Regulation

NIS2 for Critical Infrastructure Operators: Personnel Security under Art. 21(2) — Deep Dive


April 21, 2026

The NIS2 Directive (EU) 2022/2555 requires essential and important entities across Europe to implement cybersecurity risk management that, for the first time, explicitly includes personnel security. The general overview of employee background screening under NIS2 is covered elsewhere; this deep dive focuses on the sector-specific requirements for KRITIS operators and on the practical implementation of Art. 21(2)(i) (human resources security) and Art. 21(2)(d) (supply chain security). For executive management, one development is central: the personal liability introduced by § 30 NIS2UmsuCG goes further than any previous German IT security law.

Essential versus important entities: the new KRITIS system

NIS2 distinguishes between essential entities and important entities (Art. 3). In simplified terms, large enterprises in the high-criticality sectors of Annex I are essential entities; medium-sized enterprises in Annex I sectors and entities in the Annex II sectors are important entities. The Art. 21 risk management measures apply to both categories, but the classification determines the intensity of supervision, the level of fines and the frequency of external audits.

  • Sectors: essential entities come from Annex I (energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space); important entities from Annex II (postal and courier services, waste management, chemicals, food, manufacturing of critical products, digital providers, research).

  • Size thresholds: essential entities from 250 employees, or more than EUR 50 million annual turnover together with more than EUR 43 million balance sheet total; important entities from 50 employees, or more than EUR 10 million annual turnover or balance sheet total.

  • Supervision: essential entities are supervised proactively (ex ante and ex post, regular audits); important entities reactively (ex post, after incidents or on evidence of non-compliance).

  • Fine range: essential entities up to EUR 10 million or 2% of global annual turnover, whichever is higher; important entities up to EUR 7 million or 1.4% of global annual turnover, whichever is higher.

For companies in the gray area, the rule is this: the entity itself must determine whether and in which category it falls under NIS2 and register accordingly; the BSI (Federal Office for Information Security) or the competent sector regulator reviews that classification and can correct it. A mistaken self-classification is not accepted as an excuse; executive management is responsible for ensuring the classification is correct. Anyone who has not yet checked their own categorization is acting negligently.

Sector specifics: what background checks actually mean

Personnel security under NIS2 is not a one-size-fits-all standard. Requirements vary significantly by sector — both in terms of which employee groups must be screened and in terms of depth of review and re-screening intervals.

Energy (electricity, gas, oil, district heating)

Grid operators and generators are also subject to the Energy Industry Act (EnWG) and the Federal Network Agency's IT security catalogue. For employees with access to control systems (SCADA, ICS), enhanced reliability screening is required: identity verification plus criminal record checks, sanctions list screening (EU, UN, OFAC) and, depending on the role, credit checks. For control room staff in transmission networks, a standard comparable to a security clearance under the Security Clearance Act (SÜG) is effectively required.

Transport (rail, air, water, road)

Airport operators and aviation security companies already screen staff under § 7 LuftSiG (reliability check); NIS2 adds the IT component. For rail and port operators with connected control technology, self-disclosures are no longer sufficient. Specifically: every employee at a container terminal with access to the Terminal Operating System (TOS) falls under the screening obligation.

Healthcare (clinics, laboratories, pharmaceutical manufacturers)

The healthcare sector is particularly sensitive because screening employees with access to patient data must also be reconciled with Art. 9 GDPR (special categories of personal data). The rule here is: the higher the data access level (for example, administrators of hospital information systems (KIS) or picture archiving systems (PACS)), the deeper the screening must go. For laboratories handling notifiable pathogens, the Biological Agents Ordinance (BioStoffV) regime also applies.

Financial sector (banks, payment service providers, market infrastructure)

Here, DORA, MaRisk AT 5 and § 25c KWG apply in parallel with NIS2. In practice, the strictest standard applies: complete initial screening at hiring, repeat screening every three years, and enhanced screening for key functions. NIS2 adds that IT specialists without a classic core banking role, but with access to core banking systems, must also be included.

Digital infrastructure (DNS, IXP, data centers, cloud)

Data centers and cloud providers must screen all employees with physical or logical access to customer data. DNS providers and IXPs (Internet Exchange Points) bear a special duty of care because they are central trust anchors of the internet. The BSI expects screening processes here to be as rigorous as the other operational controls of a Tier III/Tier IV data center (the Tier rating itself certifies availability and redundancy, not personnel processes).

Drinking water and wastewater

Often underestimated: water utilities and wastewater operators run highly connected OT systems. Employees with access to pumping station controls, chlorination systems or control centers fall under the enhanced screening obligation. Drinking water regulations already require certain qualification and reliability checks; NIS2 adds the cyber dimension.

Art. 21(2)(i): “Personnel security” in plain language

The wording of the directive is deliberately broad: operators must take measures for "human resources security, access control policies and asset management" (Art. 21(2)(i)). For the digital infrastructure and digital provider categories (DNS and TLD name services, cloud, data centers, CDNs, managed service and managed security service providers, online marketplaces, search engines, social networks, trust service providers), the specifics are set out in Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024; for all other sectors they follow from the national implementing acts.

In concrete terms, the provision requires:

  • Background screening before hiring: identity verification, criminal record certificate (not older than three months), sanctions list screening, verification of professional qualifications. For key positions, a credit check as well.

  • Need-to-know principle: access rights are limited to the minimum the role requires, and the screening depth must match the access level actually granted.

  • Continuous monitoring: re-screening when roles change, after significant events (insolvency, criminal proceedings) and at fixed intervals (typically every two to three years).

  • Offboarding discipline: on departure or role change, all access is deactivated immediately (including service accounts, VPN access, tokens and physical badges) and the return of hardware and credentials is documented.

  • Awareness training: regular training on social engineering, insider threats and reporting channels.

The data protection legal basis is Art. 6(1)(c) GDPR (legal obligation) in conjunction with the national NIS2 implementation, so this is not a voluntary measure but a legal duty; employee consent is not the basis and should not be presented to employees as such.
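The need-to-know, continuous-monitoring and offboarding requirements above only become auditable once they are run as checks against the actual access inventory. The following added example (not code from the original article or from Indicium) does that in Python: it joins an HR view (screening tier, screening date, role change, exit date) with an IAM view (account, system, active flag) and reports access above the holder's screening tier, re-screening that is due by interval or role change, and accounts still active after departure or without any HR record. The tier names, the intervals, the system-to-tier mapping and all records are constructed assumptions for illustration.

```python
# Added example, not code from the original article or from Indicium. Tier names,
# intervals, the system-to-tier mapping and all records are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TIER_ORDER = {"none": 0, "basic": 1, "standard": 2, "enhanced": 3}  # increasing depth
RESCREEN_INTERVAL = {  # article: typically every 2-3 years
    "basic": timedelta(days=3 * 365),
    "standard": timedelta(days=3 * 365),
    "enhanced": timedelta(days=2 * 365),
}
SYSTEM_REQUIRED_TIER = {  # screening tier that access to each system requires
    "ticketing": "basic",
    "hr-portal": "standard",
    "core-banking": "enhanced",
    "scada-grid": "enhanced",
}

@dataclass(frozen=True)
class Person:
    """HR record: screening state plus role-change and exit dates."""
    user: str
    screening_tier: str              # deepest tier the person was screened to
    screened_on: date                # completion date of that screening
    role_changed_on: Optional[date]  # last role change, None if never
    left_on: Optional[date]          # termination date, None while employed

@dataclass(frozen=True)
class Access:
    user: str     # IAM record: one account-to-system assignment
    system: str
    active: bool

def access_exceeds_screening(people, accesses):
    """Need-to-know: active accesses whose system requires a deeper screening
    tier than the holder has. Accounts unknown to HR count as tier 'none'."""
    by_user = {p.user: p for p in people}
    findings = []
    for a in accesses:
        if not a.active:
            continue
        required = SYSTEM_REQUIRED_TIER[a.system]
        person = by_user.get(a.user)
        have = person.screening_tier if person else "none"
        if TIER_ORDER[have] < TIER_ORDER[required]:
            findings.append((a.user, a.system, have, required))
    return sorted(findings)

def rescreening_due(people, today):
    """Continuous monitoring: current employees whose screening has passed its
    interval, or whose role changed after the last screening."""
    due = []
    for p in people:
        if p.left_on is not None and p.left_on <= today:
            continue  # leavers are handled by the offboarding check
        if p.screening_tier == "none":
            continue  # never screened: caught by the need-to-know check
        if today >= p.screened_on + RESCREEN_INTERVAL[p.screening_tier]:
            due.append((p.user, "interval"))
        elif p.role_changed_on is not None and p.role_changed_on > p.screened_on:
            due.append((p.user, "role-change"))
    return sorted(due)

def lingering_access(people, accesses, today):
    """Offboarding: active accesses of people who have left, or of accounts
    with no HR record at all (orphaned or unmanaged contractor accounts)."""
    by_user = {p.user: p for p in people}
    findings = []
    for a in accesses:
        if not a.active:
            continue
        person = by_user.get(a.user)
        if person is None:
            findings.append((a.user, a.system, "no HR record"))
        elif person.left_on is not None and person.left_on <= today:
            findings.append((a.user, a.system, "left on " + person.left_on.isoformat()))
    return sorted(findings)

PEOPLE = [  # constructed sample HR data
    Person("alice", "enhanced", date(2024, 6, 1), None, None),
    Person("bob", "basic", date(2023, 1, 15), date(2025, 11, 1), None),
    Person("carol", "standard", date(2025, 2, 1), date(2026, 3, 1), None),
    Person("dave", "enhanced", date(2024, 9, 1), None, date(2026, 3, 31)),
]
ACCESSES = [  # constructed sample IAM data
    Access("alice", "scada-grid", True),
    Access("bob", "ticketing", True),
    Access("bob", "core-banking", True),           # promoted, still only 'basic'
    Access("carol", "hr-portal", True),
    Access("dave", "core-banking", True),          # left, account still active
    Access("dave", "hr-portal", False),            # correctly deactivated
    Access("svc-contractor", "scada-grid", True),  # no HR record at all
]
TODAY = date(2026, 4, 21)

def run_checks(people=PEOPLE, accesses=ACCESSES, today=TODAY):
    """Run all three checks; returns findings keyed by control."""
    return {
        "need_to_know": access_exceeds_screening(people, accesses),
        "rescreening_due": rescreening_due(people, today),
        "offboarding": lingering_access(people, accesses, today),
    }
```

On the sample data, `run_checks()` flags bob (promoted into core banking but only screened to the basic tier, and overdue for interval re-screening), carol (role change after her last screening), dave (left on 31 March but his core-banking account is still active) and the contractor account that has no HR record. The last case is the one most real inventories miss: the offboarding check deliberately treats "no HR record" as a finding rather than ignoring it, because an account that HR does not know about cannot be screened, re-screened or offboarded.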

Art. 21(2)(d): supply chain security, including external service providers

Perhaps the biggest innovation in NIS2 is the explicit inclusion of the supply chain. Art. 21(2)(d) requires measures for "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers". For personnel security, this means: if a KRITIS operator grants external service providers access to its systems, whether for maintenance, consulting, cloud hosting or outsourcing, it must ensure that those providers' employees are subject to an equivalent screening standard.

In practice, this is implemented through:

  • Contract clauses: in the Art. 28 GDPR data processing agreement where the provider processes personal data, otherwise in the main service contract, requiring the provider to screen its employees according to a defined standard.

  • Evidence obligation: submission of anonymized screening logs or audit reports from an independent third party.

  • Audit rights: annual on-site or remote audits at the service provider.

  • Sub-processing: the obligations are passed down the chain (flow-down clauses) all the way to the last sub-service provider.

In practice, many companies fail at this point — not because their own organization is inadequate, but because the verification of personnel security among existing service providers has historically been neglected.

Management liability under § 30 NIS2UmsuCG

The German implementation act (NIS2UmsuCG) goes one step further than the directive in one respect: § 30 establishes personal liability of members of executive management towards the entity if they have breached their approval and oversight duties. Important: D&O insurance does not cover intentional conduct and often limits cover for gross negligence, and the liability is typically asserted only after an incident has exposed the breach.

For board members and managing directors, this means concretely:

  • Approval obligation: risk management measures must be formally approved. A resolution that merely “takes note” is not enough.

  • Oversight obligation: implementation must be monitored continuously; regular reports from the CISO/Information Security Officer must be requested.

  • Training obligation: members of executive management must also take part in cybersecurity training — the BSI has published minimum requirements for this.

This duty cannot be delegated. Anyone who "delegates" it to the CISO remains liable unless they can prove that oversight was actually exercised.

Registration and reporting obligations

KRITIS operators must formally register with the competent national authority, in Germany with the BSI via its Reporting and Information Portal. The 17 January 2025 registration deadline has passed, but the obligation does not lapse: a late registration is still required. Jurisdiction follows Art. 26 NIS2: most entities register in the Member State where they are established, while DNS, cloud, data center, CDN and managed (security) service providers and digital providers register in the Member State of their main establishment.

Incident reporting obligations for significant incidents are structured uniformly across Europe (Art. 23):

  • Within 24 hours of becoming aware: early warning (rough description, whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have a cross-border impact).

  • Within 72 hours: incident notification (update of the early warning, initial assessment including severity and impact, indicators of compromise where available).

  • Within one month of the incident notification: final report (detailed description, type of threat and root cause, mitigation measures applied and ongoing, cross-border impact).

In Germany, reports are submitted via the BSI portal; in Austria, via the GovCERT.at portal. Anyone who misses these deadlines risks not only fines, but also losing the ability to show, in disputes with harmed third parties, that the required standard of care was met.

Interfaces with the KRITIS Umbrella Act and the CER Directive

NIS2 does not stand alone. In Germany, the KRITIS Umbrella Act (transposing the CER Directive (EU) 2022/2557) adds physical resilience requirements. While NIS2 addresses cyberspace, the KRITIS Umbrella Act governs physical security; the two regimes overlap substantially when it comes to personnel security, and a single background screening program usually covers both. Companies that qualify under both regimes must complete both registrations and comply with both supervisory frameworks.

What applies in Switzerland, Austria, and across the EU?

Switzerland

Switzerland is not an EU member state and has not adopted NIS2. Instead, the Information Security Act (ISG) of 18 December 2020 applies, supervised by the National Cyber Security Centre (NCSC), which became the Federal Office for Cybersecurity (BACS) on 1 January 2024. Since 1 April 2025, operators of critical infrastructure have been obliged to report cyberattacks to the BACS within 24 hours of discovery. The substantive requirements largely correspond to NIS2; personnel security is an integral part of the ISG regime. For Swiss companies with EU branches, the NIS2 obligations apply directly to the respective EU entity. Conversely, EU companies with Swiss subsidiaries must meet Swiss standards.

Austria

Austria's first transposition bill, the NIS Act 2024 (NISG 2024), failed to reach the required two-thirds majority in the Nationalrat in July 2024, so transposition required a new bill; check the current version of the NISG for the applicable entry-into-force date. The competent authority is the Federal Ministry of the Interior; reports go via the GovCERT.at platform. Fines are aligned with the directive, personnel security is handled in the same way as under the German implementation, and the public sector is subject to stricter requirements.

Across the EU

By 17 October 2024, all 27 EU Member States had to transpose the directive into national law. The actual state of implementation varies, and several countries are late. For pan-European groups, the obligations apply in every Member State where the company operates an establishment or provides essential services. Central coordination through the parent company is possible, but it does not exempt anyone from local registration and reporting obligations.

90-day program for newly classified essential entities

For companies newly classified as essential entities, a structured 90-day program is advisable.

Days 1–30: assessment and governance

  • Have the formal classification confirmed (BSI dialogue, external legal review).

  • Board or management resolution on responsibilities and budget.

  • Gap analysis: current state vs. NIS2 requirements under Art. 21.

  • Personnel mapping: which employees have which access levels?

  • Registration with the BSI (if not already completed).

Days 31–60: implementing the core processes

  • Set up the background screening process: identity verification, criminal record checks, sanctions lists.

  • Document the legal basis (Art. 6(1)(c) GDPR) and give employees the Art. 13 GDPR notice; obtain documented consent only where a specific check, such as a credit check, requires it.

  • Update service provider contracts: Art. 28 GDPR + NIS2 annex.

  • Create an incident response plan with 24h/72h/1 month reporting deadlines.

  • Roll out awareness training across all levels of the organization.

Days 61–90: documentation and audit readiness

  • Maintain audit-proof documentation of all checks.

  • Run internal tests of the incident response process.

  • CSIRT audit readiness check by external reviewers.

  • Report to management and the supervisory board.

How Indicium supports KRITIS operators

Indicium Technologies provides KRITIS operators with an audit-proof, GDPR-compliant platform for background checks. Specifically, we cover:

  • Identity verification to eIDAS Level of Assurance High.

  • Criminal record checks for DE, AT, CH, and 40+ additional countries.

  • Sanctions list screening against EU, UN, OFAC, and national lists.

  • Credit checks for key positions.

  • Verification of qualifications (degrees, certificates, prior employment).

  • Audit trail that meets the requirements of BSI, GovCERT and NCSC.

  • Supply chain module for screening external service providers.

This lets you fully comply with Art. 21(2)(i) and (d) — without having to do your own legal detail work, without vendor management overhead, and with documentation that stands up to any audit.

Book a demo and see how your KRITIS compliance program can be set up in 90 days.

Read more — related articles

Nabil El Berr




Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
