NIS2 glossary

NIS2 glossary: terms and definitions.

Concise, citable definitions with legal references.

NIS2

EU Directive 2022/2555 on cybersecurity, setting common minimum standards and reporting duties for essential and important sectors.

NIS2UmsuCG

The German NIS2 Implementation Act transposing the NIS2 Directive into national law; in force since 6 December 2025, with no transition period.

BSIG §28

Defines which entities count as essential or important — the legal basis for the affectedness check.

BSIG §30

Requires affected entities to implement ten risk-management measures: risk analysis, incident handling, business continuity, supply-chain security, cryptography/MFA, training, and more.

BSIG §32

Governs the duty to report significant security incidents to the BSI.

BSIG §38

Establishes the management body's personal responsibility and liability for implementing and overseeing the measures.

Art. 20 NIS2

Requires management bodies to approve risk-management measures, oversee their implementation, and undergo training.

Art. 21 NIS2

Sets the directive's minimum risk-management measures, including supply-chain security — the EU basis for §30 BSIG.

besonders wichtige Einrichtung

Entity with the highest NIS2 duties and proactive BSI supervision; typically from 250 employees or over €50m turnover and €43m balance sheet in a regulated sector.

wichtige Einrichtung

Entity with the same core duties but reactive, cause-based supervision; typically from 50 employees or over €10m turnover.

KRITIS

Operators of critical installations — a subset of essential entities with additional, installation-specific duties. NIS2 is broader than KRITIS.

Geschäftsleitungshaftung

The management body's personal liability under §38 BSIG / Art. 20 NIS2 for implementing and overseeing the measures.

Lieferketten-Nachweis

The evidence a supplier provides to a NIS2-regulated customer about its security measures — often requested via questionnaires and contract clauses.

Erstmeldung / Folgemeldung / Abschlussmeldung

The three-stage reporting chain for significant incidents: early warning within 24 hours, follow-up report after 72 hours, and final report within one month.

NISG 2026

Austria's Network and Information System Security Act transposing NIS2; in force from 1 October 2026, registration by 31 December 2026.