NIS2 Roadmap for managing directors
The prioritised steps. Your personal time: ~3 hours per year — everything else is delegable.
Are you actually in scope of NIS2? The 2-minute check is free, no login.
The roadmap
Check applicability
Delegable. Check thresholds (employees, revenue, sector) to confirm whether your entity is classified as 'essential' or 'important'.
- Legal basis: §28 BSIG
- Owner: Managing director
- Effort: 2 minutes
- Deadline: now
Register with your national NIS2 authority
Delegable. You register with the NIS2 authority of every EU Member State you operate in — not only Germany. 'Operate in' means physical establishment: your own company, a branch, an office, or your own employees on the ground in that country. Cross-border sales alone do not count. Example: a German GmbH with a Vienna office registers with the BSI (DE) and the NIS-Stelle (AT).
- Legal basis: NIS2 Art. 27 · §33 BSIG (DE)
- Owner: IT lead files, managing director signs
- Effort: ~1 hour per country + national identity setup (e.g. ELSTER in DE: 5–10 working days)
- Deadline: National deadlines apply — DE: 06.03.2026 passed; obligation continues
Complete the management training
Personal · non-delegable. The one obligation that cannot be delegated. Demonstrate sufficient knowledge of cybersecurity risk management.
- Legal basis: §38(3) BSIG
- Owner: Managing director, personally
- Effort: ~2 hours initial · annual refresh recommended
- Deadline: before first audit
Asset inventory and risk register
Delegable. Complete list of the systems, applications, and data your operations depend on — and the risks against each. Both are the foundation for every other NIS2 obligation and the first thing an auditor asks to see. In the NISD2 platform, your IT lead and CISO build and maintain the inventory and risk register, and the incident reporting workflow (24h / 72h / 1 month under §32 BSIG) is wired in automatically.
- Legal basis: §30(2) BSIG · NIS2 Art. 21(2)(a)
- Owner: IT lead produces, managing director signs (§38(1) BSIG)
- Effort: ~1 day initial pass · maintained ongoing, signed off yearly
- Deadline: Q1
Supplier inventory and supplier risk management
Delegable. Inventory of your direct suppliers, linked to your asset register (which supplier runs which system). Continuous cybersecurity risk management — not a one-shot questionnaire: per-supplier security posture, incident notifications received via their supplier portal, risk scoring. The platform ships with the NIS2-anchored standard questionnaire (open source, MIT + CC BY 4.0) and maintains the inventory.
- Legal basis: §30(2)(4) BSIG · NIS2 Art. 21(2)(d)
- Owner: Procurement / IT produces, managing director signs
- Effort: ~½ day initial pass · maintained ongoing
- Deadline: Q1–Q2
Implement the rest of NIS2
Delegable. The ten measure areas under NIS2 Art. 21 — incident handling, business continuity (backups, recovery), training, access control, cryptography, vulnerability and patch management, network security, monitoring, supplier contracts, communications. The platform covers all ten with templates, automatic evidence capture, and a full audit trail; you sign off the annual summary.
- Legal basis: §30(2) Nr. 1–10 BSIG · NIS2 Art. 21
- Owner: IT lead / CISO implements, managing director signs off yearly
- Effort: ongoing, alongside normal IT work
- Deadline: Q2 onwards
Your personal minimum
- 1× training (~2 hours, one-time)
- 5× document sign-offs (~40 minutes total)
- Annual refresh recommended
Total: ~3 hours per year.
Everything else is handled by your IT lead or CISO.
This page is structured guidance based on NIS2, BSIG, CIR 2024/2690, and ENISA TIG. It does not constitute legal advice. Your IT lead or CISO handles the operational work.