The NIS2 Directive has been transposed into German law effective 6 December 2025. Approximately 29,000 companies across 18 critical sectors are affected — from energy to healthcare to digital infrastructure. The obligations are concrete: risk management systems, incident reporting within 24 hours, BSI registration by 6 March 2026, and fines of up to €10 million for non-compliance. This article outlines which measures must be implemented immediately and how AWS services support NIS2 compliance technically.
What Is NIS2 and Why Does It Apply Now?
The NIS2 Directive (Network and Information Security Directive 2, EU 2022/2555) is the revised European cybersecurity directive. It replaces the original NIS Directive from 2016 and significantly expands the scope: instead of a few hundred critical operators, approximately 29,000 German organisations are now directly regulated.
Germany transposed the directive through the NIS2UmsuCG. The rules entered into force on 6 December 2025, with a three-month BSI registration window closing on 6 March 2026.
For companies operating or using cloud infrastructure, this creates a clear mandate: technical and organisational measures must not only exist — they must be auditable, documented, and demonstrable to the BSI.
Which Organisations Are Affected?
| Category | Sectors (selection) | Thresholds | Max. fine |
|---|---|---|---|
| Essential Entities | Energy, drinking water, transport, healthcare, banking, digital infrastructure | ≥ 250 employees or ≥ €50m revenue | €10m or 2% global turnover |
| Important Entities | Postal, waste management, chemicals, food, machinery, digital services | ≥ 50 employees or ≥ €10m revenue | €7m or 1.4% annual turnover |
The Eight Core Obligations Under NIS2
- Risk management: Establish a systematic IT risk management process with documented risk analyses and treatment measures.
- Incident response: Demonstrate capability to detect, analyse and remediate security incidents with defined escalation paths.
- Incident reporting: Significant security incidents must be reported to the BSI within 24 hours; a detailed report follows within 72 hours.
- Business continuity: Backup concepts, disaster recovery plans and crisis management must be documented and tested.
- Supply chain security: Security requirements must extend to direct suppliers and service providers — including cloud providers.
- Identity and access management: Multi-factor authentication and zero-trust principles for all privileged access.
- Cryptography: Current encryption standards for data at rest and in transit.
- Training and awareness: Regular cybersecurity training for staff and executives — verifiably documented.
AWS Services for NIS2 Compliance
| NIS2 Requirement | AWS Service | Function |
|---|---|---|
| Vulnerability management | Amazon Inspector | Continuous vulnerability scanning for EC2, Lambda, container images |
| Threat detection | Amazon GuardDuty | AI-based threat intelligence, anomaly and attack pattern detection |
| Audit logging | AWS CloudTrail | Complete logging of all API calls — immutably stored in S3 |
| Security information | AWS Security Hub | Central collection and prioritisation of security findings |
| Backup & recovery | AWS Backup | Centralised, policy-driven backups with immutable storage |
| Identity management | AWS IAM Identity Center | SSO with MFA, fine-grained permissions, central audit trail |
| Network security | AWS Network Firewall | Stateful inspection, intrusion prevention, URL filtering |
| Encryption | AWS KMS | Cryptographic key management with full audit trail |
| Compliance monitoring | AWS Config | Continuous configuration checks against defined compliance rules |
Shared Responsibility: What AWS Covers, What You Own
The Shared Responsibility Model defines clear boundaries. NIS2 requires explicit documentation of these boundaries.
- AWS responsibility (Security of the Cloud)
  - Physical security of data centres, hypervisor security, network infrastructure, hardware integrity. AWS holds ISO 27001, SOC 2, BSI C5 Type II and CSA STAR Level 2 certifications — usable as evidence with the BSI.
- Customer responsibility (Security in the Cloud)
  - Configuration of AWS services, access management (IAM), OS and application patching on EC2, data encryption, network segmentation, monitoring and incident response. This is entirely the customer's responsibility and precisely where NIS2 measures apply.
- Contractual basis
  - The AWS Data Processing Addendum (DPA) governs data processing under the GDPR. For NIS2, the AWS security agreements describe obligations on both sides. AWS provides audit reports (ISO, SOC, C5) on request.
NIS2 Implementation: A 6-Step Plan
- Assess applicability: Use the sector list and thresholds to determine whether your organisation is affected. The BSI provides a self-assessment tool.
- BSI registration: Register with the BSI by 6 March 2026. Prerequisite: designate contact persons and document IT infrastructure.
- Gap analysis: Compare existing security measures against NIS2 requirements. Document and prioritise gaps — ideally against ISO 27001 or BSI IT-Grundschutz.
- Implement technical measures: Activate GuardDuty, Security Hub and CloudTrail. Develop incident response playbooks for the 24-hour reporting obligation.
- Supply chain requirements: Review existing supplier contracts for NIS2 compliance. Obtain and document compliance evidence from cloud providers.
- Embed governance: Clearly assign CISO responsibilities. Launch training programmes. Establish annual review cycles.
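Step 4 above names the services to switch on; an auditor will additionally want proof that they are configured to the standard the article implies (a multi-region trail that is actually logging, with log file validation and KMS encryption, plus GuardDuty enabled in every region). The following Python check is an added example, not code from the article or from Storm Reply; it evaluates constructed sample data shaped like the boto3 `describe_trails`, `get_trail_status` and `get_detector` responses, so it runs offline. The `Region` key on the detector dicts is an assumption added by the caller, not part of the GuardDuty response.

```python
"""Offline baseline check for the CloudTrail and GuardDuty controls named in the article.
Inputs mirror boto3: cloudtrail.describe_trails()["trailList"], cloudtrail.get_trail_status()
and guardduty.get_detector(). All values below are constructed sample data, not a real account."""
from typing import Dict, List


def evaluate_trails(trails: List[Dict], status_by_arn: Dict[str, Dict]) -> List[str]:
    """Return audit findings; an empty list means the logging baseline holds."""
    findings: List[str] = []
    if not trails:
        return ["no CloudTrail trail: API activity is not recorded"]
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no multi-region trail: activity outside the home region is unlogged")
    for t in trails:
        name = t["Name"]
        if not t.get("LogFileValidationEnabled"):  # digest files are what make the logs provably untampered
            findings.append(f"{name}: log file validation off, log integrity cannot be proven")
        if not t.get("KmsKeyId"):  # without a KMS key the trail falls back to S3-managed encryption
            findings.append(f"{name}: log files are not KMS-encrypted")
        if not status_by_arn.get(t["TrailARN"], {}).get("IsLogging"):
            findings.append(f"{name}: trail defined but logging is stopped")
    return findings


def evaluate_guardduty(detectors: List[Dict]) -> List[str]:
    """GuardDuty is enabled per region; the caller adds a 'Region' key to each detector dict."""
    return [f"GuardDuty detector in {d['Region']} is {d.get('Status', 'MISSING')}"
            for d in detectors if d.get("Status") != "ENABLED"]


# Constructed sample: one compliant trail, one legacy trail with three defects.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:eu-central-1:111122223333:trail/org-trail",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "TrailARN": "arn:aws:cloudtrail:eu-central-1:111122223333:trail/legacy-trail",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False},
}
SAMPLE_DETECTORS = [
    {"Region": "eu-central-1", "DetectorId": "EXAMPLE-DETECTOR-1", "Status": "ENABLED"},
    {"Region": "eu-west-1", "DetectorId": "EXAMPLE-DETECTOR-2", "Status": "DISABLED"},
]


def audit() -> List[str]:
    """Combine both checks into one findings list usable as gap-analysis evidence."""
    return evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS) + evaluate_guardduty(SAMPLE_DETECTORS)
```

Feeding the live API responses into the same functions turns the check into a repeatable piece of evidence for the gap analysis in step 3.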
BSI C5: The AWS Compliance Proof for Germany
The BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the BSI's audit scheme for cloud services. AWS is one of the few global cloud providers with a C5 Type II attestation — requirements were not just declared but audited by an independent examiner over a period of time.
For NIS2-regulated companies, the AWS C5 attestation is a key element of supply chain security documentation. The current C5 attestation is available at aws.amazon.com/compliance/bsi-c5.
Frequently Asked Questions About NIS2
- Who is affected by NIS2?
  - NIS2 affects approximately 29,000 organisations in Germany across 18 sectors. Organisations in critical sectors fall into scope from 50 employees or €10m annual revenue and are classified as either Essential Entities or Important Entities.
- By when must companies register with the BSI?
  - The BSI registration obligation has been in effect since 6 March 2026. Those who have not registered risk fines and supervisory measures.
- What fines apply for NIS2 violations?
  - Essential Entities risk fines up to €10 million or 2% of global annual turnover. For Important Entities the cap is €7 million or 1.4% of annual turnover.
- Does NIS2 apply to cloud users too?
  - Yes. NIS2 applies to all affected entities regardless of whether they operate on-premises or in the cloud. Cloud users must ensure their configuration and operations meet NIS2 requirements.
Storm Reply: NIS2 Compliance on AWS
Storm Reply, AWS Premier Consulting Partner in the DACH market, supports companies with NIS2 implementation: from initial applicability assessment through technical implementation to building incident response playbooks, establishing NIS2 compliance as a sustainable operating mode that is auditable and BSI-ready.
Implement NIS2 compliance?
Storm Reply analyses your NIS2 obligations and implements compliant measures on AWS.