Back to Blog

NIS2 Meets AI Agents: Securing Agent Deployments Under Germany’s Now-Binding Cybersecurity Law

Henri Jung, Co-founder at Superkind
Henri Jung

Co-founder at Superkind

A padlock securing a row of identical AI agent modules, representing NIS2 governance of agent deployments

On 6 December 2025, NIS2 stopped being a directive somewhere in Brussels and became binding German law. The NIS2-Umsetzungsgesetz took effect with no transition period, and the number of companies under BSI supervision jumped from roughly 4,500 to around 29,500 across 18 sectors1. Many of those companies are mid-sized manufacturers, suppliers, and service providers that never thought of themselves as critical infrastructure.

At the same time, AI agents are moving from pilot to production on the shop floor and in the back office. Gartner expects 40 percent of enterprise applications to feature task-specific AI agents by the end of 2026, up from less than 5 percent in 202518. An agent is not a chatbot. It reads from your ERP, writes to your systems, holds credentials, and takes actions. That makes it the fastest-growing attack surface in enterprise IT and, at the same time, an asset that now sits squarely inside a BSI-regulated ISMS.

This guide is for the CISO, CTO, or Geschaeftsfuehrer who has to do both things at once: deploy AI agents that create real value, and keep them inside the lines of a cybersecurity law that carries personal liability. No fear, no hype. Just what NIS2 actually asks, where agents change the picture, and how to build a deployment that is compliant from the first pilot.

TL;DR

NIS2 is now binding - the German implementation law took effect on 6 December 2025 with no transition period, pulling around 29,500 companies under BSI supervision.

AI agents are in scope by default - there is no AI carve-out. An agent that touches your systems falls inside your Section 30 risk management and your ISMS.

Agents are a double exposure - a new attack surface (broad permissions, prompt injection, shadow AI) and a newly regulated asset at the same time.

The clock is real - significant incidents, including agent failures, trigger a 24-hour early warning, a 72-hour notification, and a one-month final report to the BSI.

Management is personally liable - Section 38 BSIG requires directors to approve measures, supervise them, and attend cybersecurity training. It cannot be delegated away.

The Double Exposure: Attack Surface and Regulated Asset

Most articles treat AI agents and NIS2 as two separate projects. They are not. An AI agent deployment changes your cyber risk and your regulatory position in the same move, which is why it needs a single, joined-up plan.

  • Agents expand the attack surface - 48 percent of cybersecurity professionals name agentic AI and autonomous systems as the top attack vector for 2026, ahead of deepfakes and other risks17.
  • Agents act with real permissions - unlike a read-only chatbot, an agent authenticates, holds credentials, and takes actions across systems, so a compromise is not a leaked answer but an executed transaction22.
  • Shadow AI is already inside - an estimated 68 percent of employees use AI tools without IT approval, creating agents and integrations that no ISMS currently covers21.
  • Agents misbehave in the wild - 80 percent of IT professionals report having seen AI agents take unauthorised or unexpected actions21.
  • The same agent is now regulated - if your company is in scope, that agent is part of the network and information systems the BSI supervises under Section 30 BSIG3.
  • The cost is measurable - the average AI-agent-related data breach is estimated at 4.7 million dollars in 2026, before any regulatory fine is added17.

Why This Matters Now

Deploying an agent without a NIS2 lens does not save time - it defers the work to a worse moment. Retrofitting least-privilege access, logging, and an incident runbook onto a live agent that already holds broad credentials is slower and riskier than building them in from the first pilot. The double exposure is cheapest to close before the agent goes live.

DimensionChatbot / CopilotAI AgentNIS2 Relevance
AccessReads context, answersReads and writes across systemsAccess control, MFA (Section 30)
ActionSuggestsExecutes transactionsIncident potential, reporting
CredentialsUsually the user’s sessionOwn identity and secretsIdentity governance, logging
Blast radiusA wrong answerA wrong action at machine speedBusiness continuity, containment
Supply chainOne model APIModel, tools, data connectors, hostSupply chain security duty

What NIS2 Now Requires (In Plain Terms)

NIS2 in Germany lives in the amended BSIG. Five paragraphs carry most of the weight, and it helps to know them by number because the BSI and your auditors will refer to them directly.

  • Section 28 - Scope - defines who counts as a besonders wichtige (essential) or wichtige (important) Einrichtung, based on sector, headcount, and revenue5.
  • Section 30 - Risk management - the ten minimum technical and organisational measures every in-scope entity must implement4.
  • Section 32 - Reporting - the 24-hour, 72-hour, and one-month reporting duties for significant incidents8.
  • Section 38 - Management duties - directors must approve and supervise measures and attend training, with personal liability attached7.
  • Section 65 - Fines - up to 10 million euros or 2 percent of global turnover for essential entities, up to 7 million euros or 1.4 percent for important entities1.

The dates are already behind us, which is the point people miss. There was no grace period.

MilestoneDateWhat It Means
Law in force6 December 2025Risk management, reporting, and registration duties apply immediately1
BSI registration portal liveFrom December 2025In-scope entities self-register via the BSI portal11
Registration deadline6 March 2026Three months after the law took effect; late registration still possible10
Section 39 proof of implementationWithin three years (by December 2028)Essential entities must evidence effective measures via audits or certification9

Key Data Point

The BSIG lists ten minimum measures under Section 30: risk analysis, incident handling, business continuity and backups, supply chain security, security in acquisition and development, effectiveness testing, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication with secured communications4. Every one of them applies to an AI agent the moment it touches your systems.

Are You In Scope? Essential vs Important Entities

The first question is not about agents at all. It is whether your company is regulated. NIS2 sorts in-scope organisations into two tiers, and the tier decides how hard the supervision bites.

The two tiers

CriterionBesonders wichtig (Essential)Wichtig (Important)
Typical size250+ employees or over 50M euro revenue in high-criticality sectors50+ employees or over 10M euro revenue
SupervisionProactive: audits, inspections, information requestsReactive: after an incident or indication
Maximum fine10M euro or 2% of global annual turnover7M euro or 1.4% of global annual turnover
Proof of implementationRequired within three years (Section 39)On request
RegistrationMandatory via BSI portalMandatory via BSI portal

How to run the scope check

  1. Match your sector - check whether your activity falls in one of the 18 sectors, from energy, transport, and manufacturing to digital services, waste, food, and chemicals5.
  2. Apply the size thresholds - combine headcount and revenue against the tier definitions in Section 28. Group structures can pull a small subsidiary into scope5.
  3. Check for special cases - some entities are in scope regardless of size, such as certain digital infrastructure and public administration providers3.
  4. Register on the BSI portal - if in scope, register the company. The deadline was 6 March 2026 and late registration is still possible10.
  5. Document the determination - even a company that concludes it is out of scope should keep a dated record of the reasoning. Scope can change with the next acquisition or revenue year.

Common Trap

Many Mittelstand suppliers assume NIS2 is for utilities and banks. It is not. Manufacturing, food, waste, chemicals, and a long list of B2B service sectors are covered, and the threshold starts at 50 employees for important entities. If you sell into critical sectors, your customers will also push their supply chain security duty down to you by contract, whether or not you are directly in scope12.

Why AI Agents Widen the Attack Surface

An agent earns its value by acting on your behalf. The same property is what makes it dangerous when it is compromised or confused. These are the failure modes NIS2 expects you to manage.

  • Prompt injection - a malicious instruction hidden in an email, document, or web page hijacks the agent’s goal, turning a helpful assistant into an exfiltration tool. OWASP ranks goal hijacking as the top risk for agentic applications in 202621.
  • Excessive permissions - agents are often granted broad, standing access so they “just work”. A single compromised agent then reaches far more than any one employee could22.
  • Identity sprawl - agents spawn service accounts, tokens, and secrets faster than IAM tools can track. Gartner warns that agent sprawl without a registry becomes ungovernable19.
  • The confused deputy - an agent with legitimate access is tricked into using it for an attacker’s purpose, and the logs show the agent, not the attacker.
  • Data leakage through context - an agent that pulls sensitive records into a prompt can echo them into a downstream tool, a log, or a third-party model.
  • Supply chain compromise - the model, the tool integrations, and the data connectors are all third-party components that can be poisoned or breached22.
  • Shadow agents - business teams stand up agents on personal accounts, outside IT’s view, with no logging and no owner21.
Agent RiskWhat Goes WrongNIS2 Section 30 Control
Prompt injectionGoal hijacked by untrusted inputSecurity in development, effectiveness testing
Excessive permissionsOne compromise, wide blast radiusAccess control, MFA
Identity sprawlUntracked agent accounts and secretsAsset management, cryptography
Data leakageSensitive data echoed to third partiesCryptography, supply chain security
Shadow agentsUngoverned agents outside the ISMSRisk analysis, cyber hygiene and training

“Every institution or person reachable from the internet is in principle under threat. Attackers deliberately search for the most vulnerable attack surfaces.”

- Claudia Plattner, President of the German Federal Office for Information Security (BSI)16

Bringing Agents Into Your Section 30 Risk Management

You do not need a separate “AI ISMS”. You extend the one you already run so that an agent is treated like any other high-privilege system - just with a few agent-specific twists. If you hold ISO 27001, industry estimates put the overlap with Section 30 at roughly 70 to 80 percent, so most of this is extension, not invention13.

Mapping the ten measures to an agent

  1. Risk analysis - assess each agent as its own asset: what it can read, write, and trigger, and what the worst plausible action is. Add agents to the risk register.
  2. Incident handling - define an agent incident class with detection signals, a kill switch, and an owner who can pause the agent within minutes.
  3. Business continuity - plan for the agent being wrong or offline. Keep the manual process runnable and back up the agent’s configuration and memory.
  4. Supply chain security - assess the model provider, tool integrations, connectors, and host. Put security terms and data location in the contract12.
  5. Security in acquisition and development - review prompts, tools, and connectors like code. Test against prompt injection before go-live.
  6. Effectiveness testing - red-team the agent regularly. Replay adversarial inputs and confirm guardrails still hold after model or prompt changes.
  7. Cyber hygiene and training - train the people who supervise agents to recognise abnormal behaviour and to escalate.
  8. Cryptography - encrypt the agent’s data in transit and at rest, and manage its secrets in a vault, not in a prompt or a config file.
  9. Access control and asset management - give the agent its own identity, least-privilege and time-boxed access, and an entry in the asset inventory.
  10. Multi-factor authentication and secured communications - protect the human and machine accounts around the agent, and route its actions over authenticated channels4.

Agent-in-ISMS Readiness Checklist

  • Every production agent has a named owner and an entry in the asset inventory
  • Each agent has its own identity, not a shared or human account
  • Agent permissions are least-privilege and reviewed on a schedule
  • All agent actions are logged in a tamper-evident, queryable store
  • A kill switch can pause any agent within minutes
  • Prompt-injection testing is part of the go-live gate
  • The agent’s supplier is covered by your supply chain assessment
  • An agent failure is a defined incident class in your runbook

Standing Broad Access vs Least-Privilege Agent Identity

Least-Privilege Agent Identity

  • Small blast radius - a compromise reaches only scoped resources
  • Clean audit trail - actions map to one agent identity
  • Revocable - kill one agent without breaking others
  • Maps to Section 30 - satisfies access control and asset management

Standing Broad Access

  • Wide blast radius - one token unlocks many systems
  • Opaque logs - shared accounts hide who did what
  • Hard to revoke - pulling access breaks unrelated work
  • Fails an audit - no least-privilege story to show the BSI

Deploy AI agents that pass a NIS2 audit

Book a 30-minute call. We will map your highest-value use case and the controls it needs from day one.

Book a Demo →
A secured vault dial representing access control and the binding NIS2 compliance gate for AI agents

When an Agent Causes an Incident: The 24/72/30 Clock

Section 32 BSIG sets a three-stage reporting duty for significant incidents, and the clock starts the moment you become aware8. An agent that leaks data or takes a harmful action can be exactly such an incident. The reportability test looks at impact on your service, not at whether a human or a machine caused it.

The three stages

StageDeadlineWhat You Submit
Early warningWithin 24 hoursInitial notice: that a significant incident occurred and whether it looks malicious or cross-border23
Incident notificationWithin 72 hoursAssessment: severity, impact, indicators of compromise, initial containment23
Final reportWithin one monthRoot cause, full impact, mitigation, and lessons learned8
Parallel GDPR noticeWithin 72 hoursIf personal data is affected, a separate Article 33 notice to the data protection authority23

An agent incident runbook

  1. Detect - alert on abnormal agent behaviour: permission escalation, unusual data volumes, actions outside the agent’s defined scope.
  2. Contain - hit the kill switch. Pause the agent, revoke its tokens, and isolate the systems it touched.
  3. Assess - use the action log to reconstruct exactly what the agent did and whether the service impact is significant.
  4. Report - if significant, file the 24-hour early warning to the BSI, then the 72-hour notification, then the one-month final report8.
  5. Recover - restore from backups, fix the root cause (a prompt, a tool, a permission), and re-test before the agent goes back online.
  6. Learn - feed the incident into the risk register and the effectiveness testing so the same failure cannot recur silently.

The 24-Hour Rule in Practice

The 24-hour early warning does not require a full analysis. The BSI expects a preliminary assessment, not a finished forensic report. The guidance from practitioners is blunt: better to report early and incomplete than late and detailed. An agent incident that is still being contained is exactly the kind of event the early warning exists for23.

Supply Chain, Vendors, and Management Liability

Two of the most under-appreciated parts of NIS2 land hardest on AI agent projects: the duty to secure your supply chain, and the personal duty on management. An agent is built from third-party parts and approved by named directors, so both apply directly.

The agent supply chain

  • Assess every layer - the foundation model, the orchestration framework, the tool and connector integrations, and the hosting environment are all suppliers under Section 3012.
  • A vendor certificate is evidence, not a discharge - a supplier’s own ISO 27001 helps, but it does not by itself meet your duty; you still assess the risk to your service14.
  • Fix data location and processing - know where prompts and outputs go, which sub-processors are involved, and whether data leaves the EU.
  • Get contractual security terms - reporting duties, audit rights, breach notification, and secure development commitments belong in the contract, not in a slide.
  • Keep an exit path - you must be able to switch off or replace a compromised supplier without halting your service.

Management liability under Section 38

  • Approve the measures - the management body must formally approve the Section 30 risk management measures, in writing7.
  • Supervise implementation - approval is not enough; directors must oversee that the measures are actually in place and working7.
  • Attend training - managers must take part in cybersecurity training regularly, and it must be documented7.
  • Cannot be delegated - these duties cannot be outsourced to a third party; they sit with the leadership personally7.
  • Personal liability - managers can be held personally liable for damage caused by a breach of these duties, which is what elevates NIS2 to a board topic7.

Build Governance In vs Retrofit It Later

Governance From Day One

  • Cheaper - controls designed in cost a fraction of retrofits
  • Audit-ready - documentation exists when the BSI asks
  • Faster scaling - the second and third agents reuse the pattern
  • Liability cover - management can show approval and supervision

Retrofit After Go-Live

  • Expensive - re-scoping a live agent’s access is disruptive
  • Gaps go live - the agent runs ungoverned in the meantime
  • No audit story - missing logs cannot be recreated after the fact
  • Exposure - unreported incidents and untrained management stay open

The 90-Day NIS2-Ready Agent Deployment

A NIS2-ready deployment is not slower than a normal one - it is a normal one done properly. Here is a week-by-week path that produces both a working agent and the evidence the BSI expects.

Phase 1: Scope and design (Weeks 1-4)

  1. Week 1: Confirm regulatory scope - determine your NIS2 tier and register with the BSI if you have not already. Document the determination either way.
  2. Week 2: Map the use case and data flows - define exactly what the agent will read, write, and trigger, and which systems and data it touches.
  3. Week 3: Design the agent identity - assign a dedicated identity, least-privilege scopes, secret storage, and the kill switch before any build starts.
  4. Week 4: Threat model and supplier check - run a prompt-injection and abuse threat model, and complete the supply chain assessment for model, tools, and host.

Phase 2: Build and test (Weeks 5-8)

  1. Week 5-6: Build with guardrails - implement the agent with scoped tools, input validation, and full action logging from the first line, not as an afterthought.
  2. Week 7: Red-team - attack your own agent with injection, confused-deputy, and data-exfiltration scenarios. Fix what breaks.
  3. Week 8: Write the runbook - finalise the agent incident class, detection signals, and the 24/72/30 reporting steps. Rehearse the kill switch.

Phase 3: Deploy and evidence (Weeks 9-12)

  1. Week 9: Controlled rollout - deploy to a limited scope with a human-in-the-loop on high-impact actions. Monitor closely.
  2. Week 10-11: Expand and monitor - widen scope as confidence grows, keeping logging and alerting live. Train the supervising team.
  3. Week 12: Produce the evidence - management approves the measures under Section 38, records the training, and files the documentation that supports a Section 39 proof later.

NIS2-Ready Go-Live Gate

  • Company scope determined and BSI registration complete
  • Agent has a dedicated, least-privilege identity
  • All agent actions are logged and queryable
  • Prompt-injection red-teaming passed
  • Supplier assessment complete with contractual security terms
  • Incident runbook written and kill switch rehearsed
  • Management has approved measures and completed training
  • Documentation stored for a future Section 39 proof

How Superkind Fits

Superkind builds custom AI agents for SMEs and enterprises, and it builds them to sit inside a regulated environment from the start. The approach is process-first and control-first: your workflows and your ISMS shape the agent, not the other way around.

  • Dedicated agent identity - every agent gets its own identity, scoped credentials, and secret storage, so access control and asset management map cleanly to Section 30.
  • Least-privilege by design - agents receive the narrowest access that makes the use case work, and access is reviewed rather than granted once and forgotten.
  • Full action logging - every read, write, and trigger is recorded in a queryable, tamper-evident store, so an incident can be reconstructed and evidenced.
  • Kill switch and human-in-the-loop - high-impact actions pause for human approval, and any agent can be stopped within minutes.
  • Prompt-injection hardening - agents are built and red-teamed against goal hijacking and confused-deputy attacks before they go live.
  • Runs on EU infrastructure - data stays within your infrastructure or EU-hosted environments, with clear data location and encrypted connections.
  • Supplier transparency - clear documentation of the model, tools, and connectors so the agent fits your supply chain assessment.
  • Audit-ready documentation - the deployment produces the records management needs to approve measures and support a Section 39 proof.
ApproachGeneric AI PlatformSuperkind
Agent identityOften a shared key or user accountDedicated per-agent identity and secrets
AccessBroad by defaultLeast-privilege, scoped, reviewed
LoggingBasic usage metricsFull action log for incident reconstruction
Data locationOften US-hostedYour infrastructure or EU-hosted
Compliance evidenceYour problemProduced as part of delivery

Superkind

Pros

  • NIS2-aware by design - controls built in, not retrofitted
  • Fits your existing ISMS - extends what you run rather than adding a silo
  • EU data posture - clear location and encrypted connections
  • Audit-ready - documentation and logs for the BSI

Cons

  • Not a self-serve tool - it involves working with our team
  • Needs process access - we map the real workflow, not just docs
  • Not a compliance service - we build compliant agents, we do not run your ISMS for you
  • Capacity-limited - we work with a focused number of clients at a time

Decision Framework: Deploy, Harden, or Wait

NIS2 is not a reason to stop deploying agents. It is a reason to deploy them well. This framework helps you decide what to do with each agent idea on your list.

SituationWhat It MeansAction
In scope, new agent ideaClean slate to build governance inRun the 90-day NIS2-ready playbook
In scope, agent already liveLikely ungoverned exposureAudit access and logging now, retrofit least-privilege
Shadow agents in the businessUnknown attack surface outside the ISMSDiscover, inventory, and bring under governance or shut down
Not sure if in scopeScope risk compounds with growth and acquisitionsRun the Section 28 scope check and document it
Supplier to critical sectorsCustomers push their duty down to youPrepare supply chain evidence even if not directly in scope
High-impact autonomous actionBlast radius too large for full autonomyKeep a human-in-the-loop until controls and evidence mature

“Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure.”

- Shiva Varma, Senior Director Analyst at Gartner20

Frequently Asked Questions

NIS2 does not name AI agents, but it covers the network and information systems that run your essential and important services. An AI agent that reads from your ERP, moves data between systems, or triggers actions is part of those systems. If you are in scope as a company, the agent falls inside your ISMS and your risk management obligations under Section 30 BSIG. There is no separate AI carve-out.

The NIS2 implementation law (NIS2-Umsetzungsgesetz, which amends the BSIG) was promulgated and entered into force on 6 December 2025, with no transition period. Registration, reporting, and risk management duties applied immediately. Around 29,500 companies across 18 sectors are now under BSI supervision, up from roughly 4,500 under the previous KRITIS regime.

Besonders wichtige Einrichtungen (essential entities) are the largest or most critical organisations and face the strictest oversight, including proactive audits and fines up to 10 million euros or 2 percent of global annual turnover. Wichtige Einrichtungen (important entities) face lighter, reactive supervision and fines up to 7 million euros or 1.4 percent of turnover. Classification depends on sector, headcount, and revenue thresholds.

Section 32 BSIG requires a three-stage report to the BSI for significant incidents. An early warning is due within 24 hours of becoming aware, a fuller incident notification within 72 hours, and a final report within one month. If personal data is affected, a separate GDPR Article 33 notification to the data protection authority within 72 hours runs in parallel.

It can be. An agent that leaks data, takes a harmful autonomous action, or is manipulated through prompt injection can cause a significant disruption to your service, which is the trigger for reporting. The reportability test is about impact on the service, not about whether a human or an agent caused it. Your incident runbook should treat agent failures as a defined incident class.

No, but it gets you most of the way. Industry estimates put the overlap between a mature ISO 27001 ISMS and the Section 30 measures at roughly 70 to 80 percent. The gaps that ISO 27001 does not fully cover are the explicit supply chain security duties, the fixed 24/72/30 reporting timelines, personal management accountability, and specific controls like multi-factor authentication. NIS2 also makes the measures a legal duty, not a voluntary standard.

Section 38 BSIG places duties on the management body itself. Directors must approve the risk management measures, supervise their implementation, and attend cybersecurity training. These duties cannot be delegated to a third party, and managers can be held personally liable for damage caused by a breach of duty. This is the reason NIS2 is a board-level topic, not just an IT topic.

You register the company, not the individual agent. In-scope entities had to register via the BSI portal within three months of the law taking effect, by 6 March 2026, and late registration remains possible. What matters for agents is that they appear in your asset inventory and are covered by the risk management measures you attest to.

Supply chain security is one of the ten mandatory measures under Section 30. You must assess and manage the security of your direct suppliers and service providers, including the company that builds or hosts your AI agent. A vendor holding its own ISO 27001 certificate is helpful evidence but does not by itself discharge your duty. You need contractual security terms, data location clarity, and the ability to audit.

You carry two compounding risks. The first is the security risk of an ungoverned agent with broad permissions, which is the fastest-growing attack surface in enterprise IT. The second is the regulatory risk: unreported incidents, missing risk management, and untrained management can trigger BSI enforcement and fines up to 10 million euros or 2 percent of global turnover for essential entities.

Yes. NIS2 does not ban agents or slow down well-run deployments. It asks for the same things a competent rollout already does: a clear scope, least-privilege access, logging, an incident plan, and vendor due diligence. Teams that build these in from the first pilot move faster later because they never have to retrofit governance onto a live agent.

For a single use case, a focused team can reach a NIS2-ready production deployment in about 90 days. The first weeks map scope, data flows, and the agent identity model. The middle weeks build least-privilege access, logging, and the incident runbook. The final weeks run a controlled rollout with monitoring and produce the documentation the BSI expects. Retrofitting an ungoverned agent takes longer.

Related Articles

Henri Jung, Co-founder at Superkind
Henri Jung

Co-founder of Superkind, where he helps SMEs and enterprises deploy custom AI agents that actually fit how their teams work. Henri is passionate about closing the gap between what AI can do and the value it creates in real companies. He believes the Mittelstand has everything it needs to lead in AI - it just needs the right approach, and that approach now has to be secure and compliant by design.

Ready to deploy AI agents that stay inside the lines?

Book a 30-minute call with Henri. We will map your highest-value use case and the controls it needs to pass a NIS2 audit - no commitment, no sales pitch.

Book a Demo →