSI registration support, and incident-reporting playbooks.
A typical engagement starts with a 2-week gap assessment against Article 21 and its 10 measure areas. The gaps are mapped against any existing ISO 27001 or IT-Grundschutz documentation. The output is a concrete control list with owners, deadlines, and evidence requirements.
Implementation runs in 6-to-12-week sprints depending on the size of the gap. Outputs include the BSI registration package and the Article 21 cross-walk. The pack also covers the 24/72-hour incident-reporting playbook with named on-call roles, the supply-chain risk procedure, the board cybersecurity briefing pack, and the Article 4 AI literacy training material where AI is in use.
The engagement is designed for the German Mittelstand: pragmatic outputs, documentation in German where the regulator requires it, and fixed scope and fixed price per sprint. It supports compliance, but final accountability sits with the company's governing body, as the directive requires.
Best fit and known limitations
Best fit
German Mittelstand companies in NIS2 "essential" or "important" sectors that already have some ISO 27001 or IT-Grundschutz groundwork and need to close the Article 21 gap on a fixed timeline.
Less suitable
Pure consulting decks with no implementation work, or companies looking for a "compliance certificate". NIS2 is not a certification scheme; it is enforced by BSI through audits and incident-reporting checks.
Known limitations
Designed for compliance support, not legal advice. Statutory interpretation of the NIS2UmsuCG remains the responsibility of the company and its legal counsel.
Adjacent Engagements
ISO 27001 / ISMS Preparation
The reference engagement for ISMS design, documentation, and audit readiness that underpins the NIS2 cross-walk.
Services Overview
ITIL v4-aligned service catalogue covering security, compliance, and continual improvement.
GDPR-Compliant AI Prompting
Prompt policies and guardrails for safe AI use, supporting the Article 4 AI literacy obligation.
Ready to scope your NIS2 gap?
Book a call to walk through your sector classification, current control set, and a fixed-price path to BSI registration.