Name: Tinte
Price: 9.99 EUR
Author: Tinte

Question 1

What is NIS2?

Accepted Answer

NIS2 (Network and Information Security Directive 2) is the EU Directive 2022/2555 that establishes a high common level of cybersecurity across the European Union. It replaces the original NIS Directive and significantly expands the scope of affected organizations, introduces stricter security requirements, and increases penalties for non-compliance.

Question 2

Am I affected by NIS2?

Accepted Answer

You are likely affected if your company operates in one of 18 critical sectors (energy, healthcare, transport, digital infrastructure, manufacturing, food, chemicals, etc.) and has 50+ employees or €10M+ annual revenue. Some entities (trust service providers, DNS operators, TLD registries) are affected regardless of size. Use our free affected-check above to find out.

Question 3

What happens if I don't comply with NIS2?

Accepted Answer

Non-compliance can result in fines up to €10 million or 2% of global annual revenue for essential entities, and up to €7 million or 1.4% for important entities. Additionally, CEOs and managing directors can be held personally liable for negligence. The BSI can order audits and impose binding instructions.

Question 4

How high are NIS2 fines?

Accepted Answer

For essential entities (besonders wichtige Einrichtungen): up to €10M or 2% of global annual revenue, whichever is higher. For important entities (wichtige Einrichtungen): up to €7M or 1.4% of global annual revenue. Personal liability for management applies in both cases.

Question 5

What is the difference between essential and important entities?

Accepted Answer

Essential entities (besonders wichtige Einrichtungen) are large companies in high-criticality sectors (Annex 1) or special roles like KRITIS operators. They face the strictest requirements and BSI supervision. Important entities (wichtige Einrichtungen) are medium companies in high-criticality sectors or companies in other critical sectors (Annex 2). They have the same obligations but face lower fines and ex-post supervision.

Question 6

When does NIS2 take effect in Germany?

Accepted Answer

The EU NIS2 Directive required transposition by October 17, 2024. Germany's implementation law (NIS2UmsuCG — NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) has been in the legislative process. Affected companies should prepare now, as the obligations apply regardless of the exact transposition date.

Question 7

Is the CEO personally liable under NIS2?

Accepted Answer

Yes. NIS2 introduces personal liability for managing directors and CEOs. They are responsible for approving and overseeing cybersecurity risk management measures. Negligence in implementing adequate measures can result in personal fines and liability claims. This liability cannot be delegated.

Question 8

What should I do first for NIS2?

Accepted Answer

Start with three steps: 1) Determine if you are affected (use our free check). 2) Scan your external attack surface to understand current exposures. 3) Conduct a gap analysis against NIS2 Art. 21 requirements. This gives you a clear picture of your starting point and priorities.

Question 9

What does a NIS2 compliance tool cost?

Accepted Answer

Tinte offers plans starting at €650/month for external scanning and NIS2 compliance dashboards, up to €1,000/month for full platform access with consulting support. Enterprise plans are custom-priced. A NIS2 Workflow Add-on is available for €200/month but is included in Team and Business plans.

Question 10

How quickly can I become NIS2 compliant?

Accepted Answer

With a structured approach, initial compliance measures can be implemented within 10 weeks. This includes external scanning, internal assessment, gap analysis, remediation planning, and BSI registration. Full compliance maturity is an ongoing process that we support with continuous monitoring and periodic reviews.

Question 11

What does NIS2 Art. 21 require?

Accepted Answer

Art. 21 defines 10 risk management measures: risk analysis and IT security policies, incident handling, business continuity, supply chain security, security in system procurement/development, effectiveness assessment, cyber hygiene and training, cryptography policies, HR security and access control, and multi-factor authentication. Tinte maps to all 10 requirements.

Question 12

What is the BSI registration requirement?

Accepted Answer

Affected companies must register with the German Federal Office for Information Security (BSI) and designate a point of contact. Essential entities are subject to BSI audits. All entities must report significant security incidents within 24 hours (initial notification) and 72 hours (full report).

NIS2 Art. 21 Requirement	What Tinte Checks	How It Verifies
(a) Risk analysis & IT security policies	External attack surface assessment	Automated scan of all public-facing assets, ports, and services
(b) Incident handling	Breach & credential monitoring	Continuous monitoring of breach databases and dark web sources
(c) Business continuity & crisis management	Infrastructure resilience check	DNS redundancy, backup MX records, service availability assessment
(d) Supply chain security	Third-party exposure analysis	Scanning shared infrastructure, cloud services, and vendor domains
(e) Security in system procurement & development	CVE vulnerability assessment	Known CVEs on exposed services with CVSS scoring and exploit status
(f) Effectiveness assessment of measures	Continuous re-scanning & trending	Periodic automated scans with before/after comparison reports
(g) Cyber hygiene & training	Credential exposure & phishing readiness	Employee credential leak detection, email security posture (SPF/DKIM/DMARC)
(h) Cryptography & encryption policies	TLS/SSL certificate analysis	Certificate validity, protocol versions, cipher suite assessment
(i) HR security, access control, asset management	Exposed credential & access analysis	Breached passwords, exposed admin panels, unauthorized access points
(j) Multi-factor authentication & secured communications	Authentication & email security assessment	Email authentication checks (DMARC enforcement), exposed login portals

NIS2 affects your company. Find out in 30 seconds.

What is NIS2 and why does it matter?

What is NIS2?

Who is affected?

Consequences

Are you affected by NIS2?

Is your company a qualified trust service provider, TLD registry, or DNS service provider?

What Tinte automatically shows

Attack Surface Discovery

Credential Exposure

Email Security Analysis

CVE Assessment

Attack Chain Analysis

Industry Threat Landscape

See what attackers see.

How Tinte maps to NIS2 Art. 21

The NIS2 Compliance Agent is live.

Find it. Fix it. Proof it.

Find It

Fix It

Proof It

Your path to NIS2 compliance

Kickoff & External Scan

Internal Assessment

Gap Analysis

Remediation Planning

Implementation & BSI Registration

Plans built for NIS2

Team

Business

Enterprise

Frequently asked questions about NIS2

15 minutes. One conversation. We scan your domain live.