
NIS2 Network Security Documentation: A Practical Guide for German Manufacturers

The FwChange Team
9 min read

An estimated 29,500 German companies will fall under the NIS2 Directive when the German implementation law (NIS2UmsuCG) takes effect. For manufacturers, energy providers, transport operators, and digital service companies, the documentation requirements are substantial, and the fines for non-compliance reach up to EUR 10 million or 2% of global annual turnover for essential entities (EUR 7 million or 1.4% for important entities). This guide breaks down what you need to document and how to build a compliance framework that stands up to BSI supervision.

What Is NIS2 and Who Must Comply?

The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated framework for network and information security. It replaces the original NIS Directive from 2016 (Directive (EU) 2016/1148) and significantly expands both the scope and the depth of security requirements. Germany’s national transposition, the NIS2UmsuCG, adapts these requirements to the German regulatory environment under BSI oversight.

NIS2 classifies organizations by sector and by size. Annex I of the directive lists the sectors of high criticality; large entities in those sectors are Essential Entities, while medium-sized Annex I entities and entities in the Annex II sectors are Important Entities:

Essential Entities (Annex I sectors)

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial markets
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, IXPs, cloud)
  • Public administration
  • Space

Important Entities (Annex II sectors)

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (marketplaces, search engines, social networks)
  • Research organizations

The size threshold is that of a medium-sized enterprise: at least 50 employees, or more than EUR 10 million in both annual turnover and annual balance sheet total. Entities above the large-enterprise ceiling (250 employees, or EUR 50 million turnover and EUR 43 million balance sheet) in an Annex I sector are essential; the others are important. Certain providers are covered regardless of size, for example DNS service providers, trust service providers, and critical infrastructure (KRITIS) operators.

The 7 Core NIS2 Requirements

Article 21(2) of the NIS2 Directive lists ten categories of technical, operational, and organizational measures, which must be appropriate and proportionate to the risk. This guide groups them into seven core areas, each requiring specific documentation:

1. Risk Analysis and Security Policies

You must conduct regular risk assessments of your network and information systems and maintain documented security policies that address the identified risks. This includes asset inventories, threat modeling, and risk treatment plans.

Documentation required: Risk assessment methodology, asset register, risk treatment plan, security policy documents, annual review records.

2. Incident Handling Procedures

NIS2 requires documented incident response procedures with clear escalation paths and notification timelines. Significant incidents must be reported to the BSI in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification (or a progress report if the incident is still ongoing at that point).

Documentation required: Incident response plan, escalation matrix, contact lists, reporting templates, post-incident review process.

3. Business Continuity

Organizations must maintain business continuity and disaster recovery plans that cover backup management, crisis response, and service restoration. These plans must be tested regularly and updated when the environment changes.

Documentation required: BCP/DRP documents, backup policies, recovery time objectives, test results, lessons learned.

4. Supply Chain Security

NIS2 explicitly requires organizations to assess and manage the security risks in their supply chain. This means evaluating the security posture of suppliers and service providers, including contractual security requirements and ongoing monitoring.

Documentation required: Supplier risk assessments, security clauses in contracts, vendor monitoring procedures, third-party access controls.

5. Network and System Security

This is where firewall management, network segmentation, and access controls come in. Organizations must demonstrate that their network architecture is designed to contain threats, that changes to network security controls are properly managed, and that vulnerabilities are addressed in a timely manner.

Documentation required: Network architecture diagrams, firewall rule documentation, change management records, access control policies, encryption standards.

6. Vulnerability Handling

Organizations must implement processes for vulnerability detection, assessment, and remediation. This includes patch management, vulnerability scanning, and coordinated vulnerability disclosure.

Documentation required: Vulnerability management policy, scanning schedules and results, patch management records, remediation timelines.

7. Security Awareness and Training

All staff, including management, must receive cybersecurity awareness training. NIS2 holds management personally accountable for compliance: management bodies must approve the risk management measures, oversee their implementation, attend training themselves, and can be held liable for failures.

Documentation required: Training program, attendance records, awareness materials, management sign-off on security policies.

German-Specific Requirements (NIS2UmsuCG)

The German NIS2 transposition spells out how the directive’s obligations apply in practice and adds national detail:

  • Management Accountability: Article 20 of the directive already obliges management bodies to approve cybersecurity risk management measures and oversee their implementation. The NIS2UmsuCG places this duty directly on managing directors and board members, who can be held personally liable for breaches of it.
  • German Language Documentation: All documentation submitted to the BSI must be in German. Internal documentation can be in any language, but audit submissions and incident reports must be provided in German.
  • BSI Reporting: Incident reports go to the BSI (Bundesamt für Sicherheit in der Informationstechnik), the national cybersecurity authority and the competent authority under NIS2. The BSI can conduct audits, request documentation, and issue binding instructions.

Common Documentation Gaps in Manufacturing

German manufacturers face specific challenges when building NIS2-compliant documentation. Based on common patterns across the sector, these are the most frequent gaps:

  • OT/IT Convergence: Manufacturing environments increasingly connect operational technology (OT) networks to IT systems. Firewall rules governing traffic between the production floor and the corporate network are often undocumented or poorly justified. To demonstrate the network security measures NIS2 demands, the segmentation between these zones and every permitted crossing must be documented.
  • Legacy Systems: Older production systems that cannot be patched or updated require compensating controls. These controls — and the risk acceptance decisions behind them — must be documented formally.
  • Supplier Access: Maintenance vendors and machine manufacturers often have remote access to production systems. These access paths must be documented with clear firewall rules, time restrictions, and monitoring procedures.
  • Incident Response for OT: Standard IT incident response plans rarely cover OT-specific scenarios such as PLC compromise, HMI manipulation, or safety system bypass. NIS2 requires response procedures that address both IT and OT environments.

Building Your Documentation Framework

A practical approach to building NIS2-compliant documentation follows five phases:

Phase 1: Scope Definition

Determine whether your organization qualifies as an Essential or Important entity. Map your network and information systems that support essential services. Identify all assets, data flows, and dependencies.

Phase 2: Gap Assessment

Compare your existing security documentation against the seven core NIS2 requirements. Identify areas where documentation is missing, outdated, or insufficient. Prioritize gaps based on risk and regulatory timeline.

Phase 3: Documentation Development

Create or update the required documentation. Focus on policies, procedures, and evidence collection. Ensure firewall documentation includes rule justifications, change records, and review evidence. Network diagrams must be accurate and current.

Phase 4: Implementation and Testing

Implement the documented controls. Test incident response procedures. Verify business continuity plans. Run tabletop exercises. Ensure all technical controls — including firewall rules, access controls, and monitoring — match the documentation.
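One way to carry out the “controls match the documentation” check from this phase, as an added example (not code from the original page and not FwChange’s code): the script below reconciles a documented rule register against a firewall’s deployed ruleset and checks that the change record behind each documented rule holds a complete request/review/approval/implementation/verification chain with timestamps in the right order. The register format, the vendor-neutral export format and the change-record format are hypothetical, and all sample data is constructed.

```python
"""Reconcile the documented rule register with a firewall's deployed ruleset
and check that each documented rule's change record has a complete, ordered
request/review/approval/implementation/verification chain.

Added example with constructed data. The register, the export format and the
change-record format are hypothetical; this is not FwChange's code or any
vendor's export format.
"""
from __future__ import annotations

from datetime import datetime

STAGES = ("requested", "reviewed", "approved", "implemented", "verified")

# Documentation side (constructed): what the rule register says should exist.
DOCUMENTED = {
    "R1": {"src": "10.10.0.0/16", "dst": "172.16.5.10/32", "proto": "tcp",
           "port": "443", "action": "allow", "ticket": "CR-2024-118"},
    "R3": {"src": "10.10.20.0/24", "dst": "172.16.5.10/32", "proto": "tcp",
           "port": "443", "action": "deny", "ticket": "CR-2025-004"},
    "R4": {"src": "203.0.113.0/24", "dst": "172.16.7.0/24", "proto": "tcp",
           "port": "22", "action": "allow", "ticket": "CR-2025-031"},
    "R5": {"src": "10.10.30.0/24", "dst": "172.16.9.5/32", "proto": "udp",
           "port": "514", "action": "allow", "ticket": "CR-2025-040"},
}

# Device side (constructed): a hypothetical vendor-neutral export,
# one rule per line as "id src dst proto port action".
DEPLOYED_EXPORT = """\
# rule export 2025-10-01 (constructed)
R1 10.10.0.0/16    172.16.5.10/32 tcp 443 allow
R3 10.10.20.0/24   172.16.5.10/32 tcp 443 allow
R4 203.0.113.0/24  172.16.7.0/24  tcp 22  allow
R9 192.168.50.0/24 172.16.0.0/16  any -   allow
"""

# Change records (constructed): ticket -> {stage: ISO timestamp}.
CHANGE_RECORDS = {
    "CR-2024-118": {"requested": "2024-09-02T09:00", "reviewed": "2024-09-03T10:30",
                    "approved": "2024-09-03T14:00", "implemented": "2024-09-04T08:15",
                    "verified": "2024-09-04T09:00"},
    "CR-2025-004": {"requested": "2025-01-14T11:00", "reviewed": "2025-01-15T09:00",
                    "approved": "2025-01-15T16:00", "implemented": "2025-01-16T07:30"},
    "CR-2025-031": {"requested": "2025-05-08T10:00", "reviewed": "2025-05-09T11:00",
                    "approved": "2025-05-12T09:00", "implemented": "2025-05-10T07:00",
                    "verified": "2025-05-12T10:00"},
    "CR-2025-040": {"requested": "2025-06-02T08:00", "reviewed": "2025-06-02T13:00",
                    "approved": "2025-06-03T09:00", "implemented": "2025-06-03T18:00",
                    "verified": "2025-06-04T08:00"},
}


def parse_export(text: str) -> dict[str, dict]:
    """Parse the hypothetical export into {rule_id: rule}; skips blank and comment lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, src, dst, proto, port, action = line.split()
        rules[rid] = {"src": src, "dst": dst, "proto": proto, "port": port, "action": action}
    return rules


def _key(rule: dict) -> tuple:
    return (rule["src"], rule["dst"], rule["proto"], rule["port"], rule["action"])


def reconcile(documented: dict, deployed: dict) -> dict[str, list[str]]:
    """Three kinds of drift: on the device but not in the register, in the
    register but not on the device, and present in both with different content."""
    both = set(documented) & set(deployed)
    return {
        "undocumented": sorted(set(deployed) - set(documented)),
        "not_deployed": sorted(set(documented) - set(deployed)),
        "mismatched": sorted(rid for rid in both if _key(documented[rid]) != _key(deployed[rid])),
    }


def validate_change(ticket: str, record: dict) -> list[str]:
    """Every stage must be present, and the timestamps must follow stage order."""
    problems = []
    missing = [s for s in STAGES if s not in record]
    if missing:
        problems.append(f"{ticket}: missing stage(s) {', '.join(missing)}")
    present = [(s, datetime.fromisoformat(record[s])) for s in STAGES if s in record]
    for (a, ta), (b, tb) in zip(present, present[1:]):
        if tb < ta:
            problems.append(f"{ticket}: {b} ({tb:%Y-%m-%d %H:%M}) recorded before {a}")
    return problems


def audit_changes(documented: dict, records: dict) -> list[str]:
    """Walk the register and validate the change record referenced by each rule."""
    problems = []
    for rid, rule in sorted(documented.items()):
        record = records.get(rule["ticket"])
        if record is None:
            problems.append(f"{rid}: ticket {rule['ticket']} has no change record")
            continue
        problems.extend(validate_change(rule["ticket"], record))
    return problems


if __name__ == "__main__":
    drift = reconcile(DOCUMENTED, parse_export(DEPLOYED_EXPORT))
    for kind, ids in drift.items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
    for p in audit_changes(DOCUMENTED, CHANGE_RECORDS):
        print("change record:", p)
```

On the constructed data the script reports R9 as deployed but undocumented, R5 as documented but not deployed, R3 as mismatched (documented as deny, deployed as allow), one change record with no verification step and one where the implementation timestamp precedes the approval. Each of those is exactly the kind of finding an auditor raises from the same two artefacts, so running this reconciliation on a schedule gives you the evidence before the auditor asks for it.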

Phase 5: Continuous Improvement

NIS2 compliance is not a one-time project. Establish regular review cycles for all documentation. Schedule annual risk assessments, quarterly firewall rule reviews, and monthly vulnerability assessments. Track metrics to demonstrate ongoing improvement.

Firewall Documentation Under NIS2

Network security controls — specifically firewalls — are a core component of NIS2 compliance. The documentation requirements for firewalls under NIS2 are substantial:

  • Rule Documentation: Every firewall rule must have a documented business justification, an identified owner, and a review date. Rules without justification are audit findings.
  • Change Management: All firewall changes must follow a documented change management process with request, review, approval, implementation, and verification stages. Each step must be logged with timestamps and responsible parties.
  • Regular Reviews: Firewall rules must be reviewed periodically to confirm they are still needed and appropriately scoped. BSI auditors will check for evidence of these reviews.
  • Logging and Monitoring: Firewall logs must be retained, monitored, and available for incident investigation. Retention must cover the whole reporting cycle, from the 24-hour early warning through the 72-hour notification to the final report one month later, plus any follow-up questions from the BSI; logs that roll over before the final report is written cannot support it.
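The rule-level checks in the list above, and the supplier-access gap from the manufacturing section (vendor rules without a time restriction), can be run automatically over a documented rulebase. The script below is an added example, not code from the original page and not FwChange’s product: it flags rules with no justification, owner, ticket or review date, overdue reviews, overly broad permits, vendor access without an expiry, and shadowed rules (a later rule that an earlier rule already matches completely, so it can never fire). The rule schema and the sample rulebase are constructed for this example.

```python
"""Audit a documented firewall rulebase for the evidence gaps an auditor looks
for: missing justification, owner, ticket or review date, overdue reviews,
overly broad allow rules, vendor access without an expiry, and shadowed rules.

Added example with constructed data. The rule schema is hypothetical and is
not FwChange's format or any vendor's export format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed sample rulebase in top-down evaluation order (first match wins).
# "zone_dst" marks the destination zone; "vendor_access" marks rules that exist
# for a supplier's remote maintenance and therefore need an "expires" date.
RULEBASE = [
    {"id": "R1", "src": "10.10.0.0/16", "dst": "172.16.5.10/32", "proto": "tcp",
     "port": 443, "action": "allow", "zone_dst": "OT",
     "owner": "plant-it@example.org", "justification": "MES to historian",
     "ticket": "CR-2024-118", "review_date": "2025-03-31"},
    {"id": "R2", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any",
     "port": None, "action": "allow", "zone_dst": "OT",
     "owner": "", "justification": "", "ticket": "", "review_date": ""},
    {"id": "R3", "src": "10.10.20.0/24", "dst": "172.16.5.10/32", "proto": "tcp",
     "port": 443, "action": "allow", "zone_dst": "OT",
     "owner": "plant-it@example.org", "justification": "Line 2 MES to historian",
     "ticket": "CR-2025-004", "review_date": "2026-12-31"},
    {"id": "R4", "src": "203.0.113.0/24", "dst": "172.16.7.0/24", "proto": "tcp",
     "port": 22, "action": "allow", "zone_dst": "OT", "vendor_access": True,
     "owner": "ot-maint@example.org",
     "justification": "Press-line vendor remote maintenance",
     "ticket": "CR-2025-031", "review_date": "2026-06-30", "expires": ""},
]


@dataclass
class Finding:
    rule_id: str
    severity: str
    message: str


def _net(cidr: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: dict, inner: dict) -> bool:
    """True if `outer` matches every packet `inner` would match."""
    proto_ok = outer["proto"] == "any" or outer["proto"] == inner["proto"]
    port_ok = outer["port"] is None or outer["port"] == inner["port"]
    return (proto_ok and port_ok
            and _net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"])))


def audit(rules: list[dict], today: date) -> list[Finding]:
    findings: list[Finding] = []
    for idx, r in enumerate(rules):
        rid = r["id"]
        # Documentation completeness: every rule needs owner, reason, ticket, review date.
        for key, sev in (("justification", "high"), ("owner", "high"), ("ticket", "medium")):
            if not r.get(key):
                findings.append(Finding(rid, sev, f"no {key}"))
        if not r.get("review_date"):
            findings.append(Finding(rid, "medium", "no review date"))
        elif date.fromisoformat(r["review_date"]) < today:
            findings.append(Finding(rid, "medium", f"review overdue since {r['review_date']}"))
        # Overly broad permits are the first thing an auditor will ask about.
        if r["action"] == "allow" and (_net(r["src"]).prefixlen == 0
                                       or _net(r["dst"]).prefixlen == 0
                                       or r["proto"] == "any"):
            findings.append(Finding(rid, "high",
                                    "overly broad allow (any source, destination or service)"))
        # Supplier remote access must be time-limited and removed once expired.
        if r.get("vendor_access"):
            if not r.get("expires"):
                findings.append(Finding(rid, "high", "vendor access without expiry/time restriction"))
            elif date.fromisoformat(r["expires"]) < today:
                findings.append(Finding(rid, "high",
                                        f"vendor access expired on {r['expires']}, rule still present"))
        # Shadowing: an earlier rule already matches everything this rule would.
        for earlier in rules[:idx]:
            if covers(earlier, r):
                findings.append(Finding(rid, "low", f"shadowed by {earlier['id']} (never matches)"))
                break
    return findings


if __name__ == "__main__":
    for f in audit(RULEBASE, date(2025, 10, 1)):
        print(f"{f.severity:6} {f.rule_id}: {f.message}")
```

With the review date fixed at 1 October 2025, the constructed rulebase yields nine findings: R1 is past its review date, R2 (the any/any permit) has no owner, justification, ticket or review date and is overly broad, R3 is shadowed by R1 and would never match, and R4 is vendor access without an expiry and is itself shadowed by R2. The shadowing check uses single-rule containment, which is the common approximation; a rule covered only by the union of several earlier rules is not reported.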

Penalties and Enforcement

NIS2 significantly increases the penalties for non-compliance compared to the original directive:

Essential Entities

  • Up to EUR 10,000,000 or 2% of global annual turnover (whichever is higher)
  • Management liability for negligence
  • Temporary suspension of certifications
  • Temporary ban on management functions

Important Entities

  • Up to EUR 7,000,000 or 1.4% of global annual turnover (whichever is higher)
  • Management liability for negligence
  • Binding instructions from BSI
  • Public disclosure of non-compliance

Preparing for BSI Audits

The BSI supervises both Essential and Important entities. Essential entities are subject to proactive (ex ante) supervision, including audits without a specific cause; Important entities are supervised reactively (ex post), typically after an incident, a complaint, or another indication of non-compliance. In both cases, you must be able to demonstrate compliance through documentation and evidence. Key preparation steps:

  • ✓ Maintain all documentation in German or have certified translations available
  • ✓ Keep evidence of regular risk assessments with dates and participants
  • ✓ Document all security incidents and your response actions
  • ✓ Retain firewall change logs with complete approval chains
  • ✓ Show evidence of supply chain security assessments
  • ✓ Demonstrate management involvement (sign-off records, meeting minutes)
  • ✓ Provide training records with dates, attendees, and content covered
  • ✓ Have business continuity test results available

NIS2 Compliance Checklist

Use this checklist to assess your current readiness:

  • ☐ Determined Essential vs. Important entity classification
  • ☐ Completed asset inventory of network and information systems
  • ☐ Conducted formal risk assessment
  • ☐ Documented security policies covering all seven core areas
  • ☐ Established incident response procedures with BSI reporting timelines
  • ☐ Created and tested business continuity plans
  • ☐ Assessed supply chain security risks and documented findings
  • ☐ Documented all firewall rules with business justifications
  • ☐ Implemented formal firewall change management process
  • ☐ Scheduled regular firewall rule reviews
  • ☐ Implemented vulnerability management with scanning and patching
  • ☐ Established security awareness training program
  • ☐ Obtained management sign-off on security measures
  • ☐ Prepared German-language documentation for BSI submission

Firewall documentation is one of the most tangible areas where NIS2 compliance can be demonstrated — or where gaps become immediately visible to auditors. FwChange automates firewall rule documentation, change management, and review processes, providing audit-ready evidence that maps directly to NIS2 requirements. Start with a free rulebase audit to identify your current documentation gaps.

Frequently Asked Questions

When does NIS2 take effect in Germany?

The NIS2 Directive required EU member states to transpose it into national law by October 17, 2024. Germany’s implementation — the NIS2UmsuCG — is expected to take full effect in 2026. Organizations should begin preparation now, as the documentation requirements are substantial and cannot be created overnight.

How is NIS2 different from KRITIS?

NIS2 expands the scope far beyond the existing KRITIS framework. While KRITIS covers approximately 1,600 critical infrastructure operators, NIS2 will affect an estimated 29,500 German companies. The requirements overlap significantly, but NIS2 adds supply chain security, management accountability, and stricter reporting timelines.

Does NIS2 require specific firewall vendors?

No. NIS2 is technology-neutral. It requires documented network security controls, not specific products. What matters is that your firewall rules are documented, changes are managed through a formal process, and you can demonstrate compliance through evidence. Whether you use Palo Alto, Fortinet, Check Point, or any other vendor, the documentation requirements are the same.

What is the role of the BSI under NIS2?

The BSI serves as Germany’s competent authority for NIS2 compliance. It receives incident reports, conducts audits, issues binding instructions, and can impose penalties. The BSI also publishes guidance documents and technical standards that inform what “appropriate and proportionate” measures look like in practice.

Can existing ISO 27001 certification help with NIS2?

Yes, significantly. ISO 27001 covers many of the same areas as NIS2, and organizations with existing certification will have much of the required documentation already in place. However, NIS2 adds specific requirements around incident reporting timelines, supply chain security, and management accountability that ISO 27001 does not fully address. Think of ISO 27001 as a strong foundation that needs targeted additions for NIS2 compliance.
