EU-Wide Compliance

One platform. Every EU requirement. No gaps.

The EU created NIS2 to harmonize cybersecurity across Europe. Then 27 countries implemented it differently. We fixed that.

The standardization that never was

NIS2 was supposed to be the great unifier – one directive to align cybersecurity requirements across all 27 EU member states. In practice, it did the opposite. The directive sets minimum requirements, and every country is free to go stricter. Most did. The result is a patchwork of national laws, each with its own interpretation, its own thresholds, and its own enforcement expectations.

Then the European Commission added CIR 2024/2690, an implementing regulation that specifies technical requirements for the most critical cross-border entities. It does not replace national law – it stacks on top of it. So now companies face three layers of requirements that overlap, contradict, and confuse in roughly equal measure.

If you operate in multiple EU countries, or if you simply want to know what "NIS2 compliant" actually means in concrete terms, you are on your own. There is no single source of truth. Until now.

Four layers of requirements

To understand why NIS2 compliance is confusing, you need to understand the four layers that define what "compliant" actually means.
1. NIS2 Directive (EU 2022/2555)

The EU-level directive that sets minimum cybersecurity requirements for essential and important entities. Deliberately vague on implementation details – it tells you what to achieve, not how to achieve it. Every member state must transpose it into national law, and they are explicitly allowed to go further.

2. BSIG – German National Transposition

Germany transposed NIS2 into the BSIG (BSI-Gesetz). It goes significantly beyond the directive's minimums: stricter incident reporting timelines, broader scope of affected entities, and explicit management liability under section 38. If you operate in Germany, the directive alone is not enough – the BSIG is what auditors enforce.

3. CIR 2024/2690 – EU Implementing Regulation

The Commission Implementing Regulation specifies detailed technical and methodological requirements for entities that provide cross-border services (DNS, cloud, CDN, data centers, and more). Unlike the directive, it is directly applicable – no national transposition needed. It adds granular requirements for risk management, incident handling, and supply chain security that go well beyond the directive's text.

4. IT-Grundschutz – BSI Implementation Methodology

The BSI's IT-Grundschutz standards (BSI-200-1, 200-2, 200-3) define exactly how to implement the requirements in practice. Under section 44(2) BSIG, implementing Grundschutz is explicitly recognized as fulfilling NIS2 obligations in Germany. It is the most detailed and prescriptive layer – and the one that turns vague policy statements into concrete, auditable controls.

The strictest common denominator

Our platform does not pick one framework and hope for the best. For every compliance topic – risk management, incident reporting, access control, encryption, training, supply chain – we identify the strictest requirement across all three normative sources: the NIS2 Directive, the CIR 2024/2690, and the BSIG with IT-Grundschutz methodology.

Then we build that strictest version into the platform as the default. Every form, every workflow, every evidence requirement is designed to satisfy the highest bar. When you complete a requirement on our platform, you do not just meet the German standard or the EU minimum – you meet all of them simultaneously.

The result: comply once, be compliant everywhere. Whether you operate only in Germany, across the EU, or fall under the CIR's cross-border scope, your compliance posture holds up. No duplicate work, no gaps, no surprises during an audit in a different jurisdiction.

Where the requirements diverge

The table below shows how requirements differ across the three normative layers. Our platform implements the strictest column for each area – so you never have to figure out which standard applies to you.

Compliance area: Risk management
  NIS2 Directive: "Appropriate and proportionate" measures, no prescribed methodology
  CIR 2024/2690: Explicit risk assessment methodology with defined criteria, documented risk acceptance
  BSIG / Grundschutz: Full asset-based risk analysis per BSI-200-3, threat modeling per IT-Grundschutz Compendium, mandatory annual review

Compliance area: Incident reporting
  NIS2 Directive: Early warning within 24h, full notification within 72h
  CIR 2024/2690: Same timelines, plus recurring incidents must be aggregated and reported as a pattern
  BSIG / Grundschutz: 24h/72h plus mandatory reporting to BSI, management must be notified immediately, root cause analysis required

Compliance area: Supply chain security
  NIS2 Directive: Consider supply chain risks, account for supplier vulnerabilities
  CIR 2024/2690: Documented supplier assessment, contractual security requirements, periodic reassessment
  BSIG / Grundschutz: Supplier risk register linked to asset inventory, NIS2 registration status tracked, Grundschutz-level supplier auditing

Compliance area: Encryption & cryptography
  NIS2 Directive: "Where appropriate" – use of cryptography and encryption
  CIR 2024/2690: Cryptography policy required, key management documented, algorithm suitability assessed
  BSIG / Grundschutz: BSI Technical Guidelines (TR-02102) define approved algorithms, key lengths, and protocols – no room for interpretation

Compliance area: Access control
  NIS2 Directive: Policies for access control to network and information systems
  CIR 2024/2690: Role-based access, privileged access management, regular access reviews
  BSIG / Grundschutz: Need-to-know principle, separation of duties, mandatory MFA for administrative access, documented RBAC with annual recertification

Compliance area: Cybersecurity training
  NIS2 Directive: Regular training for management and all employees
  CIR 2024/2690: Role-specific training, management must demonstrate competence in risk oversight
  BSIG / Grundschutz: Annual awareness training for all employees, role-specific training for IT staff, mandatory section 38 BSIG liability training for management
Why this approach wins

Meeting the highest bar is not just about compliance – it is the only strategy that scales across jurisdictions, survives regulatory tightening, and eliminates ambiguity.

Cross-border by default

Operate in Germany, expand to France, serve clients in the Netherlands – your compliance holds up everywhere. No jurisdiction-specific rework, no second audit. One process covers all 27 member states because you already meet the strictest interpretation.

Zero ambiguity

The NIS2 Directive is deliberately vague. "Appropriate measures" means different things to different auditors. Our platform eliminates that ambiguity by defaulting to the most specific, most prescriptive requirement available. You never have to guess whether your interpretation is "enough".

Future-proof compliance

Regulations only tighten. Countries that transposed NIS2 at the minimum level today will go stricter tomorrow. By already meeting the highest current standard, you are ahead of every future tightening – not scrambling to catch up.

Audit-ready from day one

BSI auditors expect Grundschutz-level evidence. ENISA assessments check CIR compliance. Our platform generates evidence that satisfies both, automatically. Assignments, sign-offs, deadlines, and audit trails are built into the workflow – they are the compliance process, not an afterthought.

"Isn't the strictest standard the most work?"

This is the most common objection – and it is wrong. The difference between meeting the NIS2 Directive's minimum requirements and meeting the BSIG/Grundschutz standard is not more data entry, more documents, or more busywork. It is more structure. The same information a company provides for a bare-minimum NIS2 checkbox exercise is the same information needed for a Grundschutz-level implementation.

The extra "work" is understanding: knowing which assets to document, how to structure a risk assessment, what constitutes adequate evidence. That is exactly what our platform handles for you. The forms guide you through the right questions. The workflows enforce the right process. The evidence is generated as you work.

In practice, a company using our platform spends no more time than one using a minimum-compliance checklist tool. The difference is that our output actually holds up in an audit – in any EU country, under any applicable regulation. The effort is identical. The result is incomparably better.

Frequently asked questions

Isn't this overkill for a company that only operates in one country?

No. Even within a single country, you face multiple overlapping requirements: the national transposition, potentially the CIR if you provide cross-border services, and the practical expectations of your national auditor. Meeting the strictest common denominator means you never have to worry about which specific regulation applies to which part of your business. It is not overkill – it is the only approach that removes ambiguity entirely.

What if my country has different requirements than Germany's BSIG?

Every EU country transposed NIS2 at or above the directive's minimum. Germany's BSIG is among the strictest transpositions. If you meet BSIG-level requirements, you automatically exceed whatever your country requires. Think of it as a superset: the strictest national law plus the CIR plus the directive covers every possible interpretation any member state could enforce.

Does the stricter approach cost more or take longer?

No. The platform guides you through the same number of steps regardless. The difference is in how those steps are structured – our forms and workflows are designed to capture information at the level of detail that satisfies Grundschutz methodology. You are not doing more work; you are doing the same work more precisely. The time investment is comparable to any compliance tool, but the output is defensible across all EU jurisdictions.

What about ISO 27001? Do I still need it?

ISO 27001 is a management system standard, not a legal requirement. NIS2, BSIG, and CIR are legal obligations. There is significant overlap – if you comply with our platform's requirements, you have covered roughly 70-80% of ISO 27001's Annex A controls. But they serve different purposes: NIS2 compliance is mandatory and legally enforced, ISO 27001 certification is voluntary and market-driven. Our platform focuses on the legal obligations first. ISO 27001 alignment will follow as a future feature.

How does CIR 2024/2690 relate to national law like the BSIG?

The CIR is an EU implementing regulation – it applies directly in all member states without national transposition. It does not replace national law; it adds to it. For entities in scope of the CIR (primarily cross-border digital infrastructure providers), you must comply with both your national transposition (e.g., BSIG in Germany) and the CIR. Where they overlap, the stricter requirement applies. Where they do not overlap, both apply independently. Our platform handles this layering so you do not have to.

Comply everywhere. Set up once.

Our platform implements the strictest common denominator of NIS2, CIR 2024/2690, and BSIG/Grundschutz. Complete your compliance process once and meet every EU requirement automatically – no duplicate work, no jurisdiction gaps, no audit surprises.