NIS2 Compliance Checklist 2026: What Companies Must Implement Now

EU member states had to apply NIS2 from 18 October 2024; Germany's implementation act (NIS2UmsuCG) entered into force in December 2025, so the obligations now apply to affected companies. This checklist shows which measures they must implement now, including third-party risk management.

The NIS2 directive requires affected companies to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. Supply chain security, i.e. the management of supplier and service-provider risk, is explicitly one of the minimum measures (Art. 21 Para. 2d).

NIS2 Compliance Checklist: 10 Measures

The ten minimum measures of Art. 21 Para. 2 are:

1. Risk analysis and information system security policies.
2. Incident handling (detection, response and reporting).
3. Business continuity management, including backup management, disaster recovery and crisis management.
4. Supply chain security and supplier risk management.
5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
6. Policies and procedures for evaluating the effectiveness of the cybersecurity measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures on the use of cryptography and, where appropriate, encryption.
9. Human resources security, access control policies and asset management.
10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

Management liability

NIS2 makes management personally accountable: under Art. 20 the management bodies must approve the cybersecurity risk-management measures, oversee their implementation and attend training, and they can be held liable for infringements. The administrative fines themselves are imposed on the entity: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities. For essential entities supervisory authorities may additionally request a temporary ban on individuals with management responsibilities from exercising managerial functions until the infringement is remedied.

NIS2 Art. 21: Supply Chain Security

NIS2 Art. 21 Para. 2d requires supply chain security, including the security-related aspects of the relationship between a company and its direct suppliers and service providers. Under Art. 21 Para. 3 companies must take into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices, including secure development procedures. In practice this means contractual security requirements, regular assessments of suppliers and service providers, and ongoing monitoring of their security posture.

360TPRM meets NIS2 Art. 21

360TPRM automates supply chain risk management according to NIS2 — with continuous monitoring, automated assessments and complete documentation for supervisory authorities.

FAQ

What is NIS2?

NIS2 is the revised EU directive on network and information security (Directive (EU) 2022/2555). Member states had to apply it from 18 October 2024; Germany's implementation act entered into force in December 2025. It requires affected companies to implement comprehensive cybersecurity measures and to report significant security incidents.

Which companies are affected by NIS2?

Companies of at least medium size (50 or more employees, or more than €10 million annual turnover and balance sheet total) that operate in the sectors listed in the directive's annexes, including energy, transport, health, digital infrastructure, public administration, manufacturing and many more. Some entities, such as DNS service providers, TLD name registries and qualified trust service providers, are covered regardless of size.

What does NIS2 require regarding supplier security?

NIS2 Art. 21 Para. 2d requires supply chain security, and Art. 21 Para. 3 requires companies to take into account the specific vulnerabilities of each direct supplier and service provider and the quality of their products and cybersecurity practices. In practice this means contractual security requirements, regular assessments and ongoing monitoring of suppliers and service providers.

What penalties apply for NIS2 violations?

For essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. In addition, management bodies are personally accountable under Art. 20 and can be held liable for infringements.

Achieve NIS2 compliance with 360TPRM

See in a 45-minute demo how 360TPRM specifically meets your requirements.

Request free demo →