NIS2 & Remote Maintenance: What the BSIG Now Requires (BSI Deadline 31 July 2026)

Editorial note: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, prices, versions, licensing terms, and external content may change. Please verify the information provided independently, particularly before making business-critical or security-related decisions. This article does not replace individual professional, legal, or tax advice.

Want to make remote maintenance NIS2-compliant? We assess your remote access in a Security Audit and build sovereign remote management platforms that ship with RBAC, MFA and complete audit trails by default. Book an initial consultation.
NIS2 is no longer an announcement but law in force: Germany's NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been in force since 6 December 2025, and the BSI registration portal has been live since 6 January 2026. Around 29,500 entities in Germany fall under it, and the BSI has called on them to complete registration by 31 July 2026 at the latest (as of June 2026). The decisive question is no longer "whether" but "how provably".
One of the most concrete places where NIS2 bites is remote maintenance. That is exactly where external provider access, OT assets and internet exposure meet - the very points the BSI Act (BSIG) addresses explicitly. This article translates the obligations of Section 30 BSIG into concrete requirements for your remote access and shows how a sovereign remote-access platform maps to them. This article is general information and not legal advice.
Table of contents
- NIS2 is live: where things stand in June 2026
- Why remote maintenance is the pressure point
- What NIS2 concretely requires for remote access
- Seven requirements for NIS2-ready remote access
- How a sovereign remote-access platform maps to it
- How we work at WZ-IT
- Further reading
NIS2 is live: where things stand in June 2026
The key facts, verified against primary sources (as of June 2026):
- In force since 6 December 2025. With the promulgation of the NIS2UmsuCG, the new sections of the BSIG apply directly - including the risk management and reporting obligations (BSI press release).
- Registration with the BSI. The portal has been available since 6 January 2026. The three-month registration window closed on 6 March 2026; the BSI is urging entities that have not yet registered to do so by 31 July 2026 at the latest.
- Who is in scope. Rule of thumb: 50 or more employees, or EUR 10 million annual turnover, in one of 18 regulated sectors. The act distinguishes essential and important entities with different thresholds and depth of obligations.
- Reporting obligations. Significant security incidents must be reported in stages under Section 32 BSIG: early warning within 24 hours, a confirmation/update within 72 hours, and a final report after one month.
- Liability and fines. Management is personally liable (Section 38 BSIG). Fines reach up to EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and EUR 7 million or 1.4 percent for important entities (Section 65 BSIG).
Important: there is no formal grace period for the substantive obligations. The 31 July deadline concerns registration; the security measures under Section 30 BSIG have applied since 6 December 2025.
Why remote maintenance is the pressure point
Remote maintenance combines three risks that NIS2 deliberately targets:
- External access = supply chain. When a machine builder, OEM or IT provider reaches into your systems, that is supply-chain security in the sense of Section 30(2) no. 4 BSIG. Responsibility for that access stays with you.
- OT meets IT. In production and building technology, remote maintenance reaches deep into operational technology. A compromised maintenance access there is not just a data leak but an asset and safety risk.
- Internet exposure. Classic remote maintenance often hangs on exposed services - precisely the attack surface for which NIS2 demands strong authentication and segmentation.
Reality often looks different: a shared VPN account, shared passwords, a tool from someone else's cloud, and no record of who did what and when. Under NIS2, that is no longer tenable.
What NIS2 concretely requires for remote access
Section 30(2) BSIG lists ten minimum measures (statutory text). Four of them land directly on remote maintenance:
- No. 9 - access control, personnel security, ICT system administration. This is the basis for role-based permissions (RBAC) and the least-privilege principle: every access only as far as the task requires.
- No. 10 - multi-factor or continuous authentication and secured communications. MFA is named explicitly. The ENISA Technical Implementation Guidance of 26 June 2025 reads the "where appropriate" qualifier so narrowly that MFA is effectively the standard for internet-facing systems such as remote desktop and VPN; for privileged and remote access it recommends phishing-resistant methods (FIDO2, passkeys).
- No. 4 - supply-chain security. Third-party access must be contained both contractually and technically: defined roles, limited reach, revocable at any time.
- No. 5 - secure maintenance and vulnerability management. Maintenance access itself is software that must be patched and monitored - including the remote tools and gateways in use.
On top comes the reporting duty under Section 32 BSIG: a 24-hour early warning can only be met if you can reconstruct what happened. Without a complete audit trail of every remote session, you cannot even establish within that window whether a maintenance access was involved, let alone which one.
Seven requirements for NIS2-ready remote access
The obligations translate into an auditable checklist:
- RBAC / least privilege. Role-based policies instead of shared accounts. Who can reach which asset is defined explicitly, not handed out by accident through network topology. Deeper dive: RBAC and audit for remote access.
- MFA for every access. Multi-factor authentication tied to an identity provider/SSO, phishing-resistant for privileged sessions.
- Complete audit trails. Who, when, from where, onto which system - logged and ideally recorded per session, with adequate retention.
- Just-in-time and time-limited. Access is granted for a maintenance window and expires automatically. No standing accounts for external parties.
- OT/IT separation and segmentation. Remote access ends at exactly the machine, not in the whole production network. Microsegmentation instead of a flat VPN.
- Controlled supplier access. External parties get their own tightly scoped, instantly revocable accounts - no shared password, no shared tunnel.
- Sovereignty and patchability. The platform runs self-hosted or in the EU, with no data flowing into foreign clouds, and is patched like any other software - backed by continuous CVE monitoring.
How these points connect legally is covered in our knowledge article on NIS2-compliant remote access.
How a sovereign remote-access platform maps to it
A modern zero-trust approach (ZTNA) meets these requirements by design, where a classic VPN can at best approximate them with add-ons. Self-hosted platforms such as NetBird, Headscale or a cleanly built WireGuard stack deliver:
- Identity-based policies instead of IP reach: access depends on user and role, MFA/SSO sit at the entrance - covering RBAC and authentication.
- Granular microsegmentation: peer-to-peer connections to exactly the approved hosts, not the whole subnet - the required OT/IT separation.
- Expiring access and setup keys with a validity period: the technical basis for just-in-time and supplier access.
- Central logs and session records: the audit-trail foundation for Section 32.
- Data sovereignty: the control plane runs on your infrastructure, without dependence on a US SaaS remote-maintenance tool.
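As an added example (not code from WZ-IT, NetBird, Headscale or WireGuard), the following Python policy engine turns the seven-point checklist and the ZTNA mapping above into enforceable logic: identity-based RBAC over asset tags instead of subnets, MFA with phishing-resistant methods required for privileged roles, a just-in-time grant per user, asset and maintenance window, rejection of shared vendor logins, and an audit record for every decision that can be queried by asset and time window when a Section 32 early warning has to be reconstructed. All users, roles, assets, addresses and the classification of MFA methods are constructed assumptions for illustration.

```python
"""Added example, not code from WZ-IT, NetBird or Headscale: a small policy
engine that applies the NIS2 remote-maintenance checklist to access requests.
Users, roles, assets and addresses below are constructed for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: which MFA methods count as phishing-resistant (ENISA names FIDO2/passkeys).
PHISHING_RESISTANT = {"fido2", "passkey"}

# RBAC: a role maps to asset tags, never to a subnet. Nothing is reachable by topology.
ROLE_TAGS = {
    "oem-maintenance": {"press-line-plc"},            # machine builder: one PLC type only
    "it-admin": {"press-line-plc", "hmi", "jumphost"},
}
PRIVILEGED_ROLES = {"it-admin"}                       # privileged => phishing-resistant MFA


@dataclass(frozen=True)
class Identity:
    user: str               # individual SSO identity
    role: str
    mfa: str | None         # "totp", "fido2", "passkey" or None
    shared: bool = False    # True for a shared vendor login (never allowed)


@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: one user, one asset, one maintenance window."""
    user: str
    asset: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset[str]


@dataclass
class AccessEngine:
    assets: dict[str, Asset]
    grants: list[Grant] = field(default_factory=list)
    audit: list[dict] = field(default_factory=list)   # every decision, allow or deny

    def decide(self, who: Identity, asset: str, src_ip: str, now: datetime) -> tuple[bool, str]:
        allowed, reason = self._evaluate(who, asset, now)
        # Who, when, from where, onto which system, and why: the Section 32 evidence.
        self.audit.append({
            "ts": now.isoformat(), "user": who.user, "role": who.role, "src_ip": src_ip,
            "asset": asset, "decision": "allow" if allowed else "deny", "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, who: Identity, asset: str, now: datetime) -> tuple[bool, str]:
        if who.shared:
            return False, "shared-account-forbidden"
        if who.mfa is None:
            return False, "mfa-required"
        if who.role in PRIVILEGED_ROLES and who.mfa not in PHISHING_RESISTANT:
            return False, "phishing-resistant-mfa-required"
        target = self.assets.get(asset)
        if target is None:
            return False, "unknown-asset"
        if not (ROLE_TAGS.get(who.role, set()) & target.tags):
            return False, "role-not-permitted"          # least privilege: role does not cover asset
        if not any(g.user == who.user and g.asset == asset and g.not_before <= now < g.not_after
                   for g in self.grants):
            return False, "no-active-grant"             # outside the maintenance window
        return True, "allow"

    def sessions_touching(self, asset: str, since: str, until: str,
                          allowed_only: bool = False) -> list[dict]:
        """Incident reconstruction: every access attempt on an asset in [since, until)."""
        lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
        return [e for e in self.audit
                if e["asset"] == asset and lo <= datetime.fromisoformat(e["ts"]) < hi
                and (not allowed_only or e["decision"] == "allow")]

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


def demo() -> tuple[dict[str, tuple[bool, str]], AccessEngine]:
    """Constructed scenario: an OEM technician with a four-hour window on one PLC."""
    t0 = datetime(2026, 6, 15, 8, 0, tzinfo=timezone.utc)
    engine = AccessEngine(assets={
        "plc-press-01": Asset("plc-press-01", frozenset({"press-line-plc"})),
        "hmi-press-01": Asset("hmi-press-01", frozenset({"hmi"})),
    })
    oem = Identity("j.mueller@oem.example", "oem-maintenance", "totp")
    oem_nomfa = Identity("p.klein@oem.example", "oem-maintenance", None)
    vendor_shared = Identity("vendor-shared", "oem-maintenance", "totp", shared=True)
    admin_totp = Identity("a.schmidt@corp.example", "it-admin", "totp")
    admin_fido = Identity("a.schmidt@corp.example", "it-admin", "fido2")
    engine.grants += [
        Grant(oem.user, "plc-press-01", t0, t0 + timedelta(hours=4)),
        Grant(admin_fido.user, "hmi-press-01", t0, t0 + timedelta(hours=2)),
    ]
    h = timedelta(hours=1)
    results = {
        "oem_in_window": engine.decide(oem, "plc-press-01", "203.0.113.7", t0 + h),
        "oem_expired": engine.decide(oem, "plc-press-01", "203.0.113.7", t0 + 5 * h),
        "oem_wrong_host": engine.decide(oem, "hmi-press-01", "203.0.113.7", t0 + h),
        "oem_no_mfa": engine.decide(oem_nomfa, "plc-press-01", "198.51.100.9", t0),
        "shared_login": engine.decide(vendor_shared, "plc-press-01", "198.51.100.9", t0),
        "admin_totp": engine.decide(admin_totp, "hmi-press-01", "10.0.0.5", t0),
        "admin_fido2": engine.decide(admin_fido, "hmi-press-01", "10.0.0.5", t0),
    }
    return results, engine


if __name__ == "__main__":
    decisions, eng = demo()
    for name, (ok, why) in decisions.items():
        print(f"{name:15s} {'ALLOW' if ok else 'DENY ':5s} {why}")
    print(eng.to_jsonl())
```

Running the module prints the seven decisions and the audit log as JSON lines. The structural point is that the policy hangs on the identity and the asset, not on network reach: the OEM technician who is entitled to one PLC during one window is denied, and the denial is logged, for the HMI next to it, for the same PLC after the window closes, and for a shared vendor login. A denied attempt is evidence too, which is exactly what the 24-hour early warning needs.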
Our references show that this holds up in production: secure machine remote maintenance at ABCO Water Systems in Australia and the platform for nextGYM in Germany. Both rely on sovereign, logged remote access rather than open tunnels.
How we work at WZ-IT
We treat NIS2-compliant remote maintenance as a build project with evidence, not a tool purchase:
- Inventory in a Security Audit. We map every existing remote access, the external accounts and the OT touchpoints and compare them against the obligations of Section 30 BSIG - see Security Audit.
- A platform, not patchwork. We build the remote management platform with RBAC, MFA, segmentation and audit trails as the default - self-hosted and revocable.
- Operations with an SLA. Patches, CVE monitoring and access reviews run continuously so the evidence does not decay after go-live.
That turns an abstract legal obligation into an auditable, documented architecture - exactly what regulators and management want to see.
Further reading
- NIS2-compliant remote access - the legal requirements for remote access in detail.
- RBAC and audit for remote access - how role-based permissions and complete logging work together.
- Cisco ASA, ArcaneDoor & CVE-2025-20362: WireGuard and NetBird as a modern VPN stack - why old VPN appliances become a risk.
- What's new in NetBird: new dashboard, identity-aware SSH and self-hosting - the current state of a sovereign ZTNA platform.
- Vaultwarden 1.36.0 & NIS2: Self-Hosted Password Management for SMBs - NIS2 building blocks beyond remote access.
NIS2 deadline breathing down your neck? We bring your remote maintenance to an auditable, sovereign state in a few weeks - RBAC, MFA and audit trails included. Book an initial consultation now.
Sources
- BSI press release: NIS-2 Implementation Act in force (December 2025)
- BSI press release: NIS-2 registration portal launched
- Section 30 BSIG - risk management measures (gesetze-im-internet.de)
- Section 32 BSIG - reporting obligations
- Section 38 BSIG - obligations of management
- Section 65 BSIG - fines
- ENISA Technical Implementation Guidance on NIS2 (26 June 2025)
- heise: BSI sets NIS2 registration deadline to end of July 2026
Frequently Asked Questions
Answers to important questions about this topic
Yes. External maintenance is a supply-chain risk under Section 30(2) no. 4 BSIG. Access by machine builders, OEMs or IT providers to your systems must be controlled, time-limited and logged. You remain responsible for the security of these accesses, even when a third party uses them.
Four of the ten minimum measures are most relevant: access control and personnel security (no. 9), multi-factor or continuous authentication and secured communications (no. 10), supply-chain security (no. 4) and secure maintenance plus vulnerability management (no. 5). For remote access this means RBAC, MFA, segmentation and complete audit trails.
In practice, yes. Section 30 BSIG names MFA explicitly. The ENISA guidance of 26 June 2025 reads the 'where appropriate' qualifier so narrowly that MFA is the baseline for internet-facing systems such as remote desktop and VPN. Without MFA you must document, per account class, why it is not appropriate. For privileged and remote access ENISA recommends phishing-resistant methods.
The NIS2 implementation act has been in force since 6 December 2025 and the BSI portal live since 6 January 2026. The statutory registration deadline expired on 6 March 2026. The BSI has called on the roughly 29,500 affected entities to complete registration by 31 July 2026 at the latest (as of June 2026).
Rarely. A flat site-to-site VPN usually grants the connected party access to an entire network segment, with no role-based restriction, no just-in-time logic and no session record. NIS2 requires least privilege, access control and auditability. A zero-trust approach (ZTNA) with identity-based, granular policies meets this far better.
Yes. Under Section 38 BSIG, management must implement and oversee the risk management measures, attend training regularly and is personally liable for breaches of duty. Fines reach up to EUR 10 million or 2 percent of worldwide annual turnover for essential entities (Section 65 BSIG).

Written by
Timo Wevelsiep
Co-Founder & CEO
Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.