Ten steps to bring your organisation in line with NIS2 — and where digital trust does the heavy lifting.
NIS2 is the EU’s most far-reaching cybersecurity directive to date, and it is no longer theoretical. In Germany, the national transposition — the NIS2-Umsetzungsgesetz (NIS2UmsuCG) — brings tens of thousands of organisations into scope, many of which never considered themselves “critical” before. With 18 sectors covered and an estimated 29,000 additional German companies affected, the practical question for most security leaders is simple: where do we start?
Does NIS2 apply to you?
NIS2 distinguishes between essential and important entities across sectors such as energy, transport, banking, health, digital infrastructure, public administration, water, and manufacturing. Many mid-sized companies are now in scope for the first time. If your organisation operates in one of the regulated sectors and exceeds the size thresholds, you should assume NIS2 applies and validate the detail rather than wait to be told.
The ten-point checklist
- Confirm scope and register. Determine whether you are an essential or important entity and complete any required registration with the competent authority.
- Make management accountable. NIS2 places responsibility with senior leadership. Boards must approve risk-management measures and can be held liable — so governance and oversight must be documented.
- Build an asset and risk inventory. Maintain a current inventory of servers, clients, cloud and SaaS resources, network components, privileged accounts and critical data flows. This is the foundation everything else rests on.
- Implement risk-based security measures. Adopt state-of-the-art technical and organisational controls proportionate to your risk — covering networks, systems and the supply chain.
- Establish incident reporting. Stand up processes to meet NIS2’s strict timelines — an early warning within 24 hours and a fuller notification within 72 hours of a significant incident.
- Secure your supply chain. Assess and contractually manage the security of suppliers and service providers; their weaknesses become yours.
- Enforce strong authentication. Deploy phishing-resistant multi-factor authentication and tighten access to privileged accounts — explicitly expected under NIS2.
- Encrypt and manage keys properly. Use encryption for data in transit and at rest, backed by sound key management; cryptography is named among the baseline measures.
- Plan for continuity. Maintain backup, disaster-recovery and crisis-management plans so essential services survive an incident.
- Document and prove it. Every measure must be demonstrable. Keep evidence, policies and audit trails ready — “we do this” is not enough without proof.
Where cryptography and identity do the heavy lifting
Several checklist items — strong authentication, encryption, key management and verifiable trust — sit squarely in the domain of digital trust. Public-key infrastructure underpins secure machine and user identity; phishing-resistant MFA protects access; encryption and disciplined key management protect the data itself. Getting these foundations right closes a meaningful share of the NIS2 gap in one move.
How CRYPTAS helps
CRYPTAS brings together strong authentication, enterprise PKI, certificate lifecycle management and encryption with key management — the exact controls NIS2 expects. We help you turn the checklist into an operational, auditable programme: phishing-resistant authentication for users and administrators, trusted identities for machines and services, and encryption you can prove to an auditor.
Where do you stand against NIS2? Talk to CRYPTAS about closing the technical gaps — starting with authentication, PKI and encryption.