NIS2 Implementation Act is in Force
NIS2 Compliance in Weeks, Not Months
30,000+ companies must act. Kopexa bundles frameworks, risks, evidence, and vendors in one platform. Made & Hosted in Europe.
- 30,000+ companies affected
- 24h incident reporting deadline
- €10M maximum penalty
Background
What is NIS2 and Why Does It Affect You?
NIS2 (EU Directive 2022/2555) is the revised EU cybersecurity directive that raises the protection of critical and important infrastructure across Europe to a new level. In Germany it was transposed into national law through the NIS2 Implementation Act (NIS2UmsuCG). The law has been in force since 6 December 2025. This means the new obligations apply not at some point in the future, but right now.
The law applies to companies from 18 sectors that employ at least 50 people or generate annual revenue exceeding EUR 10 million. These include energy, transport, healthcare, digital infrastructure, waste management, food, manufacturing, postal and courier services, and providers of digital services. Companies below the thresholds may also be affected if they act as suppliers to regulated entities.
Compared to the original NIS Directive of 2016, NIS2 tightens the requirements considerably. The number of regulated sectors has more than doubled. Personal liability of senior management is explicitly mandated: managing directors and board members must approve risk management measures and oversee their implementation. Violations can result in fines of up to EUR 10 million or 2% of global annual revenue. The mandatory supply chain security requirement is also new: companies must ensure that their service providers and suppliers also implement adequate security measures.
The NIS2 Implementation Act is binding law. Since it came into force, the BSI can demand registrations, conduct audits, and impose sanctions. Those who fail to act now risk not only fines but also the loss of contracts with regulated customers who must secure their supply chain.
Essential Entities
250+ employees or EUR 50M+ turnover
- Energy, Transport, Banking, Financial Markets
- Healthcare, Drinking Water, Wastewater
- Digital Infrastructure, ICT Service Management
- Public Administration, Space
Important Entities
50+ employees or EUR 10M+ turnover
- Postal and Courier Services, Waste Management
- Chemicals, Food, Manufacturing
- Digital Services (Marketplaces, Search Engines, Social Media)
- Research Institutions
Free Applicability Check
Are You Affected by NIS2?
Find out in 2 minutes. Free and anonymous.
NIS-2 Impact Assessment
Does your company fall under the EU NIS-2 Directive?
With the NIS-2 Impact Assessment by Kopexa, you get a clear orientation in just a few clicks. Fast and anonymous.
- Well-founded, EU-compliant questions that systematically classify your company.
- Instant initial assessment: affected or not affected, including relevant obligations.
- Anonymous, secure, and for orientation purposes, not legal advice.
Start now and find out where you stand.
Note: This initial assessment is based on your responses and publicly available criteria (NIS2). It is not legally binding and does not replace an individual case review.
Timeline
The Road to NIS2 Implementation
EU NIS2 Directive Enters into Force
Directive 2022/2555 enters into force at EU level. Member states have 21 months for national transposition.
EU Transposition Deadline Expired
The deadline for national transposition ends. Germany misses the deadline.
NIS2 Implementation Act Takes Effect
The German implementation act becomes applicable law. Affected companies must act immediately.
BSI Registration & Audits
The BSI portal has been active since January 6, 2026. Affected entities must register. Systematic audits will follow.
The NIS2 Implementation Act has been applicable law since December 6, 2025. Companies that have not yet acted are already behind schedule. The sooner you start, the lower the risk during a BSI audit.
Article 21 NIS2 Directive
What NIS2 Demands from You
The key obligations every affected company must implement.
Risk Management
Systematic identification, assessment, and treatment of cyber risks.
Incident Handling
24h early warning, 72h report, 30-day final report to authorities.
Business Continuity
Emergency plans, backup strategies, and recovery processes.
Supply Chain Security
Security requirements for suppliers and service providers.
Training & Awareness
Regular cybersecurity training for all employees.
Cryptography & Access
Encryption, multi-factor authentication, and access control.
How Kopexa Helps
From Requirement to Implementation
24h reporting deadline?
Incident playbooks with automatic timer
Kopexa detects incidents, starts the timer, and guides your team through the three-stage reporting process: 24h early warning, 72h report, 30-day final report.
- Automatic deadline monitoring
- Predefined reporting workflows
- BSI-compliant report templates
Which framework fits?
NIS2 preloaded, mapped to ISO 27001
The NIS2 framework is available out of the box. With automatic mapping you can see which ISO 27001 controls already cover NIS2 requirements.
- NIS2 Framework out-of-the-box
- Automatic control mapping
- Gap analysis at the push of a button
Audit evidence?
Documents, evidence & reports from one platform
Manage policies, evidence, and reports centrally. During an audit, export everything with one click. Complete and up to date.
- Centralized evidence management
- Automatic evidence collection
- Export-ready audit reports
One Platform, Four Advantages
Automation, Strategy, and Support in One
There are many NIS2 tools. Kopexa is the only platform that combines automation, compliance strategy, and optional expert support in one product.
Real-Time Monitoring with KSPEC
KSPEC is our open standard for machine-readable compliance checks. Kopexa scans your infrastructure in real time, discovers assets automatically, and uncovers Shadow IT. Evidence is collected fully automatically. Natively integrated, no osquery, no agent chaos.
- Real-time monitoring & asset discovery
- Shadow IT detection
- Automated evidence collection
- Natively integrated, open source
Incident Playbooks and Reporting Deadlines
NIS2 requires a 24h early warning, 72h report, and 30-day final report. Kopexa guides your team with timers, templates, and escalation paths through every step.
- Three-stage reporting process
- Automatic deadline monitoring
- Risk management based on OSCAL
Self-Service or with a Partner
Start on your own and bring in a certified partner when needed. The Partner CISO program connects you with experts who know Kopexa inside out.
- Free self-service start
- Certified Partner CISOs
- Advisory and platform in one
Your ISMS Is Based on ISO 27001
Kopexa is a full ISMS based on ISO 27001. You don't just solve NIS2, you build an internationally recognized management system. That strengthens customer trust, opens new markets, and becomes a competitive advantage in sales.
- Internationally recognized certification
- Trust signal for customers & partners
- Competitive advantage in sales
- NIS2 + ISO 27001 in one platform
All Frameworks. One System.
Built by GRC Experts for European Mid-Market Companies
Kopexa is built on OSCAL, the open NIST standard for machine-readable compliance frameworks. Every framework, every standard, every regulation: available instantly or custom-built with our Framework Builder.
Let’s Assess Where You Stand
Free & non-binding. Response within 24h.