NIS2-Compliant Remote Access: Requirements and Setup
Timo Wevelsiep • Updated: 30.06.2026
Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.
NIS2-compliant remote access means every external connection to your systems is role-based (RBAC), enforces multi-factor authentication (MFA), is time-limited, and is logged without gaps. The EU NIS2 Directive (2022/2555) and its German transposition, the NIS2 Implementation Act (NIS2UmsuCG, in force since 6 December 2025), mandate exactly these measures through the risk management requirements in Section 30 of the BSIG. For industrial plants and OT, IEC 62443 adds a second, technical benchmark. This article explains which obligations specifically apply to remote access and how to implement them cleanly.
NIS2 and the NIS2UmsuCG: the 2026 status
The NIS2 Directive (EU) 2022/2555 was adopted on 14 December 2022, with a national transposition deadline of 17 October 2024. Germany transposed it with the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which entered into force on 6 December 2025 and comprehensively reworked the BSI Act (BSIG).
The law raises the number of regulated organisations in Germany from roughly 4,500 to about 29,500. There is no general transition period: the obligations apply from the date the law took effect. The deadline to register with the BSI ended on 6 March 2026; late registration remains possible but does not retroactively shield you from non-compliance.
Who is in scope: sectors and thresholds
The BSIG distinguishes two classes that mirror the European categories essential and important:
- Essential (particularly important) entities: from 250 employees, or more than 50 million euros annual turnover and more than 43 million euros balance sheet total (Section 28 BSIG). Operators of critical infrastructure under the BSI-KritisV always qualify, regardless of size.
- Important entities: from 50 employees, or more than 10 million euros annual turnover and more than 10 million euros balance sheet total (Section 28(2) BSIG).
The law covers 18 sectors, split into Annex 1 (11 sectors of high criticality such as energy, transport, banking, health, digital infrastructure, and water) and Annex 2 (7 further sectors such as food, chemicals, and manufacturing). Important for industrial firms: even if you sit just below the thresholds yourself, supply chain security pulls you in indirectly as soon as you supply an in-scope entity. This is exactly where machine and plant builders provide remote maintenance.
Fines and reporting deadlines
The penalty range is significant. Essential entities risk up to 10 million euros or 2 percent of global annual turnover (whichever is higher); important entities up to 7 million euros or 1.4 percent. In addition, management bears personal responsibility for implementing and supervising the risk management measures.
Significant security incidents must be reported in stages under Section 32 BSIG: an early warning without undue delay and at the latest within 24 hours, a confirming follow-up within 72 hours, and a final report within one month. You can only meet these deadlines if you can fully reconstruct accesses and incidents - the direct link back to remote access.
Which NIS2 obligations specifically affect remote access
The ten minimum measures in Section 30(2) BSIG are phrased in a technology-neutral way. Translated to remote access, they produce concrete requirements (the SR numbers below refer to the system requirements of IEC 62443-3-3):
| Remote access requirement | NIS2 / BSIG basis | IEC 62443 basis |
|---|---|---|
| Role-based access control (RBAC), least privilege | Section 30(2) no. 9 (access control) | SR 1.1 / SR 2.1 |
| Multi-factor authentication | Section 30(2) no. 10 | SR 1.1 (MFA for remote) |
| Complete audit and logging | Section 30(2) no. 2, Section 32 | SR 2.8 / SR 6.1 |
| Time-limited just-in-time access | Section 30(2) no. 9 | Approved session workflow (SR 1.13 access via untrusted networks, SR 2.6 remote session termination) |
| Control of supplier / third-party access | Section 30(2) no. 4 (supply chain) | Vendor access management |
| Secured communication (encryption) | Section 30(2) no. 8 and 10 | SR 3.1 / SR 4.1 inside zones and conduits (IEC 62443-3-2) |
| Asset inventory | Section 30(2) no. 9 (asset management) | Zone and conduit risk assessment, SL targets per zone |
Two points deserve special attention. First, supplier and third-party access: external service partners are often the weakest link, because flat VPN accounts give them reach across the whole network. NIS2 requires securing these relationships. Second, the separation of IT and OT: remote access to a machine must not also be a door into the office IT. We go deeper on both topics in the guide to RBAC and audit for remote access.
IEC 62443: secure remote access for OT
For industrial plants, the IEC 62443 series complements the legal requirements with a technical architecture. Its core for remote access:
- Zones and conduits: the network is divided into zones of similar criticality that communicate only through controlled paths (conduits). A compromise is contained within one zone instead of spreading across the plant.
- Jump host instead of direct connection: direct connections to OT devices are blocked at the zone boundary. Every remote session terminates on a hardened jump host in a DMZ at the IT/OT boundary, and only the jump host opens the onward connection to the asset.
- MFA and approval workflow: each maintenance session is explicitly approved, has a maximum duration, uses MFA, and is recorded and logged.
- Security levels (SL 1 to 4): depending on a zone's protection needs, an SL target defines how strong the controls must be.
How this becomes a concrete, secure remote maintenance setup for machines and plants is covered in secure remote maintenance of machines and plants.
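The approval workflow, session time limit, zone/conduit check and gap-free logging described above (the same controls that appear in the just-in-time and audit rows of the table) in one runnable model, as an added example that is not part of the original article and not code from WZ-IT's platform. It is a small Python session broker with three gates: a request is refused without verified MFA, outside the role's permitted assets or above the duration cap; a second person must approve, which starts the time window; every connection attempt is checked against the window and the conduit table. The audit log is hash-chained so that an altered or removed entry is detectable. Zone names, roles, the asset `plc-01`, the user names and the four-hour cap are assumptions chosen for this demo, not values from NIS2, the BSIG or IEC 62443.

```python
"""Added example: a just-in-time (JIT) remote maintenance broker.
Zones, roles, assets and the 4-hour cap are assumptions made for this demo."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SESSION = timedelta(hours=4)   # assumed policy ceiling for one session
GENESIS = "0" * 64                 # hash the first audit entry chains to
# Assumed conduit table: only the DMZ jump host has a path into the OT cell.
CONDUITS = {("dmz_jumphost", "ot_cell_a")}
# Assumed RBAC table: role -> {(asset, zone)} the role may request at all.
ROLE_ASSETS = {"vendor_maintainer": {("plc-01", "ot_cell_a")},
               "it_admin": {("fileserver", "enterprise_it")}}
T0 = datetime(2026, 6, 30, 8, 0, tzinfo=timezone.utc)   # demo start time


def digest(entry):
    # Hash of an entry without its own hash field, over canonical JSON.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    # Append-only log; each entry commits to the previous entry's hash.
    def __init__(self):
        self.entries = []

    def append(self, ts, event, **data):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts.isoformat(), "event": event, "prev": prev, **data}
        entry["hash"] = digest(entry)
        self.entries.append(entry)

    def verify(self):
        # False if any entry was altered, dropped or inserted after the fact.
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Broker:
    # Every method takes the current time explicitly so the window logic is testable.
    def __init__(self):
        self.log, self.seq, self.requests, self.sessions = AuditLog(), 0, {}, {}

    def request(self, now, user, role, mfa_verified, asset, zone, duration):
        # Gate 1: MFA, RBAC and the duration cap are checked before anything is queued.
        self.seq, rid = self.seq + 1, f"req-{self.seq + 1}"
        reason = ("mfa_not_verified" if not mfa_verified else
                  "role_not_permitted" if (asset, zone) not in ROLE_ASSETS.get(role, ()) else
                  "duration_exceeds_policy" if duration > MAX_SESSION else None)
        if reason:
            self.log.append(now, "request_denied", request=rid, user=user, asset=asset, reason=reason)
            raise PermissionError(reason)
        self.requests[rid] = {"user": user, "asset": asset, "zone": zone, "duration": duration, "status": "pending"}
        self.log.append(now, "request_created", request=rid, user=user, asset=asset, minutes=int(duration.total_seconds() // 60))
        return rid

    def approve(self, now, rid, approver):
        # Gate 2: a second person approves; the session window starts at approval.
        req = self.requests[rid]
        if approver == req["user"] or req["status"] != "pending":
            self.log.append(now, "approval_denied", request=rid, approver=approver)
            raise PermissionError("rejected: self-approval or request not pending")
        req["status"], self.seq, sid = "approved", self.seq + 1, f"sess-{self.seq + 1}"
        self.sessions[sid] = {**req, "start": now, "end": now + req["duration"]}
        self.log.append(now, "session_approved", session=sid, request=rid, approver=approver, end=(now + req["duration"]).isoformat())
        return sid

    def connect(self, now, sid, from_zone):
        # Gate 3, on every connection attempt: time window first, then zone/conduit.
        s = self.sessions[sid]
        reason = ("outside_window" if not s["start"] <= now < s["end"] else
                  "no_conduit" if (from_zone, s["zone"]) not in CONDUITS else None)
        self.log.append(now, "connect_denied" if reason else "connect_allowed", session=sid,
                        user=s["user"], asset=s["asset"], from_zone=from_zone, reason=reason)
        return reason is None


def demo():
    # Walk one vendor session through all three gates; returns the observable outcomes.
    b, out, h = Broker(), {}, timedelta(hours=1)
    rid = b.request(T0, "vendor-anna", "vendor_maintainer", True, "plc-01", "ot_cell_a", 2 * h)
    attempts = {"no_mfa": lambda: b.request(T0, "vendor-anna", "vendor_maintainer", False, "plc-01", "ot_cell_a", h),
                "wrong_role": lambda: b.request(T0, "it-bob", "it_admin", True, "plc-01", "ot_cell_a", h),
                "too_long": lambda: b.request(T0, "vendor-anna", "vendor_maintainer", True, "plc-01", "ot_cell_a", 8 * h),
                "self_approval": lambda: b.approve(T0, rid, "vendor-anna")}
    for key, attempt in attempts.items():          # each of these must be refused
        try:
            attempt()
        except PermissionError as exc:
            out[key] = str(exc)
    sid = b.approve(T0, rid, "ot-lead-carla")                          # window 08:00-10:00 UTC
    out["from_jumphost"] = b.connect(T0 + h, sid, "dmz_jumphost")      # conduit exists
    out["from_office_it"] = b.connect(T0 + h, sid, "enterprise_it")   # no conduit into OT
    out["after_expiry"] = b.connect(T0 + 3 * h, sid, "dmz_jumphost")  # 11:00, window closed
    out["log_intact"] = b.log.verify()
    b.log.entries[0]["user"] = "someone-else"                          # simulate tampering
    out["log_after_tamper"] = b.log.verify()
    out["events"] = [e["event"] for e in b.log.entries]
    return out
```

Call `demo()` to walk through the scenario. In a real deployment the request, approval and time window would be enforced by the access gateway, the conduit rule by the firewall between the DMZ and the OT zone, and the audit log would be shipped to a store that the gateway itself cannot rewrite; the hash chain then lets the reconstruction required for the Section 32 reports be checked for completeness.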
How a sovereign remote-access platform delivers NIS2
The requirements from NIS2 and IEC 62443 cannot be met with a bare VPN. You need a platform that brings identity, access, encryption, and audit together. That is exactly what we build with our sovereign remote management platforms - operated in Germany, with no dependency on US cloud services:
- Browser-based access via Apache Guacamole, so no fleet-wide VPN client is needed on third-party devices and every session terminates at the gateway.
- Encrypted site connectivity via WireGuard, cleanly separating OT networks from IT - detailed in the guide on WireGuard site connectivity.
- RBAC, MFA, and complete audit enforced centrally, including time-limited just-in-time access and recording of critical sessions.
- Continuous vulnerability management through our CVE monitoring and a regular architecture review in a security audit.
This approach is already proven in production: for ABCO Water Systems in Australia we operate secure remote access to distributed plants with HMI access, role-based permissions, and a complete audit trail - precisely the model NIS2 and IEC 62443 call for.
This article is general information and not legal advice. For a binding assessment of your scope and obligations, please consult qualified legal counsel; we are happy to support the technical implementation. Book a free initial consultation.
You'd rather not run Remote Access yourself? WZ-IT handles setup, operations and maintenance – GDPR-compliant from Germany.
Frequently Asked Questions
Answers to the most important questions
You are in scope if you operate in one of the 18 NIS2 sectors (Annexes 1 and 2 of the BSIG) and exceed the size thresholds. You qualify as an important entity from 50 employees or more than 10 million euros in annual turnover plus more than 10 million euros balance sheet total, and as an essential (particularly important) entity from 250 employees or more than 50 million euros turnover plus more than 43 million euros balance sheet total. Operators of critical infrastructure are always essential entities regardless of size.
Through the risk management measures in Section 30 of the BSIG, NIS2 primarily requires role-based access control (RBAC), multi-factor authentication, complete audit logging of every access, a maintained asset inventory, and control over supplier and third-party access. In practice this also means time-limited just-in-time access, session recording, and a clean separation of IT and OT networks.
Yes. Section 30(2) no. 10 of the BSIG explicitly names multi-factor or continuous authentication solutions and secured communication. For remote access this means every external login to systems or machines should be protected with a second factor, not just a password.
The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) entered into force on 6 December 2025 and comprehensively revised the BSI Act (BSIG). There is no general transition period: the obligations apply from the date it took effect. The deadline to register with the BSI ended on 6 March 2026, though late registration remains possible.
For essential entities, fines can reach up to 10 million euros or 2 percent of global annual turnover, whichever is higher. For important entities the ceiling is up to 7 million euros or 1.4 percent. On top of that, management bears personal responsibility for implementing and supervising the risk management measures.
Applied to remote access, IEC 62443 calls for blocking direct connections to OT assets and routing every remote session through a hardened jump host in a DMZ, with MFA, a defined approval workflow, a maximum session duration, session recording, and a clean split into zones and conduits. This keeps a compromise confined to one zone instead of spreading across the whole plant.
The law contains no literal session-recording mandate, but incident handling (Section 30(2) no. 2 of the BSIG) and the reporting duties under Section 32 require that you can reconstruct incidents. Complete audit logging, ideally with recording of critical remote maintenance sessions, is the practical way to meet this evidence requirement.
More on Remote Access
- What is Apache Guacamole?
- VNC in the browser: HMI remote access
- Remote maintenance without a VPN client
- Self-hosted TeamViewer alternative (RustDesk)
- NIS2-compliant remote access
- RBAC & audit for remote access
- What is ZTNA? (Zero Trust Network Access)
- IEC 62443 for remote access to OT
- SSO & MFA for the remote-access portal
- Privileged access management & session recording
- Remote maintenance & GDPR (data processing)
- WireGuard for site connectivity
- What is NetBird? (Zero-trust mesh VPN)
- What is Headscale?
- Expose internal services without a VPN
- Multi-tenant operator portal for plants
- OT/IT segmentation, DMZ & the Purdue model
- SSH bastion / jump host
- Siemens S7 / PLC remote access without open ports
- NetBird vs Tailscale vs WireGuard
- OpenVPN vs WireGuard
- Secure remote maintenance of machines & plants