NIS2 Applies to Us – What Now?
You have confirmed your company is in scope. Do not panic, do not hire a consultant for 100,000 euros. Here is a realistic 4-week plan to build the foundation.
The Short Version
NIS2 compliance is not a single project with a finish line. It is an ongoing operational practice, like accounting or quality management. But it has a clear starting point: register with the BSI, list your critical systems, assess the risks, and establish an incident reporting process. These four activities give you 80% of the foundation.
The biggest mistake companies make is treating NIS2 as an all-or-nothing effort. You do not need to be perfect by day one. The BSI evaluates trajectory and good faith. A company that has registered, started a risk assessment, and documented its first policies is in a fundamentally different position than one that has done nothing – even if neither is fully compliant yet.
4-Week Quick-Start Plan
This plan assumes a 50 to 250 employee company with one person dedicating roughly 2 hours per day to NIS2. Adjust the timeline based on your team's availability.
Week 1: Register and assign ownership
- Register with the BSI via muk.bsi.bund.de (if not done already). Takes 30–60 minutes with preparation.
- Read Section 30 BSIG to understand the 10 mandatory security measures. This is 2 pages of legal text, not a textbook.
- Identify who in your company will own NIS2 compliance. This does not need to be a new hire – it can be your IT manager, CISO, or quality manager.
- Brief management on their personal liability under Section 38 BSIG. They need to know about the three duties: approval, oversight, and training.
- Set up your compliance tracking – either a platform like NISD2.eu or at minimum a structured spreadsheet with the 10 measure categories.
Week 2: Asset inventory
- List all IT systems that support your critical business services. Think: ERP, email, production systems, network infrastructure, endpoints.
- For each system, note: what it does, who manages it (internal or supplier), where it runs (on-premises, cloud, hybrid), and what happens if it is down for 24 hours.
- Group identical assets – Grundschutz allows this. '45 standard Windows laptops' is one entry, not 45. Most mid-market companies have 10 to 20 grouped asset entries.
- Identify your key IT suppliers: cloud providers, managed service providers, software vendors. Note what access they have to your systems.
- Document everything in a structured format. This becomes the foundation for risk assessment, supplier management, and incident response.
Week 3: Risk assessment and incident reporting process
- For each asset group, identify the main threats: ransomware, data breach, system failure, supplier compromise, human error.
- Rate each risk by likelihood (how likely in the next 12 months) and impact (what it does to your business). Use a simple 3-level or 5-level scale, and use the same scale for every risk so the results can be compared and prioritised.
- Decide on treatment for each risk: accept, mitigate, transfer (insurance), or avoid. Document the rationale.
- Translate the statutory definition of a significant incident into concrete internal criteria (for example, which systems or data are affected, and for how long), and write down the reporting process: who decides whether an incident is reportable, who files the BSI report, and how to reach both outside business hours.
- Draft your first incident response checklist: detection, containment, early warning to the BSI (within 24 hours of becoming aware of the incident), evidence preservation, incident notification (within 72 hours), recovery, final report (within 1 month). The 24-hour window runs on calendar time, not business days, which is why the out-of-hours contact in the previous step matters.
Week 4: Policies and management approval
- Draft your cybersecurity policy: a 2 to 5 page document covering scope, responsibilities, key measures, and review cycle. This is not a 100-page manual.
- Draft your access control policy: who gets access to what, how access is granted and revoked, MFA requirements for remote and admin access.
- Schedule management training for Section 38 BSIG. Management must personally participate – this cannot be delegated. Training must cover the 10 Section 30 measures.
- Get management to formally approve your risk management measures. This approval is a specific legal duty under Section 38 BSIG. Document it with date, version of the approved documents, and signature.
- Plan the next 3 months: supplier assessments, business continuity planning, detailed technical measures. The first 4 weeks build the foundation, months 2 to 6 fill in the details.
Common Mistakes
Waiting for Perfect Clarity
Some companies postpone action because they are not 100% sure the law applies to them or they want to wait for more BSI guidance. The law is in force. The obligations apply. Start with registration and an asset inventory – these are useful regardless of how the regulatory details evolve.
Trying to Do Everything at Once
Companies that try to implement all 10 Section 30 measures simultaneously get overwhelmed and stall. Follow the priority order: register, inventory, risk assessment, incident process. Then layer in policies, access controls, supplier management, and training over the following months.
No Clear Owner
NIS2 compliance cannot be a side task that nobody owns. Designate one person who is responsible for driving the process. This does not mean they do everything themselves – it means there is someone who tracks progress, escalates blockers, and reports to management. Without an owner, nothing moves.
Perfecting Documentation Before Starting
A 3-page policy that exists today is worth more than a 30-page policy that will be finished 'next quarter.' Start with short, practical documents. You can refine them over time. The BSI wants to see that you have a process, not that you have perfect prose.
Frequently Asked Questions
Do we need to hire a dedicated CISO for NIS2?
Not necessarily. The BSIG requires that someone is responsible for cybersecurity, but it does not mandate a dedicated CISO role. For a 50 to 150 person company, this can be your IT manager, quality manager, or another technical leader who takes on NIS2 as a primary responsibility. What matters is that the person has authority to make decisions and direct access to management. For companies over 150 employees or in high-criticality sectors, a dedicated role becomes more practical.
How much time per week does NIS2 compliance take after the initial setup?
After the first 3 to 6 months of setup, ongoing NIS2 compliance for a mid-market company typically requires 4 to 8 hours per week from the responsible person. This covers monitoring, incident triage, supplier follow-ups, and periodic reviews. Annual activities like full risk reassessment and management training require additional focused time. Most of the work is not technical – it is documentation, process, and communication.
Can we use ISO 27001 certification instead of NIS2 compliance?
ISO 27001 overlaps substantially with NIS2, but it is not a direct substitute. Having ISO 27001 means you already have most of the management system in place (risk assessment, policies, access controls, incident management). You still need to satisfy NIS2-specific requirements: BSI registration, the specific incident reporting timelines (24h/72h/1 month), supply chain security as defined by Section 30(2)(4) BSIG, and management liability documentation under Section 38. An ISO 27001-certified company can typically reach NIS2 compliance in weeks rather than months.
What if we get audited before we are fully compliant?
For important entities (wichtige Einrichtungen), the BSI supervises reactively, meaning it acts after an incident or on evidence of non-compliance. For essential entities (besonders wichtige Einrichtungen), proactive audits and periodic proof of compliance can be required. In either case, the BSI evaluates your overall posture, not just whether every requirement is perfectly met. A company that can show it has registered, started a risk assessment, is implementing measures, and has management engagement is in a defensible position. A company that has done nothing is not.
Should we do this ourselves or hire a consultant?
For a 50 to 250 person company, a combination works best. Use a structured platform or guide for the framework (this keeps costs under control and ensures nothing is missed), and bring in a consultant for specific topics where you lack expertise – typically risk assessment methodology, technical security measures, or legal review of policies. Avoid open-ended consulting engagements. Define the scope and deliverables upfront. The total cost for external support should be proportionate to your risk – typically 15,000 to 40,000 euros for the initial setup.