NIS2 Tool: Buyer's Guide for Compliance Software
What NIS2 tools you actually need, what they cost, what to look for, and which features are mandatory under the directive.
A NIS2 tool is software that helps companies implement the EU NIS2 Directive (2022/2555) and its national transposition (in Germany: BSIG / NIS2UmsuCG). It must support the 10 cybersecurity measures from Article 21 NIS2 plus incident reporting and authority registration.
- NIS2 requires durable audit evidence — Word documents are not enough.
- The BSI checks response times (24h / 72h / 1 month) — hard to demonstrate manually.
- Personal management liability under §38 BSIG: you need proof measures were implemented.
- The 10 measures from Article 21 span multiple departments — coordinated tools save time.
| Tool | Purpose | NIS2 |
|---|---|---|
| GRC platform | Governance, Risk & Compliance — represents all measures, risks, audits. | Mandatory for documentation |
| Asset management | IT asset inventory as the basis for risk analysis. | Mandatory (RSK 2.2) |
| SIEM / logging | Detection of security events, forensics. | Strongly recommended — detect reportable incidents |
| Patch management | Tracking updates for operating systems and applications. | Mandatory (Article 21(2)(e) NIS2) |
| MFA / IAM | Multi-factor authentication, identity & access management. | Mandatory (Article 21(2)(j) NIS2) |
| Backup / DR | Data backup and recovery capability. | Mandatory (Article 21(2)(c) NIS2) |
| Supplier management | Cybersecurity assessment of your suppliers and partners. | Mandatory (Article 21(2)(d) NIS2) |
| Training platform | Awareness training for all employees + management (§38 BSIG). | Mandatory (Article 21(2)(g) NIS2) |
- All 10 measures from Article 21 NIS2 / §30 BSIG
- Three-stage incident reporting cascade (24h / 72h / 1 month) under §32 BSIG
- BSI registration data (§33 BSIG) version-controlled
- Audit trail: every change with timestamp and responsible person
- Management sign-off via eIDAS-compliant signature
- Supplier inventory with their own compliance status
- Multi-country support if you operate across the EU
- Vendor lock-in: full data export must be possible
- "Forever free" as a marketing claim — usually a hook, read the fine print
- All 49 BSIG requirements covered
- Three-stage incident reporting cascade built in
- Audit trail that cannot be deleted
- Management liability protection: sign-off, training, evidence
- Supplier portal: self-service questionnaires
- Free platform, optional paid implementation guidance
What does a NIS2 tool cost?
Commercial GRC tools (Vanta, Drata, OneTrust) typically run €10,000–€60,000 per year for a mid-sized company. nisd2.eu is free. Implementation guidance from us starts at €500 per month.
Do I need a tool, or is Excel enough?
Excel is not enough. The BSI requires a tamper-evident audit trail. After an incident, you must prove who changed what when. Excel files are overwritten — a BSI auditor will reject this.
Is one tool enough, or do I need several?
A GRC tool covers documentation and proof. For SIEM, patch management, MFA, backups you still need separate technical tools. A good NIS2 tool integrates evidence from those systems.
Can a free platform be NIS2-compliant?
Yes. NIS2 doesn't mandate a specific vendor. What matters is whether the requirements are met and documented in an audit-resistant way. Open-source and free tools can do this just as well as expensive SaaS.