NIS2 Intelligence Digest — BSI Enforcement Activated, Penalty Calculators Updated
Weekly intelligence on NIS2 enforcement, supervisory activity, and cyber insurance market developments across the EU.
NIS2 Intelligence Digest — 10 April 2026
BSI has moved from guidance to enforcement. This week’s most significant development: Germany’s BSI has activated formal NIS2 audit procedures under the IT-Sicherheitsgesetz 3.0 framework, conducting its first on-site inspections of essential entities in the energy and transport sectors. This is not a pilot or a consultation exercise — it is operational enforcement with documented audit criteria and defined remediation timelines. Supervisory authorities in France (ANSSI), Spain (INCIBE), and 17 other EU member states have now activated active supervision mechanisms, confirming what ENISA flagged in its January 2026 implementation report: the NIS2 enforcement infrastructure is live across the majority of the EU. If you have clients operating in Germany, France, or Spain who have not yet completed their NIS2 documentation gap analysis, the conversation needs to happen this quarter.
Main Feature: New Guide — NIS2 Underwriting Questions for Brokers
Placing cyber coverage for NIS2 in-scope clients without a structured question set is a reliable way to miss material compliance gaps. We have published a comprehensive guide: NIS2 Underwriting Questions for Brokers.
The guide covers entity classification confirmation, governance documentation, risk assessment currency, incident response testing history, supply chain security, and board-level accountability. Each question is paired with green flag / red flag indicators so you can quickly assess where a client’s documentation posture stands before you submit to an underwriter. It is the complement to the NIS2 Compliance Checklist PDF and the NIS2 Penalty Calculator — together, these three tools give brokers a structured workflow from client assessment through to coverage placement.
Tool Spotlight: NIS2 Penalty Calculator
One of the most frequently asked questions in broker consultations: what is my client’s actual maximum fine exposure under NIS2? The nominal ceiling is €10M for essential entities and €7M for important entities — but the turnover-based alternative calculation can produce substantially higher figures for large organisations. A €50 billion global turnover entity faces a €1B potential fine at the 2% threshold.
The NIS2 Penalty Calculator performs both calculations and returns the binding ceiling. For essential entities, it calculates both the fixed monetary cap and 2% of global annual turnover, returning the higher figure. For important entities, it applies the 1.4% threshold. The output is a defensible, documented maximum exposure figure that brokers can use in client conversations, coverage discussions, and renewal negotiations.
Use it at every renewal for NIS2 in-scope clients. It takes three minutes and changes the framing of the coverage conversation.
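As an added illustration of the two-branch calculation described above (example code, not the Resiliently calculator's own implementation), the following computes the binding ceiling for either classification, assuming turnover is the entity's global annual turnover expressed in euros. It also reports the turnover at which the percentage branch overtakes the fixed cap, which the text does not state.

```python
# Added example: NIS2 maximum administrative fine ceiling, as the digest
# describes it. Assumes all figures are in euros and that "turnover" is the
# entity's global annual turnover (assumption, not stated on the page).

ESSENTIAL = "essential"
IMPORTANT = "important"

# (fixed monetary cap in EUR, turnover percentage) per NIS2 classification,
# taken from the figures quoted in the digest.
CEILINGS = {
    ESSENTIAL: (10_000_000, 0.02),   # EUR 10M or 2% of global turnover
    IMPORTANT: (7_000_000, 0.014),   # EUR 7M or 1.4% of global turnover
}


def nis2_max_fine(entity_type: str, global_turnover_eur: float) -> dict:
    """Return the binding maximum fine exposure: the higher of the fixed
    monetary cap and the turnover-based figure for the given classification."""
    if entity_type not in CEILINGS:
        raise ValueError(f"unknown NIS2 classification: {entity_type!r}")
    if global_turnover_eur < 0:
        raise ValueError("turnover must be non-negative")

    fixed_cap, pct = CEILINGS[entity_type]
    turnover_based = pct * global_turnover_eur
    binding = max(fixed_cap, turnover_based)
    return {
        "entity_type": entity_type,
        "fixed_cap_eur": fixed_cap,
        "turnover_based_eur": turnover_based,
        "binding_ceiling_eur": binding,
        "binding_basis": "turnover" if turnover_based > fixed_cap else "fixed cap",
        # Turnover above which the percentage branch, not the fixed cap, binds.
        "crossover_turnover_eur": fixed_cap / pct,
    }


if __name__ == "__main__":
    # Constructed sample clients, including the EUR 50B case from the digest.
    for etype, turnover in ((ESSENTIAL, 50e9), (ESSENTIAL, 200e6), (IMPORTANT, 1e9)):
        r = nis2_max_fine(etype, turnover)
        print(f"{etype:9s} turnover EUR {turnover:,.0f} -> max fine EUR "
              f"{r['binding_ceiling_eur']:,.0f} ({r['binding_basis']})")
```

Note that the crossover is EUR 500M turnover for both classifications, so below that figure the fixed cap is always the binding number regardless of entity type.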
Sector Highlight: Healthcare NIS2 Exposure
Healthcare entities operating as essential entities — hospitals, blood and tissue facilities, medical device manufacturers with EU market presence — face a uniquely complex NIS2 exposure picture. The sector’s incident response requirements are demanding: a material security incident affecting patient care systems triggers both the NIS2 24-hour early warning obligation and the additional obligations under the EU Health Data Regulation. Supervisory authority for healthcare in most member states is the national health authority, which may lack the technical depth of BSI or ANSSI but is increasingly supported by specialist cybersecurity units.
Brokers placing coverage for healthcare clients should pay particular attention to the incident response plan documentation checkpoint. Tested plans with documented post-incident improvements are the exception rather than the rule in healthcare settings, where operational pressures frequently override documentation discipline. A client who has not tabletop-tested their incident response plan in the last 24 months is not just non-compliant — they are a material coverage uncertainty.
Coming Next Month: DORA ICT Risk Checklist Tool
The Digital Operational Resilience Act (DORA) enters its supervisory enforcement phase for financial entities in the EU in Q3 2026. To support brokers and underwriters working with financial sector clients, we are developing a DORA ICT Risk Checklist tool — structured against the DORA RTS on ICT risk management and the supervisory testing framework.
The tool will cover ICT risk appetite frameworks, incident classification and reporting procedures, resilience testing requirements (including threat-led penetration testing obligations for significant entities), and third-party ICT service provider management. It will be available in the Resiliently platform next month. If you are working with banks, investment firms, payment institutions, or insurance companies, this tool will be directly applicable to your placement and renewal workflow.
If you are not already subscribed to the NIS2 Intelligence Digest, subscribe below. We publish every Thursday.