# NIS2: Cybersecurity for essential and important entities
The NIS2 Directive (EU 2022/2555) obliges essential and important entities across 18 sectors to implement comprehensive cybersecurity risk management measures. Art. 21(2)(d) makes supply chain security a mandatory measure — including all open source components in your software.
You have just created an SBOM and see 800 open source projects. You are responsible for all of them. Your management body is personally liable (Art. 20 NIS2, Section 38 NIS2UmsuCG). This is not a task you can solve internally: 800 projects mean 15 or more programming languages and hundreds of maintainers with whom you have no contract, no SLA and no means of intervening.
## Who is affected?
NIS2 covers 18 sectors in two categories.
### Sectors of high criticality (Annex I — 11 sectors)
- Energy — electricity, oil, gas, hydrogen, district heating
- Transport — air, rail, water, road
- Banking
- Financial market infrastructures
- Health — hospitals, laboratories, pharmaceuticals, medical devices
- Drinking water
- Waste water
- Digital infrastructure — DNS, TLD, data centres, cloud, CDN, trust services
- ICT service management (B2B) — managed service providers, managed security service providers
- Public administration
- Space
### Other critical sectors (Annex II — 7 sectors)
- Postal and courier services
- Waste management
- Chemicals — manufacturing, production, distribution
- Food — manufacturing, processing, distribution
- Manufacturing — medical devices, electronics, optics, machinery, motor vehicles, other transport equipment
- Digital services — marketplaces, search engines, social networks
- Research
### Thresholds in Germany (NIS2UmsuCG)
| Category | Criterion |
|---|---|
| Particularly important entities (Annex 1) | 250+ employees OR over EUR 50 million turnover AND over EUR 43 million balance sheet |
| Important entities (Annex 1+2) | 50+ employees OR over EUR 10 million turnover AND over EUR 10 million balance sheet |
| Operators of critical facilities | Regardless of size (German special category) |
Telecommunications providers qualify as particularly important entities from 50 employees or over EUR 10 million turnover. Hospitals have an extended implementation period of five instead of three years (Section 61(3) NIS2UmsuCG).
## What does NIS2 require?
### Supply chain security (Art. 21(2)(d))
You must ensure the security of your supply chain. Art. 21(3) expressly requires: the assessment of vulnerabilities of direct suppliers and the assessment of the security of your suppliers' development processes. For open source components, this means: you must assess how securely the projects your software depends on are developed — even when no contract and no SLA exists.
### Vulnerability management (Art. 21(2)(e))
Management and disclosure of vulnerabilities are mandatory. This includes not only scanning but also the active treatment of discovered vulnerabilities and coordinated disclosure in accordance with Art. 12 NIS2.
### Assessment of effectiveness (Art. 21(2)(f))
You must establish policies and procedures for assessing the effectiveness of your risk management measures. For your open source supply chain, this means: measurable, documented processes that an auditor can follow.
### Reporting obligations (Art. 23)
- Early warning within 24 hours (Art. 23(4)(a))
- Notification with an initial assessment within 72 hours (Art. 23(4)(b))
- Final report within one month (Art. 23(4)(d))
In Germany: Section 32(1) Nos. 1-4 NIS2UmsuCG with identical deadlines.
### ENISA implementation guidance on FOSS
ENISA has published specific guidance on the treatment of open source software under NIS2. This defines what "appropriate measures" means for the security of the OSS supply chain. Art. 21(1) requires measures that take account of the "state of the art" and "relevant European and international standards". ISO/IEC 18974 defines this state of the art for open source security assurance.
### Training obligation for management bodies (Art. 20(2))
Members of the management bodies must undergo training to acquire sufficient knowledge for the identification and assessment of risks.
## Consequences of non-compliance
### Fines
| Category | Amount | Legal basis |
|---|---|---|
| Essential entities | EUR 10 million or 2% of worldwide annual turnover (whichever is higher) | Art. 34(4) NIS2 |
| Important entities | EUR 7 million or 1.4% of worldwide annual turnover (whichever is higher) | Art. 34(5) NIS2 |
| Particularly important (DE) | EUR 10 million fixed, or 2% for turnover above EUR 500 million | Section 65(5) and (6) NIS2UmsuCG |
| Important (DE) | EUR 7 million fixed, or 1.4% for turnover above EUR 500 million | Section 65(5) and (7) NIS2UmsuCG |
### Personal management liability
- Personal liability of management bodies (Art. 20(1), Art. 32(6) NIS2)
- Prohibition of management activities as an escalation step: natural persons may be temporarily prohibited from exercising management functions (Art. 32(5)(b) NIS2)
- In Germany: managing directors are personally liable for culpably caused damages (Section 38(2) NIS2UmsuCG) and must implement and supervise measures (Section 38(1))
- Prohibition of activity for unreliability (Section 61(9) No. 2 NIS2UmsuCG)
### Public visibility
- The authority may order public disclosure of violations (Art. 32(4)(h), Art. 33(4)(g))
- The CSIRT may inform the public about security incidents (Art. 23(7))
- In Germany: the BSI may order public disclosures (Section 61(8) NIS2UmsuCG)
### Further consequences
- Temporary suspension of certifications and authorisations (Art. 32(5)(a) NIS2, Section 61(9) No. 1 NIS2UmsuCG)
## Why existing solutions are not enough
An SCA scanner shows you the CVEs that have been registered against your components. That is a good first step. But:
- Who fixes the vulnerabilities found? Not the scanner.
- For every registered CVE, there are 4 to 11 "silent fixes" — security corrections that were never registered as CVEs. No scanner finds them.
- Catalogue providers support a selection of end products, but not those products' own dependencies. The majority of your SBOM remains uncovered.
- Art. 21(3) requires the assessment of your suppliers' development processes. No scanner detects whether the developer of a critical project has given up, whether nobody is fixing security vulnerabilities any more, or whether the project is on the verge of collapse. Yet these are precisely the risks that threaten your operations.
OTTRIA closes this gap: not just reporting, but fixing. Not just popular projects, but your entire SBOM.
## What OTTRIA covers
| NIS2 obligation | OTTRIA service |
|---|---|
| Supply chain security (Art. 21(2)(d)) | Risk-based assessment of all OSS projects in your SBOM |
| Assessment of supplier vulnerabilities (Art. 21(3)) | Project health analysis, maintainer maturity, abandonment risk |
| Assessment of development processes (Art. 21(3)) | Analysis of governance, commit activity, security practices |
| Vulnerability management (Art. 21(2)(e)) | CVE scanning, silent fix detection, active upstream fixes |
| Coordinated disclosure (Art. 12) | Disclosure management as part of the steward role |
| State of the art (Art. 21(1)) | Support in meeting ISO/IEC 18974 |
| Assessment of effectiveness (Art. 21(2)(f)) | Measurable KPIs and documented remediation history |
## What OTTRIA does not cover
- Your decisions: OTTRIA delivers risk assessments and options for action. The decision on which risk you accept is yours.
- Your systems: OTTRIA works exclusively in the open source world. We have no access to your systems.
- Your overall responsibility: Regulatory responsibility remains with you. OTTRIA reduces your risk and provides evidence.
- Non-OSS components: Other service providers are responsible for proprietary software and other supply chain risks.
- Organisational measures: Internal policies, training, HR awareness remain your task. OTTRIA can support but does not replace your internal organisation.
- Resolution time guarantees: We respond as quickly as possible and document every step. Resolution times cannot be predicted.
## What do you present to the auditor?
### OTTRIA delivers
- Supply chain security documentation under Art. 21(2)(d)
- Vulnerability management evidence under Art. 21(2)(e)
- Assessment of development processes and vulnerabilities of your OSS suppliers under Art. 21(3)
- Remediation protocols per incident: what was done when, by whom, with what result
- SBOM with maintenance status and abandonment probability
- Evidence of compliance with international standards (ISO/IEC 18974)
### You add
- Your decision log: which risk did you accept, which did you mitigate?
- The implementation status in your system
- Your overarching risk management documentation under Art. 21
- Your reporting obligation processes under Art. 23 / Section 32 NIS2UmsuCG
### Auditor narrative
When your auditor asks how you ensure the security of your open source supply chain, you can document:
*"For the security of our open source supply chain under Art. 21(2)(d) NIS2, we have engaged OTTRIA as a specialised service provider. OTTRIA monitors all open source components in our SBOM, conducts continuous vulnerability analyses, coordinates upstream fixes, and delivers audit-ready documentation. Decisions on risk acceptance and measure implementation remain with our management body."*
## Implementation in Germany
### NIS2UmsuCG and BSI
NIS2 is a directive, not a regulation. Each member state transposes it nationally. In Germany, transposition is through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which amends substantial parts of the BSIG (BSI Act). The Federal Office for Information Security (BSI) is the competent authority.
### German specificities
- Three-tier categorisation: Particularly important, important, and critical infrastructure operators — instead of the EU two-tier classification (essential/important)
- Turnover-based fines only from EUR 500 million total turnover (Section 65(6) and (7))
- Attack detection systems mandatory for critical infrastructure operators (Section 31(2))
- BSI may actively detect vulnerabilities — including port scans (Section 15)
- Prohibition of critical components from certain manufacturers possible (Section 41)
- DORA-regulated companies are exempt under the German transposition (Section 28(6))
- Registration obligation with the BSI within three months (Section 33(1))
- Three-year evidence cycle for critical infrastructure operators (Section 39)
### Divergent transposition in other EU countries
Since NIS2 is a directive, each EU country transposes it differently. Thresholds, supervisory structures, and sanction regimes may diverge. If you operate in multiple EU countries, check the respective national transposition.
800 projects in the SBOM? Let us analyse together where your greatest risks lie. Request a free SBOM analysis.
How much would it cost to solve this internally? Talk to us about the realistic effort.