For managing directors

NIS2 — the 5 steps for managing directors

What your organisation must do. Your personal time: ~3 hours per year.

Before you read further

Are you actually in scope of NIS2? The 2-minute check is free, no login.

The 5 steps

1. Check applicability (delegable)

Check thresholds (employees, revenue, sector) to confirm whether your entity is classified as 'essential' or 'important'.

Legal basis: §28 BSIG
Owner: Managing director
Effort: 2 minutes
Deadline: now

2. Register with the BSI (delegable)

Registration on the BSI portal: sector, contact person, scope. Requires an ELSTER organisational certificate.

Legal basis: §33 BSIG
Owner: IT lead files, managing director signs
Effort: ~1 hour + 5–10 working days for ELSTER setup
Deadline: 06.03.2026 — deadline passed; obligation continues

3. Complete the management training (personal · non-delegable)

The one obligation that cannot be delegated. Demonstrate sufficient knowledge of cybersecurity risk management.

Legal basis: §38(3) BSIG
Owner: Managing director, personally
Effort: ~2 hours initial · annual refresh recommended
Deadline: before first audit

4. Asset and risk inventory (delegable)

Top 10 assets and top 5 risks on one page, including the incident reporting process (24h / 72h / 1 month under §32 BSIG).

Legal basis: §30(2) BSIG
Owner: IT lead produces, managing director signs (§38(1) BSIG)
Effort: ~1 day initial pass · review yearly
Deadline: Q1

5. Supplier list + minimum questionnaire (delegable)

Extend your existing GDPR Art. 30 register. Send a minimum cybersecurity questionnaire to direct suppliers.

Legal basis: §30(2)(4) BSIG · NIS2 Art. 21(2)(d)
Owner: Procurement / IT produces, managing director signs
Effort: ~½ day with the open-source questionnaire
Deadline: Q1–Q2

Your personal minimum

  • 1× training (~2 hours, one-time)
  • 4× document sign-offs (~30 minutes total)
  • Annual refresh recommended

Total: ~3 hours per year.

Everything else is handled by your IT lead or CISO.

This page is structured guidance based on NIS2, BSIG, CIR 2024/2690, and ENISA TIG. It does not constitute legal advice. Implementation is more than these 5 steps — your IT lead or CISO handles the operational work.

Sources and transparency
NIS2 Directive (EU) 2022/2555 · BSIG (as of 06.12.2025) · CIR 2024/2690 · ENISA Technical Implementation Guidance v1.0
Open-source tooling (MIT + CC BY 4.0) · Hosted in Germany · GDPR-compliant