Regulation

NIS2 and Employee Background Checks: Who Needs to Check Now and How


NIS2 and Employee Background Screening: Who Needs to Check What Now — and How

The NIS2 Directive (EU 2022/2555) had to be transposed into national law across the EU by October 2024. In Germany, the NIS2 Implementation Act (NIS2UmsuCG) has been in force since January 2026. The scope has expanded dramatically: thousands of companies that previously fell outside KRITIS are now affected. Article 21(2) requires “security of personnel”, which in practical terms means background checks for sensitive roles.

NIS2 Scope: Who Is Now Affected?

NIS2 distinguishes between two categories:

Essential Entities (Annex I)

  • Energy (electricity, gas, oil, hydrogen, district heating)

  • Transport (air, rail, road, shipping)

  • Banks and financial market infrastructure

  • Healthcare (including pharmaceutical manufacturers)

  • Drinking water and wastewater

  • Digital infrastructure (cloud, data centers, DNS, TLD registries)

  • ICT service management (B2B)

  • Public administration

  • Space

Important Entities (Annex II)

  • Postal and courier services

  • Waste management

  • Chemical industry (manufacturing, production, distribution)

  • Food (production, processing, distribution)

  • Machinery and vehicle manufacturing

  • Digital providers (online marketplaces, search engines, social media platforms)

  • Research institutions

Thresholds: “medium” companies in the listed sectors (more than 50 employees or more than €10 million in revenue) generally fall within scope, while “large” companies (more than 250 employees or more than €50 million in revenue) are always included.

Article 21(2): Ten Risk Management Measures

NIS2 requires ten minimum measures. The key one for background checks is lit. i), “security of personnel, access control and asset management”. In practice this means:

  • Pre-employment screening for employees with access to critical systems

  • Security screening of external service providers (technicians, consultants, maintenance staff)

  • Ongoing monitoring — sanctions lists, PEPs, adverse media

  • Offboarding processes — removal of all access rights when changing roles or leaving

  • Security awareness training for all employees

Additional Article 21 requirements: incident handling, business continuity, supply chain security, cryptography, access controls, and reporting to CSIRT.

Which Roles Need Background Checks?

Mandatory

  • Executive management (personal liability under § 30 NIS2UmsuCG)

  • IT security officers and the CISO

  • System administrators with privileged rights

  • People with access to cryptographic keys or production data

  • External ICT service providers (Art. 21(2) lit. d supply chain security)

Recommended

  • Employees in security-relevant operational areas

  • Data center staff

  • Maintenance technicians with physical access

Personal Liability of Executive Management

This is the hard lever in NIS2: executive management is personally liable for inadequate implementation (§ 30 NIS2UmsuCG), and this applies explicitly even where no damage has occurred. Supervisory authorities can impose fines of up to €10 million or 2% of annual revenue, against both the company and the managing directors.

For “essential entities,” the penalty is even higher: up to €10 million or 2% of global annual revenue. Supervisory authorities can also temporarily bar managing directors from running the company.

What Applies in Switzerland?

Switzerland has not formally implemented NIS2. In substance, similar requirements apply through the Information Security Act (ISG), the Cyber Risk Ordinance (CyRV), and FINMA circulars for financial institutions. The competent authority is the National Cyber Security Centre (NCSC). However, Swiss companies with subsidiaries in the EU must implement NIS2.

What Applies in Austria?

Austria has implemented NIS2 with the Network and Information Systems Security Act (NIS-G). Competent authorities: GovCERT Austria and sector-specific authorities (e.g. E-Control for energy). The fine structure matches Germany.

Interfaces with Other Regulations

  • DORA (financial sector) — DORA is lex specialis to NIS2. Financial institutions primarily follow DORA requirements

  • KRITIS umbrella act (DE) — expands NIS2 to include physical security

  • CER Directive (EU 2022/2557) — physical resilience of critical entities, running in parallel with NIS2

  • Cyber Resilience Act (CRA) — product security, complements NIS2 at the product level

Implementation Checklist

  1. Scope review: essential or important entity? Document the classification

  2. Registration: with the competent supervisory authority within 3 months

  3. Risk assessment: review all 10 Article 21 measures, perform a gap analysis

  4. Role risk matrix: which roles need background checks?

  5. Screening process: establish pre-employment screening plus ongoing monitoring

  6. Supplier management: include external service providers as well

  7. Incident reporting: implement the 24-hour (early warning), 72-hour (notification) and 1-month (final report) deadlines for reporting to the CSIRT

  8. Executive management training: document evidence (§ 30 NIS2UmsuCG)

Indicium for NIS2 Compliance

Indicium supports NIS2 implementation in personnel security:

  • Pre-employment screening with audit-proof documentation (CSIRT-audit capable)

  • Ongoing sanctions, PEP, and adverse media monitoring

  • Integration for external service providers (supply chain security)

  • GDPR-compliant, with servers located in the EU

Conclusion

NIS2 turns cybersecurity from an IT discipline into a board-level issue. Managing directors are personally liable. Background checks are part of the mandatory measures. Anyone who does not properly implement the ten categories of Article 21 risks multimillion-euro fines — and personal bans on serving in office.

Book a demo and talk to us about your NIS2 implementation in HR and vendor management.


Nabil El Berr




Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
