30:["$","$L34",null,{"formats":"$undefined","locale":"en","messages":{"applicability":{"title":"NIS2 Applicability Check - Am I Affected?","metaDescription":"Check in under 2 minutes if your company falls under NIS2. Free quick check by sector, size, and special cases.","subtitle":"Find out if your company falls under the NIS2 directive in under 2 minutes.","cta":"Book a Demo","steps":{"exclusion":"Exclusion check","sector":"Sector selection","size":"Company size","specialCases":"Special cases","result":"Result"},"step":"Step {current} of {total}","exclusion":{"title":"Does your organization fall into an excluded category?","description":"The following entity types are exempt from NIS2 by law. If any apply to you, NIS2 does not cover your organization and the check ends here.","noneOfTheAbove":"No - none of these apply to us","noneHelp":"Select this to continue. Most private-sector companies will choose this option."},"sector":{"title":"What sector does your company operate in?","description":"Select all applicable sectors. A company can operate in multiple NIS2 sectors.","annexI":"Sectors of high criticality","annexII":"Other critical sectors","noSector":"None of these sectors apply to my company","selectedCount":"{count, plural, =0 {No sectors selected} =1 {1 sector selected} other {# sectors selected}}"},"size":{"title":"What is the size of your organization?","description":"Size is calculated at the entire enterprise group level, including parent companies and subsidiaries.","employees":"Total employees (FTE)","employeesHelp":"Include all group companies unless your entity has fully independent IT infrastructure.","turnover":"Annual turnover (EUR millions)","turnoverHelp":"Worldwide consolidated turnover of the entire enterprise group.","balanceSheet":"Annual balance sheet total (EUR millions)","balanceSheetHelp":"Worldwide consolidated balance sheet of the entire enterprise group.","independentIt":"Our German entity has fully independent IT systems from the parent group","independentItHelp":"If checked, only your German entity's own figures apply."},"specialCases":{"title":"Does any of the following apply?","description":"These entities fall under NIS2 regardless of company size.","noneOfTheAbove":"None of the above","noneHelp":"Most organizations will select this option.","selectedCount":"{count, plural, =1 {1 selected} other {# selected}}"},"result":{"notInScope":"Likely not in scope","important":"Important entity","importantLabel":"Likely an important entity","essential":"Essential entity","essentialLabel":"Likely an essential entity","kritis":"Betreiber kritischer Anlagen","kritisLabel":"Likely a KRITIS operator","reason":{"excluded":"Your organization appears to be excluded from NIS2 scope (sovereign function exemption).","no_sector":"Based on your selection, your company does not appear to operate in any sector covered by NIS2. If you are unsure, consult the full NIS2 sector list or seek legal advice.","below_threshold":"Your company appears to operate in a NIS2 sector but may fall below the medium enterprise threshold. However, you may still face NIS2 requirements through supply chain contracts with in-scope customers.","special_case":"Based on its classification, your organization likely falls in scope regardless of size.","size_and_sector":"Based on the information provided, your company appears to meet both the sector and size criteria for NIS2."},"disclaimer":"This is an indicative assessment, not a legal determination. NIS2 applicability depends on factors that may not be fully captured here, including corporate group structure, independent IT infrastructure, and regulatory interpretations. Consult a qualified advisor to confirm your status.","obligations":"Key obligations","penalty":"Penalty ceiling","penaltyValue":"{amount} or {percent} of global turnover","penaltyInfo":"Maximum fine for violations of cybersecurity measures, incident reporting, or BSI directives. The turnover-based alternative applies to companies with > EUR 500M revenue. Fines are set per the severity of the violation by the BSI.","supervisionLabel":"Supervision","supervisionProactive":"Proactive (ex-ante) - BSI can audit at any time","supervisionReactive":"Reactive (ex-post) - BSI acts on evidence of non-compliance","supervisionInfo":"Proactive: BSI can conduct unannounced audits, request documentation, and order specific security measures at any time. Reactive: BSI only investigates after an incident or upon justified suspicion of non-compliance.","registration":"BSI Registration","registrationDeadline":"By March 6, 2026 via BSI portal","registrationInfo":"You must self-register via the BSI portal (live since Jan 6, 2026). Requires: entity name, address, sectors, IP ranges, and entity category declaration. First create a \"Mein Unternehmenskonto\" (MUK) via ELSTER, then register on the BSI portal.","riskManagement":"Risk Management","riskManagementValue":"10 mandatory measures (Section 30 BSIG)","riskManagementInfo":"You must implement all 10 measures from Section 30 BSIG: risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene training, cryptography, access control/asset management, and multi-factor authentication.","incidentReporting":"Incident Reporting","incidentReportingValue":"24h / 72h / 1 month cascade to BSI","incidentReportingInfo":"Significant security incidents must be reported to BSI in three stages: (1) Early warning within 24 hours - suspected cause and cross-border impact, (2) Updated notification within 72 hours - severity, impact, indicators of compromise, (3) Final report within 1 month - root cause, mitigation, preventive steps.","managementLiability":"Management Liability","managementLiabilityValue":"Personal liability for board members (Section 38 BSIG)","managementLiabilityInfo":"Board members (Vorstand/Geschäftsführer) are personally liable for NIS2 compliance. Three duties: (1) formally approve cybersecurity measures, (2) actively monitor implementation, (3) complete mandatory cybersecurity training. Liability cannot be waived by shareholders. D&O insurance does not remove the statutory obligations.","managementTraining":"Management Training","managementTrainingValue":"Mandatory cybersecurity training every 3 years","managementTrainingInfo":"All members of the management body must personally participate in cybersecurity training at least every 3 years. This duty cannot be delegated to a CISO or IT department. Failure to comply contributes to personal liability under Section 38 BSIG.","cta":"Book a walkthrough","ctaVoluntary":"Book a walkthrough anyway","restart":"Start over","supplyChainNote":"Even if not directly in scope, you may face NIS2 requirements through contracts with in-scope customers."},"nav":{"back":"Back","next":"Continue","checkResult":"See result"},"leadCapture":{"title":"Get your free compliance roadmap","description":"We'll send you a personalized action plan based on your classification — no spam, just the steps you need to take.","placeholder":"your@company.de","cta":"Send roadmap","success":"Check your inbox — your compliance roadmap is on the way.","error":"Something went wrong. Please try again."}},"assets":{"title":"Asset Register","description":"Inventory of all IT and OT systems supporting essential services. Required by CIR 2024/2690 §12 and NIS2 Art. 21(2)(i).","helpText":"Register every IT system, OT device, cloud service, and physical asset your organization relies on. Mark critical assets and OT systems separately - these face stricter NIS2 requirements.","add":"Add Asset","edit":"Edit Asset","empty":"No assets yet. Add your first asset to get started.","deleteConfirm":"Are you sure you want to delete this asset?","actions":"Actions","critical":"Critical","ot":"OT","otherType":"Other","otherTypePlaceholder":"Enter custom asset type","types":{"application":"Application","server":"Server","endpoint":"Endpoint","network":"Network","database":"Database","cloud_service":"Cloud Service","data_store":"Data Store","ot_ics":"OT / ICS","iot":"IoT","physical":"Physical"},"typeDescriptions":{"application":"Business applications (ERP, CRM, email)","server":"Physical or virtual servers","endpoint":"Laptops, workstations, mobile devices","network":"Routers, switches, firewalls, VPN","database":"Databases, data warehouses","cloud_service":"SaaS, IaaS, PaaS","data_store":"File shares, backups, archives","ot_ics":"SCADA, PLC, industrial controllers","iot":"IoT devices, sensors","physical":"Buildings, rooms, infrastructure"},"fields":{"name":"Asset Name","type":"Type","description":"Description","status":"Status","isOT":"OT Asset","isCritical":"Critical Asset","owner":"Owner","location":"Location","ipAddress":"IP Address","hostname":"Hostname","operatingSystem":"Operating System","softwareVersion":"Software Version","hasMfa":"MFA Enabled","encryptionAtRest":"Encryption at Rest","encryptionInTransit":"Encryption in Transit","cryptoImplementation":"Crypto Implementation","hasBackup":"Backup Enabled","lastPatchDate":"Last Patch Date","lastVulnScanDate":"Last Vulnerability Scan","backupFrequency":"Backup Frequency","backupLocation":"Backup Location","lastBackupTestDate":"Last Backup Test","rto":"RTO (hours)","rpo":"RPO (hours)","endOfLife":"End of Life","quantity":"Quantity","processesPersonalData":"Processes Personal Data"},"fieldDescriptions":{"name":"Unique name identifying this asset in your organization's inventory.","type":"Category of asset per NIS2 all-hazards scope.","description":"Brief description of the asset's purpose and role in supporting essential services.","status":"Select the current operational status of this asset.","isOT":"Enable if this is an Operational Technology asset (SCADA, ICS, PLC). OT assets face stricter NIS2 requirements.","isCritical":"Enable if this asset directly supports essential or important services under NIS2 scope.","owner":"Person or role responsible for managing and maintaining this asset (CIR 2024/2690 Recital).","location":"Physical or logical location where the asset is deployed (e.g., data center, cloud region, office).","ipAddress":"Primary IP address assigned to this asset.","hostname":"Fully qualified hostname or DNS name of this asset.","operatingSystem":"Operating system and major version (e.g., Ubuntu 22.04, Windows Server 2022).","softwareVersion":"Primary application or firmware version installed on this asset.","hasMfa":"Whether multi-factor authentication is enforced for access to this asset.","encryptionAtRest":"Approved algorithm from cryptography policy applied to data at rest (e.g., AES-256-GCM).","encryptionInTransit":"Approved TLS suite from cryptography policy applied to data in transit (e.g., TLS_AES_256_GCM_SHA384).","cryptoImplementation":"Tool or hardware implementing encryption (e.g., BitLocker + TPM, AWS KMS, Let's Encrypt).","hasBackup":"Whether regular backups are configured and running for this asset.","lastPatchDate":"Date when the most recent security patch was applied (CIR 2024/2690 Recital).","lastVulnScanDate":"Date when the last vulnerability scan was performed.","backupFrequency":"How often backups are taken.","backupLocation":"Where backup data is stored.","lastBackupTestDate":"Date when the last backup restoration test was completed.","rto":"Recovery Time Objective in hours.","rpo":"Recovery Point Objective in hours.","endOfLife":"Date when this asset reaches end of life / end of support (CIR 2024/2690 Recital).","quantity":"Number of identical units in this asset group (BSI-200-2 §8.1 grouping).","processesPersonalData":"Enable if this asset stores, processes, or transmits personal data (triggers GDPR considerations and feeds the RoPA inventory)."}},"auth":{"title":"Start NIS2 compliance","description":"Create an account or sign in.","email":"Email","password":"Password","signIn":"Sign in","register":"Create account","signInGoogle":"Continue with Google","switchToRegister":"No account yet? Register now","switchToLogin":"Already have an account? Sign in","or":"or","orgDomain":"Organisation: {domain}","errorInvalid":"Invalid email or password.","errorGeneric":"Something went wrong. Please try again.","errorConsentRequired":"Please accept the Terms and Privacy Policy to continue.","consentLabel":"I accept the Terms of Service and acknowledge the Privacy Policy.","backToHome":"Back to nisd2.eu"},"audit":{"title":"Audit Trail","subtitle":"Tamper-evident log of all compliance-relevant actions","noEntries":"No audit log entries yet.","description":"Description","action":"Action","user":"User","time":"Time"},"audit-readiness":{"title":"Audit Readiness","subtitle":"Evaluate your BSIG/NIS2 audit readiness with AI analysis","startEvaluation":"Start Evaluation","evaluating":"Evaluating all sections...","reEvaluate":"Re-evaluate","reEvaluating":"Re-evaluating...","overallScore":"Overall Score","verdict":"Verdict","pass":"Audit Ready","partial":"Needs Work","fail":"Major Gaps","sectionsPassing":"{count} passing","sectionsPartial":"{count} partial","sectionsFailing":"{count} failing","strengths":"Strengths","structureGaps":"Structure Gaps","dataGaps":"Data Gaps","recommendations":"Recommendations","showDetails":"Show details","hideDetails":"Hide details","severity":{"critical":"Critical","important":"Important","nice-to-have":"Nice to have"},"fieldKey":"Field","requirement":"Requirement","issue":"Issue","recommendation":"Recommendation","noGaps":"No gaps identified","disclaimer":"AI-generated evaluation - does not replace a formal audit"},"changes":{"title":"Change Management","description":"IT/OT change requests with risk assessment and approval workflow. Supports NIS2 Art. 21(2)(e).","helpText":"Track all changes to IT and OT systems through a formal approval process. Each change request includes risk assessment, implementation plan, and rollback procedure. NIS2 requires controlled change management to prevent security regressions.","add":"New Change Request","edit":"Edit Change Request","empty":"No change requests yet. Create your first change request.","deleteConfirm":"Are you sure you want to delete this change request?","actions":"Actions","type":{"standard":"Standard","normal":"Normal","emergency":"Emergency"},"changeType":{"standard":"Standard","normal":"Normal","emergency":"Emergency"},"status":{"draft":"Draft","submitted":"Submitted","approved":"Approved","implementing":"Implementing","implemented":"Implemented","rolled_back":"Rolled Back","closed":"Closed"},"fields":{"title":"Title","description":"Description","changeType":"Change Type","status":"Status","createdAt":"Created At","businessJustification":"Business Justification","securityImpactAssessment":"Security Impact Assessment","rollbackPlan":"Rollback Plan"},"fieldDescriptions":{"title":"Short descriptive title for this change request (e.g., 'Upgrade firewall firmware to v4.2').","description":"Detailed description of the proposed change, including affected systems and expected outcome.","changeType":"Select the type: standard (pre-approved, low risk), normal (requires review), or emergency (urgent, post-approval).","status":"Current status of the change request in the approval and implementation workflow.","createdAt":"Date when this change request was submitted.","businessJustification":"Explain why this change is necessary, including business drivers and security benefits.","securityImpactAssessment":"Describe the potential security impact of this change, including risks introduced or mitigated.","rollbackPlan":"Describe the steps to revert this change if implementation fails or causes unexpected issues."}},"common":{"save":"Save","saving":"Saving...","cancel":"Cancel","back":"Back","next":"Next","open":"Open","optional":"optional","loading":"Loading...","entries":"{count} entries","select":"Select...","yes":"Yes","no":"No","noData":"No data","user":"User","modules":{"asset":"Assets","risk":"Risks","incident":"Incidents","supplier":"Suppliers","policy":"Policies","training_record":"Training Records","exercise":"Exercises","management_review":"Management Reviews","kpi_measurement":"KPI Measurements","change_request":"Change Requests","patch_record":"Patch Records","internal_audit":"Internal Audits","improvement_item":"Improvements","bsi_registration":"BSI Registration","bsi_incident_report":"BSI Incident Reports"},"moduleRef":{"confirmCompliance":"Confirm compliance","noRecords":"No records yet - add data in the module first"}},"status":{"not_started":"Open","in_progress":"In Progress","completed":"Completed","not_applicable":"N/A","needs_review":"Needs Review","approved":"Approved","rejected":"Rejected"},"priority":{"P0":"Critical - immediate action required","P1":"High - address within current cycle","P2":"Medium - plan for next cycle","P3":"Low - address when convenient"},"metadata":{"title":"NIS2 Compliance Platform","description":"NIS2/BSIG 2025 Compliance Management"},"companyLookup":{"title":"Is your company affected by NIS2?","subtitle":"The binding determination is made by your national supervisory authority. Below are the official contact points per country, plus a free self-check for orientation. Not sure? See real-world edge cases for examples.","authorityCallout":{"heading":"Binding determination: your national supervisory authority","body":"The final NIS2 classification is made by the competent authority in your country. We link the official sources — the self-check below is only a quick orientation tool.","seeAll":"See all 27 EU member states"},"selfCheckHeading":"Quick self-check","selfCheckSubtitle":"Orientation by sector, size, and special cases — does not replace the official determination by your authority.","placeholder":"Enter company name (e.g. Stadtwerke München)","noResults":"No companies found. Check the spelling or try the full legal name.","error":"Company lookup is currently unavailable. Please try again later.","sectors":"NIS2 Sectors","companyData":"Company data","legalForm":"Legal form","register":"Trade register","founded":"Founded","capital":"Share capital","companySize":"Company size","revenue":"Revenue","industryCodes":"Industry codes (WZ)","purpose":"Business purpose","missingData":"Some data could not be retrieved automatically. The classification is based on available information and may change when all data is available.","ctaInScope":"Let's discuss next steps","checkNis2":"Check NIS2 status","loading":"Analyzing company data…","ctaNotInScope":"Get protected anyway","disclaimer":"Company data is sourced from public registers and stored to improve our service.","holdingWarning":"This company appears to be a holding or group parent. NIS2 applicability is assessed per entity — subsidiaries with their own operations, employees, and IT systems may be independently in scope, even if the holding itself is not. Check each subsidiary separately.","resultDisclaimer":"This is an indicative assessment based on publicly available register data, not a legal determination. Actual NIS2 applicability depends on factors not fully captured here. Consult a qualified advisor to confirm.","result":{"not_in_scope":"Likely not in scope","important":"Likely an important entity","essential":"Likely an essential entity","kritis":"Likely a KRITIS operator"},"reason":{"excluded":"Your organization appears to be exempt from NIS2 scope.","no_sector":"None of the registered industry codes appear to fall under a NIS2 sector.","below_threshold":"Your company appears to operate in a NIS2 sector but may be below the size threshold based on available data.","special_case":"Based on its classification, your organization likely falls in scope regardless of size.","size_and_sector":"Based on available data, both sector and size criteria for NIS2 appear to be met."},"orSeparator":"or check manually","manualFallback":"Can't find your company?","manualLink":"Start manual check"},"compliance":{"title":"NIS2 Compliance","subtitle":"BSIG 2025 - {totalReqs} requirements in {steps} steps","startAssessment":"Start Compliance Assessment","startDescription":"Systematically go through all NIS2/BSIG requirements. Requirements are displayed per domain and can be addressed directly.","startButton":"Start Assessment","continueButton":"Continue","completeAssessment":"Complete assessment","domains":"{count} Compliance Domains","loadingCategories":"Loading categories...","loadingRequirements":"Loading requirements...","categoryNotFound":"Category not found.","noFrameworkData":"No framework data available.","noRequirements":"No requirements found for this category.","frequency":"Frequency: {value}","mandatory":"Mandatory","requiredEvidence":"Required Evidence","progress":"{completed} of {total}","progressTooltip":"{completed} of {total} requirements completed ({percentage}%)","assign":"Assign","categoryOwner":"Owner","noOwner":"No owner assigned","assignedTo":"Assigned to {name}","assignedCount":"{count} assigned","unassigned":"Unassigned","readOnlyBanner":"This category is assigned to {name}. Contact your admin for access.","noUsersToAssign":"No team members available","inviteMember":"Invite new member","invitePlaceholder":"name@company.com","assignFailed":"Failed to assign","unassignFailed":"Failed to unassign","moduleBacked":"Module-backed - linked to operational data","signOff":"Sign Off","signOffAllCount":"Sign Off All ({count})","bulkSignOffSuccess":"{count} requirements signed off","signedOffBy":"Signed off by {role} on {date}","notApplicable":"Not Applicable","notApplicablePlaceholder":"Explain why this requirement doesn't apply to your organization (§30 BSIG proportionality)...","confirmNotApplicable":"Confirm N/A","exportPolicy":"Export Policy","completedSectionCount":"Signed off ({count})","implementationGuide":"Implementation Guide","showMore":"Show more","showLess":"Show less","deadline":{"overdue":"Overdue {days}d","dueToday":"Due today","dueIn":"Due in {days}d"},"guided":{"banner":"Guided Setup","progress":"Category {current} of {total}","skipToDashboard":"Skip to Dashboard","finish":"Finish Setup"},"overview":{"title":"Compliance Overview","subtitle":"Track your progress across all NIS2 requirement categories","requirements":"{count} requirements"},"requirement":{"backToCategory":"Back to {category}","whatSection":"What is required","whySection":"Why this matters","howSection":"How to fulfill this","specificsSection":"Your specifics","evidenceSection":"Evidence","noFieldsNeeded":"No specific data needed - review the guidance and sign off when ready.","viewDetails":"View details","prevRequirement":"Previous","nextRequirement":"Next","threatContext":"Threat context","legalConsequence":"Legal consequence","businessValue":"Business value","signedOff":"Signed off","signedOffByOn":"Signed off by {name} on {date}","rejectionFeedback":"Review feedback","moduleData":"Operational data","goToRegister":"Go to register","requiredRole":"This requirement requires sign-off by: {role}","signOffProgress":"{signed} of {total} sign-offs completed","details":"Details","priority":"Priority","frequency":"Frequency","deadline":"Deadline","importance":"Importance","implSteps":"Implementation steps","whyItMatters":"Why it matters","prerequisitesTitle":"Prerequisites","prerequisiteComplete":"Completed","prerequisitePending":"Required","prerequisitesBlocked":"Complete the following requirements first:","ceoCourseTitle":"NIS 2 CEO course available","ceoCourseDescription":"Complete the built-in management training course to satisfy the §38(3) BSIG / Art. 20(2) NIS 2 training obligation.","takeCourse":"Start the course"},"frameworkName":"NIS2 / BSIG 2026","categories":{"GOV":{"name":"Governance & Liability","description":"Management oversight, personal liability, and organizational governance","legalBasis":"Art. 20 NIS2 · §38 BSIG","threatLandscape":"Without clear governance, cybersecurity measures lack direction and accountability. Management that does not engage with security creates a culture of neglect, leaving the organization vulnerable to systematic failures.","bsiGuidance":"BSI expects management to formally approve cybersecurity risk measures, appoint responsible persons, allocate adequate budget, and complete regular cybersecurity training (§38 BSIG). Personal liability applies to managing directors."},"RSK":{"name":"Risk Management","description":"Risk identification, assessment, and treatment using an all-hazards approach (cyber, physical, environmental)","legalBasis":"Art. 21(2)(a) NIS2 · §30(2) Nr. 1 BSIG","threatLandscape":"Organizations that lack a structured risk assessment process cannot prioritize security investments effectively, leading to critical systems being left unprotected while resources are wasted on low-risk areas.","bsiGuidance":"BSI expects a documented risk assessment methodology, complete risk register, treatment plan with management-approved risk acceptance, and regular review cycle (at least annual). Must cover all critical information systems using an all-hazards approach."},"INC":{"name":"Incident Handling","description":"Detection, response, and BSI reporting","legalBasis":"Art. 21(2)(b), Art. 23 NIS2 · §30(2) Nr. 2, §32 BSIG","threatLandscape":"Cyber incidents are inevitable. Without a rehearsed response plan, organizations lose critical hours during the 24h BSI early warning window and the 72h notification deadline, risking regulatory penalties on top of operational damage.","bsiGuidance":"BSI expects an incident response plan with clear roles and escalation paths, 24h early warning capability (§32(1)), 72h incident notification with impact assessment, classification scheme, evidence of drills, and post-incident review process."},"BCP":{"name":"Business Continuity","description":"Backup, recovery, and crisis management","legalBasis":"Art. 21(2)(c) NIS2 · §30(2) Nr. 3 BSIG","threatLandscape":"Ransomware and infrastructure failures can halt operations entirely. Without tested backup/recovery procedures and a crisis management plan, recovery times extend from hours to weeks, threatening business survival.","bsiGuidance":"BSI expects a business impact analysis, documented BCP with RPO/RTO targets, regular backup and restore tests, crisis communication procedures, and evidence of at least annual BCP testing."},"SUP":{"name":"Supply Chain Security","description":"Third-party risk management","legalBasis":"Art. 21(2)(d) NIS2 · §30(2) Nr. 4 BSIG","threatLandscape":"Supply chain attacks (SolarWinds, Kaseya) demonstrate that a single compromised supplier can cascade across thousands of organizations. Third-party risk is now a primary attack vector.","bsiGuidance":"BSI expects a supplier register with security criticality classification, security requirements in contracts (SLAs, audit rights), ongoing supplier monitoring, incident notification clauses, and assessment of single points of failure."},"PRO":{"name":"Procurement & Development","description":"Secure procurement, patch management, change control","legalBasis":"Art. 21(2)(e) NIS2 · §30(2) Nr. 5 BSIG","threatLandscape":"Unpatched vulnerabilities are the most common entry point for attackers. Organizations that lack structured vulnerability and patch management processes remain exposed to known exploits for weeks or months.","bsiGuidance":"BSI expects security requirements in procurement, secure SDLC if developing software, vulnerability scanning and patching with defined SLAs, coordinated disclosure policy, configuration hardening baselines, and third-party component tracking."},"EFF":{"name":"Effectiveness Assessment","description":"Audits, KPIs, and management reviews","legalBasis":"Art. 21(2)(f) NIS2 · §30(2) Nr. 6 BSIG","threatLandscape":"Security measures degrade over time. Without regular effectiveness assessments, organizations develop a false sense of security while actual protection levels decline through configuration drift and evolving threats.","bsiGuidance":"BSI expects defined KPIs/metrics for cybersecurity effectiveness, regular internal audits, management reviews, trend analysis of incidents and findings, and corrective action tracking from assessments."},"TRN":{"name":"Cyber Hygiene & Training","description":"Awareness, phishing tests, management training","legalBasis":"Art. 21(2)(g) NIS2 · §30(2) Nr. 7 BSIG","threatLandscape":"Human error accounts for over 80% of security breaches. Phishing, social engineering, and credential misuse are the most effective attack techniques, all targeting untrained employees.","bsiGuidance":"BSI expects a cybersecurity awareness training program for all employees, role-specific training for IT/security staff, training completion tracking, at least annual refresher courses, phishing simulations, and security onboarding for new employees."},"CRY":{"name":"Cryptography & Encryption","description":"Encryption policies and key management","legalBasis":"Art. 21(2)(h) NIS2 · §30(2) Nr. 8 BSIG","threatLandscape":"Weak or outdated encryption exposes data in transit and at rest. Poor key management can render even strong encryption useless, and quantum computing threatens current cryptographic standards.","bsiGuidance":"BSI expects a cryptography policy with approved algorithms (per BSI TR-02102), encryption of data at rest and in transit, key management procedures (generation, rotation, revocation), certificate management, and an inventory of cryptographic assets."},"ACC":{"name":"Access Control & HR Security","description":"Identity management, privileged access, HR processes","legalBasis":"Art. 21(2)(i) NIS2 · §30(2) Nr. 9 BSIG","threatLandscape":"Excessive access rights are a multiplier for every other attack. A compromised account with broad privileges can access, exfiltrate, or destroy far more data than necessary. Insider threats exploit poor access controls.","bsiGuidance":"BSI expects an access control policy based on least-privilege, user provisioning/de-provisioning process, regular access reviews, privileged access management (PAM), asset management policy, and HR security processes including joiners-movers-leavers."},"AUT":{"name":"Authentication & Communications","description":"MFA or continuous authentication, secure communications, emergency channels","legalBasis":"Art. 21(2)(j) NIS2 · §30(2) Nr. 10 BSIG","threatLandscape":"Credential theft and password-only authentication are the primary vectors for account compromise. Without MFA, a single phished password grants full access. Insecure communications can be intercepted for espionage.","bsiGuidance":"BSI expects multi-factor or continuous authentication for critical systems and remote access, secure voice/video/text communication solutions, emergency out-of-band communication channel, centralized identity management, and session management policies."},"REG":{"name":"Registration & Reporting","description":"BSI registration, annual updates, compliance evidence","legalBasis":"Art. 3, Art. 23 NIS2 · §33, §34, §39 BSIG","threatLandscape":"Failure to register with BSI and maintain current contact data means the organization cannot receive threat warnings and cannot fulfill mandatory reporting obligations, compounding regulatory risk.","bsiGuidance":"BSI expects completed registration (§33), designated contact point, current registration data (annual update), compliance with information sharing obligations (§34), domain name registry maintenance (§39 if applicable), and documented regulatory correspondence."},"DPA":{"name":"Processor Agreements","description":"Data Processing Agreements per GDPR Art. 28 with all processors handling personal data","legalBasis":"GDPR Art. 28","threatLandscape":"","bsiGuidance":""},"ROP":{"name":"Records of Processing","description":"Documentation of every processing activity per GDPR Art. 30 — purpose, legal basis, recipients, retention","legalBasis":"GDPR Art. 30","threatLandscape":"","bsiGuidance":""},"TOM":{"name":"Technical & Organisational Measures","description":"Security measures protecting personal data per GDPR Art. 32","legalBasis":"GDPR Art. 32","threatLandscape":"","bsiGuidance":""},"BRC":{"name":"Breach Response","description":"72-hour notification process and breach documentation per GDPR Art. 33/34","legalBasis":"GDPR Art. 33, Art. 34","threatLandscape":"","bsiGuidance":""},"DSR":{"name":"Data Subject Rights","description":"Workflow for handling access, erasure, portability, and objection requests within one month","legalBasis":"GDPR Art. 12-22","threatLandscape":"","bsiGuidance":""},"AI-LIT":{"name":"AI Literacy","description":"Ensure staff and persons operating AI systems on the company's behalf have a sufficient level of AI literacy.","legalBasis":"Art. 4 EU AI Act","threatLandscape":"Untrained staff using AI tools cause data leakage, hallucination-driven errors, and deepfake exposure that organisations cannot defend in audit or court.","bsiGuidance":""},"AI-PRO":{"name":"Prohibited Practices","description":"Screen AI use cases against the eight (plus one) banned practices in Art. 5 and document the screening outcome.","legalBasis":"Art. 5 EU AI Act","threatLandscape":"Using a prohibited practice triggers the highest penalty tier (EUR 35M or 7% of global turnover) regardless of intent.","bsiGuidance":""},"AI-INV":{"name":"AI System Inventory","description":"Maintain an inventory of every AI system in use, classify each by risk tier, and re-classify on substantial modification.","legalBasis":"Art. 6, 25, 26 EU AI Act","threatLandscape":"Without an inventory, shadow-AI deployments evade oversight and create unmitigated compliance and liability exposure.","bsiGuidance":""},"AI-RSK":{"name":"AI Risk Management","description":"Operate a documented risk management system for high-risk AI systems, with annual review and treatment of identified risks.","legalBasis":"Art. 9 EU AI Act","threatLandscape":"Unmanaged AI risks (bias, drift, robustness failures) translate directly into incident exposure under Art. 73.","bsiGuidance":""},"AI-FRI":{"name":"Fundamental Rights Impact Assessment","description":"Conduct a Fundamental Rights Impact Assessment before deploying high-risk AI systems in public, financial, or insurance contexts.","legalBasis":"Art. 27 EU AI Act","threatLandscape":"Skipping the FRIA exposes the deployer to civil claims from affected persons and to market-surveillance enforcement.","bsiGuidance":""},"AI-OVS":{"name":"Human Oversight","description":"Designate a competent human overseer per high-risk AI system and verify oversight effectiveness annually.","legalBasis":"Art. 14, Art. 26(2) EU AI Act","threatLandscape":"Autonomous high-risk AI systems without effective human override breach Art. 14 and create direct provider/deployer liability.","bsiGuidance":""},"AI-TRA":{"name":"Transparency","description":"Disclose AI interactions and AI-generated content to end users; watermark synthetic content; disclose deepfakes.","legalBasis":"Art. 50 EU AI Act","threatLandscape":"Lack of disclosure on chatbots and synthetic content breaches Art. 50 and undermines trust with customers and regulators.","bsiGuidance":""},"AI-INC":{"name":"AI Incident Reporting","description":"Document the AI incident response procedure; notify the market surveillance authority of serious incidents within 15 days.","legalBasis":"Art. 73 EU AI Act","threatLandscape":"Failure to notify within the 15-day window triggers the second penalty tier (EUR 15M or 3% of turnover).","bsiGuidance":""},"AI-DOC":{"name":"Technical Documentation","description":"Maintain Annex IV technical documentation, automatic logging, and the EU Declaration of Conformity for high-risk AI systems.","legalBasis":"Art. 11, 12, 18, 19, 47 · Annex IV, V EU AI Act","threatLandscape":"Incomplete technical documentation prevents conformity assessment and blocks placing on the EU market.","bsiGuidance":""},"AI-GPI":{"name":"General-Purpose AI","description":"GPAI provider obligations: model card, copyright policy, training-content summary, plus systemic-risk evaluation when training compute exceeds 10^25 FLOPs.","legalBasis":"Art. 51-55 EU AI Act","threatLandscape":"GPAI providers that miss transparency obligations face EU AI Office enforcement directly, with fines under Art. 101.","bsiGuidance":""},"CRA-MFG":{"name":"Manufacturer Obligations","description":"Per-product cybersecurity risk assessment and management body sign-off before placing the product on the EU market.","legalBasis":"Art. 13 EU CRA","threatLandscape":"Manufacturers that ship without a documented risk assessment have no defence when actively exploited vulnerabilities surface.","bsiGuidance":""},"CRA-ESS":{"name":"Essential Cybersecurity Requirements","description":"Compliance with Annex I Part I: no known exploitable vulnerabilities at placing on market, secure by default, protection of data confidentiality, integrity, availability.","legalBasis":"Annex I Part I EU CRA","threatLandscape":"Products that fail essential requirements cannot legally remain on the EU market and trigger the highest penalty tier.","bsiGuidance":""},"CRA-VLN":{"name":"Vulnerability Handling","description":"Documented vulnerability handling, coordinated disclosure policy, security updates without delay, and public disclosure of fixed vulnerabilities.","legalBasis":"Annex I Part II EU CRA","threatLandscape":"Vendors without a vulnerability handling process cannot meet the 24h / 72h / 14-day reporting cascade and become liable for downstream incidents.","bsiGuidance":""},"CRA-INC":{"name":"Active Exploitation Reporting","description":"24-hour early warning to ENISA and CSIRT, 72-hour notification, 14-day final report for actively exploited vulnerabilities and severe incidents.","legalBasis":"Art. 14 EU CRA","threatLandscape":"Missed reporting deadlines (other than the 24h deadline for SMEs) trigger the highest penalty tier and product-recall powers.","bsiGuidance":""},"CRA-CONF":{"name":"Conformity Assessment","description":"Conformity assessment route per product class (self-assessment Module A, Module B+C with notified body, or Module H quality system) followed by CE marking.","legalBasis":"Art. 24, Art. 27 EU CRA","threatLandscape":"Products without valid conformity assessment cannot be placed on the EU market from 11 December 2027.","bsiGuidance":""},"CRA-DOC":{"name":"Technical Documentation","description":"Maintain Annex VII technical documentation for each product placed on the EU market.","legalBasis":"Art. 28 · Annex VII EU CRA","threatLandscape":"Missing or incomplete technical documentation blocks market surveillance verification and triggers product withdrawal.","bsiGuidance":""},"CRA-SUP":{"name":"Support Period","description":"Publicly commit to a security update support period (default five years or expected product life, whichever is longer).","legalBasis":"Art. 13(8) EU CRA","threatLandscape":"Failure to support the full period exposes the manufacturer to claims from customers stranded on insecure products.","bsiGuidance":""},"CRA-SBOM":{"name":"Software Bill of Materials","description":"Generate and maintain a machine-readable Software Bill of Materials for each product placed on the EU market.","legalBasis":"Annex I Part II §1 EU CRA","threatLandscape":"Without an SBOM, manufacturers cannot trace which products contain a vulnerable component and miss the Art. 14 reporting window.","bsiGuidance":""},"CRA-IMP":{"name":"Importer and Distributor","description":"Importers verify manufacturer compliance before placing on market; distributors perform due diligence on conformity markings.","legalBasis":"Art. 18, Art. 19 EU CRA","threatLandscape":"Importers and distributors that miss verification inherit manufacturer liability under Art. 22.","bsiGuidance":""},"CRA-OSS":{"name":"Open-Source Steward","description":"Open-source software stewards adopt a cybersecurity policy, coordinated vulnerability disclosure, and report actively exploited vulnerabilities.","legalBasis":"Art. 24 EU CRA","threatLandscape":"OSS stewards are penalty-exempt under Art. 64(10), but downstream commercial users still depend on their reporting.","bsiGuidance":""}}},"intake":{"bsiContext":"What BSI expects","threatLandscape":"Threat landscape","grundschutzModule":"IT-Grundschutz Module","companyContext":"Your company profile","completeSection":"Complete this section","operationalData":"From your platform data","saveDraft":"Save Draft","submitSignOff":"Submit & Sign Off","saved":"Draft saved","submitted":"Category submitted and signed off","submitFailed":"Submission failed","incomplete":"Please fill all required fields before submitting.","alreadySignedOff":"Signed off on {date}","fieldProgress":"{completed} of {total} fields","statusDraft":"Draft","statusSubmitted":"Submitted","statusSignedOff":"Signed Off","validate":"Validate with BSI Panel","validating":"Running BSI panel evaluation...","validateFailed":"Validation failed","noSchema":"No intake form available for this category.","autoSaved":"Auto-saved","categoryOwner":"Category Owner","noOwner":"No owner assigned","onlyOwnerCanSubmit":"Only the assigned owner or an admin can submit this category.","responsiblePerson":"Responsible Person","responsiblePersonDescription":"The person assigned here will be able to sign off on this category.","frequencyOneTime":"One-time","frequencyMonthly":"Monthly","frequencyQuarterly":"Quarterly","frequencySemiAnnual":"Semi-annual","frequencyAnnual":"Annual","frequencyEvery3Years":"Every 3 years","frequencyOnChange":"On change","frequencyOngoing":"Ongoing"},"form":{"completeRequirement":"Complete requirement","noFields":"No form fields defined.","requirementCompleted":"{code} completed","requirementSaved":"Requirement has been saved.","edit":"Edit","save":"Save","saving":"Saving...","failedToSave":"Failed to save"},"evidence":{"loading":"Loading files…","uploading":"Uploading…","uploadFailed":"Upload failed. Please try again.","deleteFailed":"Delete failed. Please try again."},"signoff":{"title":"Management sign-off required","description":"Management must confirm and approve the implementation of \"{title}\".","roleLabel":"Role / Function","rolePlaceholder":"e.g. CEO, CISO, IT Manager","confirm":"I confirm that the requirement has been reviewed and implementation approved by management.","saving":"Saving...","submit":"Grant approval","granted":"Approval granted","grantedDescription":"{code} was approved by {role}."},"llm":{"title":"AI Prefill","extractTitle":"Extract data via AI","extractDescription":"Paste text or drag file here (PDF, DOCX, TXT). The AI extracts the relevant data for the form.","extractPlaceholder":"Paste text here or drag file here...\n\nExample: Muller GmbH based in Berlin, energy sector, 120 employees, annual revenue EUR 15M, classified as important entity under NIS2...","extractButton":"Extract data","unsupportedFormat":"Unsupported format: {name}. Supported: {formats}","noText":"No text found in document.","fileError":"Error processing file","dropHere":"Drop file here","processing":"Processing document...","selectFile":"Select file","fieldsFilled":"{count} fields filled","extracting":"Extracting...","assistButton":"AI Assist","assistTitle":"Form Guidance","assistDescription":"AI-generated guidance to help you fill out this requirement form. No actual data is sent - only field names and types.","assistLoading":"Generating guidance...","assistError":"Failed to generate guidance. Please try again.","assistOverview":"Overview","assistWhatThisIs":"What this is","assistWhyThisExists":"Why this exists","assistApplicability":"Does this apply?","assistQuickStart":"Quick start","assistExample":"Example of a good submission","assistExampleWhyGood":"Why this is good","assistFieldGuidance":"Field-by-field guidance","assistMeaning":"What it means","assistExamples":"Good examples","assistWhereToFind":"Where to find it","assistField":"Field","assistValue":"Value"},"dashboard":{"title":"Dashboard","description":"Security compliance overview","risks":"Risks","openRisks":"Open Risks","highRisks":"High Risks","assets":"Assets","criticalAssets":"Critical","otAssets":"OT","incidents":"Incidents","suppliers":"Suppliers","criticalSuppliers":"Critical","policies":"Policies","approved":"Approved","training":"Training","managementTraining":"Management","exercises":"Emergency Drills","completed":"Completed","kpis":"Security Metrics","changes":"Changes","openChanges":"Open","patches":"Security Updates","pendingPatches":"Pending","audits":"Self-Assessments","plannedAudits":"Planned","improvements":"Action Items","openImprovements":"Open","complianceByCategory":"Compliance by Category","riskMatrix":"Risk Matrix","riskTreatmentDistribution":"Risk Treatment Distribution","noRisksRegistered":"No risks registered","noData":"No data","incidentsBySeverity":"Incidents by Severity","treatmentLabel":{"mitigate":"Mitigate","accept":"Accept","transfer":"Transfer","avoid":"Avoid"},"severity":{"nearMiss":"Near Miss","incident":"Incident","significant":"Significant"},"complianceProgress":"Compliance Progress","requirementsCompleted":"{completed} of {total} requirements","allModules":"All Modules","deadlines":{"overdue":"Overdue","dueThisWeek":"Due this week","dueThisMonth":"Due this month","upcoming":"Upcoming Deadlines","overdueDays":"{days}d overdue","dueToday":"Due today","dueDays":"Due in {days}d"}},"exercises":{"title":"Exercises","description":"BC/DR drills and incident response exercises. Required by NIS2 Art. 21(2)(c).","helpText":"Plan and document business continuity and disaster recovery exercises. NIS2 requires regular testing of your continuity plans. Record exercise type, participants, findings, and follow-up actions.","add":"Add Exercise","edit":"Edit Exercise","empty":"No exercises planned yet. Schedule your first drill.","deleteConfirm":"Are you sure you want to delete this exercise?","actions":"Actions","type":{"tabletop":"Tabletop","technical":"Technical","red_team":"Red Team","full_scale":"Full Scale"},"exerciseType":{"tabletop":"Tabletop","technical":"Technical","red_team":"Red Team","full_scale":"Full Scale"},"fields":{"title":"Title","exerciseType":"Exercise Type","domain":"Domain","scheduledDate":"Scheduled Date","completedAt":"Completed At","scenarioDescription":"Scenario","facilitator":"Facilitator","lessonsLearned":"Lessons Learned"},"fieldDescriptions":{"title":"Name of the exercise or drill (e.g., 'Q1 Ransomware Tabletop', 'DR Failover Test').","exerciseType":"Select the exercise format: tabletop (discussion-based), technical (hands-on), red team (adversary simulation), or full scale (live drill).","domain":"Security domain being tested (e.g., incident response, business continuity, disaster recovery, crisis communication).","scheduledDate":"Date when this exercise is planned to take place.","completedAt":"Date when this exercise was actually completed.","scenarioDescription":"Describe the simulated scenario, including threat actor, attack vector, and expected organizational response.","facilitator":"Name of the person responsible for planning and leading this exercise.","lessonsLearned":"Document key findings, gaps identified, and recommended improvements from this exercise."}},"export":{"title":"Export Reports","subtitle":"Download compliance reports for your assessments","noAssessments":"No assessments found. Complete the setup first.","download":"Download PDF","started":"Started","progress":"{completed} of {total} requirements","compliance":"Compliance"},"funnel":{"meta":{"title":"NIS2 Compliance Platform – Book a Demo","description":"Step-by-step NIS2 compliance for German mid-market companies. 49 BSIG requirements, guided forms, automatic evidence tracking, audit-ready from day one."},"hero":{"headline":"49 BSIG requirements. We guide you through every one.","subhead":"The fastest path from 'NIS2 applies to us' to 'we're audit-ready.' Structured forms, deadline management, and automatic evidence tracking. Start in 48 hours.","cta":"Book Your 30-Minute Demo","trust":"Made in Cologne · Hosted in Germany"},"stats":{"heading":"The regulatory reality","companies":"29,500","companiesLabel":"companies in scope in Germany alone","penalty":"€10M / 2%","penaltyLabel":"fine or 2% of global annual turnover","liability":"§38 BSIG","liabilityLabel":"management personally liable","description":"The NIS2 directive is transposed into German law via the BSIG. Registration deadlines are approaching, and management boards carry personal liability for non-compliance. Waiting is no longer an option."},"alternatives":{"heading":"Why existing options fall short","consultants":{"title":"Consultants","price":"€150K–500K","items":["Spreadsheet-based tracking","No automation or audit trail","Months of back-and-forth","Knowledge leaves when they leave"]},"enterprise":{"title":"Enterprise GRC","price":"€100K+/year","items":["6–12 month implementation","Built for Fortune 500 complexity","Overkill for mid-market","Requires dedicated GRC team"]},"usPlatforms":{"title":"US Platforms","price":"€7,500+/year","items":["English-first, bolt-on translations","No BSIG-specific guidance","US data hosting defaults","Generic framework mapping"]},"nisd2":{"title":"NISD2.eu","items":["Step-by-step through all 49 requirements","Audit-ready from day one","German-language, EU-hosted","Live in 48 hours"]},"callout":"Purpose-built for NIS2 and BSIG. Nothing more, nothing less."},"features":{"heading":"What you get","obligations":{"title":"49 requirements, guided step-by-step","description":"Every BSIG requirement broken down into structured forms with clear instructions. No compliance background needed, just answer the questions."},"evidence":{"title":"Automatic evidence & audit trail","description":"Upload documents, track approvals, and maintain a tamper-evident audit trail. Everything timestamped and ready for BSI review."},"deadlines":{"title":"Deadline tracking & escalation","description":"BSI registration, incident reporting cascades (24h / 72h / 1m), training renewals. Every deadline tracked with automatic escalation so nothing slips."},"bsiRegistration":{"title":"BSI registration support","description":"Guided preparation for your BSI registration, including all required documentation and pre-submission checklists."}},"offer":{"heading":"Founding Partner Program","subtitle":"We're onboarding our first 10 companies with hands-on support.","items":["3 months free, full platform access","White-glove onboarding within 48 hours","Direct founder access for the lifetime of your account","Lock in preferential pricing before general availability"],"exchange":"In return, we ask for honest feedback to shape the product.","cta":"Book Your Free Demo"},"faq":{"heading":"Common questions","q1":"Are we affected by NIS2?","a1":"If your company operates in one of the 18 critical sectors (energy, transport, health, digital infrastructure, etc.) and has 50+ employees or €10M+ revenue, you are very likely in scope. Our free applicability check takes 2 minutes and gives you a clear answer.","q2":"We already have ISO 27001. Isn't that enough?","a2":"ISO 27001 covers roughly 60–70% of NIS2 requirements. But NIS2 adds obligations around incident reporting (24h/72h), supply chain security, management liability, and BSI registration that ISO 27001 does not address. Our platform covers all of these.","q3":"How much does it cost after the free period?","a3":"We're finalizing pricing for general availability. Founding partners lock in preferential pricing for the lifetime of their account. We'll share details during the demo call.","q4":"How long does implementation take?","a4":"Most companies complete their initial compliance baseline within 2–4 weeks. We onboard you within 48 hours, and the platform guides you through each step. No 6-month implementation projects.","q5":"What about data security?","a5":"All data is hosted in Germany. We use encryption at rest and in transit, role-based access controls, and maintain a complete audit trail. We practice what we preach.","q6":"What happens after the free months?","a6":"You transition to a paid plan at the rate discussed during onboarding. No surprise pricing. If you decide it's not for you, we help you export all your data. No lock-in."},"finalCta":{"headline":"The BSI registration deadline is March 2026. We can onboard you within 48 hours.","cta":"Book Your 30-Minute Demo","email":"Or email us directly: contact@nisd2.eu"}},"gap-assessment":{"title":"NIS2 Gap Assessment","subtitle":"Evaluate your NIS2 readiness across 15 domains","startAssessment":"Start Assessment","resumeAssessment":"Resume Assessment","viewResults":"View Results","day":"Day {number}","dayOf":"Day {current} of {total}","questionsAnswered":"{answered} of {total} answered","saving":"Saving...","saved":"Saved","overview":{"heading":"Assessment Overview","description":"A structured self-assessment covering all NIS2 compliance domains. Answer honestly about your current state. No right or wrong answers.","day1":"Scoping & Governance","day1desc":"Are you in scope? Does your management understand their liability?","day2":"Risk Management","day2desc":"Do you know your assets, your risks, and your security policies?","day3":"Incident & Business Continuity","day3desc":"Can you detect, respond to, and recover from incidents?","day4":"People, Suppliers & Access","day4desc":"Are your employees trained, suppliers managed, and access controlled?","day5":"Technical Controls & Evidence","day5desc":"Are your technical protections and documentation audit-ready?","questions":"{count} questions","estimatedTime":"~{minutes} min","noActiveSession":"You have not started an assessment yet.","pastSessions":"Previous Assessments","score":"Score: {score}%","completedOn":"Completed {date}","inProgress":"In progress"},"question":{"yes":"Yes","partially":"Partially","no":"No","notApplicable":"N/A","showExplanation":"What does this mean?","hideExplanation":"Hide explanation","legalBasis":"Legal basis","criticality":"Importance","criticalityLevels":{"0":"Informational","1":"Low","2":"Medium","3":"High"},"respondent":{"0":"CEO / Management","1":"IT / Security","2":"HR","3":"Procurement","4":"Anyone"},"suggestedRespondent":"Best answered by"},"navigation":{"previousDay":"Previous Day","nextDay":"Next Day","completeAssessment":"Complete Assessment","backToOverview":"Back to Overview"},"results":{"heading":"Assessment Results","overallScore":"Overall Score","domainScores":"Domain Scores","maturityLevel":"Maturity Level","priorityGaps":"Priority Gaps","exportPdf":"Export PDF","domain":"Domain","score":"Score","maturity":"Maturity","answered":"Answered","noGaps":"No gaps identified. Excellent.","gapRank":"Priority","gapQuestion":"Finding","gapDomain":"Domain","gapConsequence":"Consequence","gapTimeToFix":"Effort","fineRisk":"Fine Risk","viewInPlatform":"View in Platform","maturityLevels":{"critical":"Critical","initial":"Initial","developing":"Developing","managed":"Managed","optimized":"Optimized"},"consequenceLevels":{"0":"Audit Finding","1":"Operational Risk","2":"Fine","3":"Personal Liability"},"timeToFixLevels":{"0":"Quick Win","1":"Days","2":"Weeks","3":"Months"},"summary":{"criticalGaps":"{count} critical gaps","fineExposed":"{count} create fine exposure","personalLiability":"{count} create personal liability for the CEO","quickWins":"{count} can be fixed immediately"},"startCompliance":"Start Closing Gaps","retakeAssessment":"Take Assessment Again"}},"grcComparison":{"meta":{"title":"GRC / ISMS / NIS2 pricing audit: 136 commercial vendors verified","description":"On 17 May 2026 we visited the pricing pages of 136 commercial GRC, ISMS and NIS2 platforms. 103 of them won't tell you what they cost without a demo call. Here's the full list, sortable and filterable. Nine open-source alternatives are excluded by design."},"hero":{"eyebrow":"Market audit · 17 May 2026","title":"We audited 136 commercial GRC/ISMS platforms. 103 won't tell you what they cost.","subtitle":"We captured every vendor's pricing page verbatim. Where pricing is hidden behind a demo form we record 'Demo call required'. No estimates, no third-party sources. Nine open-source alternatives (verinice, CISO Assistant, Deming, ISMS Builder, Unicis CE, ourselves and others) are excluded from this list because they don't sell you a subscription.","ctaPlatform":"Start free","ctaMethodology":"Methodology"},"stats":{"totalLabel":"Vendors audited","transparentLabel":"Public pricing","partialLabel":"Starting price only","gatedLabel":"Demo call required","nis2Label":"NIS2 as framework","ossLabel":"Open source","countriesLabel":"Countries","lastUpdatedPrefix":"As of:"},"thesis":{"title":"Why this market is ripe for disruption","body":"76% of these 136 commercial GRC/ISMS vendors hide their prices. The products are forms, templates and checklists on top of a database. The marginal cost of one more customer is near zero. The price is not. Here are the receipts.","points":[{"title":"Five-figure annual contracts for a form","body":"Vanta, Drata, Secureframe, OneTrust, MetricStream, IBM OpenPages, ServiceNow GRC, Archer, Diligent — every enterprise GRC suite hides pricing and charges €30,000+/year for a workflow tool with templates."},{"title":"Eastern EU vendors are 10x cheaper and transparent","body":"Copla (LT) sells NIS2 for €3,500/year as a dedicated SKU. NIS2 Manager (CZ) at ~€980/month. Conformio (HR) at €145/month. Same product category, different pricing decision."},{"title":"OSS competition is growing from Germany and France","body":"ISMS Builder (DE, AGPL), CISO Assistant (FR, AGPLv3, 130+ frameworks), Little-ISMS-Helper (DACH), Deming (FR) — all free self-hosted, all NIS2 explicit."},{"title":"Market consolidation is accelerating","body":"AuditBoard → Optro. CONTECHNET → i-doit. DocSetMinder → Allgeier. 3rdRisk → Diligent. RISMA + Wired Relations + ComplyCloud → Cerivo. StandardFusion → Wolters Kluwer. Galvanize → Diligent. Tugboat → OneTrust. Archer → Cinven."}]},"filters":{"searchPlaceholder":"Search vendor…","tierLabel":"Pricing model","tierAll":"All","tierTransparent":"Transparent","tierPartial":"Partial","tierGated":"Demo call","tierUnverifiable":"Unverifiable","countryLabel":"Country","countryAll":"All countries","categoryLabel":"Category","categoryAll":"All categories","categoryIsms":"ISMS","categoryGrc":"GRC","categoryTprm":"Vendor risk","categoryConsultancy":"Consultancy + SaaS","categoryAudit":"Audit","categoryRatings":"Cyber ratings","categoryTemplate":"Template shop","categoryAiGrc":"AI GRC","categoryEndpoint":"Endpoint","categoryVuln":"Vulnerability","categoryCspm":"Cloud security","categoryIam":"IAM/Insider","categoryTraining":"Awareness","categoryAsset":"Asset mgmt","categoryReporting":"Reporting","categoryComms":"Secure comms","nis2OnlyLabel":"NIS2 vendors only","freeTierLabel":"Has free option","ossLabel":"Open source only","resetButton":"Reset filters"},"table":{"name":"Vendor","country":"Country","category":"Category","tier":"Pricing","entryPrice":"Entry","nis2":"NIS2","freeTier":"Free","source":"Source","noResults":"No vendors found. Reset filters.","tierBadgeTransparent":"Transparent","tierBadgePartial":"Partial","tierBadgeGated":"Demo call","tierBadgeUnverifiable":"Unverifiable","nis2Yes":"Yes","nis2No":"No","freeTierNone":"—","freeTierTrial":"Trial","freeTierFreemium":"Free","freeTierOss":"OSS","viewVendorPricing":"Open pricing page","lastVerified":"Verified","dataExport":"Data export","dataExportFullOpen":"Fully open","dataExportPartial":"Partial","dataExportReportOnly":"Reports only","dataExportNone":"Nothing documented","dataExportUnknown":"—"},"methodology":{"title":"Methodology","verified":"Verified on","rules":["We visited each pricing page manually.","Prices are quoted verbatim from the vendor's website.","No extrapolation from G2, Capterra, third-party blogs or LinkedIn.","Where prices are hidden behind a demo form: 'Demo call required'.","Where prices are only quoted as 'from €X': 'Partial transparency'.","Quarterly re-audit. Vendors can submit corrections."],"correctionsTitle":"Submit a correction","correctionsBody":"Is our data about your product wrong? Email simon@nisd2.eu with your pricing page URL. We update within 48 hours and keep a change log."},"cta":{"title":"Free + Open Source + no lock-in","body":"We don't sell NIS2 compliance. We make it accessible. Free, open source, no sales team calling you.","button":"Launch platform"}},"improvements":{"title":"Improvements","description":"Continuous improvement items from audits, incidents, and reviews. Supports PDCA cycle per NIS2.","helpText":"Track improvement actions identified from audits, incident post-mortems, management reviews, and KPI trends. Each item has a source, priority, owner, and target date. This register demonstrates your organization's commitment to continuous improvement.","add":"Add Improvement","edit":"Edit Improvement","empty":"No improvement items yet. Add items from audits, incidents, or reviews.","deleteConfirm":"Are you sure you want to delete this improvement item?","actions":"Actions","source":{"audit":"Audit","incident":"Incident","pentest":"Pentest","management_review":"Management Review","kpi_breach":"KPI Breach","gap_analysis":"Gap Analysis","regulatory_change":"Regulatory Change","suggestion":"Suggestion"},"status":{"open":"Open","in_progress":"In Progress","resolved":"Resolved","verified":"Verified","deferred":"Deferred"},"priority":{"P0":"P0 - Immediate","P1":"P1 - 3 months","P2":"P2 - 6 months","P3":"P3 - 12 months"},"fields":{"title":"Title","description":"Description","source":"Source","priority":"Priority","status":"Status","targetDate":"Target Date","deferralReason":"Deferral Reason","verificationNotes":"Verification Notes"},"fieldDescriptions":{"title":"Short descriptive title for this improvement action (e.g., 'Implement MFA for VPN access').","description":"Detailed description of the improvement, including current gap and desired outcome.","source":"Select where this improvement was identified: audit finding, incident post-mortem, management review, KPI breach, etc.","priority":"Select the priority level which determines the implementation timeframe (P0: immediate, P1: 3 months, P2: 6 months, P3: 12 months).","status":"Current status of the improvement: open, in progress, resolved, verified (effectiveness confirmed), or deferred.","targetDate":"Date by which this improvement action should be completed.","deferralReason":"If status is Deferred, provide the justification and expected resumption timeline.","verificationNotes":"Document how the effectiveness of this improvement was verified after implementation."}},"incidents":{"title":"Incident Register","description":"Security incident log with severity classification and timeline tracking. Required by NIS2 Art. 23.","helpText":"Log every security incident when it occurs. NIS2 requires early warning to BSI within 24 hours and full notification within 72 hours for significant incidents. Record severity, affected systems, timeline, and resolution steps.","add":"Report Incident","edit":"Edit Incident","empty":"No incidents recorded. Report an incident when one occurs.","deleteConfirm":"Are you sure you want to delete this incident?","actions":"Actions","severity":{"near_miss":"Near Miss","incident":"Incident","significant":"Significant"},"fields":{"title":"Title","description":"Description","severity":"Severity","situationColor":"Situation Color","discoveredAt":"Discovered At","occurredAt":"Occurred At","resolvedAt":"Resolved At","confidentialityImpacted":"Confidentiality Impacted","integrityImpacted":"Integrity Impacted","availabilityImpacted":"Availability Impacted","threatType":"Threat Type","rootCause":"Root Cause","countermeasures":"Countermeasures","preventiveMeasures":"Preventive Measures","requiresGdprNotification":"GDPR Breach Notification Required","dataSubjectsAffected":"Data Subjects Affected","gdprNotifiedAt":"GDPR Authority Notified","notifiedDataSubjectsAt":"Data Subjects Notified"},"bsiDeadlines":{"title":"BSI Reporting Deadlines","overdue":"Overdue","dueIn":"Due in {days}d","dueToday":"Due today","reportType":{"early_warning":"24h Early Warning","notification":"72h Notification","intermediate":"Intermediate Report","final":"Final Report","progress":"Progress Report"}},"fieldDescriptions":{"title":"Short descriptive name for this incident (e.g., 'Phishing attack on finance department').","description":"Detailed description of what happened, which systems and data were affected, and the scope of impact.","severity":"Select the severity level. 'Significant' incidents require BSI notification within 24h (early warning) and 72h (full report) under NIS2 Art. 23.","situationColor":"Traffic-light indicator of current incident status: green (contained), amber (ongoing), red (critical).","discoveredAt":"Date and time when this incident was first detected or reported.","occurredAt":"Date and time when this incident actually began (may differ from discovery).","resolvedAt":"Date and time when this incident was fully resolved and normal operations resumed.","confidentialityImpacted":"Enable if unauthorized disclosure of information occurred or is suspected.","integrityImpacted":"Enable if unauthorized modification or corruption of data occurred or is suspected.","availabilityImpacted":"Enable if services or systems were disrupted or rendered unavailable.","threatType":"Select the type of threat (e.g., malware, DDoS, insider, phishing, vulnerability exploitation).","rootCause":"Describe the underlying cause of the incident after investigation is complete.","countermeasures":"Describe the immediate actions taken to contain and remediate the incident.","preventiveMeasures":"Describe the long-term measures implemented to prevent recurrence of this type of incident.","requiresGdprNotification":"Enable if this incident involved a personal data breach requiring notification to the supervisory authority under GDPR Art. 33 (within 72 hours of awareness).","dataSubjectsAffected":"Approximate number of data subjects whose personal data was compromised (Art. 33(3)(a) — required content of notification).","gdprNotifiedAt":"Date and time the supervisory authority was notified of the breach.","notifiedDataSubjectsAt":"Date and time affected data subjects were informed (Art. 34 — required when breach poses high risk)."}},"info":{"footer":{"nis2Info":"NIS2 Information","whatIsNis2":"What is NIS2?","nis2InGermany":"NIS2 in Germany","nis2Requirements":"NIS2 Requirements","ceoLiability":"Management Liability (§38)","grundschutz":"NIS2 & IT-Grundschutz","costs":"Implementation Costs","smeGuide":"Guide for Mid-Market","checklist":"Requirements Checklist","platform":"Platform","applicabilityCheck":"Applicability Check","nis2Roadmap":"NIS2 Roadmap for Managing Directors","signIn":"Sign In","trainingPortal":"Training Portal","scheduleDemo":"Schedule a Demo","copyright":"NISD2.eu - NIS2 Compliance Platform","disclaimer":"This platform is a compliance management tool and does not constitute legal advice. All compliance responsibility remains with the user.","features":"Features","nis2Tool":"NIS2 Tool: Buyer's Guide","nis2Documents":"NIS 2 Documents (Required List)","featureGuided":"Step-by-step guided","featureLiability":"Management liability protection","featureRequirements":"49 structured BSIG requirements","featureDeadlines":"Deadline tracking & escalation","featureModules":"12 operational security modules","featureAuditTrail":"Permanent audit trail & data","legal":"Legal","mission":"Our Mission","team":"Team","corrections":"Corrections","terms":"Terms of Service","impressum":"Legal Notice","datenschutz":"Privacy Policy","avv":"Data Processing Agreement (DPA)","toms":"TOMs (Art. 32 GDPR)","changelog":"Changelog","openSource":"Open Source","status":"Status","contact":"Contact","hostedInGermany":"Hosted in Germany","gdprCompliant":"GDPR-compliant","avvBadge":"DPA available","tomsBadge":"TOMs published","expertArticles":"Expert Articles","registration":"NIS2 Registration Gap","cirGuide":"CIR 2024/2690 Guide","isoMapping":"ISO 27001 vs NIS2","incidentReporting":"Incident Reporting","euImplementation":"NIS2 Across Europe","multiCountryReg":"NIS2 in Multiple EU Countries","missedRegistration":"Missed Registration?","kritisComparison":"NIS2 vs KRITIS","penalties":"Penalties & Fines","sectorWaste":"Waste Management","glossary":"NIS2 Glossary","securityObligation":"IT Security Obligation","bsiRegistration":"BSI Registration Guide","whatToDo":"NIS2 - What To Do Now","sectorFood":"NIS2 for Food Industry","sectorManufacturing":"NIS2 for Manufacturing","sectorHealth":"NIS2 for Healthcare","sectorLogistics":"NIS2 for Logistics","europeanStandard":"NIS2 European Standard","entityTypes":"NIS2 Entity Types","gapAssessment":"NIS2 Gap Assessment","faq":"NIS2 FAQ","timeline":"NIS2 Timeline","registrationPortals":"Registration Portals","supplyChainCompliance":"NIS2 for Suppliers"},"relatedArticles":{"heading":"Related Articles"},"impressum":{"meta":{"title":"Impressum - NISD2.eu","description":"Legal notice (Impressum) for NISD2.eu pursuant to Section 5 DDG."},"title":"Impressum","subtitle":"Legal notice pursuant to Section 5 DDG (Digitale-Dienste-Gesetz).","responsible":{"heading":"Information pursuant to Section 5 DDG","company":"Kardashev Catalyst UG (haftungsbeschränkt)","represented":"Represented by: Simon Orzel (Geschäftsführer)","registration":"Amtsgericht Köln, HRB 126993","euid":"EUID: DER3306.HRB126993","address":"Trierer Str. 6, 50676 Köln, Germany","emailLabel":"Email","email":"contact@nisd2.eu"},"mstv":{"heading":"Responsible for content pursuant to Section 18(2) MStV","name":"Simon Orzel","address":"Trierer Str. 6, 50676 Köln, Germany"},"dispute":{"heading":"EU Online Dispute Resolution","p1":"The European Commission provides a platform for online dispute resolution (ODR):","url":"https://ec.europa.eu/consumers/odr/","p2":"We are neither willing nor obligated to participate in dispute resolution proceedings before a consumer arbitration board."},"liability":{"heading":"Liability for Content","p1":"As a service provider, we are responsible for our own content on these pages in accordance with general laws pursuant to Section 7(1) DDG. According to Sections 8 to 10 DDG, however, we are not obligated as a service provider to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity.","p2":"Obligations to remove or block the use of information under general law remain unaffected. However, liability in this regard is only possible from the time of knowledge of a specific legal violation. Upon becoming aware of such violations, we will remove this content immediately."},"links":{"heading":"Liability for Links","p1":"Our website contains links to external third-party websites over whose content we have no influence. Therefore, we cannot assume any liability for this third-party content. The respective provider or operator of the pages is always responsible for the content of the linked pages.","p2":"The linked pages were checked for possible legal violations at the time of linking. Illegal content was not recognizable at the time of linking. Permanent content control of linked pages is unreasonable without concrete evidence of a legal violation. Upon becoming aware of legal violations, we will remove such links immediately."},"copyright":{"heading":"Copyright","p1":"The content and works created by the site operators on these pages are subject to German copyright law. Duplication, processing, distribution, and any kind of use beyond the limits of copyright law require the written consent of the respective author or creator.","p2":"Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is marked as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. Upon becoming aware of legal violations, we will remove such content immediately."}},"datenschutz":{"meta":{"title":"Privacy Policy - NISD2.eu","description":"Privacy policy for NISD2.eu in accordance with the EU General Data Protection Regulation (GDPR)."},"title":"Privacy Policy","subtitle":"Information on data processing in accordance with the EU General Data Protection Regulation (GDPR).","responsible":{"heading":"Responsible Party","p1":"The responsible party for data processing on this website is:","company":"Kardashev Catalyst UG (haftungsbeschränkt)","represented":"Represented by: Simon Orzel (Geschäftsführer)","registration":"Amtsgericht Köln, HRB 126993","address":"Trierer Str. 6, 50676 Köln, Germany","emailLabel":"Email","email":"contact@nisd2.eu"},"dataCollected":{"heading":"Data We Collect","p1":"When you use our platform, we process the following personal data:","account":"Account data: name and email address provided via Google OAuth during sign-in","forms":"Form submissions: data you enter in compliance requirement forms","files":"Uploaded files: evidence documents you upload to the platform","technical":"Technical data: IP address, browser type, and access timestamps in server logs"},"purpose":{"heading":"Purpose and Legal Basis","p1":"We process your data for the following purposes:","items":{"contract":"Providing the NIS2 compliance platform (Art. 6(1)(b) GDPR - performance of a contract)","auth":"User authentication and account management (Art. 6(1)(b) GDPR)","security":"Ensuring the security and integrity of our platform (Art. 6(1)(f) GDPR - legitimate interest)","legal":"Compliance with legal obligations (Art. 6(1)(c) GDPR)"}},"processors":{"heading":"Third-Party Processors","p1":"We use the following third-party services to operate the platform:","google":"Google (OAuth): authentication - processes your name and email address for sign-in","aws":"Amazon Web Services (S3): file storage - stores evidence documents you upload","resend":"Resend: transactional email - delivers notification and invitation emails","xai":"xAI: AI-assisted form prefill - processes company information to generate draft form responses"},"analytics":{"heading":"Analytics","p1":"We use Umami for website analytics. Umami is self-hosted on our own infrastructure. It does not collect personal data, does not use cookies, and does not track individual users. All data is aggregated and anonymous. No consent is required for this type of analytics."},"cookies":{"heading":"Cookies","p1":"This website only uses technically necessary cookies:","session":"Session cookie (NextAuth): required for authentication - expires when you sign out or after the session timeout","locale":"Locale cookie (next-intl): stores your language preference (EN/DE)","p2":"We do not use tracking cookies, advertising cookies, or any third-party cookies. No cookie consent banner is needed because only technically necessary cookies are set."},"rights":{"heading":"Your Rights (Art. 15-21 GDPR)","p1":"You have the following rights regarding your personal data:","access":"Right of access (Art. 15): request information about what data we store","rectification":"Right to rectification (Art. 16): correct inaccurate data","erasure":"Right to erasure (Art. 17): request deletion of your data","restriction":"Right to restriction (Art. 18): restrict processing of your data","portability":"Right to data portability (Art. 20): receive your data in a machine-readable format","objection":"Right to object (Art. 21): object to processing based on legitimate interest","p2":"To exercise any of these rights, contact us at contact@nisd2.eu."},"authority":{"heading":"Right to Lodge a Complaint","p1":"You have the right to lodge a complaint with a supervisory authority. The competent authority for Köln is:","name":"Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)","url":"https://www.ldi.nrw.de"},"encryption":{"heading":"SSL/TLS Encryption","p1":"This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the \"https://\" prefix and the lock icon in your browser's address bar."},"retention":{"heading":"Data Retention","p1":"Your data is stored as long as your account is active and necessary for the purposes described above. Compliance data (form submissions, evidence, audit trail) is retained for the legally required period. When you delete your account, personal data is removed. Anonymized audit trail entries may be retained."},"changes":{"heading":"Changes to This Policy","p1":"We may update this privacy policy from time to time. The current version is always available on this page. Last updated: February 2025."}},"avv":{"meta":{"title":"Data Processing Agreement (DPA / AVV) - Art. 28 GDPR","description":"Data processing agreement under Art. 28 GDPR for customers of the NISD2.eu platform. Signed individually on request."},"title":"Data Processing Agreement (AVV / DPA)","subtitle":"Agreement under Art. 28 GDPR for customers of the NISD2.eu platform.","intro":{"heading":"What this is","p1":"When you use the NISD2.eu platform, we process personal data on your behalf (e.g. names of your employees in compliance forms, evidence you upload). Art. 28 GDPR requires a written data processing agreement (DPA, in German AVV) between you as controller and us as processor.","p2":"On request, we provide a DPA and sign it individually for your organisation - typically within one business day."},"scope":{"heading":"Contents of the DPA","p1":"The DPA we provide meets Art. 28 GDPR requirements and includes:","items":{"subject":"Subject and duration of processing","purpose":"Nature and purpose of processing, types of data, categories of data subjects","instructions":"Processor acts only on documented instructions","confidentiality":"Confidentiality obligations of personnel","toms":"Technical and organisational measures (Art. 32 GDPR) - see TOMs document","subprocessors":"List of sub-processors and approval procedure","rights":"Assistance with data subject rights (Art. 15-22 GDPR)","audit":"Audit rights of the controller","deletion":"Deletion or return of data on termination","liability":"Liability and cooperation obligations"}},"request":{"heading":"Request a DPA","p1":"Send an email to contact@nisd2.eu with the following information:","items":{"company":"Full company name and registered address","register":"Commercial register number (if applicable)","represented":"Authorised representative","contact":"Data protection contact person"},"p2":"We typically return the signed DPA within one business day by email. A signed paper copy by post is available on request.","emailLabel":"Request DPA by email","emailHref":"mailto:contact@nisd2.eu?subject=DPA%20request%20NISD2.eu"},"subprocessors":{"heading":"Sub-processors","p1":"The following sub-processors are used to operate the platform:","items":{"hetzner":"Hetzner Online GmbH (Falkenstein/Nuremberg, Germany) - hosting of application servers and database","aws":"Amazon Web Services EMEA SARL - storage of uploaded evidence documents (S3, EU region)","google":"Google Ireland Limited - OAuth authentication","resend":"Resend, Inc. (USA) - delivery of transactional emails","xai":"xAI Corp. (USA) - AI-assisted form prefill (optional, can be disabled)"},"p2":"Changes to the sub-processor list will be announced in advance. You have the right to object to changes."},"toms":{"heading":"Technical and organisational measures","p1":"The technical and organisational measures relevant to this DPA under Art. 32 GDPR are described in our TOMs document.","linkLabel":"View TOMs document","linkHref":"/toms"}},"toms":{"meta":{"title":"Technical and Organisational Measures (TOMs) - Art. 32 GDPR","description":"Technical and organisational measures of the NISD2.eu platform under Art. 32 GDPR. Hetzner Germany hosting, TLS, audit trail with SHA-256 chaining, multi-tenant isolation, RBAC."},"title":"Technical and Organisational Measures (TOMs)","subtitle":"Measures under Art. 32 GDPR ensuring the security of personal data processing on the NISD2.eu platform.","lastUpdated":"Last updated: April 2026.","intro":{"heading":"Overview","p1":"This document describes the technical and organisational measures actually implemented by Kardashev Catalyst UG (haftungsbeschränkt) as operator of the NISD2.eu platform. It is an honest inventory, not a wish list - we list only what is already in place.","p2":"The measures are aligned with IT-Grundschutz (BSI) and will be extended as the platform grows."},"hosting":{"heading":"Hosting in the EU","p1":"Production processing of personal data takes place exclusively within the EU:","items":{"appServers":"Application servers and PostgreSQL database: Hetzner Online GmbH, data centre Falkenstein/Nuremberg, Germany","fileStorage":"Storage of uploaded evidence documents: AWS S3, EU region","noUSTransfer":"No production data processing outside the EU. US sub-services (Resend for transactional email, xAI for optional AI prefill) only process the data necessary for their function."}},"pseudonymization":{"heading":"Encryption (Art. 32(1)(a) GDPR)","items":{"transit":"Transport encryption: TLS for all connections to the platform (HTTPS)","rest":"Encryption at rest: AWS S3 server-side encryption (AES256, set explicitly on every upload via PutObject); PostgreSQL data on Hetzner infrastructure","secrets":"Credentials and API keys are managed via server environment variables, not stored in source or databases"}},"confidentiality":{"heading":"Confidentiality (Art. 32(1)(b) GDPR)","p1":"Measures ensuring confidentiality:","items":{"physical":"Physical access control: data centres of the hosting providers (Hetzner, AWS) hold ISO 27001 certifications","auth":"Authentication: exclusively via Google OAuth 2.0; no passwords stored on the platform. MFA for users is provided through their Google account","rbac":"Role-based permissions: admin, reviewer, member; enforced in the application layer via tRPC middleware","separation":"Multi-tenant isolation: every data-bearing query filters at the database layer on the company ID of the authenticated user; no shared data pools between customers","secrets":"No plaintext passwords on the platform - authentication is exclusively OAuth-based"}},"integrity":{"heading":"Integrity (Art. 32(1)(b) GDPR)","items":{"input":"Input control: audit trail of all mutations capturing user ID, action, entity type, timestamp, IP address, user agent, and before/after values","checksum":"Audit trail tamper detection: every audit row carries a SHA-256 checksum over its contents so changes to a row are detectable","transfer":"Transfer control: data transmission only via TLS; all authenticated endpoints require a valid session","evidenceHash":"Evidence documents: storage location and metadata are written on upload; an optional client-supplied SHA-256 hash can be stored alongside the file","signoff":"Sign-off mechanism: at the moment of approval, the requirement state is snapshotted into a sign-off history table whose entries form a SHA-256 chain (each entry's checksum covers the previous one) - tampering with the history is detectable end-to-end"}},"availability":{"heading":"Availability (Art. 32(1)(b) GDPR)","items":{"backup":"Database backups according to the Hetzner Cloud service defaults; details on the current backup configuration are available on request","redundancy":"Storage of evidence documents in AWS S3 with the object durability guarantees provided by AWS","rateLimit":"Rate limiting on login attempts, public endpoints (applicability check, supplier portal), and resource-heavy authenticated endpoints (PDF exports, certificate generation)","uploadLimit":"Uploaded files are limited to 50 MB per file"}},"evaluation":{"heading":"Procedure for regular review (Art. 32(1)(d) GDPR)","items":{"review":"These TOMs are reviewed when triggered by an event and at least once per year","patch":"Updates of dependencies and security-relevant libraries: Dependabot is enabled to surface security patches and version updates as pull requests on a weekly cadence","incident":"Reporting obligations: personal data breaches will be reported to the competent supervisory authority within 72 hours per Art. 33 GDPR","code":"Development practice: code changes go through pull requests; TypeScript strict-mode type checks are enforced; targeted automated tests cover security-critical logic (e.g. applicability classification)"}},"subprocessors":{"heading":"Sub-processors","p1":"All sub-processors are bound by Art. 28 GDPR contracts. The full list is in the DPA document.","linkLabel":"See full sub-processor list (DPA)","linkHref":"/avv"},"contact":{"heading":"Data protection contact","p1":"Questions about these TOMs or our data processing should be sent to:","email":"contact@nisd2.eu"}},"terms":{"meta":{"title":"Terms of Service - NISD2.eu","description":"Terms of service for the NISD2.eu NIS2 compliance platform. Information on usage scope, liability, and data protection."},"title":"Terms of Service","subtitle":"Please read these terms carefully before using the NISD2.eu platform.","lastUpdated":"Last updated: February 2026.","scope":{"heading":"1. Scope of Service","p1":"NISD2.eu (\"Platform\") is a compliance management tool operated by Simon Orzel (\"Provider\"). The Platform provides structured workflows, forms, document management, and tracking features to support organizations in managing their NIS2/BSIG compliance obligations.","p2":"The Platform is exclusively a support tool for areas that are within the customer's sole responsibility. The Provider does not assume any responsibility for a specific compliance result or success."},"noLegalAdvice":{"heading":"2. No Legal Advice","p1":"The Platform does not constitute legal advice, legal counsel, or any form of professional legal service. Content provided on the Platform - including requirement descriptions, guidance text, form fields, and informational pages - is for general informational purposes only.","p2":"The Platform is not a substitute for qualified legal, regulatory, or professional advice. Users should consult with qualified professionals for advice specific to their situation.","p3":"No attorney-client relationship or professional advisory relationship is created between the Provider and users of the Platform."},"customerResponsibility":{"heading":"3. Customer Responsibility","p1":"The customer is solely responsible for:","items":{"accuracy":"The accuracy, completeness, and truthfulness of all data entered into the Platform","applicability":"Determining whether specific requirements, measures, or obligations apply to their organization","compliance":"Achieving and maintaining compliance with NIS2, BSIG, and all other applicable laws and regulations","decisions":"All compliance decisions made based on or in connection with the use of the Platform","review":"Having qualified professionals review their compliance documentation where appropriate"},"p2":"The Platform validates the completeness of form submissions, not the correctness or legal sufficiency of the content provided by the customer."},"noGuarantee":{"heading":"4. No Guarantee of Compliance Outcomes","p1":"The Provider does not guarantee or warrant that:","items":{"audit":"Use of the Platform will result in passing any audit, inspection, or regulatory review","compliant":"Information or workflows provided through the Platform are complete, accurate, or suitable for any specific organization's compliance needs","penalty":"Use of the Platform will prevent fines, penalties, or enforcement actions by regulatory authorities","requirements":"The Platform covers all requirements that may apply to a specific organization"},"p2":"The Provider does not assume any guarantees, not even with regard to certain characteristics or properties of the service. Results provided by the Platform rely on customer inputs, assumptions, and individual circumstances."},"liability":{"heading":"5. Limitation of Liability","p1":"The Provider's liability is limited to cases of willful intent and gross negligence. For minor negligence involving essential contractual obligations, liability is limited to foreseeable, contract-typical damages up to the total fees paid by the customer in the twelve (12) months preceding the event giving rise to the claim.","p2":"The Provider is not liable for indirect damages, consequential damages, loss of profit, loss of data, loss of savings, regulatory fines imposed on the customer, or business interruption, to the extent permitted by applicable law.","p3":"The limitations above do not apply to liability for personal injury or liability under the German Product Liability Act (Produkthaftungsgesetz)."},"indemnification":{"heading":"6. Indemnification","p1":"The customer agrees to indemnify and hold the Provider harmless from any third-party claims, damages, losses, or expenses arising from:","items":{"misuse":"The customer's use of the Platform in violation of these terms","data":"Inaccurate, incomplete, or misleading data provided by the customer","claims":"Claims related to the customer's compliance status or regulatory obligations"}},"ip":{"heading":"7. Intellectual Property and Data","p1":"All Platform content, including software, requirement structures, form designs, guidance text, and workflows, is the intellectual property of the Provider.","p2":"All data entered by the customer into the Platform remains the property of the customer. The Provider processes customer data solely for the purpose of providing the service, in accordance with the Privacy Policy."},"availability":{"heading":"8. Service Availability","p1":"The Provider endeavors to maintain Platform availability but does not guarantee uninterrupted or error-free operation. Scheduled maintenance and unforeseen outages may occur. The Provider is not liable for any damages resulting from service interruptions."},"changes":{"heading":"9. Changes to These Terms","p1":"The Provider may update these terms from time to time. Material changes will be communicated to registered users. Continued use of the Platform after changes take effect constitutes acceptance of the updated terms."},"governing":{"heading":"10. Governing Law and Jurisdiction","p1":"These terms are governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction for all disputes arising from or in connection with these terms is Cologne (Köln), Germany, to the extent permitted by law."},"severability":{"heading":"11. Severability","p1":"If any provision of these terms is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced by a valid provision that most closely reflects the economic intent of the original."},"contact":{"heading":"12. Contact","p1":"For questions about these terms, please contact:","name":"Simon Orzel","address":"Trierer Str. 6, 50676 Cologne, Germany","emailLabel":"Email","email":"contact@nisd2.eu"}},"whatIsNis2":{"meta":{"title":"What is NIS2? - EU Directive 2022/2555 Explained","description":"Complete overview of the EU NIS2 Directive: timeline, affected sectors, size thresholds, and key obligations for essential and important entities."},"title":"What is NIS2?","subtitle":"EU Directive 2022/2555 on cybersecurity - the most significant overhaul of EU-wide cybersecurity regulation since 2016.","overview":{"heading":"Overview","p1":"The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across all Member States. It replaces the original NIS Directive from 2016.","p2":"NIS2 dramatically expands the scope of EU cybersecurity regulation - from approximately 10,000 entities under NIS1 to an estimated 160,000 across Europe. In Germany alone, roughly 29,500 companies are affected.","p3":"The directive mandates harmonized risk management measures, incident reporting obligations, and supply chain security requirements. It introduces personal liability for management and significantly higher penalties for non-compliance."},"timeline":{"heading":"Key Dates","items":{"published":{"date":"27 December 2022","event":"NIS2 Directive published in the EU Official Journal"},"inForce":{"date":"16 January 2023","event":"NIS2 enters into force at EU level"},"transposition":{"date":"17 October 2024","event":"Deadline for Member States to transpose into national law"},"registries":{"date":"17 April 2025","event":"Deadline for Member States to establish entity registries"},"review":{"date":"17 October 2027","event":"European Commission reviews the directive's functioning"}},"seeFullTimeline":"See full NIS2 timeline"},"nis1VsNis2":{"heading":"NIS1 vs NIS2","headers":{"aspect":"Aspect","nis1":"NIS1 (2016)","nis2":"NIS2 (2022)"},"rows":{"scope":{"aspect":"Scope","nis1":"~10,000 entities in the EU","nis2":"~160,000 entities in the EU"},"sectors":{"aspect":"Sectors","nis1":"7 sectors","nis2":"18 sectors (11 highly critical + 7 other critical)"},"classification":{"aspect":"Entity classification","nis1":"Operators of essential services (OES) + digital service providers","nis2":"Essential entities + Important entities (size-based)"},"penalties":{"aspect":"Penalties","nis1":"Set by Member States, varied widely","nis2":"Harmonized: up to EUR 10M or 2% of global turnover"},"management":{"aspect":"Management liability","nis1":"Not addressed","nis2":"Personal liability for management bodies"},"reporting":{"aspect":"Incident reporting","nis1":"Without undue delay","nis2":"Strict 24h / 72h / 1 month cascade"},"supplyChain":{"aspect":"Supply chain","nis1":"Not addressed","nis2":"Mandatory supply chain security assessment"},"supervision":{"aspect":"Supervision","nis1":"Left to Member States","nis2":"Proactive (essential) + reactive (important)"}}},"sectors":{"heading":"18 Affected Sectors","annexI":{"heading":"Annex I - Sectors of High Criticality","description":"Large entities in these sectors are classified as essential (essential entities). Medium entities are classified as important.","items":{"energy":"Energy (electricity, district heating/cooling, oil, gas, hydrogen)","transport":"Transport (air, rail, water, road)","banking":"Banking","financial":"Financial market infrastructures","health":"Health (hospitals, pharma, medical devices, reference labs)","water":"Drinking water","wastewater":"Wastewater","digital":"Digital infrastructure (DNS, TLD, cloud, data centres, CDN, telecom)","ict":"ICT service management - B2B (MSP, MSSP)","publicAdmin":"Public administration","space":"Space"}},"annexII":{"heading":"Annex II - Other Critical Sectors","description":"Entities in these sectors are classified as important, regardless of whether they are medium or large.","items":{"postal":"Postal and courier services","waste":"Waste management","chemicals":"Chemicals (manufacturing, production, distribution)","food":"Food (wholesale, industrial production, processing)","manufacturing":"Manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, other transport)","digitalProviders":"Digital providers (online marketplaces, search engines, social networks)","research":"Research organizations"}}},"sizeThresholds":{"heading":"Size Thresholds","description":"NIS2 uses the EU SME definition. Classification is determined by employee count OR financial metrics (both turnover AND balance sheet must be exceeded for the financial test).","headers":{"size":"Size","employees":"Employees","financial":"Financial Threshold","scope":"NIS2 Scope"},"rows":{"large":{"size":"Large","employees":"≥ 250","financial":"> EUR 50M turnover AND > EUR 43M balance sheet","scope":"In scope"},"medium":{"size":"Medium","employees":"≥ 50 (and < 250)","financial":"> EUR 10M turnover AND > EUR 10M balance sheet","scope":"In scope"},"small":{"size":"Small","employees":"< 50","financial":"≤ EUR 10M turnover AND ≤ EUR 10M balance sheet","scope":"Generally out of scope"}},"note":"Certain entity types are in scope regardless of size - including DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services."},"obligations":{"heading":"Key Obligations at a Glance","items":{"risk":"Implement 10 mandatory cybersecurity risk management measures","reporting":"Report significant incidents within 24h / 72h / 1 month","management":"Management must approve, oversee, and be trained on cybersecurity","supplyChain":"Assess and manage cybersecurity risks in the supply chain","registration":"Register with the national competent authority","audit":"Maintain evidence of compliance (audits for KRITIS operators every 3 years)"}}},"nis2InGermany":{"meta":{"title":"NIS2 in Germany 2026: Deadlines, Fines & BSIG Guide","description":"NIS2 in Germany explained: NIS2UmsuCG status, BSI registration deadline, essential vs important entities, fines up to €10M, management liability, supervision."},"title":"NIS2 in Germany","subtitle":"Germany transposed the NIS2 Directive into national law through the NIS2UmsuCG, overhauling the Federal Cybersecurity Act (BSIG). All obligations apply since 6 December 2025.","timeline":{"heading":"German Timeline","items":{"euPublished":{"date":"27 Dec 2022","event":"NIS2 Directive published in the EU Official Journal"},"euForce":{"date":"16 Jan 2023","event":"NIS2 enters into force at EU level"},"euDeadline":{"date":"17 Oct 2024","event":"EU transposition deadline (Germany missed it)"},"bundestag":{"date":"13 Nov 2025","event":"Bundestag passes NIS2UmsuCG"},"bundesrat":{"date":"21 Nov 2025","event":"Bundesrat approves"},"published":{"date":"5 Dec 2025","event":"Published in Bundesgesetzblatt"},"inForce":{"date":"6 Dec 2025","event":"New BSIG enters into force - all obligations apply immediately"},"portal":{"date":"6 Jan 2026","event":"BSI registration portal goes live"},"registration":{"date":"6 Mar 2026","event":"Deadline for BSI registration"},"kritisAudit":{"date":"~2028","event":"KRITIS operators: first evidence of compliance due"}},"noTransition":"There is no transition period. Risk management measures, incident reporting, and management liability applied from the day the law entered into force.","seeFullTimeline":"See full NIS2 timeline"},"categories":{"heading":"Entity Categories","description":"Germany uses different terminology than the EU directive. Approximately 29,500 companies in Germany are affected.","headers":{"euTerm":"EU Term","germanTerm":"German Term","abbreviation":"Abbreviation"},"rows":{"essential":{"eu":"Essential entity","de":"Besonders wichtige Einrichtung","abbr":"bwE"},"important":{"eu":"Important entity","de":"Wichtige Einrichtung","abbr":"wE"},"kritis":{"eu":"Critical infrastructure operator","de":"Betreiber kritischer Anlagen","abbr":"KRITIS"}},"hierarchy":"The hierarchy: KRITIS ⊂ essential entities ⊂ all NIS2 entities. KRITIS operators are automatically classified as essential entities."},"penalties":{"heading":"Penalties","byCategory":{"heading":"By Entity Category","headers":{"category":"Category","maxFine":"Maximum Fine","turnover":"Turnover-Based Alternative"},"rows":{"bwe":{"category":"Essential entities","fine":"EUR 10,000,000","turnover":"2% of worldwide annual group turnover"},"we":{"category":"Important entities","fine":"EUR 7,000,000","turnover":"1.4% of worldwide annual group turnover"}}},"byViolation":{"heading":"By Violation Type","headers":{"violation":"Violation","maxFine":"Maximum Fine"},"rows":{"measures":{"violation":"Failure to implement cybersecurity measures (§30)","fine":"EUR 10M / EUR 7M"},"incidents":{"violation":"Failure to report incidents (§31)","fine":"EUR 10M / EUR 7M"},"bsiDirectives":{"violation":"Non-compliance with BSI directives","fine":"EUR 10M / EUR 7M"},"kritisComponents":{"violation":"KRITIS: failure in critical component reporting","fine":"EUR 5,000,000"},"kritisAudit":{"violation":"KRITIS: failure in audit evidence procedures","fine":"EUR 2,000,000"},"registration":{"violation":"Registration violations, failure to notify BSI","fine":"EUR 500,000"},"obstruction":{"violation":"Obstruction of BSI inspections","fine":"EUR 500,000"},"contact":{"violation":"Contact accessibility failures","fine":"EUR 100,000"}}}},"managementLiability":{"heading":"Management Liability (Section 38 BSIG)","description":"One of the most impactful provisions of the German implementation. Management bodies are personally liable for cybersecurity compliance.","duties":{"heading":"Three Core Duties","approval":{"title":"Approval (Billigung)","description":"Management must formally approve cybersecurity risk management measures per Section 30 BSIG."},"oversight":{"title":"Oversight (Überwachung)","description":"Active monitoring of implementation - not passive awareness. Management must verify that measures are actually being implemented."},"training":{"title":"Training (Schulung)","description":"Mandatory personal participation in cybersecurity training at minimum every 3 years. This duty cannot be delegated."}},"liability":"Executives are personally liable to their own company when they culpably violate these duties. Delegation of operational tasks is permitted, but strategic responsibility and oversight remain with management. Management cannot claim lack of technical knowledge as defense.","waiver":"Section 38 BSIG explicitly prohibits contractual liability waivers by shareholders that are disproportionate to existing uncertainty regarding rights."},"registration":{"heading":"BSI Registration","description":"All entities classified as essential or important entities must register with the BSI.","deadline":"Deadline: 6 March 2026 (3 months after the BSIG entered into force).","process":"Registration uses a two-step process: first create an account via Mein Unternehmenskonto (MUK/ELSTER), then register via the BSI portal (live since 6 January 2026).","selfId":"Registration is a self-identification obligation - no notification from BSI. Companies must determine themselves whether they are in scope. The BSI can also order a company to register if it determines the company falls within scope."},"supervision":{"heading":"Supervision Model","headers":{"aspect":"Aspect","bwe":"Essential","we":"Important"},"rows":{"approach":{"aspect":"Supervision","bwe":"Proactive (ex-ante) - BSI can audit at any time","we":"Reactive (ex-post) - only on evidence of non-compliance"},"fines":{"aspect":"Maximum fine","bwe":"EUR 10M or 2% global turnover","we":"EUR 7M or 1.4% global turnover"},"audit":{"aspect":"Audit requirements","bwe":"Risk-based spot checks by BSI","we":"Only on justified suspicion"},"kritisAudit":{"aspect":"KRITIS audit cycle","bwe":"Every 3 years (if KRITIS operator)","we":"N/A"}}}},"features":{"meta":{"title":"NIS2 Compliance Software: Free Platform — Features","description":"Free NIS2 compliance software with all 49 BSIG requirements, deadline tracking, audit trail, management liability protection. EU-wide, no lock-in."},"title":"Platform Features","subtitle":"Step-by-step through every NIS2 requirement. No compliance background needed, just start and we guide you to the finish line.","badges":{"tenMeasures":"10 Measures","traceable":"Traceable","requirements":"Requirements","measures":"§ 30 Measures","assistedPrefill":"Assisted Prefill","tenPhases":"10 Phases","granular":"Granular","exportAnytime":"Export Anytime","dataStaysForever":"Data Stays Forever","date":"Date","event":"Event"},"guided":{"heading":"Guided Step-by-Step Process","p1":"You don't need to understand NIS2 to get compliant. The platform walks you through every requirement one by one, with clear instructions and structured forms.","p2":"This is not a generic GRC tool. Every requirement maps directly to the BSIG, broken into the 10 mandatory measures of Section 30 and the entity categories of Sections 28-29.","p3":"Just answer the questions, upload your evidence, and move on. When you're done, you have a complete, audit-ready compliance record."},"liability":{"heading":"Management Liability Protection","p1":"Section 38 BSIG makes management personally liable for cybersecurity compliance. Three duties apply: approval, oversight, and training. These cannot be delegated away.","p2":"NISD2.eu structures compliance so that management can demonstrate they fulfilled all three duties. Every approval is logged with timestamp and user identity, creating the evidence trail that Section 38 demands.","p3":"If the BSI audits your company, you need proof that management approved measures, oversaw implementation, and completed training. This platform generates that proof as a byproduct of normal use."},"requirements":{"heading":"49 Structured BSIG Requirements","p1":"The 10 mandatory measures of Section 30 BSIG are broken down into 49 concrete, actionable requirements - each with its own structured form.","p2":"Every requirement is a form. Every form field maps to a specific compliance obligation. Fill in the form, and you have documented your compliance. No ambiguity, no guesswork.","p3":"Forms support text, selections, multi-select, dates, and file uploads for evidence. AI-assisted prefill helps you draft responses based on your company profile, then you refine and approve."},"deadlines":{"heading":"Deadline Tracking & Escalation","p1":"NIS2 compliance is not a one-time project. BSI registration, incident reporting cascades (24h / 72h / 1 month), KRITIS audit cycles, and training renewals all have hard deadlines with real penalties.","p2":"The platform tracks every deadline across your compliance lifecycle. Notifications escalate through 10 phases - from early reminders to critical alerts - so nothing falls through the cracks.","p3":"Granular permissions control who gets notified for what. Assign responsibility per requirement, per module, per team member. The right person gets the right alert at the right time."},"modules":{"heading":"12 Operational Security Modules","p1":"Beyond the core compliance forms, NISD2.eu includes 12 operational modules that mirror the ongoing security operations the BSIG requires:","items":{"assets":"Asset Management - inventory of all critical systems and infrastructure","risks":"Risk Register - structured risk assessments with likelihood and impact scoring","incidents":"Incident Management - detection, response, and BSI reporting workflows","suppliers":"Supplier Management - supply chain security assessments and monitoring","policies":"Policy Management - document lifecycle for security policies","training":"Training Records - track mandatory cybersecurity training per employee","access":"Access Control - role-based access management and reviews","crypto":"Cryptography Register - encryption usage and key management records","continuity":"Business Continuity - disaster recovery plans and test documentation","vulnerability":"Vulnerability Management - tracking and remediation workflows","network":"Network Security - architecture documentation and segmentation records","monitoring":"Security Monitoring - log management and detection system records","communication":"Secured Communications - MFA deployment and secure channel documentation"},"p2":"Each module is purpose-built for NIS2 - not adapted from a generic GRC template. Data flows between modules: an asset referenced in a risk assessment links to the same asset in your incident report."},"auditTrail":{"heading":"Permanent Audit Trail & Long-Term Data","p1":"Every action in the platform is logged: who changed what, when, and what the previous value was. Every entry is checksummed (SHA-256) for tamper evidence.","p2":"All compliance data lives in structured forms that can be exported at any time - for BSI audits, internal reviews, or legal proceedings. The complete history of your compliance posture is always available.","p3":"Compliance only grows. New requirements get added, regulations evolve, your company changes. NISD2.eu is built on a first-principles data architecture: your compliance data stays here permanently. You never re-enter data. When regulations update, your existing documentation carries forward - you only fill in what changed.","p4":"This is not a spreadsheet you lose or a consultant's report that sits on a shelf. It is a living, versioned, auditable record of everything your company has done for NIS2 compliance - from day one, forever."}},"nis2Requirements":{"meta":{"title":"NIS2 Requirements - 10 Measures","description":"NIS2 requirements explained: 10 mandatory risk management measures, incident reporting cascade, audit obligations, and supply chain security."},"title":"NIS2 Requirements","subtitle":"What affected entities must implement: 10 mandatory cybersecurity measures, a strict incident reporting cascade, and evidence-based compliance.","measures":{"heading":"10 Mandatory Risk Management Measures (Section 30 BSIG / Article 21)","description":"All essential and important entities must implement these measures. There is no transition period - these obligations apply since 6 December 2025 in Germany.","items":{"m1":{"title":"Risk analysis and information security policies","description":"Establish and maintain policies for risk analysis and information systems security. Conduct regular risk assessments covering all critical systems and processes."},"m2":{"title":"Incident handling","description":"Implement procedures for preventing, detecting, identifying, containing, mitigating, and responding to security incidents."},"m3":{"title":"Business continuity and crisis management","description":"Backup management, disaster recovery planning, and crisis management procedures to ensure operational resilience."},"m4":{"title":"Supply chain security","description":"Security measures for relationships with direct suppliers and service providers. Includes assessment of all suppliers' cybersecurity practices and contractual security requirements."},"m5":{"title":"Security in acquisition, development, and maintenance","description":"Security in network and information system acquisition, development, and maintenance. Includes vulnerability handling and disclosure procedures."},"m6":{"title":"Effectiveness assessment","description":"Policies and procedures for assessing the effectiveness of cybersecurity risk management measures. Regular testing and evaluation of security controls."},"m7":{"title":"Cybersecurity training and cyber hygiene","description":"Basic cybersecurity training practices for all employees. Awareness programs covering phishing, social engineering, password management, and safe computing practices."},"m8":{"title":"Cryptography and encryption","description":"Policies and procedures on the use of cryptography and, where appropriate, encryption. Covers data at rest, data in transit, and key management."},"m9":{"title":"Personnel security, access control, and asset management","description":"Human resources security policies, access control mechanisms, and asset management procedures. Includes onboarding/offboarding, least-privilege access, and asset inventories."},"m10":{"title":"Multi-factor authentication and secured communications","description":"Use of MFA or continuous authentication solutions. Secured voice, video, and text communications. Secured emergency communication systems within the entity."}}},"incidentReporting":{"heading":"Incident Reporting Cascade","description":"All essential and important entities must report significant security incidents to the BSI using a three-stage cascade.","stages":{"s1":{"deadline":"24 hours","title":"Early warning (Frühwarnung)","description":"Report whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact."},"s2":{"deadline":"72 hours","title":"Updated notification (Aktualisierte Meldung)","description":"Severity assessment, impact assessment, indicators of compromise, and initial root cause analysis if available."},"s3":{"deadline":"1 month","title":"Final report (Abschlussmeldung)","description":"Detailed description of the incident, confirmed root cause, mitigation measures taken, preventive steps implemented, and cross-border impact assessment."}},"significant":{"heading":"What counts as a \"significant\" incident?","p1":"A security incident qualifies as significant when it has caused or is capable of causing severe operational disruption or financial losses for the entity.","p2":"It also qualifies when it has affected or is capable of affecting other natural or legal persons by causing considerable material or immaterial damage."}},"auditRequirements":{"heading":"Audit and Evidence Requirements","kritis":{"heading":"KRITIS Operators","description":"Must demonstrate compliance through audits, inspections, or certifications every 3 years. Must include attack detection systems in their measures. Initial evidence deadline set by BSI at registration (~2028)."},"bwe":{"heading":"Essential entities (non-KRITIS)","description":"No regular mandatory audit cycle, but must maintain comprehensive documentation. BSI may conduct proactive spot checks and order evidence at any time using risk-based selection."},"we":{"heading":"Important entities","description":"Must document implementation of all required measures. BSI inspections are reactive only - triggered by incidents or justified suspicion of non-compliance."},"evidence":{"heading":"Acceptable Evidence","items":{"audits":"Internal or external audit reports","certifications":"Certifications (ISO 27001, BSI IT-Grundschutz, etc.)","documentation":"Comprehensive documentation of risk assessments, implemented measures, and effectiveness reviews"},"note":"ISO 27001 or IT-Grundschutz certification supports but does not guarantee NIS2 compliance - the BSIG requirements may go beyond standard certification scope."}},"supplyChain":{"heading":"Supply Chain Security","description":"NIS2 introduces mandatory supply chain security obligations. Entities must:","items":{"assess":"Assess the cybersecurity practices of all direct suppliers and service providers","contractual":"Include cybersecurity requirements in supplier contracts","monitor":"Monitor and review supplier security posture on an ongoing basis","coordinate":"Coordinate vulnerability disclosure with suppliers","risk":"Consider the overall quality of products and practices of suppliers, including their secure development procedures"}}},"ceoLiability":{"meta":{"title":"NIS2 Management Liability - §38 BSIG","description":"§38 BSIG makes managing directors personally liable for NIS2 cybersecurity failures. Three core duties, applicable fines, and how to protect yourself."},"title":"NIS2 Management Liability","subtitle":"§38 BSIG makes managing directors personally liable for cybersecurity failures - a first in German law.","overview":{"p1":"§38 BSIG introduces something unprecedented in German cybersecurity regulation: personal liability for management. The Geschäftsführung of every company subject to NIS2 - whether GmbH, AG, or KG - is now personally responsible for ensuring cybersecurity measures are implemented, overseen, and maintained. This is not delegable to the IT department.","p2":"This is entirely new. Under the original NIS1 framework (the previous IT-Sicherheitsgesetz), liability rested with the company as a legal entity. §38 BSIG changes the game: individual managing directors can now be held liable with their personal assets if they fail to fulfill their cybersecurity duties. The law explicitly references Geschäftsleiter - the people who sign on behalf of the company.","p3":"The law defines three core duties for management: approval (Billigung) of cybersecurity measures, oversight (Überwachung) of their implementation, and personal training (Schulung) in cybersecurity. Failing any one of these creates personal liability exposure - even if the company itself has implemented reasonable measures."},"duties":{"heading":"Three Core Duties","description":"§38(1) BSIG defines three obligations that management must fulfill personally. These cannot be delegated to employees, consultants, or external service providers.","items":{"approval":{"title":"Approval (Billigung)","description":"Management must formally approve the cybersecurity risk management measures required under §30 BSIG. This means reviewing and signing off on the company's information security policies, risk assessments, and treatment plans. A verbal 'go ahead' is not sufficient - you need documented, traceable approval with timestamps and signatures."},"oversight":{"title":"Oversight (Überwachung)","description":"Management must actively oversee the implementation of approved measures. This means regular status reviews, progress tracking, and escalation handling. You must be able to demonstrate that you monitored whether measures were actually implemented - not just that you approved them and walked away. Quarterly management reviews are the minimum defensible frequency."},"training":{"title":"Training (Schulung)","description":"Management must personally complete cybersecurity training to develop sufficient knowledge to evaluate risks and measures. This is not the general employee awareness training from §30(2)(9) - it is a separate obligation specifically for Geschäftsleiter. The training must be adequate to understand the company's risk profile, the measures in place, and the residual risks accepted."}}},"consequences":{"heading":"What Happens When You Fail","description":"The BSIG establishes a tiered enforcement regime. The BSI can issue orders, impose fines, and in severe cases, prohibit management from exercising their duties. Here are the specific consequences for common violations.","items":{"noMeasures":{"violation":"No cybersecurity measures implemented","consequence":"Fines up to €10 million or 2% of global annual turnover (whichever is higher) under §65 BSIG for essential entities. For wichtige Einrichtungen: up to €7 million or 1.4% of turnover. Management faces personal liability claims from the company for damages resulting from the violation."},"noReporting":{"violation":"Incident not reported to BSI","consequence":"§32 BSIG requires initial notification within 24 hours, follow-up within 72 hours, and final report within one month. Missing these deadlines triggers enforcement action. If management was aware of an incident and failed to ensure reporting, personal liability applies under §38 for oversight failure."},"noTraining":{"violation":"Management hasn't completed training","consequence":"Direct violation of §38(1) BSIG. This is the easiest violation for the BSI to prove - either you have training records or you don't. It also undermines your defense on all other points: how can you claim adequate oversight if you lack the training to evaluate what you're overseeing?"},"noOversight":{"violation":"No active oversight of implementation","consequence":"If measures were approved but management cannot demonstrate ongoing oversight (review meetings, status reports, escalation records), the approval alone is insufficient. The law requires all three duties. Approving without overseeing is like signing a contract without reading it - you're still on the hook."}}},"misconceptions":{"heading":"Common Misconceptions","description":"In conversations with German Mittelstand companies, we encounter the same misunderstandings repeatedly. All of them create false security.","items":{"delegate":{"myth":"I can delegate this to the IT department","reality":"You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter - not IT managers, not CISOs, not external consultants. You must personally approve, oversee, and be trained. Your IT team implements; you approve and monitor. The distinction matters in court."},"insurance":{"myth":"D&O insurance covers NIS2 liability","reality":"Most D&O policies exclude regulatory fines and penalties. Even where civil liability claims are covered, insurers can deny claims if management knowingly failed to comply with statutory duties. Check your policy's exclusion clauses - 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies."},"ignorance":{"myth":"I'm not technical - I can't be held responsible","reality":"§38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense - it's proof of a training violation."},"waiver":{"myth":"Shareholders can waive my liability","reality":"§38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. The Gesellschafterversammlung cannot release you from NIS2 liability."},"smallCompany":{"myth":"We're too small for anyone to care","reality":"The NIS2 scope threshold starts at 50 employees and €10 million turnover. If you meet these thresholds in a covered sector, you are subject to the full regime - including §38 management liability. The BSI has already begun requesting registration from companies in this size range. Size is not a defense; it's a scoping criterion, and you're in scope."}}},"personalRisk":{"heading":"The Personal Risk","description":"Understanding the unique nature of NIS2 management liability under German law.","liableToCompany":"Here's what catches most managing directors off guard: under §38 BSIG, you are liable to your own company. If the company suffers damage because you failed to implement, oversee, or be trained on cybersecurity measures, the company (or its insolvency administrator, or its shareholders) can claim damages from you personally. This is an internal liability - your own organization can sue you.","cannotWaive":"§38(2) BSIG contains a provision without precedent in German corporate cybersecurity law: shareholders cannot waive or settle these liability claims if doing so would be disproportionate to the company's financial situation. In practical terms, if the company goes bankrupt due to a cyber incident, the insolvency administrator will come after your personal assets - and the shareholders cannot have waived that right in advance.","cannotClaimIgnorance":"The training obligation in §38(3) BSIG is not optional professional development - it is a legal prerequisite that removes ignorance as a defense. Once the law requires you to be trained, your failure to obtain that training is itself a violation. You cannot claim you didn't understand the risks when the law required you to learn about them."},"steps":{"heading":"Three Steps to Protect Yourself","description":"The good news: fulfilling your §38 BSIG duties is straightforward if you approach it systematically. These three steps create the documented trail that protects you.","items":{"step1":{"title":"Formally approve cybersecurity measures","description":"Review the risk assessment, security policies, and treatment plans prepared under §30 BSIG. Sign off with your name, date, and role. Store the approval in an auditable system - not in an email inbox. This creates the documented evidence that you fulfilled your Billigung duty. Repeat whenever measures are materially changed."},"step2":{"title":"Establish oversight processes","description":"Schedule quarterly management reviews of cybersecurity status. Review implementation progress, open risks, incident reports, and effectiveness metrics. Document attendance, decisions, and action items. This creates the continuous trail proving your Überwachung duty - not just a one-time approval, but ongoing engagement."},"step3":{"title":"Complete cybersecurity training","description":"Complete a training program that covers your company's threat landscape, the §30 BSIG measures, incident reporting obligations, and your personal duties under §38. Document the training: provider, date, content covered, certificate if available. Refresh annually. This eliminates the ignorance defense gap and fulfills your Schulung duty."}}},"ctaCard":{"heading":"Demonstrate Your Compliance","description":"The NIS2 compliance platform tracks management approvals, oversight activities, and training completion - creating the auditable evidence trail that protects you personally under §38 BSIG."},"cta":"Start Your NIS2 Compliance Process"},"grundschutz":{"meta":{"title":"NIS2 & IT-Grundschutz Compliance","description":"§44(2) BSIG lets German companies prove NIS2 compliance via IT-Grundschutz. The legal chain from NIS2 to BSIG to CIR to Grundschutz explained."},"title":"NIS2 and IT-Grundschutz","subtitle":"§44(2) BSIG provides a legal shortcut: implementing IT-Grundschutz is recognized as sufficient proof of NIS2 compliance in Germany.","overview":{"heading":"The Legal Chain","p1":"German companies have a unique advantage over their European peers when it comes to NIS2 compliance. While companies in France, Italy, or the Netherlands must work directly from the NIS2 Directive and the EU Implementing Regulation, German companies can leverage IT-Grundschutz - a well-established, BSI-maintained methodology that has been the standard for information security in Germany for over 25 years.","p2":"§44(2) BSIG provides the legal shortcut: companies that implement IT-Grundschutz can use this as evidence of NIS2 compliance. This is not informal guidance - it is codified in the Federal Cybersecurity Act. The BSI itself develops and maintains both the Grundschutz framework and the NIS2 enforcement regime, ensuring alignment by design.","p3":"This page maps the entire legal chain from the EU NIS2 Directive through German transposition to the practical implementation methodology. Understanding this chain is essential for any compliance lead: it tells you exactly which requirements come from where, why they exist, and how to satisfy them with documented evidence."},"chain":{"heading":"From EU Directive to German Practice","description":"NIS2 compliance in Germany follows a four-layer legal chain. Each layer adds specificity, from high-level objectives down to concrete implementation guidance.","items":{"nis2":{"title":"NIS2 Directive","description":"EU Directive 2022/2555 - the EU-wide cybersecurity framework"},"bsig":{"title":"BSIG","description":"German Federal Cybersecurity Act - transposes NIS2 into German law"},"cir":{"title":"CIR 2024/2690","description":"EU Implementing Regulation - defines the technical minimum measures"},"grundschutz":{"title":"IT-Grundschutz","description":"BSI methodology - the established German framework for implementing these measures"}}},"section44":{"heading":"§44(2) BSIG: Grundschutz Equals Compliance","description":"The legal shortcut most companies don't know about.","p1":"§44(2) BSIG states that compliance with the requirements of §30 BSIG can be demonstrated through implementation of recognized standards - and explicitly references IT-Grundschutz as such a standard. This means that if you implement Grundschutz according to BSI-200-1 through BSI-200-4 methodology, you have a legally recognized basis for claiming NIS2 compliance. This is not a 'get out of jail free' card - you still need evidence - but it gives you a clear, BSI-approved methodology to follow.","p2":"In practice, this means you don't need to interpret the NIS2 Directive or CIR 2024/2690 from scratch. The Grundschutz Kompendium already maps the technical requirements to specific Bausteine (modules) and Anforderungen (requirements). When the BSI audits your NIS2 compliance, they are auditing against a methodology they themselves created - not against an abstract EU directive. This alignment eliminates the interpretation gap that plagues companies in other EU member states.","p3":"For BSI auditors, Grundschutz implementation is familiar territory. They have been auditing Grundschutz for decades. This means audit efficiency: the auditors know exactly what evidence to expect, the terminology is standardized, and the methodology is documented in German. Compare this to defending an ad-hoc compliance approach against the English-language CIR - the practical advantage is significant."},"cir":{"heading":"CIR 2024/2690: The EU Technical Baseline","description":"The Commission Implementing Regulation that defines the technical minimum every EU member state must enforce.","p1":"CIR 2024/2690 (Commission Implementing Regulation) was published on October 17, 2024 and establishes the technical and methodological requirements for NIS2 compliance across the EU. It applies directly - no transposition needed - and defines the minimum measures that all essential and important entities must implement. This is the floor, not the ceiling.","p2":"The CIR specifically covers DNS service providers, TLD name registries, cloud computing services, data center providers, content delivery networks, managed services, managed security services, online marketplaces, online search engines, social networking platforms, and trust service providers. However, the BSIG extends these technical requirements to all NIS2-covered sectors in Germany, making the CIR's technical measures the de facto standard for everyone.","p3":"The Grundschutz Kompendium covers every requirement in the CIR and goes further. Where the CIR says 'implement access control,' Grundschutz specifies exactly how - through modules like ORP.4 (Identity and Access Management) with step-by-step implementation guidance. This is why §44(2) BSIG recognizes Grundschutz: it is a superset of CIR requirements, not just an equivalent."},"comparison":{"heading":"IT-Grundschutz vs ISO 27001 for NIS2","description":"Both are recognized information security frameworks, but for NIS2 compliance in Germany, they are not equivalent.","items":{"recognition":{"title":"BSI Recognition","description":"IT-Grundschutz is explicitly referenced in §44(2) BSIG as a recognized standard for demonstrating NIS2 compliance. ISO 27001 certification may support your case, but it is not specifically named in the law. When the BSI is both the framework author and the enforcement authority, alignment matters."},"coverage":{"title":"Requirements Coverage","description":"Grundschutz covers 100% of CIR 2024/2690 requirements through its Kompendium modules. ISO 27001 covers information security management broadly but does not specifically address all BSIG §30 measures - particularly the NIS2-specific incident reporting timelines, supply chain requirements, and management liability obligations. You would need ISO 27001 plus additional gap-filling."},"language":{"title":"Language & Methodology","description":"Grundschutz is developed in German, by the BSI, for German organizations. The terminology matches the BSIG exactly. ISO 27001 is an international standard published in English, with different terminology and a less prescriptive methodology. For a 100-person German Mittelstand company, Grundschutz's concrete, German-language implementation guidance is significantly more practical than ISO 27001's abstract control objectives."}}},"benefits":{"heading":"Why This Matters for Your Company","description":"For mid-market German companies, the Grundschutz pathway offers three concrete advantages over alternative compliance approaches.","items":{"audit":{"title":"Audit Advantage","description":"When the BSI audits your NIS2 compliance, presenting Grundschutz-structured evidence means the auditor speaks your language. The methodology, documentation structure, and evidence expectations are standardized. This translates to faster audits, fewer misunderstandings, and clearer outcomes."},"alignment":{"title":"BSI Alignment","description":"The BSI publishes the Grundschutz Kompendium, enforces NIS2 compliance, and audits your implementation. Using their own methodology ensures that your interpretation of requirements matches theirs. There is no interpretation gap - the same organization that defines the rules also provides the playbook."},"certainty":{"title":"Legal Certainty","description":"§44(2) BSIG gives Grundschutz implementation explicit legal standing as proof of compliance. This is the strongest legal position available: you are following the methodology recognized by the law itself. If challenged, you can point to a specific statutory provision that validates your approach - not just industry best practice or consultant opinion."}}},"ctaCard":{"heading":"Built on the Grundschutz Framework","description":"The platform structures all 49 BSIG requirements according to IT-Grundschutz methodology, with evidence templates and audit-ready documentation that follows the BSI's own structure."},"cta":"Start Your NIS2 Compliance Process"},"costs":{"meta":{"title":"NIS2 Implementation Costs","description":"Honest NIS2 compliance cost breakdown for mid-market German companies. Consultants, GRC platforms, US tools, and DIY approaches compared."},"title":"NIS2 Implementation Costs","subtitle":"An honest breakdown of what NIS2 compliance actually costs for a mid-market German company - because nobody else publishes real numbers.","overview":{"heading":"The Cost Transparency Gap","p1":"Search for 'NIS2 implementation costs' and you'll find consultant websites that say 'it depends' and enterprise vendors who hide pricing behind sales calls. This is by design - opacity benefits sellers. For a 100-person German company trying to budget for compliance, this is useless. You need real numbers to make real decisions.","p2":"Here's an honest breakdown based on market rates in Germany as of 2026. These numbers assume a company with 50-250 employees, basic IT infrastructure (Office 365, a few line-of-business applications, standard network), no existing ISMS, and no dedicated security staff. If you already have ISO 27001 or Grundschutz, your costs will be significantly lower."},"approaches":{"heading":"Four Ways to Get Compliant","prosLabel":"Advantages","consLabel":"Disadvantages","consultants":{"title":"Management Consultants","price":"€150K-500K","description":"Big Four or specialized cybersecurity consultancies (KPMG, Deloitte, PwC, or boutique firms like HiSolutions or Secunet). They assess your current state, write policies, implement measures, and prepare you for audit. Typical engagement: 6-12 months.","pros":["Deep expertise and regulatory knowledge","Handle complexity - appropriate for KRITIS operators","Provide defensible external validation"],"cons":["Prohibitively expensive for most mid-market companies","Knowledge leaves when the consultants leave","Often over-engineer solutions beyond what the law requires","Long engagement timelines - 6+ months is common"]},"enterprise":{"title":"Enterprise GRC Platforms","price":"€100K+/year","description":"Platforms like ServiceNow GRC, SAP GRC, or Archer. Built for large enterprises with dedicated GRC teams. Powerful but complex, requiring implementation projects and ongoing administration. Often sold with mandatory professional services.","pros":["Comprehensive functionality for large organizations","Integration with enterprise IT ecosystems","Established vendor support and longevity"],"cons":["Licensing costs alone exceed €100K/year","Implementation projects cost another €50K-200K","Require dedicated GRC staff to operate","Massively over-scoped for a 100-person company"]},"usPlatforms":{"title":"US Compliance Platforms","price":"€7,500+/year","description":"Platforms like Vanta, Drata, or Secureframe. Designed for SOC 2 and ISO 27001 compliance, primarily serving US tech startups. Some have added NIS2 as a framework option, but coverage is superficial - they don't understand BSIG, Grundschutz, or BSI registration.","pros":["Modern UI and good user experience","Automated evidence collection via cloud integrations","Reasonable pricing compared to enterprise solutions"],"cons":["NIS2 coverage is a checkbox addition, not the core product","No understanding of BSIG specifics (§38 management liability, §32 reporting)","No Grundschutz alignment - you lose the §44(2) advantage","Support and documentation in English only","BSI auditors won't recognize the framework structure"]},"diy":{"title":"Internal / DIY","price":"€20K-80K","description":"Build your own compliance using spreadsheets, document templates, and internal staff time. The cheapest option in direct costs, but the most expensive in hidden costs: learning curve, risk of non-compliance, and no external validation.","pros":["Lowest direct cost","Full control over the process","Internal knowledge retention"],"cons":["Massive time investment - 200-500 hours of staff time","High risk of gaps that only surface during BSI audit","No structured methodology or progress tracking","Spreadsheet-based evidence is hard to maintain and audit","No way to prove implementation timeline to BSI"]}},"breakdown":{"heading":"Realistic Costs for a 100-Person Company","description":"Regardless of approach, these are the cost categories every NIS2-affected company faces. Numbers assume a 100-person company in a regulated sector with no existing ISMS.","headers":{"item":"Cost Item","oneTime":"One-Time","annual":"Annual"},"rows":{"assessment":{"item":"Gap assessment & scoping","oneTime":"€5,000-15,000","annual":"-"},"documentation":{"item":"Policy & documentation","oneTime":"€10,000-30,000","annual":"€2,000-5,000"},"technical":{"item":"Technical measures","oneTime":"€15,000-50,000","annual":"€5,000-15,000"},"training":{"item":"Employee training","oneTime":"€3,000-8,000","annual":"€3,000-8,000"},"maintenance":{"item":"Ongoing compliance mgmt","oneTime":"-","annual":"€10,000-25,000"},"total":{"item":"Total","oneTime":"€33,000-103,000","annual":"€20,000-53,000"}}},"nisd2Approach":{"heading":"The NISD2.eu Approach","description":"The platform eliminates the most expensive parts of NIS2 compliance: interpretation, documentation structure, and evidence management.","items":["49 BSIG requirements pre-structured according to Grundschutz methodology - no gap assessment needed to know what's required","Built-in form pipeline generates audit-ready documentation as you fill in company-specific details - no policy writing from scratch","Management approval workflows with timestamped sign-offs create §38 BSIG evidence automatically - no separate tracking needed","Progress tracking across all 13 compliance modules with evidence uploads - replaces spreadsheets with an auditable system"]},"cta":{"heading":"See What NIS2 Compliance Looks Like","description":"Explore the platform, see the requirement structure, and understand exactly what NIS2 compliance involves for your company - before making any investment decisions.","button":"Start Your NIS2 Compliance Process"}},"mission":{"meta":{"title":"Halve Europe's NIS2 Bill - Our Mission","description":"NIS2 will cost European businesses €31.2 billion every year. Here is the breakdown - and our plan to halve it."},"badge":"Our Mission","title":"Halve Europe's NIS2 bill.","subtitle":"The €31 billion problem, and our plan to fix it.","problem":{"heading":"The €31 billion problem","p1":"NIS2 will cost European businesses €31.2 billion every year (Frontier Economics, 2023). That is 0.31% of every regulated company's revenue. Forever.","p2":"Most of that is not security. It is friction. Translation, interpretation, paperwork, audit prep - work that has to happen at every company because nobody made it once for everybody."},"breakdown":{"heading":"What the €31.2 billion is made of","description":"Frontier Economics' breakdown of EU-wide NIS2 compliance cost across the four cost categories.","footnote":"Source: Frontier Economics, Assessing the Economic Impact of EU Initiatives on Cybersecurity, July 2023.","items":{"staff":{"label":"Staff (compliance + security hires)","value":"€14B"},"consultants":{"label":"Consultants & advisory","value":"€8B"},"software":{"label":"Software (compliance + security tools)","value":"€5B"},"hardware":{"label":"Hardware (firewalls, gateways, appliances)","value":"€4B"}}},"plan":{"heading":"How we will halve it","p1":"We do not cut hardware. We do not cut security tools. Those are real and necessary.","p2":"We cut the friction. The translation work, the interpretation work, the paperwork - done once, structured, free, shared with everyone."},"savings":{"heading":"Where the €16 billion saving comes from","description":"Four levers, four cost pools. Together they halve the bill.","total":"€16.5B saved per year","items":{"consultants":{"label":"Replace consultant interpretation","value":"€6B saved"},"internal":{"label":"Compress internal effort","value":"€5B saved"},"evidence":{"label":"Standardize evidence (audit + supplier + over-engineering)","value":"€4B saved"},"software":{"label":"Eliminate compliance software bloat","value":"€1.5B saved"}}},"tactics":{"heading":"How each cut actually works","description":"Most NIS2 cost is not security work - it is coordination work that gets duplicated at every company. We do that work once, with one strict standard, and share the result. Each card below names the cost that disappears, not the feature that does the work.","items":{"consultants":{"heading":"Replace consultant interpretation","amount":"€6B saved","principle":"Consultants get paid to translate the law. We translate it once.","tactics":["No per-country consulting fees. We use IT-Grundschutz and CIR 2024/2690 as the default - the strictest standard in the EU. Meet ours, meet every member state. No separate engagement for German BSIG, French transposition, Italian implementation.","No per-sector premium. We do not maintain 13 sector variants. One strict standard already covers every sector's controls - simpler for us, cheaper for the buyer.","No 'what does this article mean' billable hours. The interpretation work that consultants charge for is done once on the platform, in plain language, for every BSIG requirement.","No paying for opinion-of-law behind a paywall. The open NIS2/BSIG dataset (in development) lets any auditor verify the interpretation directly - no vendor opacity to pay around."]},"internal":{"heading":"Compress internal effort","amount":"€5B saved","principle":"Most internal effort is paperwork done multiple times. Structured data is captured once.","tactics":["No interpretation phase. Companies currently spend internal staff time figuring out what NIS2 requires of them. The platform delivers the requirements pre-structured.","No copy-paste between systems. Compliance data is currently maintained in spreadsheets, policies, and supplier registers separately. The platform captures each fact once and surfaces it where it is needed.","No separate documentation pass. Compliance work and the documentation of it are currently two passes. On the platform, the audit trail records work as it happens.","No manual deadline scheduler. The BSIG cascade (24h/72h/1m incident reports, registration renewals, training cycles) currently requires manual tracking. The platform tracks it automatically."]},"evidence":{"heading":"Standardize evidence","amount":"€4B saved","principle":"The same evidence currently gets re-built per audit, per supplier, per regulator.","tactics":["No 10 questionnaires per supplier. A supplier serving 10 NIS2 customers currently fills 10 different security questionnaires. With the NIS2 Supplier Profile - an open standard, GRC-platform-agnostic - they fill one. The biggest single saving in this bucket.","No incident report drafting under deadline pressure. The 24h/72h/1m reports follow BSI-format-ready templates instead of being written from scratch when the clock is running.","No separate audit prep cycle. Audit-ready evidence is generated continuously as work happens, not assembled in a panic the month before.","No over-engineering markup. Consultants over-scope to bill more hours. The platform constrains to 'appropriate and proportionate' (§30(1) BSIG) - companies do not pay for unnecessary controls."]},"software":{"heading":"Eliminate compliance software bloat","amount":"€1.5B saved","principle":"We replace the NIS2 slice of compliance software - not the security tools, and not those tools' other frameworks.","tactics":["No NIS2 module fees on enterprise GRC suites. Companies using ServiceNow GRC, Archer, or MetricStream currently pay for the NIS2 portion. We replace that slice. The rest of those tools stays where it is.","No NIS2 add-on on US compliance platforms. Vanta, Drata, and Secureframe charge for their NIS2 framework module. Replaced for NIS2 specifically. Their SOC 2 and ISO 27001 modules are unaffected.","Hardware, SIEM, EDR, encryption, and firewalls stay. Those are operational security and necessary. The platform does not replace them and does not pretend to."]}}},"free":{"heading":"What we provide","description":"The core platform is free today and we intend to keep it that way. Some advanced features may eventually carry a cost - the principle is that NIS2 compliance should be significantly cheaper than the consultant-driven status quo, not zero on every line item. And we do not lock you in: open dataset, exportable evidence, GRC-platform-agnostic supplier profile.","items":["The core NIS2 compliance platform covering every BSIG requirement","Plain-language guidance for every requirement","The NIS2 Supplier Profile - open standard, GRC-platform-agnostic","Video tutorials for each NIS2 entity category","NIS2 Management Training portal — structured course with dictionary, quizzes, and progress tracking","Cybersecurity awareness training videos","Incident reporting templates and 24h / 72h / 1 month workflows","Audit-ready evidence trails, generated as you work","Notifications and deadline tracking for the BSIG cascade","The open NIS2 / BSIG requirements dataset (in development)","No lock-in: open dataset, exportable evidence, no proprietary formats"]},"paid":{"heading":"Where we charge","p1":"Training courses for management and staff. Guided consultancy for company-specific decisions — risk treatment trade-offs, supplier negotiations, complex incident response. Premium features as they develop. Self-host licensing for entities that need to run the platform internally.","p2":"The core compliance platform stays free. The open dataset stays open. The principle is that the bill should be cut, not shifted to us."},"team":{"heading":"Who we are","description":"Two founders trying to cut the NIS2 bill in half."},"cta":{"heading":"Start now","description":"Check if NIS2 applies to you, or jump straight into the platform.","checkButton":"Check NIS2 applicability","platformButton":"Start your free platform"}},"smeGuide":{"meta":{"title":"NIS2 for Mid-Market - Practical Guide","description":"NIS2 implementation guide for German Mittelstand (50-250 employees). 12-week roadmap, role assignments, and practical BSIG advice."},"badge":"Mittelstand / SME","title":"NIS2 Implementation for Mid-Market Companies","subtitle":"A practical 12-week implementation roadmap for German companies with 50-250 employees - no security team required.","overview":{"heading":"You're Affected. Now What?","p1":"An estimated 29,500 companies in Germany fall under NIS2 scope. If you have more than 50 employees and operate in a covered sector - waste management, food production, manufacturing, energy, transport, health, digital infrastructure - you are almost certainly one of them. The BSIG entered force on December 6, 2025, and the BSI registration deadline was March 6, 2026.","p2":"Here's what most consultants won't tell you: for a mid-market company with basic IT, NIS2 compliance is manageable. It is not a 6-month, six-figure project. Most of the 49 BSIG requirements are write-once documentation - policies, risk assessments, procedures. Only a handful require ongoing operational processes. The law demands 'appropriate' measures proportional to your risk - not Fortune 500 security infrastructure.","p3":"This guide gives you the practical plan: a 12-week roadmap, the roles you need (all part-time, all existing staff), the common mistakes that trip up companies your size, and the priority order for tackling the 10 mandatory measures under §30 BSIG. No theory, no fear-mongering - just the steps."},"audience":{"heading":"Who This Guide Is For","description":"This guide is written specifically for mid-market German companies encountering NIS2 for the first time.","items":{"size":"Companies with 50-250 employees in NIS2 sectors","limitedIt":"Limited IT staff - maybe 2-5 people, not a security team","noCompliance":"No dedicated compliance department or GRC experience","firstTime":"First time dealing with NIS2, BSIG, or BSI registration"}},"roadmap":{"heading":"Implementation Roadmap","phases":{"foundation":{"title":"Foundation","weeks":"Weeks 1-2","description":"Establish the organizational foundation: register with the BSI, assign responsibilities, and brief management on their personal liability under §38 BSIG. This phase is about getting the right people engaged and the scope defined.","actions":["BSI registration via Mein Unternehmenskonto + BSI portal","Appoint compliance lead (part-time role, not a new hire)","Management briefing on §38 BSIG duties and personal liability","Set up compliance platform and invite team members","Initial scope: identify which entity category applies (essential or important)"]},"risk":{"title":"Risk Assessment","weeks":"Weeks 3-4","description":"Build your asset inventory and conduct the initial risk assessment. This is the foundation everything else builds on - §30(1) BSIG measure 1. Use the BSI-200-3 risk analysis methodology: identify assets, identify threats, assess likelihood and impact, decide on treatment.","actions":["Build asset inventory - group identical assets (e.g., '45 laptops' = 1 entry)","Identify and categorize suppliers with access to your systems","Conduct initial risk assessment: likelihood × impact for each asset","Document risk treatment decisions: accept, mitigate, transfer, or avoid","Map risks to BSIG measures - which controls address which risks"]},"controls":{"title":"Controls & Documentation","weeks":"Weeks 5-8","description":"Document your security controls and procedures. This is the largest phase by volume but most requirements are write-once policies. Focus on documenting what you already do (most companies have informal processes) and filling genuine gaps.","actions":["Write or adopt security policies (information security, access control, incident response)","Document cryptography usage and key management approach","Set up incident response process with 24h/72h/1m cascade","Review access control: least privilege, onboarding/offboarding procedures","Document business continuity and backup procedures","Implement or document MFA for critical systems"]},"evidence":{"title":"Evidence & Audit Readiness","weeks":"Weeks 9-12","description":"Close the loop: management approvals, training completion, evidence collection, and a first effectiveness check. This phase transforms your documented measures into auditable compliance evidence.","actions":["Management formally approves all cybersecurity measures (§38 duty)","Complete mandatory management cybersecurity training","Upload evidence documents: screenshots, configs, policy sign-offs","Run first effectiveness assessment - are controls actually working?","Export compliance report for internal review"]}}},"roles":{"heading":"Roles You Need","description":"You don't need to hire anyone. These are part-time responsibilities assigned to existing staff.","items":{"complianceLead":{"title":"Compliance Lead (4-8 hours/week)","description":"Drives the process, fills out requirement forms, coordinates with IT and management. Usually the IT manager, quality manager, or operations lead."},"itContact":{"title":"IT Contact (2-4 hours/week)","description":"Provides technical input: asset details, network architecture, encryption status, access controls. Your admin or IT manager."},"managementSponsor":{"title":"Management Sponsor (1-2 hours/week)","description":"Reviews and approves measures, completes training, demonstrates oversight. Required by §38 BSIG - cannot be delegated."},"externalAuditor":{"title":"External Auditor (optional)","description":"For KRITIS operators: required every 3 years. For essential and important entities: optional but recommended for the first compliance cycle to validate your work."}}},"mistakes":{"heading":"Common Mistakes","description":"What we see companies get wrong - and how to avoid it.","items":{"waiting":{"title":"Waiting for 'the final guidance'","description":"The law is in force since December 2025. The CIR defines the technical measures. There is no further guidance coming that would change what you need to do. Start now."},"overEngineering":{"title":"Over-engineering the solution","description":"A 100-person waste management company does not need a SOC or a SIEM. Match your controls to your actual risk profile. The BSIG requires 'appropriate' measures, not maximum measures."},"noManagement":{"title":"Treating it as an IT project","description":"§38 BSIG makes this a management responsibility. If the managing director isn't involved, you're already non-compliant. Schedule the management briefing in week 1."},"ignoreSupplyChain":{"title":"Ignoring supply chain security","description":"NIS2 explicitly requires assessing your suppliers' cybersecurity. This catches many companies off guard. Start documenting supplier relationships early."},"paperOnly":{"title":"Paper compliance without real measures","description":"Writing policies nobody reads doesn't count. The BSI can request evidence that measures are actually implemented and effective. Build real processes, not just documents."}}},"ctaCard":{"heading":"Start Your Implementation Today","description":"The platform walks you through all 49 BSIG requirements in the order they should be implemented, with structured forms, evidence uploads, and management sign-off workflows - exactly what a mid-market company needs to get compliant without hiring a consultant."},"cta":"Start Your NIS2 Compliance Process"},"checklist":{"meta":{"title":"NIS2 Requirements Checklist - §30 BSIG","description":"All 10 mandatory NIS2 measures under §30 BSIG: what is required, what evidence you need, and effort estimates. Prioritized for German companies."},"title":"NIS2 Requirements Checklist","subtitle":"All 10 mandatory cybersecurity measures under §30 BSIG - what each requires, what evidence the BSI expects, and the practical priority order for implementation.","overview":{"p1":"§30 BSIG defines 10 mandatory cybersecurity measures that every NIS2-affected company in Germany must implement. These measures are not optional and not negotiable - they apply to all essential and important entities regardless of size or sector. The CIR 2024/2690 adds technical detail to each measure.","p2":"Use this checklist to assess your current state against each measure, identify gaps, and plan your implementation. For each measure, we list the key requirements and the evidence the BSI would expect in an audit. Work through them in the priority order at the bottom - they build on each other, so sequence matters."},"howToUse":{"heading":"How to Use This Checklist","items":{"i1":"Work through each measure in order - they build on each other","i2":"For each requirement, document your current state and identify gaps","i3":"Focus on evidence: for every requirement, ask 'how would we prove this to the BSI?'"}},"measures":{"heading":"10 Mandatory Measures (§30 BSIG)","description":"Each measure below maps to §30(2) BSIG and is further specified by CIR 2024/2690. The effort rating reflects a typical 100-person company starting from scratch.","keyRequirements":"Key Requirements","evidenceNeeded":"Evidence Needed","items":{"m1":{"title":"Risk Analysis & Information Security Policies","description":"§30(2)(1) BSIG - Establish risk analysis processes and information security policies. This is the foundation: without a risk assessment, you cannot justify any other measure. The BSI expects a methodical approach (BSI-200-3 recommended), not ad-hoc risk lists.","requirements":["Establish an information security management framework","Conduct regular risk assessments covering all critical assets","Define risk acceptance criteria and treatment procedures","Maintain and review security policies at least annually"],"evidence":["Documented risk assessment with asset inventory","Information security policy signed by management","Risk treatment plan with assigned owners"],"effort":"High - foundational, do this first"},"m2":{"title":"Incident Handling","description":"§30(2)(2) BSIG - Establish processes for detecting, managing, and reporting security incidents. §32 BSIG defines strict reporting timelines: initial notification to BSI within 24 hours, follow-up within 72 hours, final report within one month. You need processes that can meet these deadlines at 2 AM on a Sunday.","requirements":["Define incident detection, classification, and escalation procedures","Establish 24h/72h/1m reporting cascade to BSI per §32 BSIG","Assign incident response roles and contact chains","Implement post-incident review and lessons-learned process"],"evidence":["Incident response plan with defined roles and responsibilities","BSI reporting templates and communication procedures","Incident log with classification, timeline, and resolution records"],"effort":"High - critical, and requires tested processes not just documentation"},"m3":{"title":"Business Continuity & Crisis Management","description":"§30(2)(3) BSIG - Ensure continuity of critical services during and after security incidents. This covers backup management, disaster recovery, and crisis management. The CIR requires documented recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.","requirements":["Identify critical business processes and their IT dependencies","Define RTO and RPO for critical systems","Implement and test backup procedures","Establish crisis management and communication procedures"],"evidence":["Business continuity plan with RTO/RPO per critical system","Backup procedures with documented test results","Crisis communication plan with emergency contacts"],"effort":"Medium - leverages your existing backup infrastructure"},"m4":{"title":"Supply Chain Security","description":"§30(2)(4) BSIG - Assess and manage cybersecurity risks in the supply chain. NIS2 recognizes that your security is only as strong as your weakest supplier. You must assess suppliers who have access to your systems, data, or network - and include security requirements in contracts.","requirements":["Inventory all suppliers with access to systems, data, or network","Assess cybersecurity posture of critical suppliers","Include cybersecurity requirements in supplier contracts","Monitor supplier security posture on an ongoing basis"],"evidence":["Supplier inventory with risk categorization","Supplier assessment questionnaires or audit results","Contract clauses referencing cybersecurity requirements"],"effort":"Medium - time-consuming to gather supplier data initially"},"m5":{"title":"Security in Network & System Procurement","description":"§30(2)(5) BSIG - Include security considerations in procurement, development, and maintenance of IT systems. This means security requirements in procurement specs, vulnerability handling procedures, and secure configuration baselines for new systems.","requirements":["Define security requirements for IT procurement","Establish vulnerability handling and disclosure procedures","Implement secure configuration baselines for new systems","Include security reviews in system acceptance testing"],"evidence":["Procurement guidelines with security requirements","Vulnerability management process documentation","Secure configuration standards per system type"],"effort":"Medium - mostly documentation if you already have procurement processes"},"m6":{"title":"Effectiveness Assessment","description":"§30(2)(6) BSIG - Evaluate the effectiveness of cybersecurity risk management measures. This is the audit loop: you must regularly check whether your measures actually work, not just whether they exist. KPIs, internal audits, and corrective action processes are required.","requirements":["Define metrics and KPIs for cybersecurity effectiveness","Conduct regular internal audits or assessments","Implement corrective action procedures for identified gaps","Report effectiveness results to management"],"evidence":["Effectiveness assessment reports with KPI measurements","Internal audit plan and completed audit reports","Corrective action log with resolution tracking"],"effort":"Medium - requires the other measures to be in place first"},"m7":{"title":"Cybersecurity Training & Awareness","description":"§30(2)(7) BSIG - Implement cybersecurity training and awareness programs. This covers all employees (annual awareness training), IT staff (role-specific technical training), and management (§38 BSIG obligation). The scope is broader than most companies expect.","requirements":["Provide annual cybersecurity awareness training for all employees","Deliver role-specific training for IT and security staff","Ensure management completes §38 BSIG cybersecurity training","Track training completion and maintain records"],"evidence":["Training plan with target groups and frequencies","Training completion records with dates and attendee lists","Management training certificates per §38 BSIG"],"effort":"Low - many providers offer off-the-shelf training packages"},"m8":{"title":"Cryptography & Encryption","description":"§30(2)(8) BSIG - Implement appropriate cryptography and encryption measures. Document what encryption you use, where, and why. The CIR requires encryption for data at rest and in transit where appropriate, plus key management procedures.","requirements":["Inventory encryption usage across systems and data flows","Implement encryption for data at rest and in transit","Establish key management procedures (generation, storage, rotation, revocation)","Define cryptographic algorithm standards aligned with BSI TR-02102"],"evidence":["Cryptography policy with algorithm standards","Encryption inventory: what's encrypted, where, with what","Key management procedures documentation"],"effort":"Low to Medium - mostly documenting what you already use"},"m9":{"title":"Access Control & Asset Management","description":"§30(2)(9) BSIG - Implement access control, identity management, and asset management measures. This combines who can access what (least privilege, role-based access) with what you have (asset inventory). The asset inventory from measure 1 feeds directly into this.","requirements":["Implement role-based access control with least privilege principle","Establish onboarding/offboarding procedures for access provisioning","Maintain asset inventory covering hardware, software, and data","Implement privileged access management for administrative accounts"],"evidence":["Access control policy with role definitions","Onboarding/offboarding checklists with access review records","Asset inventory with assigned owners and classification"],"effort":"High - requires operational process changes, not just documentation"},"m10":{"title":"Multi-Factor Authentication & Secure Communication","description":"§30(2)(10) BSIG - Implement multi-factor authentication and secure communication measures. MFA is required for remote access, administrative access, and access to critical systems. Secure communication means encrypted email, messaging, and voice where confidential information is exchanged.","requirements":["Implement MFA for remote access, VPN, and administrative accounts","Deploy MFA for access to critical business applications","Establish secure communication channels for confidential information","Implement emergency access procedures when MFA is unavailable"],"evidence":["MFA deployment documentation with covered systems list","Secure communication policy and tool inventory","Emergency access procedures with break-glass documentation"],"effort":"Medium - technical implementation required if MFA is not yet deployed"}}},"priority":{"heading":"Priority Order","description":"Not all measures are equally urgent. This priority order reflects dependencies - later measures build on earlier ones - and enforcement risk. Start with what the BSI will ask for first.","tiers":{"t1":{"title":"Start immediately","description":"Measures 1 (risk analysis), 2 (incident handling), 9 (access control & assets). These are foundational - everything else builds on them."},"t2":{"title":"Weeks 3-6","description":"Measures 3 (continuity), 4 (supply chain), 7 (training). These require the asset inventory from measure 1."},"t3":{"title":"Weeks 7-12","description":"Measures 5 (procurement), 6 (effectiveness), 8 (crypto), 10 (MFA). These build on the controls established in tier 2."}}},"ctaCard":{"heading":"Track Your Progress","description":"The platform breaks each of these 10 measures into structured requirements with evidence uploads, management sign-offs, and progress tracking - so you always know exactly where you stand and what's left to do."},"cta":"Start Your NIS2 Compliance Process"},"registration":{"meta":{"title":"BSI NIS2 Registration: Deadline & Step-by-Step Guide","description":"BSI registration under §33 BSIG: who must register, deadlines, portal walkthrough. 30,000 NIS2 entities in Germany — most still missing. Avoid €500K fines."},"title":"NIS2 Registration Gap Analysis","subtitle":"The BSI estimated ~30,000 entities subject to NIS2 in Germany. The registration deadline passed on March 6, 2026. A significant portion of in-scope companies have still not registered - leaving them exposed to enforcement under §65 BSIG.","overview":{"p1":"§33 BSIG requires every entity that falls under NIS2 - whether essential or important entity - to register with the Bundesamt für Sicherheit in der Informationstechnik (BSI). This is not optional. The registration obligation exists independently of whether the company has implemented any cybersecurity measures. You must register first, then comply.","p2":"The BSI registration portal (muk.bsi.bund.de) went live on January 6, 2026 - one month after the BSIG entered into force. The registration deadline under §33 BSIG was March 6, 2026 (3 months after entry into force). Despite a clear legal obligation and a two-month window, a significant share of the estimated 29,000-30,000 in-scope entities did not register by the deadline. A G DATA survey found that 44% of affected companies were unaware of their NIS2 obligations entirely.","p3":"The registration gap is particularly concerning because registration is a precondition for the BSI's supervisory regime. Unregistered entities are not invisible - they are non-compliant by default. When the BSI begins systematic enforcement (which it has signalled for 2026), unregistered companies face penalties not just for missing cybersecurity measures, but for the registration violation itself - a separate offence under §65 BSIG."},"stats":{"heading":"Registration by the Numbers","description":"Current state of NIS2 registration in Germany based on BSI data and industry surveys.","items":{"estimated":{"value":"~29,000-30,000","label":"Estimated in-scope entities","detail":"BSI's own estimate of entities subject to NIS2 obligations under the NIS2UmsuCG, covering both essential and important entities."},"awareness":{"value":"44%","label":"Unaware of NIS2 obligations","detail":"G DATA survey (2024): 44% of German mid-market companies did not know NIS2 applied to them - before the law even entered into force."},"portalWindow":{"value":"2 months","label":"Registration window","detail":"BSI portal went live January 6, 2026. Registration deadline was March 6, 2026 - a two-month window for ~30,000 entities to register."},"deadline":{"value":"§33 BSIG","label":"Registration legal basis","detail":"Registration is required without undue delay (unverzüglich) after determining that the entity falls within scope. There is no grace period - the obligation is immediate upon the law taking effect."}}},"reasons":{"heading":"Why the Gap Exists","description":"Four structural factors explain why the majority of German NIS2 entities have not registered.","items":{"awareness":{"title":"Lack of awareness","description":"A G DATA survey conducted in 2024 found that 44% of German mid-market companies were unaware that NIS2 applied to them. The scoping criteria - 50+ employees or EUR 10 million turnover in 18 covered sectors - are not self-evident to companies that have never dealt with IT security regulation. Many companies in sectors like waste management, food production, and chemical manufacturing do not think of themselves as 'critical infrastructure'."},"complexity":{"title":"Scoping complexity","description":"Determining whether a company falls under NIS2 requires mapping the business against Annex I and II of the NIS2 Directive (transposed into §28 BSIG). The sector definitions reference NACE codes, turnover thresholds, and employee counts - but edge cases abound. Companies with mixed business lines, partial sector coverage, or group structures face genuine uncertainty about whether they are in scope."},"resources":{"title":"Resource constraints","description":"German Mittelstand companies in the 50-250 employee range typically lack dedicated compliance or information security staff. The person responsible for 'IT' is often also responsible for facilities, procurement, and everything else that involves a computer. NIS2 registration requires understanding regulatory text, classifying the company's sector, and navigating a government portal - tasks that fall outside normal operations."},"uncertainty":{"title":"Legislative uncertainty","description":"The NIS2UmsuCG went through multiple drafts and was delayed several times before final passage. Many companies adopted a 'wait and see' approach, expecting further changes or extended deadlines. This was a rational but incorrect bet - the law passed, the registration obligation is in force, and the BSI is not offering extensions."}}},"consequences":{"heading":"Consequences of Non-Registration","description":"Registration is not just administrative paperwork - failure to register is an independent violation with its own penalties.","items":{"fines":{"title":"Administrative fines","description":"§65 BSIG provides for fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for wichtige Einrichtungen. Non-registration is a separate violation from non-compliance with substantive security measures - meaning companies can face penalties for both."},"liability":{"title":"Management personal liability","description":"Under §38 BSIG, the Geschäftsleitung is personally responsible for ensuring compliance with NIS2 obligations - including registration. A managing director who fails to register the company is in personal breach of their statutory duties, creating exposure for personal liability claims from the company or its shareholders."},"enforcement":{"title":"Enforcement priority","description":"The BSI has indicated that it will prioritize enforcement against entities that have not registered, because non-registration signals complete non-compliance. A company that has registered but is working on measures demonstrates good faith. A company that has not even registered has no defense of ongoing implementation efforts."},"reputation":{"title":"Reputational and commercial impact","description":"NIS2 supply chain requirements (§30(2)(4) BSIG) mean that in-scope companies must assess the cybersecurity posture of their suppliers. An unregistered company cannot demonstrate NIS2 compliance to its customers - potentially losing contracts or being flagged in supply chain audits. This commercial pressure will accelerate as more companies implement supply chain due diligence."}}},"sources":{"heading":"Sources","items":["BSI - NIS2 registration statistics, public statements (2025)","G DATA CyberDefense - NIS2 awareness survey: 44% of mid-market companies unaware of obligations (2024)","G DATA CyberDefense - NIS2 awareness survey among German mid-market companies (2024)","BSIG - §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie (NIS2 Implementation Act)","BMI - Referentenentwürfe and parliamentary documentation for NIS2UmsuCG"]},"ctaCard":{"heading":"Register and Comply - Before the BSI Comes Knocking","description":"The platform walks you through BSI registration requirements and immediately starts building your compliance evidence trail - so you move from unregistered to audit-ready in a structured process."},"cta":"Start Your NIS2 Compliance Process"},"cir":{"meta":{"title":"CIR 2024/2690 - NIS2 Technical Measures","description":"CIR 2024/2690 defines exact technical requirements for NIS2 entities. Published October 2024, it applies directly across all EU member states."},"title":"CIR 2024/2690 Implementation Guide","subtitle":"The EU Implementing Regulation that specifies exactly what technical and methodological measures NIS2 entities must implement - published in the Official Journal on 17 October 2024 and directly applicable across all member states.","overview":{"heading":"What Is CIR 2024/2690?","p1":"Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 was published in the Official Journal of the European Union (OJ L series, 2024/2690). It lays down rules for the application of Directive (EU) 2022/2555 (the NIS2 Directive) with regard to technical and methodological requirements of cybersecurity risk-management measures. Unlike the NIS2 Directive itself, this regulation does not require national transposition - it applies directly in all 27 member states from the date of its entry into force.","p2":"The CIR is the answer to the question every compliance officer asks: 'What exactly do we have to implement?' While §30 BSIG (the German transposition) lists 10 measure areas in broad terms, the CIR Annex breaks these down into specific, auditable technical and methodological requirements. It is the most granular official specification of NIS2 obligations available - more detailed than the Directive itself, more specific than the BSIG, and directly enforceable.","p3":"The regulation was developed in consultation with ENISA and the NIS Cooperation Group, drawing on existing frameworks including ISO/IEC 27001, ETSI EN 319 401, and national standards. It applies specifically to DNS service providers, TLD name registries, cloud computing service providers, ICT service management providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers - though its technical requirements serve as a de facto benchmark for all NIS2 entities."},"scope":{"heading":"Entities Directly Covered","description":"The CIR applies mandatory requirements to the following entity types as defined in Article 1:","items":{"dns":"DNS service providers","tld":"TLD name registries","cloud":"Cloud computing service providers","managed":"ICT service management (managed services) and managed security service providers","marketplaces":"Online marketplace providers","social":"Social networking services platform providers","trust":"Trust service providers"}},"articles":{"heading":"Regulation Structure","description":"The CIR consists of 7 articles defining scope, definitions, and requirements, plus a detailed Annex containing the technical and methodological specifications.","items":{"a2":{"title":"Article 2 - Definitions","description":"Establishes definitions for 'network and information system security', 'significant incident', and other key terms. Aligns terminology with the NIS2 Directive while adding implementation-specific precision."},"a3":{"title":"Article 3 - Significance of incidents","description":"Defines when an incident is 'significant' - the threshold that triggers reporting obligations. An incident is significant if it causes financial loss exceeding EUR 500,000 or 5% of annual turnover, results in exfiltration of trade secrets, causes death or considerable damage to health, or meets entity-specific criteria defined in the Article."},"a4":{"title":"Article 4 - Recurring significant incidents","description":"Specifies that recurring incidents which individually do not meet the significance threshold may be aggregated and treated as a single significant incident if they collectively meet the criteria within a six-month period."},"a5":{"title":"Article 5 - Significant incidents for DNS and TLD registries","description":"Adds specific significance criteria for DNS service providers and TLD registries, including service availability below 99.9% for any period, incorrect DNS response rates, and compromise of integrity or confidentiality of stored domain registration data."},"a6":{"title":"Article 6 - Technical and methodological requirements","description":"The core article - requires covered entities to implement the technical and methodological requirements set out in the Annex. The measures must be 'appropriate and proportionate' to the risks, taking into account the entity's size, exposure, likelihood of incidents, and societal impact."},"a7":{"title":"Article 7 - Entry into force","description":"The regulation entered into force on the twentieth day following its publication in the Official Journal (published 17 October 2024). It applies directly in all member states without requiring national transposition."}}},"measures":{"heading":"The 10 Measure Areas (CIR Annex)","description":"The Annex organises technical and methodological requirements into 10 areas that mirror §30(2) BSIG. Each area contains detailed sub-requirements with specific implementation criteria.","items":{"policies":{"title":"Policy on the security of network and information systems","description":"Requires a documented security policy approved by management, reviewed at least annually, and updated after significant incidents or changes. Must define roles, responsibilities, and the framework for all subsequent measures. Must include a risk acceptance policy and evidence of management commitment."},"risk":{"title":"Risk management","description":"Requires a documented risk assessment methodology, risk identification covering all critical assets and processes, risk analysis with likelihood and impact assessment, risk treatment with documented decisions (accept, mitigate, transfer, avoid), and residual risk acceptance by management. Must be reviewed at planned intervals and after significant changes."},"incidents":{"title":"Incident handling","description":"Requires incident detection, classification, response, and recovery procedures. Must define roles and responsibilities for incident handling, establish communication channels, include post-incident analysis (lessons learned), and maintain incident logs. Detection must include monitoring for anomalies and known indicators of compromise."},"continuity":{"title":"Business continuity and crisis management","description":"Requires business impact analysis, continuity plans for critical services, backup and recovery procedures with tested restore capabilities, and crisis management procedures. Backup integrity must be verified regularly. Recovery time objectives must be defined and tested. Plans must be reviewed after incidents or significant changes."},"supply":{"title":"Supply chain security","description":"Requires a supply chain security policy, assessment of direct suppliers' cybersecurity practices, contractual security requirements for ICT products and services, and monitoring of supplier security posture over the contract lifecycle. Must consider supply chain-specific risks including those arising from the supplier's own supply chain."},"testing":{"title":"Security in acquisition, development, and maintenance","description":"Requires secure development lifecycle for in-house development, security requirements for acquired ICT products and services, configuration management, change management procedures, and security testing (including vulnerability scanning and penetration testing where appropriate). Must cover the full lifecycle from acquisition through decommissioning."},"crypto":{"title":"Cryptography","description":"Requires a policy on the use of cryptography, including selection of cryptographic algorithms and key lengths appropriate to the classification of data, key management procedures (generation, distribution, storage, rotation, revocation, destruction), and periodic review of cryptographic implementations against current best practices and known vulnerabilities."},"access":{"title":"Access control and asset management","description":"Requires an access control policy based on business and security requirements, identity management with unique user identification, access provisioning and de-provisioning procedures, privileged access management, and an asset inventory covering all network and information system components. Access rights must be reviewed at planned intervals."},"mfa":{"title":"Multi-factor authentication and secure communication","description":"Requires multi-factor authentication or continuous authentication for access to critical systems and remote access. Secure communication channels must be established for emergency and fallback scenarios. Voice, video, and text communications used for incident response must be secured against interception."},"communication":{"title":"Cybersecurity awareness and training","description":"Requires regular cybersecurity awareness programmes for all personnel, role-specific training for staff with security responsibilities, and management training on cybersecurity governance. Training must cover the entity's security policies, common threats, incident reporting procedures, and the personnel's specific responsibilities."}}},"relationship":{"heading":"CIR, NIS2 Directive, and BSIG - How They Fit Together","description":"Understanding the legal hierarchy is essential for compliance planning.","p1":"The NIS2 Directive (EU) 2022/2555 is the parent legislation - it establishes the framework, obligations, and enforcement regime at EU level. Member states were required to transpose it into national law by 17 October 2024. Germany's transposition is the NIS2UmsuCG, which amends the BSIG. The BSIG now contains all NIS2 obligations in German law, including §30 (cybersecurity measures) and §32 (incident reporting).","p2":"The CIR 2024/2690 is a directly applicable EU regulation - it does not require transposition and takes precedence over conflicting national provisions. Where the CIR specifies a technical requirement, that requirement applies directly, regardless of whether the BSIG addresses it. For the entity types listed in Article 1, the CIR is the primary compliance standard.","p3":"For entities NOT directly listed in CIR Article 1 but still subject to NIS2 (e.g., energy providers, healthcare, transport), the CIR serves as the most authoritative reference for what 'appropriate and proportionate' measures look like. German courts and the BSI are expected to reference the CIR's technical specifications when evaluating whether a company's measures meet the §30 BSIG standard - even if the CIR does not formally bind those entities."},"sources":{"heading":"Sources","items":["Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 - Official Journal of the European Union, OJ L 2024/2690","EUR-Lex - Full text of CIR 2024/2690 (CELEX: 32024R2690)","Directive (EU) 2022/2555 (NIS2 Directive) - Official Journal of the European Union","ENISA - Technical guidance on NIS2 implementation measures (2024)","secuvera GmbH - Analysis of CIR 2024/2690 requirements and mapping to ISO 27001 (2024)","BSIG - §30 (Risikomanagementmaßnahmen), §32 (Meldepflichten), as amended by NIS2UmsuCG"]},"ctaCard":{"heading":"Implement CIR Requirements Systematically","description":"The platform maps every CIR Annex requirement to structured tasks with evidence uploads, deadline tracking, and management sign-offs - turning a 30-page regulation into actionable compliance steps."},"cta":"Start Your NIS2 Compliance Process"},"isoMapping":{"meta":{"title":"ISO 27001 vs NIS2 - Gap Analysis","description":"ISO 27001 covers about 70% of NIS2 but misses BSI registration, incident timelines, personal liability, and supply chain requirements."},"title":"ISO 27001 to NIS2 Gap Analysis","subtitle":"An ISO 27001 certification covers roughly 70% of NIS2 technical requirements - but the remaining 30% includes the areas with the highest enforcement risk: registration, incident reporting timelines, and management personal liability.","overview":{"heading":"ISO 27001 Is a Head Start, Not a Finish Line","p1":"If your company holds an ISO 27001:2022 certification, you are ahead of most NIS2-affected entities. The ISMS framework, risk assessment methodology, and Annex A controls map well onto the ten cybersecurity measure areas defined in §30(2) BSIG. The BSI has explicitly acknowledged that ISO 27001 certification demonstrates a mature security posture - but it has equally explicitly stated that certification alone does not equal NIS2 compliance.","p2":"The gap exists because NIS2 introduces obligations that ISO 27001 was never designed to address. ISO 27001 is a voluntary management system standard focused on information security within an organisation. NIS2 is a regulatory obligation focused on critical infrastructure resilience with government reporting, personal liability for management, and statutory penalties. These are fundamentally different compliance paradigms - one is about best practice, the other is about legal compliance.","p3":"ENISA's mapping guidance and analyses by DataGuard, secuvera, and the BSI itself consistently identify the same gaps. Understanding where ISO 27001 covers NIS2 - and where it does not - allows certified companies to build on their existing ISMS rather than starting from scratch, while ensuring they do not overlook the regulatory-specific requirements that carry the highest enforcement risk."},"overlap":{"heading":"Where ISO 27001 Already Covers NIS2","description":"These NIS2 requirement areas are substantially addressed by a well-implemented ISO 27001:2022 ISMS.","items":{"risk":{"title":"Risk management (§30(2)(1) BSIG)","detail":"ISO 27001 Clauses 6.1 and 8.2 require risk identification, analysis, evaluation, and treatment - precisely what §30(2)(1) demands. An existing ISMS risk assessment methodology, if properly maintained, meets this requirement. Ensure your risk register covers operational technology and supply chain risks specifically, not just information security risks."},"access":{"title":"Access control (§30(2)(5) BSIG)","detail":"ISO 27001 Annex A.5.15 through A.5.18 and A.8.2 through A.8.5 cover access control policy, user access provisioning, privileged access management, and information access restriction. This maps directly to §30(2)(5) BSIG requirements for access control to network and information systems."},"incident":{"title":"Incident handling (§30(2)(2) BSIG)","detail":"ISO 27001 Annex A.5.24 through A.5.28 cover incident management planning, assessment, response, and learning. The technical incident handling process required by NIS2 is well covered - though the reporting timelines and BSI notification are not part of ISO 27001 (see gaps below)."},"continuity":{"title":"Business continuity (§30(2)(3) BSIG)","detail":"ISO 27001 Annex A.5.29 and A.5.30 address information security during disruption and ICT readiness for business continuity. Combined with a proper BIA and tested recovery procedures, this covers the NIS2 continuity requirements substantially."},"crypto":{"title":"Cryptography (§30(2)(8) BSIG)","detail":"ISO 27001 Annex A.8.24 covers use of cryptography. A mature ISMS includes cryptographic policies, key management procedures, and algorithm selection standards that align with NIS2 cryptography requirements."},"supplier":{"title":"Supplier relationships (§30(2)(4) BSIG - partial)","detail":"ISO 27001 Annex A.5.19 through A.5.23 address information security in supplier relationships, including supplier assessment, service delivery monitoring, and change management. This provides a foundation but NIS2 requires more extensive supply chain due diligence (see gaps)."},"awareness":{"title":"Training and awareness (§30(2)(9) BSIG)","detail":"ISO 27001 Annex A.6.3 covers information security awareness, education, and training. This aligns with the general NIS2 training requirement, though NIS2 adds specific management training obligations under §38 BSIG that go beyond ISO 27001's scope."}}},"gaps":{"heading":"Critical Gaps - What ISO 27001 Does Not Cover","description":"These NIS2 requirements have no equivalent in ISO 27001 and must be addressed separately. They represent the highest enforcement risk for ISO-certified companies.","items":{"registration":{"title":"BSI registration obligation (§33 BSIG)","detail":"ISO 27001 has no concept of government registration. §33 BSIG requires every NIS2 entity to register with the BSI, providing entity information, sector classification, contact details, and IP ranges. This is a standalone regulatory obligation with its own penalty provisions - your ISO certification does not trigger or replace it."},"reporting":{"title":"Incident reporting timelines (§32 BSIG)","detail":"ISO 27001 requires incident response but sets no external reporting timelines. §32 BSIG mandates: early warning to BSI within 24 hours, incident notification within 72 hours, and final report within one month. These are statutory deadlines with separate penalties for non-compliance. Your ISMS incident process must be extended with BSI-specific reporting workflows."},"management":{"title":"Management personal liability (§38 BSIG)","detail":"ISO 27001 requires management commitment and leadership (Clause 5) but creates no personal legal liability. §38 BSIG makes Geschäftsleiter personally liable for failures in cybersecurity governance, including a non-waivable duty to approve measures, oversee implementation, and complete personal cybersecurity training. No ISO control addresses this."},"penalties":{"title":"Statutory penalty framework (§65 BSIG)","detail":"ISO 27001 non-compliance results in loss of certification - a reputational consequence. NIS2 non-compliance under §65 BSIG carries fines of up to EUR 10 million or 2% of global turnover for essential entities. The enforcement mechanism is fundamentally different: government penalties vs. voluntary certification status."},"supply":{"title":"Enhanced supply chain due diligence (§30(2)(4) BSIG)","detail":"While ISO 27001 Annex A.5.19-A.5.23 covers supplier security, NIS2 requires more granular supply chain risk assessment including evaluation of suppliers' own cybersecurity maturity, consideration of supply chain-specific vulnerabilities, and assessment of critical dependencies. The CIR 2024/2690 Annex specifies contractual security requirements and ongoing supplier monitoring that exceed ISO 27001's supplier management controls."},"governance":{"title":"NIS2-specific governance requirements","detail":"NIS2 requires specific governance structures including designated contact points for the BSI (§33 BSIG), participation in sector-specific CSIRTs, and compliance with BSI enforcement orders. These are regulatory governance requirements that sit outside the ISMS scope - they concern the relationship between the entity and government authorities, not internal security management."}}},"mapping":{"heading":"§30(2) BSIG to ISO 27001 Control Mapping","description":"Detailed mapping of each NIS2 measure area to the closest ISO 27001:2022 Annex A controls, with coverage assessment.","headers":{"nis2":"NIS2 / §30(2) BSIG Measure","iso":"ISO 27001:2022 Controls","coverage":"Coverage"},"rows":{"m1":{"nis2":"Risk analysis and security policies","iso":"Clause 6.1, 8.2; A.5.1","coverage":"full","coverageLabel":"Full"},"m2":{"nis2":"Incident handling","iso":"A.5.24-A.5.28","coverage":"partial","coverageLabel":"Partial - no BSI reporting timelines"},"m3":{"nis2":"Business continuity and crisis management","iso":"A.5.29, A.5.30","coverage":"full","coverageLabel":"Full"},"m4":{"nis2":"Supply chain security","iso":"A.5.19-A.5.23","coverage":"partial","coverageLabel":"Partial - enhanced due diligence missing"},"m5":{"nis2":"Security in acquisition, development, maintenance","iso":"A.8.25-A.8.31","coverage":"full","coverageLabel":"Full"},"m6":{"nis2":"Effectiveness evaluation","iso":"Clause 9.1, 9.2, 9.3; A.8.8","coverage":"full","coverageLabel":"Full"},"m7":{"nis2":"Cybersecurity training","iso":"A.6.3","coverage":"partial","coverageLabel":"Partial - §38 management training not covered"},"m8":{"nis2":"Cryptography","iso":"A.8.24","coverage":"full","coverageLabel":"Full"},"m9":{"nis2":"Access control and asset management","iso":"A.5.9-A.5.18; A.8.2-A.8.5","coverage":"full","coverageLabel":"Full"},"m10":{"nis2":"Multi-factor authentication and secure communication","iso":"A.8.5","coverage":"partial","coverageLabel":"Partial - MFA requirement more specific in NIS2"}}},"sources":{"heading":"Sources","items":["ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems","BSIG - §30(2) (Risikomanagementmaßnahmen), §32 (Meldepflichten), §33 (Registrierung), §38 (Geschäftsleitung), §65 (Bußgeldvorschriften)","BSI - Guidance on relationship between ISO 27001 certification and NIS2 compliance","ENISA - NIS2 to ISO 27001 mapping guidance (2024)","DataGuard - ISO 27001 to NIS2 gap analysis and mapping (2024)","CIR (EU) 2024/2690 - Annex technical requirements and ISO 27001 references"]},"ctaCard":{"heading":"Close Your ISO-to-NIS2 Gaps","description":"The platform identifies exactly which NIS2 requirements your ISO 27001 certification already covers and which gaps remain - so you build on existing controls instead of starting from scratch."},"cta":"Start Your NIS2 Compliance Process"},"incidentReporting":{"meta":{"title":"NIS2 Incident Reporting: 24h / 72h / 1 Month Playbook","description":"NIS2 incident reporting under §32 BSIG: early warning in 24 hours, incident notification in 72 hours, final report in 1 month. Criteria, BSI portal, fines."},"title":"NIS2 Incident Reporting Playbook","subtitle":"§32 BSIG transposes Art 23(4) NIS 2: three mandatory reports with fixed deadlines (24h, 72h, 1 month) plus two conditional reports (on request, if the incident is still ongoing). Missing a deadline is a separate violation, independent of the incident itself.","overview":{"heading":"Incident Reporting Under NIS2","p1":"§32 BSIG implements Article 23 of the NIS2 Directive. It establishes a mandatory reporting regime for significant security incidents. Every entity classified as a essential entity or important entity must report to the BSI when an incident meets the significance criteria. The cascade has three mandatory reports with fixed deadlines and two conditional reports, triggered on request or by an ongoing incident. The obligation cannot be delegated to a managed security service provider; the entity itself is responsible for timely reporting.","p2":"The reporting timelines are strict and begin when the entity becomes aware of the incident, not when the investigation is complete. This is a critical distinction: the 24-hour early warning must be submitted based on initial awareness, even if the full scope and impact are unknown. Waiting for complete information before reporting is itself a violation."},"timeline":{"heading":"Reporting Cascade per Art 23(4) NIS 2","description":"Three mandatory stages with fixed deadlines from the moment of awareness, plus up to two conditional reports (intermediate on the authority's request, progress report if the incident is still ongoing on the day the final report is due).","items":{"early":{"title":"Early Warning (Frühwarnung)","deadline":"Within 24 hours","description":"The initial notification to the BSI that a potentially significant incident has been detected. Must be submitted within 24 hours of becoming aware of the incident. The purpose is to enable the BSI to assess cross-sector impact and issue warnings to other entities if necessary.","contents":["Confirmation that a significant incident has occurred or is suspected","Whether the incident is suspected to be caused by unlawful or malicious acts","Whether the incident could have cross-border impact","Entity name, sector, and contact details for follow-up"]},"update":{"title":"Incident Notification (Meldung)","deadline":"Within 72 hours","description":"A more detailed notification updating the early warning with additional information gathered during the initial response. Must be submitted within 72 hours of awareness. Updates the BSI on the incident's nature, severity, and initial impact assessment.","contents":["Updated assessment of the incident's severity and impact","Indicators of compromise (IoCs) where available","Initial assessment of the nature and cause of the incident","Measures taken or planned to mitigate the incident","Cross-border impact assessment if applicable"]},"intermediate":{"title":"Intermediate Report (Zwischenbericht)","deadline":"On request","description":"Submitted on request from the BSI between the 72-hour notification and the final report. Status update on the current state of incident handling. Not automatic; triggered by the authority.","contents":["Current status of containment and remediation","New findings on cause, scope or impact","Adjustments to countermeasures","Updated damage assessment"]},"final":{"title":"Final Report (Abschlussbericht)","deadline":"1 month after the 72h notification","description":"A comprehensive final report submitted within one month of the 72-hour incident notification. Full documentation of the incident and the response.","contents":["Detailed description of the incident, including severity and impact","Root cause analysis - the type of threat or vulnerability that caused the incident","Measures applied and ongoing to mitigate the incident and its effects","Cross-border impact if applicable","Lessons learned and corrective actions planned or implemented"]},"progress":{"title":"Progress Report (Verlaufsbericht)","deadline":"If incident still ongoing","description":"If the incident is not yet resolved by the time the final report is due, the progress report replaces it. The subsequent final report is then due within one month of incident resolution.","contents":["Current status, since the incident is still ongoing","Containment measures implemented so far","Expected duration until incident resolution, where foreseeable","Plan for the eventual final report after incident resolution"]}}},"criteria":{"heading":"What Makes an Incident 'Significant'","description":"Not every security event triggers the §32 BSIG reporting obligation. An incident is significant if it meets one or more of the following criteria, as defined in Article 23(3) NIS2 Directive and specified further in CIR 2024/2690 Article 3.","items":{"disruption":{"title":"Service disruption","description":"The incident has caused or is capable of causing severe operational disruption to the services provided by the entity. For DNS providers and TLD registries, the CIR specifies thresholds including availability below 99.9% or incorrect DNS response delivery."},"financial":{"title":"Financial loss","description":"The incident has caused or is capable of causing financial loss to the entity. CIR 2024/2690 Article 3 specifies a threshold of EUR 500,000 or 5% of annual turnover - whichever is lower. This includes direct costs (remediation, forensics) and indirect costs (revenue loss, contractual penalties)."},"spread":{"title":"Impact on other entities","description":"The incident has caused or could cause considerable damage to other natural or legal persons. This includes incidents that propagate through supply chains, affect shared infrastructure, or expose data belonging to third parties."},"data":{"title":"Data breach","description":"The incident involves unauthorised access to, destruction of, or alteration of data. Note that NIS2 incident reporting under §32 BSIG is separate from and additional to GDPR breach notification under Art. 33/34 GDPR - both obligations may apply simultaneously."},"duration":{"title":"Extended outage","description":"The incident has caused or is expected to cause a prolonged disruption to the entity's services. The duration threshold is not fixed in the Directive but CIR 2024/2690 provides entity-specific criteria. Extended outages affecting critical services are presumed significant."}}},"fields":{"heading":"Required Reporting Fields","description":"The BSI reporting portal requires structured information. Having these fields prepared in advance significantly reduces the risk of missing the 24-hour deadline.","items":{"entity":{"title":"Entity identification","description":"Company name, BSI registration number, sector classification, NACE code, and designated contact point for incident coordination. This information should be pre-configured in your incident response plan - not looked up during a crisis."},"nature":{"title":"Incident nature and classification","description":"Type of incident (ransomware, DDoS, data breach, insider threat, supply chain compromise, etc.), affected systems and services, timeline of events from detection to current state, and initial severity classification."},"impact":{"title":"Impact assessment","description":"Number of affected users or customers, services disrupted, estimated financial impact, data categories affected (if any), and duration of disruption. For the early warning, estimates are acceptable - precision comes in the 72-hour notification and final report."},"crossBorder":{"title":"Cross-border impact","description":"Whether the incident affects or could affect entities or citizens in other EU member states. This triggers information sharing between national CSIRTs and may involve ENISA coordination. Must be assessed in both the early warning and subsequent notifications."},"measures":{"title":"Response measures","description":"Actions taken to contain, eradicate, and recover from the incident. Includes technical measures (isolation, patching, credential rotation), communication measures (customer notification, stakeholder briefing), and organisational measures (crisis team activation, external support engagement)."}}},"where":{"heading":"Where and How to Report","description":"Reporting is exclusively through the BSI's digital reporting portal.","p1":"All incident reports under §32 BSIG must be submitted via the BSI's official reporting portal. The BSI does not accept reports by email, telephone, or letter as a substitute for portal submission - though telephone contact with the BSI's incident response team (CERT-Bund) is appropriate for coordinating response to critical incidents in parallel with the formal report.","p2":"The reporting portal is available at the BSI's website under the NIS2 section. Access requires prior registration under §33 BSIG - which means unregistered entities face a compounded problem: they cannot file incident reports through the proper channel because they have not completed the prerequisite registration. This is another reason why BSI registration must not be delayed."},"penalties":{"heading":"Penalties for Reporting Failures","description":"Non-reporting is penalised independently of the incident itself. A company that suffers an incident and handles it well technically but fails to report faces separate enforcement action.","items":{"essential":{"amount":"Up to EUR 10,000,000 or 2% of turnover","label":"Essential entities","detail":"The higher of EUR 10 million or 2% of worldwide annual turnover of the preceding business year. This applies to essential entities in sectors listed in BSIG Annex 1 (energy, transport, banking, health, water, digital infrastructure, space, public administration)."},"important":{"amount":"Up to EUR 7,000,000 or 1.4% of turnover","label":"Important entities","detail":"The higher of EUR 7 million or 1.4% of worldwide annual turnover. This applies to important entities in sectors listed in BSIG Annex 2 (postal services, waste management, chemicals, food, manufacturing, digital providers, research)."},"management":{"amount":"Personal liability - §38 BSIG","label":"Management (Geschäftsleitung)","detail":"If management was aware of an incident and failed to ensure timely reporting, this constitutes a violation of the oversight duty under §38(1) BSIG. Management can be held personally liable to the company for damages arising from the reporting failure - separate from penalties imposed on the company itself."}}},"sources":{"heading":"Sources","items":["NIS2 Directive (EU) 2022/2555 - Article 23 (Reporting obligations)","BSIG - §32 (Meldepflichten bei erheblichen Sicherheitsvorfällen)","BSIG - §38 (Billigung, Überwachung, Schulung - Geschäftsleitung)","BSIG - §65 (Bußgeldvorschriften)","CIR (EU) 2024/2690 - Article 3 (Significance of incidents), Article 4 (Recurring incidents)","ENISA - Guidance on NIS2 incident reporting obligations and templates (2024)","BSI - NIS2 reporting portal documentation and FAQ"]},"ctaCard":{"heading":"Be Reporting-Ready Before the Incident Hits","description":"The platform pre-configures your BSI reporting fields, maintains an incident register with classification workflows, and tracks the 24h/72h/1-month deadlines - so you meet every obligation under pressure."},"cta":"Start Your NIS2 Compliance Process"},"euImplementation":{"meta":{"title":"NIS2 Across Europe - Status Tracker","description":"NIS2 transposition deadline was October 2024. By 2026, fewer than 8 of 27 EU states had fully transposed. Country-by-country tracker."},"title":"NIS2 Implementation Across Europe","subtitle":"The transposition deadline was 17 October 2024. By early 2026, the majority of EU member states had missed it - triggering infringement proceedings and creating a fragmented compliance landscape across Europe.","overview":{"heading":"A Directive Deadline Missed by Most","p1":"Directive (EU) 2022/2555 - the NIS2 Directive - required all 27 EU member states to transpose its provisions into national law by 17 October 2024. This deadline was explicit, non-negotiable, and established more than two years in advance when the Directive was published on 27 December 2022. Despite this, the vast majority of member states failed to meet it.","p2":"As of March 2026, roughly half of the 27 member states have fully transposed the Directive into national law. Belgium was notably first, enacting its Loi NIS2 in April 2024 - six months before the deadline. Croatia, Hungary, Latvia, and Lithuania were among the early adopters. Italy enacted its national transposition (D.Lgs. 138/2024) in October 2024. Germany followed in late 2025 with the NIS2UmsuCG.","p3":"The European Commission launched infringement proceedings against member states that had not communicated full transposition measures by the deadline. By November 2024, the Commission had sent letters of formal notice to 23 member states. This is not unusual for EU directives - but the scale of non-transposition for a cybersecurity regulation affecting critical infrastructure raised concerns about the EU's collective cyber resilience posture."},"keyStats":{"transposed":{"value":"~6-8","label":"Member states fully transposed by early 2026"},"late":{"value":"23","label":"Member states receiving infringement letters (Nov 2024)"},"deadline":{"value":"17 Oct 2024","label":"Directive transposition deadline"}},"countries":{"heading":"Country-by-Country Implementation Status","description":"Status as of early 2026 based on European Commission transposition tracker, national legislative databases, and Wavestone NIS2 radar analysis.","headers":{"country":"Country","status":"Status","law":"Implementing Law","notes":"Notes"},"rows":{"de":{"country":"Germany","status":"Transposed","statusKey":"done","law":"NIS2UmsuCG (amending BSIG)","notes":"Passed after significant delays (November 2025, over a year late). Amends the BSI-Gesetz (BSIG) with new §§28-65 covering scope, measures, reporting, and penalties. BSI registration portal operational since January 6, 2026."},"at":{"country":"Austria","status":"Transposed","statusKey":"done","law":"NISG 2024 (Netz- und Informationssystemsicherheitsgesetz)","notes":"Austria adopted its NIS2 transposition law in 2024. Closely aligned with the German approach due to shared legal traditions and DACH coordination."},"be":{"country":"Belgium","status":"Transposed","statusKey":"done","law":"Loi NIS2 (April 2024)","notes":"First EU member state to transpose NIS2 - six months before the deadline. CCB (Centre for Cybersecurity Belgium) designated as national authority."},"hr":{"country":"Croatia","status":"Transposed","statusKey":"done","law":"Zakon o kibernetičkoj sigurnosti","notes":"Among the early adopters. National CERT (CERT.hr) and competent sectoral authorities designated."},"hu":{"country":"Hungary","status":"Transposed","statusKey":"done","law":"Government Decree 418/2024","notes":"Transposed through government decree rather than parliamentary legislation. NDGDM designated as national cybersecurity authority."},"it":{"country":"Italy","status":"Transposed","statusKey":"done","law":"D.Lgs. 138/2024","notes":"Decreto Legislativo adopted in October 2024. ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority. Registration portal launched."},"lv":{"country":"Latvia","status":"Transposed","statusKey":"done","law":"Amendments to the National Cyber Security Law","notes":"Transposed by amending existing cybersecurity legislation. CERT.LV continues as national CSIRT."},"lt":{"country":"Lithuania","status":"Transposed","statusKey":"done","law":"Kibernetinio saugumo įstatymas (amended)","notes":"Early adopter. Amendments to existing Cyber Security Law came into force in late 2024."},"fr":{"country":"France","status":"In progress","statusKey":"partial","law":"Projet de loi NIS2 (pending)","notes":"ANSSI published draft transposition text. Parliamentary process delayed by political instability in late 2024. Expected completion in 2026. ANSSI acting as de facto authority in the interim."},"nl":{"country":"Netherlands","status":"In progress","statusKey":"partial","law":"Cyberbeveiligingswet (Cbw) - in legislative process","notes":"Draft Cybersecurity Act (Cbw) published. Senate review ongoing as of early 2026. NCSC-NL designated as CSIRT, with sectoral authorities for specific sectors."},"pl":{"country":"Poland","status":"In progress","statusKey":"partial","law":"Amendment to KSC (Krajowy System Cyberbezpieczeństwa)","notes":"Draft amendments to the National Cybersecurity System Act published. Multiple rounds of public consultation. Delayed by scope discussions around public administration entities."},"es":{"country":"Spain","status":"In progress","statusKey":"partial","law":"Anteproyecto de Ley NIS2","notes":"Preliminary draft published. CCN-CERT and INCIBE share cybersecurity authority responsibilities. Legislative timeline uncertain as of early 2026."},"se":{"country":"Sweden","status":"In progress","statusKey":"partial","law":"Cybersäkerhetslagen (proposed)","notes":"Government inquiry (SOU) completed. Draft legislation under review. MSB (Myndigheten för samhällsskydd och beredskap) designated as coordinating authority."}}},"germany":{"heading":"Germany's Transposition - The BSIG Amendments","description":"Germany's NIS2 transposition went through a protracted legislative process before final passage.","p1":"Germany transposed NIS2 through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which amends the existing BSI-Gesetz (BSIG). The legislative process was delayed multiple times - the initial drafts circulated in mid-2023, but the law did not pass through the Bundestag (13 November 2025) and Bundesrat (21 November 2025) until over a year after the original October 2024 deadline.","p2":"The amended BSIG introduces a comprehensive NIS2 regime: §28 defines scope (essential and important entities), §30 establishes the 10 cybersecurity measure areas, §32 implements incident reporting with the three-stage timeline, §33 creates the BSI registration obligation, §38 introduces management personal liability, and §65 defines the penalty framework. The BSI serves as the national competent authority and CSIRT.","p3":"The BSI registration portal went live on January 6, 2026, enabling entities to fulfill their §33 registration obligation. The registration deadline passed on March 6, 2026. The BSI has published sector-specific guidance documents and FAQs, and has begun outreach to entities that may be in scope but have not registered. Enforcement - including periodic audits and on-site inspections for essential entities - is now active."},"challenges":{"heading":"Cross-Border Compliance Challenges","description":"The fragmented transposition creates practical challenges for companies operating across multiple EU member states.","items":{"fragmentation":{"title":"Regulatory fragmentation","description":"Companies operating in multiple member states face different national implementations of the same Directive. While the core obligations are harmonised, member states have exercised discretion on scope (which sub-sectors to include), penalty levels (within the Directive's minimum thresholds), and supervisory approaches. A company present in Germany, France, and the Netherlands may face three different regulatory timelines and registration procedures."},"definitions":{"title":"Divergent scope definitions","description":"The NIS2 Directive allows member states to extend scope beyond the minimum. Some countries (notably Belgium) have applied NIS2 to additional sectors. Others have applied different size thresholds or included public administration entities at varying levels. This makes pan-European scope assessment challenging - a company in scope in one country may not be in another."},"reporting":{"title":"Multiple reporting channels","description":"An incident at a company with operations in multiple member states may trigger reporting obligations in each country where the affected services are provided. Each national CSIRT has its own portal and procedures. While ENISA coordinates cross-border incident sharing, the entity must file with each relevant national authority independently."},"enforcement":{"title":"Uneven enforcement maturity","description":"Countries that transposed early (Belgium, Croatia, Hungary) have a head start in building supervisory capacity. Countries still in the legislative process have no functioning enforcement regime. This creates an uneven playing field - and a risk that enforcement will be concentrated in the most mature jurisdictions, creating compliance pressure based on geography rather than risk."}}},"sources":{"heading":"Sources","items":["Directive (EU) 2022/2555 - NIS2 Directive, Official Journal of the European Union (27 December 2022)","European Commission - NIS2 transposition tracker and infringement proceedings updates (2024-2025)","Wavestone - NIS2 Transposition Radar: country-by-country implementation status (2025)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit (Germany)","Loi NIS2 - Belgian NIS2 transposition law (April 2024)","D.Lgs. 138/2024 - Italian NIS2 transposition decree","ENISA - NIS2 implementation overview and cross-border coordination guidance (2025)","BMI/BSI - Parliamentary documentation and guidance on NIS2UmsuCG implementation"]},"relatedArticle":{"heading":"Operating in multiple EU countries?","description":"If your company has legal entities in more than one EU member state, you must register with each country's national authority separately. Read our guide covering all 28 authorities.","cta":"Read: NIS2 registration across multiple EU countries"},"ctaCard":{"heading":"Comply Where It Matters - Starting with Germany","description":"The platform implements the full BSIG requirement set - Germany's NIS2 transposition - with structured requirements, evidence management, and audit readiness. Built for German law, applicable across the EU."},"cta":"Start Your NIS2 Compliance Process"},"missedRegistration":{"meta":{"title":"Missed BSI NIS2 Registration? Immediate Steps","description":"Missed the NIS2 BSI registration deadline? 18,000 companies are in the same boat. Portal still open — register now, document, avoid €500K fines. Step-by-step."},"title":"You Missed the BSI Registration Deadline. Now What?","subtitle":"About 18,000 German companies missed the §33 BSIG registration deadline. The BSI portal is still open. Here is what matters now - and what actually happens if you act quickly.","shortAnswer":{"heading":"The Short Answer","p1":"Don't panic. You are not alone - and you are not too late to fix this. The BSI estimated that roughly 30,000 entities fall under NIS2 in Germany. The registration deadline passed on March 6, 2026, but a significant number of companies have still not registered. You are far from the only one in this position.","p2":"The registration portal under §33 BSIG is still open. You can register today. The BSI has signaled that it will prioritize enforcement against companies that ignore their obligations entirely - not against those who registered late but are acting in good faith. Late is better than never, and 'never' is the only truly dangerous option.","p3":"The key is to act now, document that you started, and begin the actual compliance work. A late registration with visible progress looks fundamentally different to a regulator than no registration at all."},"steps":{"heading":"Five Steps to Get Back on Track","description":"Follow this order. Each step builds on the previous one, and together they create a documented trail that shows the BSI you are taking compliance seriously.","items":{"check":{"title":"1. Confirm you are actually in scope","description":"Before you register, verify that NIS2 applies to your company. The criteria are in §28 BSIG: you need to operate in one of 18 listed sectors AND meet the size threshold (50+ employees or €10M+ annual revenue). If you are unsure, check the BSI's sector lists in Annex I and Annex II of the NIS2 Directive. Many companies assume they are out of scope when they are not - and vice versa. If you are genuinely uncertain, get a legal opinion before registering, but do not use uncertainty as an excuse to delay."},"register":{"title":"2. Register via the BSI portal immediately","description":"Go to the BSI's NIS2 registration portal and complete your registration under §33 BSIG. You will need: your company details, sector classification, contact person for cybersecurity matters, and IP address ranges for your critical systems. The registration itself takes about 30 minutes if you have your information ready. Do this today - every day you wait adds to the gap between the deadline and your registration date."},"document":{"title":"3. Document that you have started","description":"Create a written record - even a simple internal memo - that documents when you became aware of your NIS2 obligations, when you registered, and what steps you are taking. This creates a paper trail that demonstrates good faith. If the BSI ever asks why you were late, 'we identified the obligation, registered immediately, and began compliance work on [date]' is a strong answer."},"implement":{"title":"4. Begin actual compliance work","description":"Registration is just the first step - §30 BSIG requires you to implement cybersecurity risk management measures. Start with the foundations: asset inventory, risk assessment methodology, and incident reporting procedures. You do not need to be fully compliant overnight, but you need to be visibly working toward it. The BSI will look at trajectory, not just current state."},"legal":{"title":"5. Consider legal counsel if scope is unclear","description":"If your company sits near the threshold (close to 50 employees or €10M revenue), operates in a sector that could be interpreted multiple ways, or has a complex corporate structure, consult a lawyer specializing in IT regulation. The cost of a legal opinion (€2,000-5,000) is trivial compared to the cost of either non-compliance or unnecessary compliance. Some industry associations (like Bitkom or BDI) also offer NIS2 scope guidance for members."}}},"risks":{"heading":"What Are the Actual Risks of Late Registration?","description":"Being honest about the risks helps you make proportionate decisions. The consequences are real but not catastrophic - if you act now.","items":{"fines":{"title":"Administrative fines","description":"§65 BSIG provides for fines of up to €500,000 specifically for registration violations. In practice, the BSI has limited enforcement capacity and is focused on getting companies into the system, not punishing stragglers. A company that registers late and demonstrates active compliance efforts is unlikely to face the maximum penalty. A company that never registers is a different story."},"orders":{"title":"Compliance orders","description":"The BSI can issue binding compliance orders requiring you to register and implement specific measures within a set timeframe. Non-compliance with such an order escalates the legal situation significantly. Registering proactively - even late - avoids this escalation path entirely."},"liability":{"title":"Management personal liability","description":"§38 BSIG makes the Geschäftsführung personally liable for ensuring NIS2 compliance. If your company is in scope and you - as management - knowingly delayed registration, this creates personal exposure. The liability cannot be waived by shareholder resolution. Documenting that you acted as soon as you became aware is important protection."},"audit":{"title":"Increased scrutiny in future audits","description":"For essential entities, the BSI conducts periodic audits. A late registration will be visible in your compliance timeline. However, a well-documented catch-up process that shows systematic improvement is viewed very differently from a pattern of neglect. Auditors assess trajectory, not just the starting point."}}},"context":{"heading":"Why So Many Companies Missed the Deadline","p1":"The NIS2 registration gap is not primarily caused by negligence. The German legislative process was delayed repeatedly - the NIS2UmsuCG passed months after the original EU transposition deadline. Many companies reasonably waited for the German law to be finalized before taking action. Others were unaware they fell in scope because the sector definitions expanded dramatically compared to the old KRITIS regime.","p2":"The BSI itself acknowledged the scale of the registration gap publicly. The agency has taken a pragmatic stance: the priority is getting all 30,000 entities registered and into the compliance system, not punishing the first wave of late registrants. This pragmatism has limits - it applies to companies that are actively working toward compliance, not to those using the BSI's patience as an excuse to do nothing."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is the BSI registration portal still open?","a":"Yes. The §33 BSIG registration portal remains open. There is no deadline after which you can no longer register - the obligation is ongoing. The deadline was when you should have registered, not when you could. Register now."},"q2":{"q":"What is the fine for late registration?","a":"§65 BSIG provides for fines of up to €500,000 for registration violations. However, fines are assessed on a case-by-case basis considering the severity, duration, and whether the company acted in good faith. A company that registers a few months late and shows active compliance efforts faces a very different risk profile than one that ignores the obligation entirely."},"q3":{"q":"Does late registration affect my other NIS2 obligations?","a":"No. Your obligations under §30 BSIG (cybersecurity measures), §32 (incident reporting), and §38 (management liability) exist independently of whether you have registered. Registration does not create the obligations - it fulfills one of them. The other obligations apply from the moment you meet the scope criteria, regardless of registration status."},"q4":{"q":"Can I register if I am not sure we are in scope?","a":"Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences - the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register."},"q5":{"q":"What if we registered but have not started compliance work?","a":"Registration without compliance work is like filing a tax return but not paying the tax - you fulfilled one obligation but not the substantive ones. Start with §30 BSIG measures now: asset inventory, risk assessment, incident reporting procedures. The BSI expects registered entities to be actively working toward compliance, not just sitting on a registration number."}},"sources":{"heading":"Sources","items":["BSI - NIS2 registration statistics and public statements on enforcement approach (2025)","G DATA CyberDefense - NIS2 awareness survey: 44% of mid-market companies unaware of obligations (2024)","BSIG - §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit","BMI - Parliamentary documentation and guidance on NIS2UmsuCG implementation"]},"ctaCard":{"heading":"Register, Then Build Your Compliance Trail","description":"The platform guides you from registration through full §30 BSIG compliance - creating the documented evidence trail that shows the BSI you are taking this seriously."},"cta":"Start Your NIS2 Compliance Process"},"kritisComparison":{"meta":{"title":"NIS2 vs KRITIS - What Changed","description":"NIS2 extends KRITIS from 2,000 to 30,000 companies with new sectors, personal liability, and tighter reporting. What changed and what stayed."},"title":"NIS2 vs KRITIS: What Actually Changed","subtitle":"NIS2 does not replace KRITIS - it extends it dramatically. From roughly 2,000 operators to about 30,000 entities, seven new sectors, personal management liability, and tighter reporting deadlines.","overview":{"heading":"KRITIS Was the Warm-Up. NIS2 Is the Main Event.","p1":"If your company was already classified as KRITIS (Kritische Infrastruktur) under the old BSI-KritisV regime, you know what cybersecurity regulation looks like. You have dealt with BSI audits, incident reporting, and IT security measures. The good news: your existing work is not wasted. The challenging news: NIS2 raises the bar, broadens the scope, and adds obligations that did not exist before.","p2":"If your company was NOT previously KRITIS, this is likely your first encounter with mandatory cybersecurity regulation. NIS2 - transposed into German law through the amended BSIG - brings roughly 28,000 additional companies into the regulatory perimeter. Many of these companies have never reported an incident to a government agency, never been audited for IT security, and never thought of cybersecurity as a legal compliance topic."},"table":{"heading":"Side-by-Side Comparison","description":"How KRITIS and NIS2/BSIG differ across the eight areas that matter most for compliance planning.","headers":{"aspect":"Aspect","kritis":"KRITIS (BSI-KritisV)","nis2":"NIS2 / BSIG (new)"},"rows":{"scope":{"aspect":"Scope","kritis":"Approximately 2,000 operators of critical infrastructure in 10 sectors, identified by exceeding specific threshold values (e.g., 500,000 people served)","nis2":"Approximately 30,000 entities across 18 sectors, using a simple size threshold: 50+ employees or €10M+ annual revenue. Includes both 'essential' and 'important' categories"},"threshold":{"aspect":"Threshold model","kritis":"Sector-specific quantitative thresholds (e.g., 500,000 supplied persons for energy, 500,000 residents for water). Complex to calculate, many borderline cases","nis2":"Uniform size criteria: medium enterprise (50+ employees or €10M+ revenue) across all sectors. Much simpler to determine. Some sectors have additional criteria regardless of size"},"registration":{"aspect":"Registration","kritis":"Self-declaration to BSI with optional verification. No formal registration portal for most KRITIS operators initially","nis2":"Mandatory registration via BSI portal under §33 BSIG. Must provide entity details, sector classification, contact person, and IP ranges. Separate penalty provision for non-registration"},"reporting":{"aspect":"Incident reporting","kritis":"Significant incidents reported to BSI without strict timeline in earlier regulations. Later tightened but less structured than NIS2","nis2":"Three-stage mandatory reporting under §32 BSIG: early warning within 24 hours, incident notification within 72 hours, final report within one month. Each stage has defined content requirements"},"penalties":{"aspect":"Penalties","kritis":"Fines up to €100,000 for some violations. Limited enforcement in practice. Penalties rarely applied publicly","nis2":"Fines up to €10M or 2% of global annual turnover for essential entities, up to €7M or 1.4% for important entities. Separate fines for registration and reporting violations. Modeled on GDPR penalty structure"},"liability":{"aspect":"Management liability","kritis":"No specific personal liability provision for management. General corporate law duties applied","nis2":"§38 BSIG introduces explicit personal liability for Geschäftsführung. Management must approve cybersecurity measures, undergo training, and can be held personally liable for damages. Cannot be waived by shareholder resolution"},"audit":{"aspect":"Audit requirements","kritis":"Biennial evidence submission (§8a BSIG old). Primarily self-audit with BSI review of submitted evidence","nis2":"Essential entities: BSI can conduct proactive audits and on-site inspections. Important entities: reactive supervision (audits triggered by incidents or evidence of non-compliance). BSI has broader enforcement powers including binding instructions"},"supply":{"aspect":"Supply chain security","kritis":"Not a specific regulatory requirement under old KRITIS regime. Companies managed supplier risk on their own terms","nis2":"§30(2)(4) BSIG mandates supply chain security measures. Must assess supplier cybersecurity, include security requirements in contracts, and monitor supplier posture throughout the relationship. Applies to all in-scope entities"}}},"newSectors":{"heading":"Seven Newly In-Scope Sectors","description":"These sectors were not covered by the old KRITIS regime. Companies in these industries are dealing with mandatory cybersecurity regulation for the first time.","items":{"waste":{"title":"Waste management","detail":"Collection, treatment, and disposal of waste. Covered under NIS2 Annex II. Includes municipal waste services, hazardous waste processors, and recycling operations. Most waste companies have never dealt with cybersecurity regulation."},"food":{"title":"Food production and distribution","detail":"Food manufacturing, processing, and wholesale distribution. Covered under NIS2 Annex II. This extends beyond the retail food chain to include production facilities, cold chain logistics, and food safety systems."},"manufacturing":{"title":"Manufacturing of critical products","detail":"Manufacturing of medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, and other transport equipment. Covered under NIS2 Annex II. A significant number of German Mittelstand companies fall into this category."},"postal":{"title":"Postal and courier services","detail":"Postal service providers and courier companies. Covered under NIS2 Annex II. Includes parcel delivery services, mail sorting operations, and logistics platforms that support last-mile delivery."},"chemicals":{"title":"Chemical production and distribution","detail":"Manufacturing, production, and distribution of chemicals. Covered under NIS2 Annex II. Overlaps significantly with existing safety regulation (Störfallverordnung) but adds cybersecurity-specific obligations."},"research":{"title":"Research organizations","detail":"Research institutions whose primary purpose is to carry out applied research or experimental development. Covered under NIS2 Annex II. Includes Fraunhofer institutes, Helmholtz centers, and private research organizations above the size threshold."},"digital":{"title":"Digital infrastructure and services","detail":"Expanded scope for digital providers: managed service providers, managed security service providers, online marketplaces, search engines, social networks, and data centers. Some were partially covered before - NIS2 broadens and clarifies the definitions significantly."}}},"unchanged":{"heading":"What Stayed the Same","items":["The BSI remains the central competent authority and national CSIRT for Germany","IT-Grundschutz remains the recommended methodology for implementing security measures (§44(2) BSIG)","The fundamental principle of 'appropriate and proportionate' measures - you must implement what is reasonable for your size and risk profile, not everything theoretically possible","The requirement to maintain an information security management system (ISMS) in some form - whether formally certified or structured around Grundschutz"]},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We were already KRITIS - do we still need to do something new?","a":"Yes. Even if you were a fully compliant KRITIS operator, NIS2 adds new obligations: mandatory BSI registration via the §33 portal (if not already done), tighter incident reporting timelines (24h/72h/1 month cascade), explicit management liability under §38, and mandatory supply chain security measures. Your existing security measures likely cover most of the technical requirements, but the regulatory and governance obligations are new."},"q2":{"q":"What are the new sectors that were not in KRITIS?","a":"Seven sectors are newly in scope under NIS2 that were not covered by the old KRITIS regime: waste management, food production and distribution, manufacturing of critical products, postal and courier services, chemical production and distribution, research organizations, and expanded digital infrastructure and services. Companies in these sectors are dealing with mandatory cybersecurity regulation for the first time."},"q3":{"q":"Is NIS2 just KRITIS with a different name?","a":"No. NIS2 is a fundamentally broader and deeper regulatory regime. KRITIS covered approximately 2,000 operators with high thresholds. NIS2 covers approximately 30,000 entities with much lower thresholds. NIS2 adds personal management liability, mandatory registration, structured incident reporting timelines, supply chain obligations, and significantly higher penalties. Think of KRITIS as the pilot program - NIS2 is the full rollout."},"q4":{"q":"What is the biggest practical difference for companies?","a":"Management personal liability under §38 BSIG. Under KRITIS, cybersecurity was an IT department problem. Under NIS2, the Geschäftsführung is personally responsible for approving and overseeing cybersecurity measures, must undergo cybersecurity training, and can be held liable for damages resulting from non-compliance. This liability cannot be waived, even by shareholder resolution. This changes cybersecurity from an IT budget line to a board-level governance issue."}},"sources":{"heading":"Sources","items":["Directive (EU) 2022/2555 - NIS2 Directive, Annex I and Annex II (sector definitions)","BSIG - §28 (Scope and entity definitions), §30 (Cybersecurity measures), §32 (Incident reporting), §33 (Registration), §38 (Management liability), §65 (Penalties)","BSI-KritisV - Verordnung zur Bestimmung Kritischer Infrastrukturen (previous KRITIS threshold regulation)","BSI - NIS2 scope guidance and sector classification documentation (2025)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit"]},"ctaCard":{"heading":"From KRITIS to NIS2 - Close the Gaps","description":"The platform covers all NIS2/BSIG requirements, including the obligations that are new compared to the old KRITIS regime: registration tracking, management sign-offs, supply chain documentation, and the structured incident reporting cascade."},"cta":"Start Your NIS2 Compliance Process"},"glossary":{"meta":{"title":"NIS2 Glossary - Key Terms Explained","description":"Every NIS2 and BSIG term explained in plain language. From Wesentliche Einrichtung to CSIRT - what the terms actually mean for your company."},"title":"NIS2 Terminology Glossary","subtitle":"Every term you will encounter during NIS2 compliance, explained in plain language. No jargon, no legalese - just what each term means and why it matters for your company.","intro":"NIS2 compliance comes with its own vocabulary - a mix of EU legal terminology, German administrative law, and cybersecurity jargon. This glossary explains each term the way you need to understand it: what it means in practice, not just what the letters stand for. Where a term has a commonly used German equivalent from the BSIG, we include it.","terms":{"wesentlicheEinrichtung":{"term":"Essential Entity","definition":"Companies in high-criticality sectors (Annex I of NIS2) above the size threshold. In Germany, these face the strictest requirements and highest penalties under §28 BSIG. Think: energy, transport, banking, health, water, digital infrastructure. Essential entities are subject to proactive BSI audits - the BSI can inspect you without a specific trigger.","german":"Besonders wichtige Einrichtung","legalRef":"§28(1) BSIG, NIS2 Directive Art. 3(1)"},"wichtigeEinrichtung":{"term":"Important Entity","definition":"Companies in other in-scope sectors (Annex II of NIS2) above the size threshold. Same core obligations as essential entities, but lower maximum penalties and reactive rather than proactive supervision - the BSI investigates if something goes wrong, not on a routine schedule. Think: waste, food, manufacturing, postal, chemicals, research.","german":"Wichtige Einrichtung","legalRef":"§28(2) BSIG, NIS2 Directive Art. 3(2)"},"bsig":{"term":"BSIG (BSI-Gesetz)","definition":"The German federal law governing the BSI (Federal Office for Information Security) and cybersecurity obligations. The NIS2UmsuCG amended the BSIG to include all NIS2 requirements. When someone says 'NIS2 compliance in Germany,' they mean compliance with the amended BSIG. This is the law that applies to you - not the NIS2 Directive itself.","german":"Gesetz über das Bundesamt für Sicherheit in der Informationstechnik","legalRef":"BSIG as amended by NIS2UmsuCG"},"nis2Directive":{"term":"NIS2 Directive","definition":"The EU-level legislation (Directive 2022/2555) that required all member states to implement cybersecurity regulation for critical and important entities. It sets the minimum requirements - each country then transposed it into national law. In Germany, this became the amended BSIG. You do not comply with the Directive directly; you comply with the BSIG.","legalRef":"Directive (EU) 2022/2555"},"cir2024":{"term":"CIR 2024/2690","definition":"The EU Implementing Regulation that specifies the exact technical and methodological requirements for NIS2 entities. Unlike the Directive, this applies directly in all member states without transposition. It details what 'appropriate cybersecurity measures' actually means in practice - think of it as the technical rulebook that fills in the details the Directive left open.","legalRef":"Commission Implementing Regulation (EU) 2024/2690"},"bsiRegistration":{"term":"BSI Registration","definition":"The mandatory registration of in-scope entities with the BSI via its online portal. Required by §33 BSIG with its own penalty provision. You provide your company details, sector classification, a cybersecurity contact person, and IP address ranges. This is a standalone legal obligation - completing it does not satisfy your other NIS2 requirements, but not completing it is its own violation.","german":"BSI-Registrierung","legalRef":"§33 BSIG"},"significantIncident":{"term":"Significant Incident","definition":"A cybersecurity event that actually disrupts your service, causes financial damage, or could spread to others. Not every phishing email - only events that cross specific severity thresholds trigger the mandatory BSI reporting cascade. The CIR 2024/2690 defines concrete thresholds: financial loss exceeding €500,000 or 5% of turnover, data exfiltration of trade secrets, or health impact.","german":"Erheblicher Sicherheitsvorfall","legalRef":"§32 BSIG, CIR 2024/2690 Art. 3"},"riskManagement":{"term":"Risk Management Measures","definition":"The ten categories of cybersecurity measures that all NIS2 entities must implement under §30 BSIG. These range from risk assessment and incident handling to supply chain security and cryptography. They must be 'appropriate and proportionate' to your size and risk profile - a 50-person waste company is not expected to implement the same controls as Deutsche Telekom.","german":"Risikomanagementmaßnahmen","legalRef":"§30(2) BSIG"},"supplyChainSecurity":{"term":"Supply Chain Security","definition":"The requirement to assess and manage cybersecurity risks in your supply chain - especially IT service providers, cloud providers, and any supplier with access to your systems or data. You must include security requirements in contracts, assess supplier practices, and monitor them over time. This is new compared to the old KRITIS regime.","german":"Sicherheit der Lieferkette","legalRef":"§30(2)(4) BSIG"},"managementLiability":{"term":"Management Liability","definition":"The personal liability of company management (Geschäftsführung) for NIS2 compliance under §38 BSIG. Management must approve cybersecurity measures, ensure their implementation, undergo cybersecurity training, and can be held personally liable for resulting damages. This liability cannot be waived - not even by shareholder resolution. This is the provision that moves cybersecurity from the IT department to the boardroom.","german":"Leitungsverantwortung","legalRef":"§38 BSIG"},"itGrundschutz":{"term":"IT-Grundschutz","definition":"The BSI's own cybersecurity methodology - a comprehensive framework of security modules (Bausteine) with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. Since the BSI both publishes Grundschutz and enforces NIS2, using their methodology means you are audited against a standard the auditor knows inside out.","german":"IT-Grundschutz","legalRef":"§44(2) BSIG, BSI-Standards 200-1 through 200-4"},"auditTrail":{"term":"Audit Trail","definition":"A chronological record of who did what, when, and why in your compliance process. NIS2 requires evidence that measures are not just documented but actually implemented and maintained. An audit trail shows the BSI auditor that your policies are living documents, not shelf-ware - who approved a measure, when it was last reviewed, what changed."},"mfa":{"term":"Multi-Factor Authentication (MFA)","definition":"Authentication that requires two or more verification factors - typically something you know (password) and something you have (phone, hardware key). §30(2)(10) BSIG requires MFA for remote access, administrative access, and access to critical systems. If you are not already using MFA on your VPN, admin accounts, and email, this is one of the most concrete technical requirements to implement.","legalRef":"§30(2)(10) BSIG"},"section30":{"term":"§30 BSIG - Cybersecurity Measures","definition":"The central provision of NIS2 in German law. Lists ten categories of cybersecurity risk management measures that all in-scope entities must implement. Covers risk assessment, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, training, cryptography, access control, and multi-factor authentication. The measures must be 'appropriate and proportionate' - not gold-plated, but genuine.","legalRef":"§30 BSIG"},"section32":{"term":"§32 BSIG - Incident Reporting","definition":"The mandatory three-stage incident reporting cascade. When a significant incident occurs: early warning to the BSI within 24 hours, detailed incident notification within 72 hours, final report within one month. Each stage has specific content requirements. Late or missing reports are separate violations with their own penalty provisions.","german":"Meldepflichten","legalRef":"§32 BSIG"},"section33":{"term":"§33 BSIG - Registration Obligation","definition":"The legal obligation for all in-scope entities to register with the BSI. You provide entity information, sector classification, cybersecurity contact details, and IP address ranges. Non-registration is a standalone violation punishable by fines up to €500,000 - separate from any penalties for failing to implement actual security measures.","german":"Registrierungspflicht","legalRef":"§33 BSIG"},"section38":{"term":"§38 BSIG - Management Responsibility","definition":"The provision that makes company management personally liable for NIS2 compliance. The Geschäftsführung must approve risk management measures, oversee their implementation, and complete cybersecurity training. Failure creates personal liability for damages - and this liability cannot be waived by shareholders. This is the paragraph that gets managing directors' attention.","german":"Billigung von Risikomanagementmaßnahmen","legalRef":"§38 BSIG"},"annex1":{"term":"NIS2 Annex I - High-Criticality Sectors","definition":"The list of sectors whose entities are classified as 'essential' (essential entities) when they meet the size threshold. Includes: energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.","legalRef":"NIS2 Directive Annex I, §28(1) BSIG"},"annex2":{"term":"NIS2 Annex II - Other Critical Sectors","definition":"The list of sectors whose entities are classified as 'important' (wichtige Einrichtungen) when they meet the size threshold. Includes: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.","legalRef":"NIS2 Directive Annex II, §28(2) BSIG"},"csirt":{"term":"CSIRT (Computer Security Incident Response Team)","definition":"The national team responsible for receiving and responding to cybersecurity incident reports. In Germany, the BSI serves as the national CSIRT. When you report a significant incident under §32 BSIG, the BSI-CSIRT receives and processes your report. They can also provide technical assistance during incident response - they are not just a mailbox, but an operational resource.","german":"Computer-Notfallteam","legalRef":"NIS2 Directive Art. 10, §32 BSIG"},"kritis":{"term":"KRITIS (Critical Infrastructure)","definition":"Operators of critical facilities that exceed the thresholds defined in the BSI-KritisV regulation (typically 500,000 people served). KRITIS operators are automatically classified as essential entities and face additional obligations beyond standard NIS2: triennial evidence audits, mandatory attack detection systems, and stricter incident reporting deadlines.","german":"Kritische Infrastrukturen","legalRef":"BSI-KritisV, §28 BSIG"},"nis2umsucg":{"term":"NIS2UmsuCG","definition":"The NIS-2 Implementation and Cybersecurity Strengthening Act - Germany's national transposition of the NIS2 Directive. Adopted on 13 November 2025 and in force since 6 December 2025. It substantially amends the BSIG and brings all NIS2 obligations into German law. When German law refers to 'NIS2 compliance,' it means compliance with the BSIG as amended by NIS2UmsuCG.","german":"NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz","legalRef":"NIS2UmsuCG (BGBl. 2025)"},"naceCode":{"term":"NACE Code","definition":"The Statistical Classification of Economic Activities in the European Community (Nomenclature statistique des Activités économiques dans la Communauté Européenne). NIS2 and the BSIG use NACE codes to define which sectors and economic activities fall in scope. Your company's NACE code is the first thing the BSI checks when assessing applicability.","german":"NACE-Code","legalRef":"Regulation (EC) 1893/2006"},"muk":{"term":"MUK (Mein Unternehmenskonto)","definition":"Germany's central business account for federal administration services, authenticated via ELSTER certificates. A prerequisite for BSI registration: companies must first create a MUK account, then access the BSI registration portal through it. If you do not yet have a MUK account, you cannot register with the BSI - this is the first practical step before any compliance work begins.","german":"Mein Unternehmenskonto","legalRef":"OZG, ELSTER"}},"sources":{"heading":"Sources","items":["BSIG - Act on the Federal Office for Information Security (as amended by NIS2UmsuCG)","NIS2 Directive (EU) 2022/2555 - Official Journal of the European Union","Commission Implementing Regulation (EU) 2024/2690 - Official Journal of the European Union","BSI - IT-Grundschutz Standards BSI-200-1 through BSI-200-4","BSI - IT-Grundschutz Kompendium (current edition)"]},"ctaCard":{"heading":"From glossary to implementation","description":"The platform turns every term in this glossary into practice: registration, risk management, incident reporting, and audit trail - structured around the 49 BSIG requirements."},"cta":"Start NIS2 compliance"},"sectorWaste":{"meta":{"title":"NIS2 for Waste Management","description":"Waste management is newly in NIS2 scope (Annex II). Guide for waste companies with 50+ employees: legal requirements, assets, and first steps."},"title":"NIS2 for Waste Management Companies","subtitle":"Your sector is newly in scope under NIS2 Annex II. If your waste management company has 50+ employees or €10M+ revenue, this is your practical guide to what the law requires and where to start.","badge":"Annex II - Important Entity","why":{"heading":"Why Does NIS2 Apply to Waste Companies?","p1":"Waste management was added to NIS2 because modern waste operations depend heavily on IT systems. Fleet management, route optimization, weighbridge systems, sorting plant controls, billing, and regulatory reporting all run on networked software. A ransomware attack that takes down a waste company's fleet management system does not just stop trucks - it creates a public health risk. Uncollected waste in a city of 200,000 people becomes a crisis within days.","p2":"The EU classified waste management under Annex II of the NIS2 Directive, which means waste companies meeting the size threshold (50+ employees or €10M+ annual revenue) are categorized as 'important entities' (wichtige Einrichtungen) under §28(2) BSIG. This means the full range of NIS2 obligations applies: BSI registration, cybersecurity risk management measures, incident reporting, supply chain security, and management liability.","p3":"Most waste companies have never dealt with cybersecurity regulation before. This is not a criticism - until NIS2, there was no legal reason to. But it does mean there is a steeper learning curve compared to sectors that were already under KRITIS. The good news: waste company IT environments are typically less complex than those in banking or energy, which means the compliance effort is proportionately smaller."},"assets":{"heading":"What Does a Waste Company's Asset Inventory Look Like?","description":"Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical waste management company with 100-200 employees, the inventory is simpler than you might expect - usually 10 to 15 grouped entries.","items":{"fleet":{"title":"Fleet management and GPS","detail":"The software and systems that manage vehicle routing, GPS tracking, driver scheduling, and real-time route optimization. This is usually a cloud-hosted SaaS platform or on-premises server. If this goes down, trucks cannot be dispatched efficiently. Group all fleet management components as one asset entry."},"weighing":{"title":"Weighbridge and weighing systems","detail":"Electronic weighing systems at sites that record incoming and outgoing material weights for billing and regulatory compliance. Often connected to ERP systems. May include older industrial controllers. Group the weighbridge system (hardware + software) as one asset."},"erp":{"title":"ERP and billing system","detail":"The core business system handling customer management, contracts, billing, material tracking, and regulatory reporting. Commonly SAP Business One, DATEV, or sector-specific solutions like RECY or Wastebox. Compromise of this system affects revenue, customer data, and regulatory reporting. One asset entry."},"scada":{"title":"Sorting and processing plant controls","detail":"If your company operates sorting plants, composting facilities, or waste-to-energy plants, you likely have SCADA or industrial control systems managing the physical processes. These are often older systems with limited security features. They represent a distinct risk category because they control physical equipment. Group per facility."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices used by office staff, dispatchers, and management. Standard office applications (Microsoft 365, email, document management). Grundschutz allows grouping identical devices: '45 standard Windows laptops' is one asset entry, not 45."},"network":{"title":"Network infrastructure","detail":"Routers, switches, firewalls, and VPN connections linking offices, depots, and plant sites. Include internet connections and any site-to-site links. If your company has multiple locations, each site's network can be a grouped entry. The network is what connects everything else - its compromise affects all other assets."}}},"priorities":{"heading":"Where to Start - Priority Order for Waste Companies","description":"You do not need to do everything at once. This priority order reflects what the BSI will look for first and what creates the most compliance value per hour of effort.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your §33 BSIG registration via the BSI portal. This is the most visible obligation and has its own penalty provision (up to €500,000). It takes about 30 minutes and immediately puts you on record as an entity that is engaging with its obligations. Do this before anything else."},"assets":{"title":"2. Build your asset inventory","description":"List the systems that support your waste collection, processing, and disposal services. Use the six categories above as a starting point. For each asset, note what it does, who manages it (internal or supplier), and what happens if it is unavailable for 24 hours. This inventory becomes the foundation for everything that follows."},"incidents":{"title":"3. Set up incident reporting","description":"Define what counts as a significant incident for your company and establish the process for reporting to the BSI within the required timelines (24h/72h/1 month). Designate who makes the reporting decision, who files the report, and how you reach them outside business hours. You do not need a security operations center - you need a clear phone tree and a documented process."},"access":{"title":"4. Review access controls","description":"Audit who has access to your critical systems - especially fleet management, ERP, and any plant control systems. Implement multi-factor authentication on remote access and administrative accounts. Remove access for former employees. This is often the area with the most low-hanging fruit: many waste companies have shared passwords, no MFA, and former employee accounts still active."},"suppliers":{"title":"5. Document supplier relationships","description":"Most waste companies outsource significant IT functions - cloud hosting, ERP maintenance, fleet management software. Document who these suppliers are, what access they have to your systems, and what security commitments they make. This is the beginning of your supply chain security process under §30(2)(4) BSIG. If your IT provider gets breached, your data and your services are at risk."}}},"specifics":{"heading":"What Makes Waste Companies Different","p1":"Waste companies have a unique risk profile. Unlike a software company where almost everything is digital, waste operations involve physical processes: trucks on roads, materials in motion, equipment at sites. A cyberattack on fleet management has immediate physical-world consequences. This operational technology dimension means your risk assessment should consider both IT systems and any industrial controls.","p2":"Most waste companies outsource heavily. Many operate with a small internal IT team (or no dedicated IT staff at all) and rely on external providers for everything from email to ERP to fleet management. Under NIS2, you can outsource operations but not accountability - §30 BSIG holds your company responsible for security measures even when a supplier delivers them. This makes supplier management your most important compliance lever.","p3":"The positive side: waste company IT environments are typically straightforward. A 100-person waste company has perhaps 6 to 10 distinct system groups, compared to 30 or more for a bank or hospital of similar size. This means the compliance effort is proportionate - you are looking at weeks of focused work, not a multi-year program. The BSI's 'appropriate and proportionate' standard works in your favor here."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is our waste company actually in scope for NIS2?","a":"If your company operates in waste collection, treatment, or disposal and has 50 or more employees or €10M or more in annual revenue, you are almost certainly in scope as an important entity under NIS2 Annex II. The sector definition covers the full waste management chain. If you are close to the threshold, check whether connected group companies push you over the limit - NIS2 uses the EU SME definition which considers linked enterprises."},"q2":{"q":"We outsource all IT - does NIS2 still apply to us?","a":"Yes, fully. NIS2 applies to the entity that provides the waste management service, regardless of who manages the IT. You can outsource the work but not the legal responsibility (§30 BSIG). In practice, this means your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify they have adequate security measures. If they get breached, your reporting obligation triggers - not theirs."},"q3":{"q":"What does an asset inventory look like for a waste company?","a":"Simpler than you think. A typical 100-person waste company has about 10 to 15 grouped asset entries: fleet management system, weighbridge system, ERP/billing, network infrastructure per site, standard endpoints (grouped - e.g., '45 Windows laptops'), email/collaboration (Microsoft 365), and possibly SCADA or sorting plant controls. Grundschutz explicitly allows grouping identical assets, so you do not need a line item for every laptop."},"q4":{"q":"How long does NIS2 compliance take for a company our size?","a":"For a 100-person waste company starting from scratch, expect 3 to 6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2 to 6), incident reporting process (weeks 4 to 8), access control improvements (weeks 6 to 12), policy documentation (ongoing). You do not need to be perfect by day one - the BSI evaluates trajectory and good faith. After the initial setup, ongoing effort is mainly annual reviews and responding to incidents."}},"sources":{"heading":"Sources","items":["NIS2 Directive (EU) 2022/2555 - Annex II, Sector 4: Waste water and waste management","BSIG - §28 (Scope), §30 (Cybersecurity measures), §33 (Registration), §38 (Management liability)","BSI - Sector-specific NIS2 guidance and registration portal documentation (2025)","IT-Grundschutz Kompendium - OPS.1.2.5 (Fernwartung), IND.1 (Prozessleit- und Automatisierungstechnik)","BDE Bundesverband der Deutschen Entsorgungs-, Wasser- und Kreislaufwirtschaft - NIS2 position papers"]},"ctaCard":{"heading":"NIS2 Compliance for Waste Companies - Structured and Practical","description":"The platform walks you through every §30 BSIG requirement with sector-appropriate guidance: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures sized for waste management operations."},"cta":"Start Your NIS2 Compliance Process"},"penalties":{"meta":{"title":"NIS2 Fines 2026: Up to €10M + Personal Liability","description":"NIS2 penalty tiers: up to €10M for essential entities, €7M for important, €500K for registration violations. Real examples and personal management liability."},"title":"NIS2 Penalties: What You Actually Risk","subtitle":"Four penalty tiers, concrete calculation examples for three company sizes, realistic enforcement scenarios, and the management personal liability that D&O insurance probably does not cover.","overview":{"heading":"The Penalty Framework Is Real - But Proportionate","p1":"NIS2 penalties are modeled on the GDPR penalty structure - designed to be large enough that companies cannot treat fines as a cost of doing business. The maximum amounts (up to €10M or 2% of global turnover) make headlines, but the reality for most mid-market companies is more nuanced. Fines are assessed based on the severity of the violation, the company's size, whether the company acted in good faith, and what corrective steps were taken.","p2":"That said, the penalty framework is not theoretical. The BSI has enforcement powers, the fines are codified in §65 BSIG, and management personal liability under §38 is a separate legal mechanism. Ignoring NIS2 is not a viable risk management strategy. Understanding the actual penalty structure helps you make proportionate decisions about compliance investment - neither panicking nor dismissing the risks."},"tiers":{"heading":"Four Penalty Tiers","description":"The BSIG establishes different maximum penalties depending on entity type and the nature of the violation.","items":{"essential":{"amount":"Up to €10,000,000 or 2% of global annual turnover","label":"Essential entities - cybersecurity measure violations","detail":"Applies to essential entities (Annex I sectors) that fail to implement adequate cybersecurity measures under §30 BSIG, fail to report significant incidents under §32, or otherwise violate substantive NIS2 obligations. The fine is the HIGHER of €10M or 2% of the previous fiscal year's global turnover."},"important":{"amount":"Up to €7,000,000 or 1.4% of global annual turnover","label":"Important entities - cybersecurity measure violations","detail":"Applies to wichtige Einrichtungen (important entities, Annex II sectors) for the same substantive violations. Lower ceiling reflects the NIS2 Directive's proportionality principle - important entities are in lower-criticality sectors. The fine is the HIGHER of €7M or 1.4% of the previous fiscal year's global turnover."},"registration":{"amount":"Up to €500,000","label":"Registration violations","detail":"Specific penalty for failing to register with the BSI under §33 BSIG or providing incorrect registration information. This is a standalone violation - you can be fined for non-registration even if your actual cybersecurity measures are adequate. The registration penalty applies to both essential and important entities."},"reporting":{"amount":"Up to €500,000","label":"Reporting violations","detail":"Specific penalty for failing to report significant incidents within the required timelines (24h early warning, 72h notification, 1 month final report) or for failing to provide required information during BSI investigations. Each reporting failure is a separate potential violation."}}},"examples":{"heading":"Concrete Calculation Examples","description":"What maximum penalties look like for companies of different sizes. The turnover-based calculation becomes relevant when it exceeds the fixed amount.","headers":{"company":"Company type","turnover":"Annual turnover","maxEssential":"Max fine (essential)","maxImportant":"Max fine (important)"},"rows":{"small":{"company":"Small mid-market","turnover":"€15,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be only €300,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be only €210,000)"},"medium":{"company":"Medium mid-market","turnover":"€50,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be only €1,000,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be only €700,000)"},"large":{"company":"Large enterprise","turnover":"€200,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be €4,000,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be €2,800,000)"}}},"scenarios":{"heading":"Four Realistic Enforcement Scenarios","description":"What actually triggers BSI enforcement and what the consequences look like in practice.","items":{"lateRegistration":{"title":"Late or missing BSI registration","description":"Your company meets the NIS2 scope criteria but has not registered with the BSI under §33 BSIG. The BSI identifies you through sector databases, industry association membership lists, or commercial registers.","consequence":"The BSI issues a compliance order requiring registration within a set deadline. If you comply, the matter may end there - especially if you can show you were genuinely unaware. If you ignore the order, fines of up to €500,000 can be assessed. The registration gap also creates documentation that you were non-compliant from the start, which weakens your position on any other NIS2 violation."},"noIncidentReport":{"title":"Failure to report a significant incident","description":"Your company suffers a ransomware attack that disrupts services for 48 hours. You handle the technical response but do not report to the BSI. The incident becomes public through media coverage or customer complaints.","consequence":"Failure to file the initial early warning within 24 hours is a separate violation from failure to file the 72-hour notification and the final report - each is an independent penalty trigger. The BSI investigates and finds no report was filed. Beyond the fine (up to €500,000 per reporting failure), the non-reporting raises questions about your entire compliance posture, potentially triggering a broader audit."},"noRiskManagement":{"title":"No risk management process in place","description":"During a BSI audit (for essential entities) or following an incident (for important entities), the BSI finds that your company has no documented risk assessment, no asset inventory, and no cybersecurity measures beyond basic IT operations.","consequence":"This is the most serious substantive violation - a complete absence of §30 BSIG compliance. Maximum penalties apply (€10M/2% for essential, €7M/1.4% for important). In practice, the BSI would likely issue binding instructions first and impose penalties for non-compliance with those instructions. But the lack of any risk management process leaves no room for the 'we tried in good faith' defense."},"supplyChainGap":{"title":"Supply chain security gaps","description":"Your company outsources IT operations to a managed service provider. The provider suffers a data breach that exposes your customer data. The BSI investigates and finds no supplier security assessment, no contractual cybersecurity requirements, and no monitoring of the provider's security posture.","consequence":"You are responsible for your supply chain security under §30(2)(4) BSIG, regardless of where the breach occurred. The absence of supplier due diligence means you failed to implement required measures. This can trigger penalties under the cybersecurity measures framework (up to €10M/€7M depending on entity type), plus the incident itself triggers reporting obligations. If you also fail to report, penalties compound."}}},"managementLiability":{"heading":"Management Personal Liability - The Part Most People Miss","description":"Company fines are one thing. Personal liability for the Geschäftsführung is another.","p1":"§38 BSIG creates a personal liability mechanism for company management that is separate from the administrative fines against the company. The Geschäftsführung must approve the cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training. If these duties are neglected and the company suffers damages as a result, the management can be held personally liable for those damages. This is a civil liability - the damages claim comes from the company (or its insolvency administrator) against the individual managers.","p2":"Critically, §38 BSIG states that this liability cannot be waived by shareholder resolution. Even in an owner-managed GmbH where the Geschäftsführer is also the sole shareholder, the liability exists. D&O insurance policies typically exclude regulatory fines and penalties, and coverage for NIS2-specific liability is an evolving area - check your specific policy rather than assuming coverage. The practical implication: NIS2 compliance is now a personal risk management issue for every Geschäftsführer, not just a corporate governance checkbox."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"What is the maximum fine for my company?","a":"It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies (under €500M turnover), the fixed amount applies because 2% of turnover is less than €10M. Separate penalties of up to €500,000 apply for registration and reporting violations."},"q2":{"q":"Can I be personally fined as Geschäftsführer?","a":"The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses - not a government fine, but potentially a damages claim. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally."},"q3":{"q":"Does D&O insurance cover NIS2 penalties?","a":"Most D&O policies exclude regulatory fines and administrative penalties - these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims) may be covered by D&O insurance, depending on your policy terms. Review your specific policy and discuss NIS2 exposure with your broker. Do not assume coverage exists - ask for written confirmation of what is and is not covered."},"q4":{"q":"What triggers BSI enforcement?","a":"For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger. For important entities: enforcement is typically reactive - triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial register and sector databases to identify entities that should be registered but are not."},"q5":{"q":"Are penalties proportional to company size?","a":"Yes, by design. The percentage-of-turnover calculation ensures that penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed cap, since 2% is only €300,000). For a €600M company, the maximum is €12M (2% of turnover exceeds the €10M floor). Additionally, the BSI is required to consider proportionality when assessing penalties - company size, severity of the violation, duration, and good faith efforts all factor into the actual penalty amount."}},"sources":{"heading":"Sources","items":["BSIG - §38 (Management liability), §65 (Administrative fines and penalty framework)","NIS2 Directive (EU) 2022/2555 - Article 34 (Supervisory measures for essential entities), Article 35 (Supervisory measures for important entities), Article 36 (Penalties)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit","BMI - Parliamentary documentation on penalty framework design and proportionality considerations","GDV (Gesamtverband der Deutschen Versicherungswirtschaft) - D&O insurance coverage analysis for regulatory liability (2025)"]},"ctaCard":{"heading":"Avoid Penalties - Build a Defensible Compliance Record","description":"The platform creates an auditable trail of your NIS2 compliance work: management sign-offs, risk assessments, incident reporting readiness, and supplier documentation. When the BSI asks what you have done, you have evidence - not excuses."},"cta":"Start Your NIS2 Compliance Process"},"securityObligation":{"meta":{"title":"IT Security Obligation - NIS2 & BSIG","description":"NIS2 is the new IT security obligation for German companies with 50+ employees or 10M+ revenue in critical sectors. What the BSIG requires."},"title":"The New IT Security Obligation for German Companies","subtitle":"If you searched for 'IT Sicherheitspflicht', you are looking for NIS2. Since December 2025, the revised BSIG makes cybersecurity a legal obligation for roughly 29,500 German companies.","overview":{"heading":"NIS2 Is the IT Security Obligation You Have Been Hearing About","p1":"There is no standalone 'IT security obligation law' in Germany. What exists is the NIS2 Directive (EU 2022/2555), transposed into German law through the NIS2UmsuCG, which overhauled the Federal Cybersecurity Act (BSIG). This is the law that creates binding IT security obligations for companies in 18 critical sectors.","p2":"The BSIG entered into force on 6 December 2025. It requires affected companies to implement 10 specific cybersecurity risk management measures (Section 30 BSIG), register with the BSI, report significant incidents within strict timelines, and secure their supply chains. Management is personally liable under Section 38 BSIG for ensuring compliance.","p3":"If your company has 50 or more employees or exceeds 10 million euros in annual revenue and operates in one of the 18 NIS2 sectors, these obligations apply to you right now. The registration deadline was 6 March 2026. Implementation of all measures is required by 17 October 2026."},"check":{"heading":"Does This Apply to My Company?","description":"Four criteria determine whether your company falls under the BSIG. You need to meet the sector criterion AND at least one of the size criteria.","items":{"sector":{"title":"Sector","description":"Your company operates in one of 18 sectors: energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space, postal services, waste management, chemicals, food production, manufacturing, or digital providers."},"size":{"title":"Employee Count","description":"You have 50 or more employees. This follows the EU SME definition and includes all employees across the group, not just the German entity. Part-time employees count proportionally."},"revenue":{"title":"Annual Revenue","description":"Your annual turnover exceeds 10 million euros AND your balance sheet total exceeds 10 million euros. If you exceed either the employee OR the financial threshold, you are in scope."},"services":{"title":"Critical Services","description":"Some entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region."}}},"steps":{"heading":"What You Need to Do","description":"The BSIG requires five concrete steps. Registration should already be done. The remaining measures must be implemented by October 2026.","items":{"register":{"title":"Register with the BSI","description":"Complete your registration via the BSI portal (muk.bsi.bund.de). This is a legal obligation under Section 33 BSIG with its own penalty of up to 500,000 euros. The portal has been live since January 2026, and the deadline was 6 March 2026. If you missed it, register immediately."},"assess":{"title":"Conduct a Risk Assessment","description":"Identify your critical IT assets, assess the risks to each, and document treatment decisions. Section 30 BSIG requires risk management measures that are proportionate to the risk exposure. You need an asset inventory and a structured risk assessment before you can implement measures."},"implement":{"title":"Implement 10 Security Measures","description":"Section 30 BSIG defines 10 mandatory areas: risk management policies, incident handling, business continuity, supply chain security, network security, vulnerability management, cybersecurity hygiene, cryptography, access control, and multi-factor authentication. Each area requires documented policies and evidence of implementation."},"report":{"title":"Set Up Incident Reporting","description":"Significant cybersecurity incidents must be reported to the BSI within 24 hours (initial early warning), 72 hours (full notification), and 1 month (final report). Define what a significant incident means for your company and establish a clear reporting chain before something happens."},"maintain":{"title":"Maintain Ongoing Compliance","description":"NIS2 is not a one-time project. You need annual risk assessment reviews, regular training for management (Section 38 BSIG requires personal participation), supplier reassessments, and continuous incident monitoring. The platform tracks all deadlines and escalates automatically."}}},"consequences":{"heading":"What Happens If You Do Nothing","p1":"The penalty framework is modeled on GDPR. Essential entities face fines of up to 10 million euros or 2% of global annual turnover. Important entities face up to 7 million euros or 1.4%. Registration violations alone carry fines of up to 500,000 euros. The BSI has enforcement powers and can order compliance or restrict operations.","p2":"Beyond fines, Section 38 BSIG creates personal liability for management. Executives must approve cybersecurity measures, oversee implementation, and complete training. They are liable to their own company for culpable violations. This liability cannot be waived by contract. Claiming you did not understand cybersecurity is explicitly not a defense."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is NIS2 the same as the IT security obligation I keep hearing about?","a":"Yes. There is no separate 'IT Sicherheitspflicht' law. NIS2 is the EU directive that was transposed into German law as the revised BSIG via the NIS2UmsuCG. When people talk about new IT security obligations for German companies, they mean this law. It has been in force since 6 December 2025."},"q2":{"q":"We are a 60-person manufacturing company. Does this really apply to us?","a":"Very likely yes. Manufacturing is listed in NIS2 Annex II (covering medical devices, electronics, electrical equipment, machinery, motor vehicles, and other transport equipment manufacturing). With 60 employees, you exceed the 50-employee threshold. You would be classified as a 'important entity' under Section 28(2) BSIG, and all NIS2 obligations apply."},"q3":{"q":"The registration deadline has passed. What should we do?","a":"Register immediately. The BSI portal at muk.bsi.bund.de is still accepting registrations. Late registration is better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI evaluates good faith. A company that registers a few weeks late and can show it was actively working on compliance is in a vastly better position than one that did nothing."},"q4":{"q":"Can our external IT provider handle NIS2 compliance for us?","a":"They can help implement the technical measures, but the legal obligation stays with your company. Section 30 BSIG explicitly states that you can outsource operations but not accountability. Your management remains personally liable under Section 38 BSIG. You need to document what your IT provider does, verify their security measures, and include them in your supplier management process."},"q5":{"q":"How much does NIS2 compliance cost for a mid-market company?","a":"For a 50 to 250 employee company, expect to spend between 20,000 and 80,000 euros in the first year, depending on your current security maturity. This includes risk assessment, policy documentation, technical improvements, and training. Companies that already have basic IT security measures in place are at the lower end. The ongoing annual cost drops significantly after the first year because most work is setup, not maintenance."}},"ctaCard":{"heading":"Find Out If NIS2 Applies to Your Company","description":"Answer a few questions about your sector, size, and services. The applicability check takes less than 2 minutes and tells you whether the BSIG obligations apply to you."},"cta":"Check If NIS2 Applies to You"},"bsiRegistration":{"meta":{"title":"BSI Registration - NIS2 Portal Guide","description":"Step-by-step guide for BSI registration under §33 BSIG. What you need, how the MUK portal works, and common mistakes to avoid."},"title":"BSI Registration: Step-by-Step Guide","subtitle":"Every NIS2 entity must register with the BSI under Section 33 BSIG. The portal has been live since January 2026. Here is exactly how to complete the process.","overview":{"p1":"Registration with the BSI is one of the most visible NIS2 obligations and has its own penalty provision of up to 500,000 euros. The process uses the 'Mein Unternehmenskonto' (MUK) portal, which requires ELSTER-based authentication. Most companies can complete the registration in 30 to 60 minutes, but you need to prepare several pieces of information beforehand.","p2":"The registration deadline was 6 March 2026 (three months after the BSIG entered into force). If you missed it, register as soon as possible. Late registration demonstrates good faith and is vastly better than no registration. The BSI can also proactively identify companies that should have registered and order them to do so."},"prep":{"heading":"What You Need Before Starting","description":"Gather these four items before you open the BSI portal. Having everything ready makes the process straightforward.","items":{"muk":{"title":"Mein Unternehmenskonto (MUK)","description":"You need an active MUK account at muk.bsi.bund.de. MUK is the federal government's business account system. If your company does not have one yet, create it first - this can take a few days because it requires ELSTER verification. Do not wait until the last minute."},"elster":{"title":"ELSTER Certificate","description":"MUK authentication uses your ELSTER business certificate - the same one you use for tax filings. If your tax advisor handles ELSTER for you, you will need either their help or your own ELSTER certificate. The person registering must be authorized to act on behalf of the company."},"data":{"title":"Company Data","description":"You will need: legal company name, registered address, tax number, commercial register number (Handelsregister), sector classification (which NIS2 sector you fall under), employee count, and annual revenue. Have your most recent annual report or financial statements available."},"contacts":{"title":"Contact Persons","description":"The BSI requires at least one designated contact person for cybersecurity matters. You need their name, role, email, and phone number. This person must be reachable - the BSI will use this contact for incident communication and compliance inquiries. Ideally, designate a primary and secondary contact."}}},"walkthrough":{"heading":"Registration Walkthrough","description":"Six steps from opening the portal to confirmed registration. The entire process takes 30 to 60 minutes if you have prepared everything.","items":{"s1":{"title":"Log in to MUK","description":"Go to muk.bsi.bund.de and log in with your ELSTER certificate. If this is your first time using MUK, you will need to create an account and link it to your ELSTER identity. Make sure your browser allows the ELSTER security plugin. Use Chrome or Edge for the best compatibility."},"s2":{"title":"Select NIS2 Registration","description":"Once logged in, navigate to the BSI registration service. Select 'NIS2-Registrierung' from the available services. The portal will guide you through the process with a multi-step form. You can save your progress and return later if needed."},"s3":{"title":"Enter Company Information","description":"Fill in your company details: legal name, address, registration number, tax ID, sector classification, and size category. The portal will ask you to self-classify as either 'essential entity' or 'important entity' based on your sector and size. If you are unsure, the portal provides guidance."},"s4":{"title":"Declare Services and Infrastructure","description":"Describe the services your company provides that fall under NIS2 scope. For example, a food production company would declare its production and distribution operations. List the Member States where you provide these services. If you operate only in Germany, select Germany only."},"s5":{"title":"Add Contact Persons","description":"Enter your designated contact person(s) for cybersecurity matters. Provide name, role, email, and phone for each contact. The BSI will use these contacts for incident communication, compliance inquiries, and any orders or inspections. Make sure the contact is someone who can actually respond - not a generic info@ email."},"s6":{"title":"Review and Submit","description":"Review all entered information carefully. Once submitted, you will receive a confirmation reference number. Save this number. The BSI may take several weeks to process your registration. You do not need to wait for confirmation before starting your compliance work - the obligation exists from the moment the law applies, not from the moment of registration."}}},"pitfalls":{"heading":"Common Mistakes to Avoid","items":["Starting without an ELSTER certificate - MUK requires ELSTER authentication, and getting a new certificate can take days. Check this first.","Using a personal ELSTER certificate instead of the company's business certificate. The registration must be tied to the legal entity, not an individual.","Misclassifying your entity category. If you are in an Annex I sector with 250+ employees, you are 'essential', not just 'important'. The wrong classification affects your supervision regime.","Entering a generic email address as the contact. The BSI will send time-sensitive incident communications to this address. Use a monitored mailbox with a named person behind it.","Waiting for the BSI to tell you to register. Registration is a self-identification obligation - the BSI does not send notifications. If you meet the criteria, you must register yourself.","Assuming registration equals compliance. Registration is step one of many. It does not satisfy the Section 30 security measures, Section 32 incident reporting, or Section 38 management obligations."]},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"I missed the registration deadline. Is it too late?","a":"No. Register immediately. The portal is still open and accepting registrations. Late registration is far better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI considers the circumstances - a company that registers a few weeks late and shows good faith is in a very different position than one that ignores the obligation entirely."},"q2":{"q":"Can our tax advisor handle the registration for us?","a":"They can help with the ELSTER authentication, but the registration content requires company-specific information about your NIS2 sector, services, and infrastructure that your tax advisor likely does not have. The best approach is to prepare the data yourself and have your advisor assist with the MUK/ELSTER technical setup if needed."},"q3":{"q":"We are not sure if we classify as essential or important. What do we select?","a":"Essential entities (essential entities) are large companies (250+ employees or 50M+ turnover) in Annex I sectors, plus all KRITIS operators. Important entities (wichtige Einrichtungen) are medium companies (50-249 employees or 10-50M turnover) in Annex I sectors, or medium/large companies in Annex II sectors. If you are genuinely uncertain, the BSI portal provides classification guidance during the registration process."},"q4":{"q":"What happens after we register? Does the BSI contact us?","a":"You receive a confirmation reference number. The BSI may take several weeks to process the registration. For essential entities, the BSI may initiate proactive supervision (audits, inspections) at any time. For important entities, supervision is reactive - meaning the BSI only investigates if there is evidence of non-compliance or after an incident. In both cases, start implementing Section 30 measures immediately. Do not wait for the BSI to reach out."},"q5":{"q":"Do we need to register each branch or subsidiary separately?","a":"Each legal entity that independently meets the NIS2 scope criteria must register separately. A subsidiary that is a separate legal entity with 50+ employees in a NIS2 sector needs its own registration. However, branch offices of the same legal entity do not register separately - one registration covers the entire legal entity."}},"ctaCard":{"heading":"Track Your Registration and Next Steps","description":"Registration is step one. The platform guides you through the remaining 49 BSIG requirements with structured forms, deadline tracking, and automatic audit trail."},"cta":"Start Your NIS2 Compliance Process"},"whatToDo":{"meta":{"title":"NIS2 - What Now? 4-Week Quick Start","description":"NIS2 applies to your company. A 4-week plan: BSI registration, asset inventory, risk assessment, and incident reporting process."},"title":"NIS2 Applies to Us - What Now?","subtitle":"You have confirmed your company is in scope. Do not panic, do not hire a consultant for 100,000 euros. Here is a realistic 4-week plan to build the foundation.","tldr":{"heading":"The Short Version","p1":"NIS2 compliance is not a single project with a finish line. It is an ongoing operational practice, like accounting or quality management. But it has a clear starting point: register with the BSI, list your critical systems, assess the risks, and establish an incident reporting process. These four activities give you 80% of the foundation.","p2":"The biggest mistake companies make is treating NIS2 as an all-or-nothing effort. You do not need to be perfect by day one. The BSI evaluates trajectory and good faith. A company that has registered, started a risk assessment, and documented its first policies is in a fundamentally different position than one that has done nothing - even if neither is fully compliant yet."},"plan":{"heading":"4-Week Quick-Start Plan","description":"This plan assumes a 50 to 250 employee company with one person dedicating roughly 2 hours per day to NIS2. Adjust the timeline based on your team's availability.","items":{"w1":{"title":"Week 1 - Registration and Orientation","timeframe":"Days 1-5","actions":["Register with the BSI via muk.bsi.bund.de (if not done already). Takes 30-60 minutes with preparation.","Read Section 30 BSIG to understand the 10 mandatory security measures. This is 2 pages of legal text, not a textbook.","Identify who in your company will own NIS2 compliance. This does not need to be a new hire - it can be your IT manager, CISO, or quality manager.","Brief management on their personal liability under Section 38 BSIG. They need to know about the three duties: approval, oversight, and training.","Set up your compliance tracking - either a platform like NISD2.eu or at minimum a structured spreadsheet with the 10 measure categories."]},"w2":{"title":"Week 2 - Asset Inventory","timeframe":"Days 6-10","actions":["List all IT systems that support your critical business services. Think: ERP, email, production systems, network infrastructure, endpoints.","For each system, note: what it does, who manages it (internal or supplier), where it runs (on-premises, cloud, hybrid), and what happens if it is down for 24 hours.","Group identical assets - Grundschutz allows this. '45 standard Windows laptops' is one entry, not 45. Most mid-market companies have 10 to 20 grouped asset entries.","Identify your key IT suppliers: cloud providers, managed service providers, software vendors. Note what access they have to your systems.","Document everything in a structured format. This becomes the foundation for risk assessment, supplier management, and incident response."]},"w3":{"title":"Week 3 - Risk Assessment and Incident Process","timeframe":"Days 11-15","actions":["For each asset group, identify the main threats: ransomware, data breach, system failure, supplier compromise, human error.","Rate each risk by likelihood (how likely in the next 12 months) and impact (what happens to your business). Use a simple 3-level or 5-level scale.","Decide on treatment for each risk: accept, mitigate, transfer (insurance), or avoid. Document the rationale.","Define what counts as a significant incident for your company and write down the reporting process: who decides, who files the BSI report, how to reach them outside business hours.","Draft your first incident response checklist: detection, containment, BSI notification (24h), evidence preservation, full notification (72h), recovery, final report (1 month)."]},"w4":{"title":"Week 4 - Policies and Management Sign-Off","timeframe":"Days 16-20","actions":["Draft your cybersecurity policy - a 2 to 5 page document covering scope, responsibilities, key measures, and review cycle. This is not a 100-page manual.","Draft your access control policy: who gets access to what, how access is granted and revoked, MFA requirements for remote and admin access.","Schedule management training for Section 38 BSIG. Management must personally participate - this cannot be delegated. Training must cover the 10 Section 30 measures.","Get management to formally approve your risk management measures. This approval is a specific legal requirement under Section 38 BSIG. Document it with timestamp and signature.","Plan the next 3 months: supplier assessments, business continuity planning, detailed technical measures. The first 4 weeks build the foundation, months 2 to 6 fill in the details."]}}},"mistakes":{"heading":"The Four Most Common Mistakes","description":"Based on what we see from companies starting their NIS2 journey, these are the patterns that waste the most time and money.","items":{"waiting":{"title":"Waiting for Perfect Clarity","description":"Some companies postpone action because they are not 100% sure the law applies to them or they want to wait for more BSI guidance. The law is in force. The obligations apply. Start with registration and an asset inventory - these are useful regardless of how the regulatory details evolve."},"overscoping":{"title":"Trying to Do Everything at Once","description":"Companies that try to implement all 10 Section 30 measures simultaneously get overwhelmed and stall. Follow the priority order: register, inventory, risk assessment, incident process. Then layer in policies, access controls, supplier management, and training over the following months."},"noOwner":{"title":"No Clear Owner","description":"NIS2 compliance cannot be a side task that nobody owns. Designate one person who is responsible for driving the process. This does not mean they do everything themselves - it means there is someone who tracks progress, escalates blockers, and reports to management. Without an owner, nothing moves."},"perfectDocs":{"title":"Perfecting Documentation Before Starting","description":"A 3-page policy that exists today is worth more than a 30-page policy that will be finished 'next quarter.' Start with short, practical documents. You can refine them over time. The BSI wants to see that you have a process, not that you have perfect prose."}}},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Do we need to hire a dedicated CISO for NIS2?","a":"Not necessarily. The BSIG requires that someone is responsible for cybersecurity, but it does not mandate a dedicated CISO role. For a 50 to 150 person company, this can be your IT manager, quality manager, or another technical leader who takes on NIS2 as a primary responsibility. What matters is that the person has authority to make decisions and direct access to management. For companies over 150 employees or in high-criticality sectors, a dedicated role becomes more practical."},"q2":{"q":"How much time per week does NIS2 compliance take after the initial setup?","a":"After the first 3 to 6 months of setup, ongoing NIS2 compliance for a mid-market company typically requires 4 to 8 hours per week from the responsible person. This covers monitoring, incident triage, supplier follow-ups, and periodic reviews. Annual activities like full risk reassessment and management training require additional focused time. Most of the work is not technical - it is documentation, process, and communication."},"q3":{"q":"Can we use ISO 27001 certification instead of NIS2 compliance?","a":"ISO 27001 covers significant overlap with NIS2, but it is not a direct substitute. Having ISO 27001 means you already have most of the management system in place (risk assessment, policies, access controls, incident management). You still need to satisfy NIS2-specific requirements: BSI registration, the specific incident reporting timelines (24h/72h/1 month), supply chain security as defined by Section 30(2)(4) BSIG, and management liability documentation under Section 38. An ISO 27001-certified company can typically reach NIS2 compliance in weeks rather than months."},"q4":{"q":"What if we get audited before we are fully compliant?","a":"For important entities (wichtige Einrichtungen), the BSI only audits reactively - meaning after an incident or evidence of non-compliance. For essential entities, proactive audits can happen. In either case, the BSI evaluates your overall posture, not just whether every requirement is perfectly met. A company that can show it has registered, started a risk assessment, is implementing measures, and has management engagement is in a defensible position. A company that has done nothing is not."},"q5":{"q":"Should we do this ourselves or hire a consultant?","a":"For a 50 to 250 person company, a combination works best. Use a structured platform or guide for the framework (this keeps costs under control and ensures nothing is missed), and bring in a consultant for specific topics where you lack expertise - typically risk assessment methodology, technical security measures, or legal review of policies. Avoid open-ended consulting engagements. Define the scope and deliverables upfront. The total cost for external support should be proportionate to your risk - typically 15,000 to 40,000 euros for the initial setup."}},"ctaCard":{"heading":"Start Your 4-Week Plan Today","description":"The platform structures the entire NIS2 process into manageable steps. Register, inventory your assets, assess risks, and build your incident reporting process - all guided, all tracked, all audit-ready."},"cta":"Start Your NIS2 Compliance Process"},"sectorFood":{"meta":{"title":"NIS2 for Food Production","description":"Food production and distribution is NIS2 Annex II scope. Guide for food companies with 50+ employees: requirements, assets, and first steps."},"badge":"Annex II - Important Entity","title":"NIS2 for Food Production and Distribution Companies","subtitle":"Food production, processing, and wholesale distribution are in scope under NIS2 Annex II. If your company has 50+ employees or exceeds 10M euros in revenue, this is your practical guide to what the BSIG requires.","why":{"heading":"Why Does NIS2 Apply to Food Companies?","p1":"Modern food production is deeply dependent on IT systems. ERP systems manage orders and invoicing. Production control systems (MES) schedule and monitor manufacturing lines. Cold chain monitoring systems track temperatures from production through delivery. Laboratory information systems manage quality testing. If ransomware takes out your ERP, you cannot ship. If your cold chain monitoring fails, you cannot prove product safety. That is why the EU classified food as a critical sector.","p2":"The EU placed food production, processing, and wholesale distribution under Annex II of the NIS2 Directive. Companies meeting the size threshold (50+ employees or over 10 million euros in annual revenue) are classified as 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG. This means the full set of NIS2 obligations applies: BSI registration, 10 cybersecurity risk management measures, incident reporting, supply chain security, and management liability.","p3":"Most food companies have not dealt with cybersecurity regulation before. Food safety regulations (HACCP, IFS, BRC) are familiar, but IT security obligations are new. The good news: if your company already runs a structured quality management system, many of the concepts transfer. Risk assessment, documentation, audits, corrective actions - the framework is similar, just applied to IT instead of production hygiene."},"assets":{"heading":"What Does a Food Company's Asset Inventory Look Like?","description":"Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical food production company with 100 to 200 employees, expect 10 to 15 grouped entries.","items":{"erp":{"title":"ERP and order management","detail":"The core business system handling customer orders, invoicing, procurement, and inventory management. Commonly SAP Business One, Microsoft Dynamics, proALPHA, or sector-specific solutions like CSB-System. Compromise of this system stops order processing, shipping, and billing. One asset entry."},"production":{"title":"Production control (MES)","detail":"Manufacturing Execution Systems that schedule production runs, track batch numbers, and monitor line output. Often connected to ERP for demand-driven production. May include PLCs and SCADA components on production lines. If this goes down, production stops or runs blind. Group per production facility."},"coldChain":{"title":"Cold chain monitoring","detail":"Temperature and humidity monitoring systems for storage, transport, and retail display. These systems provide the continuous records required for HACCP compliance. Data loggers, sensors, and monitoring software - often cloud-based. Failure means you lose the proof chain for food safety. One grouped entry."},"logistics":{"title":"Logistics and delivery","detail":"Fleet management, route planning, delivery tracking, and warehouse management systems. May include handheld scanners for picking and loading. These systems ensure products move from production to customer. Disruption delays deliveries and can cause spoilage for temperature-sensitive products."},"lab":{"title":"Laboratory information system (LIMS)","detail":"Systems managing quality testing - microbiological analysis, chemical testing, sensory evaluation. LIMS tracks samples, results, and release decisions. If your lab system is compromised, you cannot verify product safety and may need to halt shipments until manual verification is complete."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices used by office staff, quality managers, and logistics coordinators. Standard office applications, email, and document management. Grundschutz allows grouping: '50 standard Windows laptops' is one asset entry. Include network infrastructure (routers, switches, firewalls, Wi-Fi) as a separate grouped entry."}}},"priorities":{"heading":"Where to Start - Priority Order for Food Companies","description":"You do not need to do everything at once. This priority order reflects what creates the most compliance value per hour of effort.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes about 30 to 60 minutes and immediately puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately."},"assets":{"title":"2. Build your asset inventory","description":"List the systems that support your food production, quality assurance, and distribution operations. Use the six categories above as a starting point. For each asset, note what it does, who manages it, and what happens if it is unavailable for 24 hours. Pay special attention to systems that affect food safety - these have the highest regulatory impact."},"incidents":{"title":"3. Set up incident reporting","description":"Define what a significant cybersecurity incident means for your company. A ransomware attack that stops production is clearly significant. A phishing email that was caught is not. Establish the reporting chain: who decides, who files the BSI report (24h/72h/1 month timelines), and how to reach them outside business hours."},"suppliers":{"title":"4. Document supplier relationships","description":"Food companies typically rely heavily on external IT - cloud-hosted ERP, cold chain monitoring SaaS, managed IT services. Document who these suppliers are, what access they have, and what security measures they commit to. Under Section 30(2)(4) BSIG, supply chain security is a mandatory measure. If your cloud ERP provider gets breached, it is your problem."},"access":{"title":"5. Review access controls","description":"Audit who has access to your critical systems - especially ERP, production control, and cold chain monitoring. Implement multi-factor authentication on remote access and admin accounts. Remove accounts for former employees. Many food companies have shared passwords for production terminals - document this and plan to fix it."}}},"specifics":{"heading":"What Makes Food Companies Different","p1":"Food companies sit at the intersection of IT security and food safety regulation. Your HACCP system, IFS or BRC certifications, and quality documentation already create a culture of documented processes, regular audits, and corrective actions. This is an advantage - the NIS2 framework uses very similar concepts. Risk assessment, control measures, monitoring, documentation, and periodic review are things your quality team already understands.","p2":"The unique risk for food companies is the connection between IT systems and food safety. If your cold chain monitoring system is compromised, you may not know whether products have been stored at safe temperatures. If your LIMS is manipulated, you may release unsafe products. If your ERP is down, you cannot trace a contaminated batch. These scenarios make IT security a food safety issue, not just an IT issue.","p3":"Most food companies outsource significant IT. Cloud-based ERP, SaaS cold chain monitoring, managed IT services - this is standard. Under NIS2, you own the accountability even when you outsource the operations. Your most important compliance activity is supplier management: documenting relationships, including security requirements in contracts, and verifying that suppliers maintain adequate security. Section 30 BSIG is clear - you cannot outsource responsibility."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We already have IFS/BRC certification. Does that cover NIS2?","a":"Not directly, but it gives you a significant head start. IFS and BRC require documented processes, risk assessments, corrective actions, and regular audits - the same framework NIS2 uses. What is missing is the IT-specific content: asset inventory of IT systems, cybersecurity risk assessment, incident reporting to the BSI, access control policies, and encryption documentation. Think of NIS2 as extending your quality management system to cover IT security."},"q2":{"q":"Our production runs on older machines with Windows 7. Is that a problem?","a":"Older operating systems on production equipment are common in food manufacturing and represent a real NIS2 risk. You do not necessarily need to replace the machines immediately, but you need to document the risk and implement compensating controls: network segmentation (isolate these machines from the internet and office network), restricted access, monitoring for unusual activity, and a plan for eventual upgrade or replacement. Document this in your risk assessment with a clear timeline."},"q3":{"q":"Is our cold chain monitoring system an 'asset' under NIS2?","a":"Yes, absolutely. Any system that supports the delivery of your critical services (food production and distribution) is an asset under NIS2. Cold chain monitoring is particularly important because it directly affects food safety. If the monitoring system fails or is compromised, you lose the ability to prove your products were stored safely. List it as an asset, assess the risks, and ensure your supplier (if it is cloud-based) meets adequate security standards."},"q4":{"q":"How long does NIS2 compliance take for a food company our size?","a":"For a 100 to 200 employee food production company starting from scratch, expect 3 to 6 months to reach a solid baseline. Companies with existing IFS/BRC certification can move faster because the process discipline already exists. The first month covers registration, asset inventory, and risk assessment. Months 2 and 3 cover incident process, access controls, and initial policies. Months 4 to 6 fill in supplier management, business continuity, and technical measures. After setup, ongoing effort is mainly annual reviews."}},"ctaCard":{"heading":"NIS2 Compliance for Food Companies - Structured and Practical","description":"The platform walks you through every Section 30 BSIG requirement with guidance sized for food production operations: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures."},"cta":"Start Your NIS2 Compliance Process"},"sectorManufacturing":{"meta":{"title":"NIS2 for Manufacturing","description":"Manufacturing is NIS2 Annex II scope. Guide for 50+ employee companies: OT/IT convergence, SCADA/MES security, and BSIG compliance basics."},"badge":"Annex II - Important Entity","title":"NIS2 for Manufacturing Companies","subtitle":"Manufacturing of medical devices, electronics, electrical equipment, machinery, and vehicles is in scope under NIS2 Annex II. If your company has 50+ employees, here is what the BSIG requires and how to handle the OT/IT challenge.","why":{"heading":"Why Does NIS2 Apply to Manufacturing?","p1":"Modern manufacturing depends on the convergence of IT and OT (operational technology). ERP systems drive production scheduling. MES platforms manage shop floor execution. SCADA systems control machinery and process automation. CAD/CAM systems define what gets built. When these systems are interconnected - and in most factories they are - a cyberattack on one can cascade across the entire production chain. A ransomware infection in the office network that reaches the MES can shut down production lines.","p2":"The EU classified manufacturing under Annex II of the NIS2 Directive, covering: medical device manufacturing, computer and electronics manufacturing, electrical equipment manufacturing, machinery and equipment manufacturing, motor vehicle manufacturing, and other transport equipment manufacturing. Companies meeting the size threshold (50+ employees or over 10 million euros annual revenue) are 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG.","p3":"Manufacturing has a unique challenge that most other NIS2 sectors do not face at the same scale: OT security. Production equipment often runs specialized operating systems, uses proprietary protocols, and has lifecycle constraints that make patching difficult. A CNC machine from 2015 may run Windows 7 Embedded and cannot be updated without the manufacturer's involvement. NIS2 does not ignore this reality - Section 30 BSIG requires measures that are 'proportionate' to the risk. But you must document the risks and the compensating controls."},"assets":{"heading":"What Does a Manufacturer's Asset Inventory Look Like?","description":"Manufacturing asset inventories typically span both IT and OT. For a company with 100 to 250 employees, expect 12 to 20 grouped entries across six categories.","items":{"mes":{"title":"Manufacturing Execution System (MES)","detail":"The system that manages shop floor operations: production scheduling, work order execution, quality tracking, and performance monitoring. Common systems include SAP ME, MPDV HYDRA, Forcam, or custom solutions. MES sits between ERP and the production floor. If it goes down, you lose production visibility and scheduling. One asset entry per facility."},"scada":{"title":"SCADA and industrial controls","detail":"Supervisory Control and Data Acquisition systems, PLCs (programmable logic controllers), HMIs (human-machine interfaces), and CNC controllers. These directly control physical production processes. Often running older operating systems with limited security capabilities. They represent the highest-impact risk because compromise can damage equipment or cause safety incidents. Group per production line or cell."},"erp":{"title":"ERP system","detail":"The core business system for order management, procurement, inventory, finance, and production planning. Commonly SAP, proALPHA, Microsoft Dynamics, or abas. ERP drives what gets produced and when. Compromise stops order processing, supplier payments, and customer deliveries. One asset entry."},"cad":{"title":"CAD/CAM and engineering","detail":"Computer-Aided Design and Computer-Aided Manufacturing systems: SolidWorks, AutoCAD, Siemens NX, CATIA, or similar. These contain your intellectual property - product designs, manufacturing processes, tolerances. A breach here can mean loss of trade secrets. Also includes PLM (Product Lifecycle Management) if used. One grouped entry."},"network":{"title":"Network infrastructure","detail":"The network connecting office IT, engineering, and the production floor. Critically includes the IT/OT boundary: firewalls, DMZ segments, and data diodes between the office network and the shop floor network. If your IT and OT networks are flat (no segmentation), this is your highest-priority risk. Include VPN and remote access for supplier maintenance."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices for office staff, engineering, and production management. Standard office applications, email, collaboration tools. Grundschutz allows grouping: '80 standard Windows laptops' is one entry. Also include servers (file, print, application) as a separate grouped entry if significant."}}},"priorities":{"heading":"Where to Start - Priority Order for Manufacturers","description":"Focus on the actions that create the most compliance value first. OT security is critical but comes after the foundation is in place.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes 30 to 60 minutes and puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately."},"assets":{"title":"2. Build your asset inventory (IT and OT)","description":"This is where manufacturing differs from other sectors. You need to inventory both IT systems (ERP, email, engineering) and OT systems (MES, SCADA, PLCs, CNC machines). For OT assets, document the operating system, firmware version, network connectivity, and whether the manufacturer provides security updates. This inventory is the foundation for everything that follows."},"otSecurity":{"title":"3. Assess and segment your OT network","description":"The single most impactful technical measure for manufacturers. If your office IT and production OT share a flat network, a ransomware infection in the office can reach your production controllers. Implement network segmentation: separate IT and OT into distinct network zones with a firewall between them. This is Grundschutz requirement IND.1 and the BSI's top recommendation for industrial environments."},"incidents":{"title":"4. Set up incident reporting","description":"Define what a significant incident means for your manufacturing operations. A ransomware attack that stops production lines is clearly significant. An attempted phishing email that was blocked is not. Establish the reporting chain, including who has authority to file the BSI report and how to reach them outside business hours. Test the process with a tabletop exercise."},"suppliers":{"title":"5. Document supplier relationships","description":"Manufacturing companies often have multiple OT suppliers with remote access to production systems for maintenance and updates. Document every supplier with access to your network, what they can reach, and what security measures they commit to. Remote maintenance connections to SCADA systems are a common attack vector - ensure these are properly secured and monitored."}}},"specifics":{"heading":"What Makes Manufacturing Different","p1":"The IT/OT convergence challenge defines manufacturing NIS2 compliance. Your office IT team understands patching, access controls, and network security. But production equipment operates on different rules: you cannot reboot a CNC machine during a production run to apply patches. PLCs may run firmware that has not been updated in years because the manufacturer has not released an update. SCADA systems may use proprietary protocols that standard IT security tools do not understand.","p2":"The solution is not to force IT security practices onto OT. It is to build a security model that respects the constraints. Network segmentation isolates OT from IT risks. Monitoring detects anomalies without requiring agents on controllers. Compensating controls (restricted physical access, dedicated maintenance networks, logging) provide protection where traditional IT controls are not feasible. Document everything - the BSI expects 'proportionate' measures, and documenting why you chose compensating controls over direct patching is a valid approach.","p3":"Manufacturing companies also face intellectual property risk that other sectors may not. CAD files, production processes, tolerances, and supplier specifications are valuable trade secrets. A breach that exposes these does not just create a compliance issue - it creates a competitive disadvantage. Access controls on engineering systems and encryption for design files should be prioritized alongside the OT segmentation work."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Our production machines run Windows 7 or older. Does NIS2 require us to upgrade?","a":"NIS2 does not mandate specific operating system versions. It requires 'appropriate and proportionate' risk management. For older OT systems, this means: document the risk (unsupported OS, no patches), implement compensating controls (network isolation, restricted access, monitoring), and plan for lifecycle replacement. The BSI expects you to acknowledge the risk and manage it, not to perform impossible upgrades on equipment that cannot be updated."},"q2":{"q":"Do we need to separate our IT and OT networks?","a":"Network segmentation between IT and OT is the single most impactful security measure for manufacturers, and it is strongly recommended by both the BSI (Grundschutz IND.1) and the CIR 2024/2690. If your networks are currently flat, this should be your top technical priority. At minimum, deploy a firewall between the office network and the production network, restrict traffic to only what is necessary, and log all cross-zone connections."},"q3":{"q":"Our machine supplier has remote access for maintenance. Is that a problem?","a":"Remote maintenance access is common and necessary, but it is a significant risk vector. Under NIS2, you must document this access, include security requirements in the supplier contract, and implement controls: dedicated VPN connections (not open ports), time-limited access (enabled only when needed), logging of all remote sessions, and multi-factor authentication. The supplier becomes part of your supply chain security assessment under Section 30(2)(4) BSIG."},"q4":{"q":"We are a Tier 2 automotive supplier. Does NIS2 apply even if our OEM has not asked about it?","a":"If you manufacture motor vehicles, parts, or transport equipment and have 50+ employees, NIS2 applies to you regardless of what your OEM customer requires. Manufacturing of motor vehicles and other transport equipment is explicitly listed in Annex II. In practice, automotive OEMs will increasingly require NIS2 compliance from their supply chain - TISAX already covers similar ground. Getting ahead of this requirement is strategically smart."}},"ctaCard":{"heading":"NIS2 Compliance for Manufacturing - Including OT Security","description":"The platform covers both IT and OT asset management, network segmentation documentation, supplier access tracking, and all 49 BSIG requirements with guidance sized for manufacturing operations."},"cta":"Start Your NIS2 Compliance Process"},"sectorHealth":{"meta":{"title":"NIS2 for Healthcare","description":"Healthcare is an Annex I essential entity under NIS2. Guide for hospitals and clinics: patient data, medical device security, and BSIG compliance."},"badge":"Annex I - Essential Entity","title":"NIS2 for Healthcare Organizations","subtitle":"Healthcare is classified under Annex I of NIS2, making hospitals and medical facilities essential entities with the highest compliance requirements. Here is your practical guide.","why":{"heading":"Why Does NIS2 Apply to Healthcare?","p1":"Healthcare was already one of the most targeted sectors for cyberattacks before NIS2. The combination of sensitive patient data, life-critical systems, and often outdated IT infrastructure makes hospitals and clinics attractive targets. The 2020 Duesseldorf University Hospital ransomware attack - which forced emergency room closures and patient diversions - demonstrated that cyberattacks on healthcare can directly threaten lives. NIS2 codifies what the sector already knows: IT security in healthcare is patient safety.","p2":"The EU classified health under Annex I (sectors of high criticality) of the NIS2 Directive, covering hospitals, reference laboratories, pharmaceutical manufacturing, and medical device manufacturers. Large healthcare entities (250+ employees) are classified as 'essential entities' under Section 28(1) BSIG. Medium entities (50-249 employees) are 'wichtige Einrichtungen' (important entities). Essential entities face proactive BSI supervision - the BSI can audit you at any time, without requiring evidence of non-compliance first.","p3":"Healthcare already operates under strict data protection rules (GDPR, patient confidentiality) and sector-specific regulation (KHZG, BSI KRITIS for larger hospitals). NIS2 adds a systematic cybersecurity management layer: not just protecting patient data, but securing the entire IT infrastructure that delivers care. If your HIS goes down, you cannot access patient records. If your PACS fails, radiology stops. If your medical devices are compromised, patient safety is at risk. NIS2 requires you to assess and manage all of these risks."},"assets":{"heading":"What Does a Healthcare Asset Inventory Look Like?","description":"Healthcare IT is complex. A mid-sized hospital or clinic group with 100 to 300 employees will typically have 15 to 25 grouped asset entries across six core categories.","items":{"his":{"title":"Hospital Information System (HIS/KIS)","detail":"The central clinical system: patient records, admissions, scheduling, clinical documentation, ordering, and billing. Systems like SAP IS-H, Dedalus ORBIS, Agfa HealthCare ORBIS, or iMedOne. This is the single most critical IT asset - if the HIS is down, clinical operations revert to paper and care quality drops immediately. One asset entry."},"pacs":{"title":"PACS and imaging systems","detail":"Picture Archiving and Communication Systems store and distribute medical images (X-ray, CT, MRI, ultrasound). Tightly integrated with the HIS via DICOM/HL7. Systems like Sectra, Agfa Enterprise Imaging, or Philips IntelliSpace. PACS stores massive amounts of data and is often connected to imaging modalities throughout the facility. Compromise can block radiology and diagnostics."},"medDevices":{"title":"Networked medical devices","detail":"Patient monitors, infusion pumps, ventilators, surgical robots, and diagnostic equipment connected to the hospital network. Many run embedded operating systems (Windows CE, Linux variants) with limited update capabilities. FDA/MDR certification constraints may prevent patching. Group by device type - for example, '35 patient monitors (Philips IntelliVue)' is one entry. These require special security treatment due to regulatory constraints."},"lab":{"title":"Laboratory information system (LIS)","detail":"Systems managing laboratory workflows: sample tracking, test ordering, result reporting, and quality control. Connected to analyzers and the HIS. LIS directly affects diagnostic turnaround times. If the LIS is compromised, lab results cannot be verified or communicated, potentially delaying treatment decisions."},"network":{"title":"Network infrastructure","detail":"The clinical network connecting HIS, PACS, medical devices, and administrative systems. Includes wired and wireless infrastructure, firewalls, network segmentation between clinical and administrative zones, and VPN for remote access. Network segmentation is critical in healthcare - medical devices, clinical systems, guest Wi-Fi, and administrative IT should be on separate network segments."},"endpoints":{"title":"Endpoints and administrative IT","detail":"Clinical workstations, nursing stations, office PCs, and mobile devices (tablets for ward rounds, smartphones). Standard office applications, email, and communication tools. Grundschutz allows grouping: '120 clinical workstations (thin clients)' is one entry. Include mobile device management (MDM) as a grouped asset if used for clinical communication."}}},"priorities":{"heading":"Where to Start - Priority Order for Healthcare","description":"Healthcare has unique urgency because of patient safety implications. Start with the foundation, then layer in the sector-specific requirements.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration. Healthcare entities classified as essential face proactive BSI supervision, which means the BSI may audit you at any time. Being registered and demonstrating active compliance work puts you in a far better position than being discovered as unregistered during an audit."},"assets":{"title":"2. Build your asset inventory","description":"List all systems supporting clinical care, diagnostics, and administration. Pay special attention to networked medical devices - many healthcare organizations do not have a complete inventory of devices connected to their network. Walk the floors, check with biomedical engineering, and document what is connected. You cannot secure what you do not know exists."},"incidents":{"title":"3. Set up incident reporting","description":"Healthcare cybersecurity incidents can be life-threatening. Your incident response plan must account for clinical impact: which systems can operate in degraded mode, what manual fallback procedures exist, when to divert patients, and who makes those decisions. Establish the BSI reporting chain (24h/72h/1 month) and the internal clinical escalation chain in parallel."},"access":{"title":"4. Strengthen access controls","description":"Healthcare has a unique access control challenge: clinicians need fast access to patient data in time-critical situations, but broad access creates risk. Implement role-based access controls (RBAC) for the HIS, enforce MFA for remote access and administrative accounts, conduct quarterly access reviews, and ensure that departed staff have access revoked promptly. Emergency access procedures ('break glass') should be documented and audited."},"encryption":{"title":"5. Encrypt patient data","description":"Patient data is among the most sensitive data categories under both GDPR and NIS2. Implement encryption at rest for databases containing patient records and encryption in transit for all clinical data flows. PACS images, HL7/FHIR messages, and lab results should all travel encrypted. Document your encryption standards and key management procedures - this is a specific Section 30 requirement."}}},"specifics":{"heading":"What Makes Healthcare Different","p1":"Healthcare faces a tension between security and clinical workflow that no other sector experiences at the same intensity. A locked-down system that requires 30 seconds of authentication at each workstation costs time in an emergency department where seconds matter. NIS2 compliance in healthcare requires finding the right balance: strong security for administrative and remote access, streamlined but audited access for clinical workflows, and emergency override procedures that are logged and reviewed.","p2":"Networked medical devices are the sector's biggest unsolved challenge. A patient monitor from 2018 may run an embedded OS that the manufacturer no longer patches. FDA/MDR certification means you cannot modify the device's software without recertification. The answer is compensating controls: network segmentation (isolate medical devices on their own VLAN), traffic monitoring, restricted communication (devices only talk to the systems they need), and lifecycle planning. Document everything - the BSI understands the medical device constraint and evaluates compensating controls as valid.","p3":"Healthcare organizations that already participated in KRITIS (under the original BSI-KritisV) have a significant head start. The KRITIS requirements overlap substantially with NIS2. If you have KRITIS audit evidence, use it as the baseline and extend it to cover the additional NIS2 requirements: formal management liability documentation (Section 38), supply chain security assessment, and the specific incident reporting timelines. For non-KRITIS healthcare organizations, the NIS2 requirements are the first time you face structured cybersecurity regulation - start with the 4-week plan and adapt it for your clinical environment."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We are a hospital with 200 beds. Are we essential or important?","a":"Healthcare falls under Annex I (sectors of high criticality). If your hospital has 250 or more employees, you are classified as an essential entity. With fewer than 250 employees but more than 50, you are an important entity. If you are already classified as KRITIS (critical infrastructure), you are automatically essential regardless of size. Essential entities face proactive BSI supervision and the higher penalty tier (up to 10 million euros)."},"q2":{"q":"We cannot patch our medical devices. How do we comply with NIS2?","a":"NIS2 requires 'appropriate and proportionate' measures, not impossible ones. For medical devices that cannot be patched due to manufacturer or regulatory constraints: document the risk in your risk assessment, implement compensating controls (network segmentation, traffic monitoring, restricted communication), include the limitation in your supplier assessment for the device manufacturer, and maintain a lifecycle plan for eventual replacement. The BSI explicitly recognizes that OT and medical device environments require adapted security approaches."},"q3":{"q":"Does GDPR compliance already cover our NIS2 patient data obligations?","a":"GDPR covers data protection (privacy, consent, processing lawfulness), while NIS2 covers the security infrastructure that protects that data. They complement each other but do not substitute. Your GDPR compliance means you understand data flows and have processing records - that helps. NIS2 adds: systematic risk management for the IT systems processing that data, incident reporting to the BSI (not just the data protection authority), supply chain security for IT suppliers, and management liability for cybersecurity measures."},"q4":{"q":"How does NIS2 relate to KHZG (Hospital Future Act) funding?","a":"KHZG funded IT modernization in German hospitals, including IT security investments. If your hospital received KHZG funding for cybersecurity projects, those investments likely address some NIS2 requirements. However, KHZG was about investment, not about ongoing compliance management. NIS2 requires continuous risk management, regular reviews, incident reporting processes, and management oversight - these are operational practices, not one-time projects. Use your KHZG investments as the technical foundation and build the NIS2 management framework on top."}},"ctaCard":{"heading":"NIS2 Compliance for Healthcare - Protecting Patients and Data","description":"The platform covers all 49 BSIG requirements with guidance adapted for healthcare environments: HIS/PACS asset management, medical device risk documentation, clinical incident response, and patient data encryption tracking."},"cta":"Start Your NIS2 Compliance Process"},"sectorLogistics":{"meta":{"title":"NIS2 for Logistics and Transport","description":"Logistics is NIS2 Annex I scope. Guide for 50+ employee companies: TMS, fleet management, warehouse systems, and BSIG compliance."},"badge":"Annex I - Essential / Important Entity","title":"NIS2 for Logistics and Transport Companies","subtitle":"Transport is classified under Annex I of NIS2, covering road, rail, water, and air transport. If your logistics company has 50+ employees, here is what the BSIG requires and where to start.","why":{"heading":"Why Does NIS2 Apply to Logistics Companies?","p1":"Logistics is the backbone of the physical economy. A cyberattack that stops a major logistics provider does not just affect one company - it disrupts supply chains for dozens or hundreds of clients. The 2017 NotPetya attack cost Maersk alone over 300 million euros and disrupted global shipping for weeks. The EU classified transport under Annex I (sectors of high criticality) because logistics disruptions cascade through the entire economy.","p2":"NIS2 covers all transport modes: road freight, rail transport, inland waterways, maritime shipping, and air cargo. Companies meeting the size threshold (50+ employees or over 10 million euros in revenue) are in scope. Large companies (250+ employees) in Annex I sectors are classified as essential entities. Medium companies (50-249 employees) are important entities (wichtige Einrichtungen). Both face the full set of NIS2 obligations.","p3":"Modern logistics companies run on interconnected IT systems. Transport Management Systems (TMS) orchestrate shipments. Fleet management tracks vehicles in real time. Warehouse Management Systems (WMS) control inventory and picking. Telematics units in trucks transmit position, speed, temperature, and driver data. If any of these systems fail, operations stop or become dangerously inefficient. NIS2 requires you to identify these dependencies and manage the cybersecurity risks systematically."},"assets":{"heading":"What Does a Logistics Company's Asset Inventory Look Like?","description":"For a logistics company with 100 to 250 employees, expect 10 to 18 grouped asset entries across six categories. The exact mix depends on whether you operate road, rail, warehouse, or multimodal operations.","items":{"tms":{"title":"Transport Management System (TMS)","detail":"The central system for shipment planning, carrier management, route optimization, and freight billing. Common systems include SAP TM, Oracle Transportation Management, Transporeon, or CargoWise. If the TMS goes down, you cannot plan or dispatch shipments. One asset entry."},"fleet":{"title":"Fleet management and telematics","detail":"GPS tracking, vehicle diagnostics, driver hours logging (digital tachograph integration), fuel management, and route tracking. Telematics units in each vehicle transmit data continuously. Systems like Webfleet, Trimble, Samsara, or fleet-specific solutions. Compromise could mean loss of vehicle visibility, manipulation of driver records, or unauthorized tracking. Group as one asset."},"warehouse":{"title":"Warehouse Management System (WMS)","detail":"Inventory management, picking optimization, goods receipt and dispatch, and integration with TMS and ERP. May include barcode/RFID scanners, automated storage and retrieval systems, and conveyor controls. Systems like SAP EWM, Manhattan Associates, or Korber. If WMS fails, warehouse operations revert to manual processes at a fraction of normal throughput."},"erp":{"title":"ERP and finance system","detail":"Customer management, contract administration, invoicing, procurement, and financial reporting. Commonly SAP, Microsoft Dynamics, or Sage. In logistics, ERP often integrates tightly with TMS for billing and customer portals. Compromise affects revenue, customer relationships, and financial reporting. One asset entry."},"network":{"title":"Network infrastructure","detail":"The network connecting offices, warehouses, and vehicle telematics. Includes WAN links between locations, VPN connections for mobile workers and drivers, Wi-Fi in warehouses, and cellular connections for fleet telematics. Logistics companies often have distributed networks across many locations - each site's infrastructure should be documented. Group by site type."},"endpoints":{"title":"Endpoints and mobile devices","detail":"Office PCs, warehouse terminals, handheld scanners, driver tablets, and smartphones. Logistics has a higher proportion of mobile and ruggedized devices than most sectors. Include mobile device management (MDM) if used. Grundschutz allows grouping: '60 warehouse handheld scanners' is one entry. Also include driver tablets as a separate grouped entry."}}},"priorities":{"heading":"Where to Start - Priority Order for Logistics Companies","description":"Focus on the areas that create the most compliance value first. Logistics companies benefit from starting with the systems that directly control operations.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration. Transport is an Annex I sector, so large companies face proactive BSI supervision. Registration takes 30 to 60 minutes via muk.bsi.bund.de. If the deadline has passed, register immediately - the penalty for non-registration is up to 500,000 euros."},"assets":{"title":"2. Build your asset inventory","description":"Map your TMS, fleet management, WMS, ERP, and supporting infrastructure. For each system, document what it does, where it runs, who manages it, and what happens if it is unavailable for 4 hours (logistics is time-sensitive). Pay special attention to telematics - dozens or hundreds of connected devices in the field represent a unique attack surface."},"incidents":{"title":"3. Set up incident reporting","description":"Logistics operates on tight schedules. A cyberattack that delays shipments by even a few hours can have contractual and financial consequences. Define what counts as a significant incident, establish the BSI reporting chain (24h/72h/1 month), and create internal escalation procedures that account for the 24/7 nature of logistics operations. Include weekend and night-shift scenarios."},"suppliers":{"title":"4. Document supplier relationships","description":"Logistics companies rely heavily on third-party IT: cloud-hosted TMS, telematics SaaS providers, EDI partners, and carrier platforms. Document every IT supplier, what data they access, and what security measures they commit to. Your TMS provider likely has more access to your operational data than any single employee. Include them in your supply chain security assessment under Section 30(2)(4) BSIG."},"access":{"title":"5. Review access controls","description":"Logistics has a distributed workforce: office staff, warehouse workers, drivers, and dispatchers - each needing different system access. Implement role-based access controls, enforce MFA for remote and administrative access, and ensure that driver and temporary worker accounts are deactivated promptly when employment ends. Shared accounts on warehouse terminals are common but should be replaced with individual logins where feasible."}}},"specifics":{"heading":"What Makes Logistics Companies Different","p1":"Logistics companies operate one of the most distributed IT environments of any sector. Assets are not in one building - they are spread across offices, warehouses, distribution centers, and hundreds of vehicles on the road. Every truck with a telematics unit is a connected endpoint. Every warehouse scanner is a device on your network. This distributed footprint makes traditional perimeter security less effective and increases the importance of device management, network segmentation, and identity-based access controls.","p2":"The time sensitivity of logistics creates a unique incident response challenge. In a manufacturing company, you might be able to tolerate a 24-hour system outage. In logistics, 4 hours of TMS downtime means missed delivery windows, contract penalties, and cascading delays. Your incident response plan needs to account for this: what manual fallback procedures exist? Can dispatchers route shipments by phone? Can warehouse operations continue with paper-based picking? These business continuity questions are as important as the technical recovery plan.","p3":"Logistics companies are also deeply integrated with their customers' and carriers' systems via EDI (Electronic Data Interchange), API connections, and shared platforms. A security breach at your company can propagate to customers through these connections, and vice versa. Your supply chain security assessment should cover not just your IT suppliers but also the electronic connections with your business partners. Securing these interfaces - proper authentication, encrypted transmission, input validation - is both a NIS2 requirement and a business protection measure."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We are a road freight company with 80 trucks. Are we essential or important?","a":"Road transport falls under Annex I (sectors of high criticality). If your company has 250 or more employees, you are an essential entity with proactive BSI supervision. With 50 to 249 employees, you are an important entity with reactive supervision. With 80 trucks, you likely have 100 to 150 employees (drivers, dispatchers, warehouse, office). Check your total headcount against the threshold - the full range of NIS2 obligations applies either way."},"q2":{"q":"Are our truck telematics units considered 'assets' under NIS2?","a":"Yes. Any system that supports your critical transport services is an asset. Telematics units transmit real-time location, speed, temperature (for refrigerated transport), and driver hours data. They are connected devices on your network. Group them as one asset entry - for example, '80 Webfleet telematics units' rather than 80 separate entries. The key risks are: unauthorized access to vehicle tracking data, manipulation of tachograph records, and potential use as a network entry point."},"q3":{"q":"We use a cloud-based TMS. Is that our problem or the provider's?","a":"Both, but the legal obligation is yours. Under Section 30 BSIG, you can outsource operations but not accountability. Your cloud TMS provider is a critical supplier under Section 30(2)(4). You must: document the provider in your supply chain security assessment, include cybersecurity requirements in the contract, verify the provider has adequate security measures (certifications, audit reports, incident notification commitments), and have a contingency plan if the provider suffers a breach or outage."},"q4":{"q":"How does NIS2 relate to the EU Mobility Data Act and digital tachograph regulations?","a":"NIS2, the Mobility Data Act, and tachograph regulations (EU 165/2014) are separate legal frameworks that overlap on data security. Tachograph regulations require tamper-proof recording of driver data. The Mobility Data Act addresses data sharing obligations. NIS2 adds the cybersecurity management layer: securing the IT systems that process and transmit this data. Compliance with NIS2 strengthens your position on all three because a well-secured IT environment protects the integrity of regulated data."}},"ctaCard":{"heading":"NIS2 Compliance for Logistics - From Fleet to Warehouse","description":"The platform covers all 49 BSIG requirements with guidance for logistics operations: fleet and telematics asset management, distributed network documentation, supplier security tracking, and incident reporting for time-critical operations."},"cta":"Start Your NIS2 Compliance Process"},"europeanStandard":{"meta":{"title":"EU-Wide NIS2 Compliance Standard","description":"One platform combining NIS2 Directive, CIR 2024/2690, and BSIG/Grundschutz into a unified compliance process. Comply once, comply everywhere."},"badge":"EU-Wide Compliance","title":"One platform. Every EU requirement. No gaps.","subtitle":"The EU created NIS2 to harmonize cybersecurity across Europe. Then 27 countries implemented it differently. We fixed that.","problem":{"heading":"The standardization that never was","p1":"NIS2 was supposed to be the great unifier - one directive to align cybersecurity requirements across all 27 EU member states. In practice, it did the opposite. The directive sets minimum requirements, and every country is free to go stricter. Most did. The result is a patchwork of national laws, each with its own interpretation, its own thresholds, and its own enforcement expectations.","p2":"Then the European Commission added CIR 2024/2690, an implementing regulation that specifies technical requirements for the most critical cross-border entities. It does not replace national law - it stacks on top of it. So now companies face three layers of requirements that overlap, contradict, and confuse in roughly equal measure.","p3":"If you operate in multiple EU countries, or if you simply want to know what \"NIS2 compliant\" actually means in concrete terms, you are on your own. There is no single source of truth. Until now."},"layers":{"heading":"Four layers of requirements","description":"To understand why NIS2 compliance is confusing, you need to understand the four layers that define what \"compliant\" actually means.","items":{"directive":{"title":"NIS2 Directive (EU 2022/2555)","description":"The EU-level directive that sets minimum cybersecurity requirements for essential and important entities. Deliberately vague on implementation details - it tells you what to achieve, not how to achieve it. Every member state must transpose it into national law, and they are explicitly allowed to go further."},"nationalLaw":{"title":"BSIG - German National Transposition","description":"Germany transposed NIS2 into the BSIG (BSI-Gesetz). It goes significantly beyond the directive's minimums: stricter incident reporting timelines, broader scope of affected entities, and explicit management liability under section 38. If you operate in Germany, the directive alone is not enough - the BSIG is what auditors enforce."},"cir":{"title":"CIR 2024/2690 - EU Implementing Regulation","description":"The Commission Implementing Regulation specifies detailed technical and methodological requirements for entities that provide cross-border services (DNS, cloud, CDN, data centers, and more). Unlike the directive, it is directly applicable - no national transposition needed. It adds granular requirements for risk management, incident handling, and supply chain security that go well beyond the directive's text."},"grundschutz":{"title":"IT-Grundschutz - BSI Implementation Methodology","description":"The BSI's IT-Grundschutz standards (BSI-200-1, 200-2, 200-3) define exactly how to implement the requirements in practice. Under section 44(2) BSIG, implementing Grundschutz is explicitly recognized as fulfilling NIS2 obligations in Germany. It is the most detailed and prescriptive layer - and the one that turns vague policy statements into concrete, auditable controls."}}},"approach":{"heading":"The strictest common denominator","p1":"Our platform does not pick one framework and hope for the best. For every compliance topic - risk management, incident reporting, access control, encryption, training, supply chain - we identify the strictest requirement across all three normative sources: the NIS2 Directive, the CIR 2024/2690, and the BSIG with IT-Grundschutz methodology.","p2":"Then we build that strictest version into the platform as the default. Every form, every workflow, every evidence requirement is designed to satisfy the highest bar. When you complete a requirement on our platform, you do not just meet the German standard or the EU minimum - you meet all of them simultaneously.","p3":"The result: comply once, be compliant everywhere. Whether you operate only in Germany, across the EU, or fall under the CIR's cross-border scope, your compliance posture holds up. No duplicate work, no gaps, no surprises during an audit in a different jurisdiction."},"comparison":{"heading":"Where the requirements diverge","description":"The table below shows how requirements differ across the three normative layers. Our platform implements the strictest column for each area - so you never have to figure out which standard applies to you.","colArea":"Compliance area","colDirective":"NIS2 Directive","colCir":"CIR 2024/2690","colBsig":"BSIG / Grundschutz","rows":{"riskManagement":{"area":"Risk management","directive":"\"Appropriate and proportionate\" measures, no prescribed methodology","cir":"Explicit risk assessment methodology with defined criteria, documented risk acceptance","bsig":"Full asset-based risk analysis per BSI-200-3, threat modeling per IT-Grundschutz Compendium, mandatory annual review"},"incidentReporting":{"area":"Incident reporting","directive":"Early warning within 24h, full notification within 72h","cir":"Same timelines, plus recurring incidents must be aggregated and reported as a pattern","bsig":"24h/72h plus mandatory reporting to BSI, management must be notified immediately, root cause analysis required"},"supplyChain":{"area":"Supply chain security","directive":"Consider supply chain risks, account for supplier vulnerabilities","cir":"Documented supplier assessment, contractual security requirements, periodic reassessment","bsig":"Supplier risk register linked to asset inventory, NIS2 registration status tracked, Grundschutz-level supplier auditing"},"encryption":{"area":"Encryption & cryptography","directive":"\"Where appropriate\" - use of cryptography and encryption","cir":"Cryptography policy required, key management documented, algorithm suitability assessed","bsig":"BSI Technical Guidelines (TR-02102) define approved algorithms, key lengths, and protocols - no room for interpretation"},"accessControl":{"area":"Access control","directive":"Policies for access control to network and information systems","cir":"Role-based access, privileged access management, regular access reviews","bsig":"Need-to-know principle, separation of duties, mandatory MFA for administrative access, documented RBAC with annual recertification"},"training":{"area":"Cybersecurity training","directive":"Regular training for management and all employees","cir":"Role-specific training, management must demonstrate competence in risk oversight","bsig":"Annual awareness training for all employees, role-specific training for IT staff, mandatory section 38 BSIG liability training for management"}}},"benefits":{"heading":"Why this approach wins","description":"Meeting the highest bar is not just about compliance - it is the only strategy that scales across jurisdictions, survives regulatory tightening, and eliminates ambiguity.","items":{"crossBorder":{"title":"Cross-border by default","description":"Operate in Germany, expand to France, serve clients in the Netherlands - your compliance holds up everywhere. No jurisdiction-specific rework, no second audit. One process covers all 27 member states because you already meet the strictest interpretation."},"noGuesswork":{"title":"Zero ambiguity","description":"The NIS2 Directive is deliberately vague. \"Appropriate measures\" means different things to different auditors. Our platform eliminates that ambiguity by defaulting to the most specific, most prescriptive requirement available. You never have to guess whether your interpretation is \"enough\"."},"futureProof":{"title":"Future-proof compliance","description":"Regulations only tighten. Countries that transposed NIS2 at the minimum level today will go stricter tomorrow. By already meeting the highest current standard, you are ahead of every future tightening - not scrambling to catch up."},"auditReady":{"title":"Audit-ready from day one","description":"BSI auditors expect Grundschutz-level evidence. ENISA assessments check CIR compliance. Our platform generates evidence that satisfies both, automatically. Assignments, sign-offs, deadlines, and audit trails are built into the workflow - they are the compliance process, not an afterthought."}}},"myth":{"heading":"\"Isn't the strictest standard the most work?\"","p1":"This is the most common objection - and it is wrong. The difference between meeting the NIS2 Directive's minimum requirements and meeting the BSIG/Grundschutz standard is not more data entry, more documents, or more busywork. It is more structure. The same information a company provides for a bare-minimum NIS2 checkbox exercise is the same information needed for a Grundschutz-level implementation.","p2":"The extra \"work\" is understanding: knowing which assets to document, how to structure a risk assessment, what constitutes adequate evidence. That is exactly what our platform handles for you. The forms guide you through the right questions. The workflows enforce the right process. The evidence is generated as you work.","p3":"In practice, a company using our platform spends no more time than one using a minimum-compliance checklist tool. The difference is that our output actually holds up in an audit - in any EU country, under any applicable regulation. The effort is identical. The result is incomparably better."},"faq":{"heading":"Frequently asked questions","q1":{"q":"Isn't this overkill for a company that only operates in one country?","a":"No. Even within a single country, you face multiple overlapping requirements: the national transposition, potentially the CIR if you provide cross-border services, and the practical expectations of your national auditor. Meeting the strictest common denominator means you never have to worry about which specific regulation applies to which part of your business. It is not overkill - it is the only approach that removes ambiguity entirely."},"q2":{"q":"What if my country has different requirements than Germany's BSIG?","a":"Every EU country transposed NIS2 at or above the directive's minimum. Germany's BSIG is among the strictest transpositions. If you meet BSIG-level requirements, you automatically exceed whatever your country requires. Think of it as a superset: the strictest national law plus the CIR plus the directive covers every possible interpretation any member state could enforce."},"q3":{"q":"Does the stricter approach cost more or take longer?","a":"No. The platform guides you through the same number of steps regardless. The difference is in how those steps are structured - our forms and workflows are designed to capture information at the level of detail that satisfies Grundschutz methodology. You are not doing more work; you are doing the same work more precisely. The time investment is comparable to any compliance tool, but the output is defensible across all EU jurisdictions."},"q4":{"q":"What about ISO 27001? Do I still need it?","a":"ISO 27001 is a management system standard, not a legal requirement. NIS2, BSIG, and CIR are legal obligations. There is significant overlap - if you comply with our platform's requirements, you have covered roughly 70-80% of ISO 27001's Annex A controls. But they serve different purposes: NIS2 compliance is mandatory and legally enforced, ISO 27001 certification is voluntary and market-driven. Our platform focuses on the legal obligations first. ISO 27001 alignment will follow as a future feature."},"q5":{"q":"How does CIR 2024/2690 relate to national law like the BSIG?","a":"The CIR is an EU implementing regulation - it applies directly in all member states without national transposition. It does not replace national law; it adds to it. For entities in scope of the CIR (primarily cross-border digital infrastructure providers), you must comply with both your national transposition (e.g., BSIG in Germany) and the CIR. Where they overlap, the stricter requirement applies. Where they do not overlap, both apply independently. Our platform handles this layering so you do not have to."}},"ctaCard":{"heading":"Comply everywhere. Set up once.","description":"Our platform implements the strictest common denominator of NIS2, CIR 2024/2690, and BSIG/Grundschutz. Complete your compliance process once and meet every EU requirement automatically - no duplicate work, no jurisdiction gaps, no audit surprises."},"cta":"Start your compliance process"},"entityTypes":{"meta":{"title":"NIS2 Entity Types Explained","description":"NIS2 entity types have identical compliance work. The difference: supervision intensity and penalties. Essential, important, and KRITIS explained."},"title":"Important vs Essential vs KRITIS: The Same Work, Different Consequences","subtitle":"NIS2 defines three tiers of regulated entities. The security measures are identical across all three. What changes is how closely BSI watches you and how hard they hit if you fail.","overview":{"heading":"Three Tiers, One Set of Rules","p1":"The German NIS2 transposition (BSIG) classifies regulated entities into three categories: wichtige Einrichtungen (important entities), essential entities (essential entities), and Betreiber kritischer Anlagen (KRITIS operators). Many companies spend weeks trying to figure out which category they fall into before starting their compliance work.","p2":"Here is the key insight: it does not matter for the work itself. All three categories must implement the same 10 security measure categories defined in §30(2) BSIG. The same risk management. The same incident reporting. The same supply chain security. The same access controls. The same encryption policies. The same business continuity planning.","p3":"The differences are in supervision (how BSI monitors you), penalties (how much you pay if caught non-compliant), and three extra obligations that only apply to KRITIS operators. The compliance process you go through on NISD2 covers all three categories identically."},"classification":{"heading":"How Entities Are Classified","description":"Classification is based on company size, sector, and whether you operate critical infrastructure. Defined in §28 BSIG.","headers":{"criterion":"Criterion","important":"Important (Wichtig)","essential":"Essential (Besonders Wichtig)","kritis":"KRITIS"},"rows":{"size":{"criterion":"Company Size","important":"50+ employees OR >10M EUR revenue and >10M EUR balance sheet","essential":"250+ employees OR >50M EUR revenue and >43M EUR balance sheet","kritis":"Any size - determined by infrastructure thresholds (e.g. 500,000 people served)"},"sectors":{"criterion":"Sectors","important":"Annex I (energy, transport, finance, health, water, digital infra, space) + Annex II (postal, waste, chemicals, food, manufacturing, digital services, research)","essential":"Annex I sectors only (medium-sized entities in Annex I are classified as important, not essential)","kritis":"Subset of essential - only entities operating infrastructure whose failure would disrupt public supply"},"sizeIndependent":{"criterion":"Size-Independent Inclusions","important":"Non-qualified trust service providers, small telecom providers","essential":"Qualified trust services, TLD registries, DNS providers, large telecom providers","kritis":"Operators of critical installations as defined in BSI-KritisV (power grids, water treatment, hospitals, etc.)"}}},"edgeCases":{"heading":"Edge Cases: When Size Classification Is Not Obvious","description":"NIS2 uses the EU SME definition (Recommendation 2003/361/EC). The thresholds combine employees with financials in ways that catch many companies off guard.","intro":"The EU medium enterprise threshold is: 50+ employees OR (>€10M turnover AND >€10M balance sheet). Both financial criteria must be met simultaneously - high revenue alone is not enough. For essential entities, the large enterprise threshold is: 250+ employees OR (>€50M turnover AND >€43M balance sheet). These examples show how the rules apply in practice.","headers":{"scenario":"Scenario","employees":"Employees","turnover":"Turnover","balanceSheet":"Balance Sheet","sector":"Sector","result":"Classification"},"rows":{"e1":{"scenario":"High-revenue trading firm, small team","employees":"12","turnover":"€25M","balanceSheet":"€18M","sector":"Annex I - Banking","result":"Important - both financial thresholds exceeded (>€10M), employee count irrelevant"},"e2":{"scenario":"Large manufacturer, low margin","employees":"200","turnover":"€5M","balanceSheet":"€3M","sector":"Annex II - Manufacturing","result":"Important - employee count ≥50 is sufficient, revenue does not matter"},"e3":{"scenario":"SaaS startup, high revenue, tiny team","employees":"8","turnover":"€15M","balanceSheet":"€4M","sector":"Annex I - Digital infrastructure","result":"Not in scope - revenue exceeds €10M but balance sheet is below €10M. Need BOTH"},"e4":{"scenario":"Regional hospital","employees":"400","turnover":"€60M","balanceSheet":"€45M","sector":"Annex I - Health","result":"Essential - 250+ employees in Annex I sector. If >30,000 inpatient cases/year: KRITIS"},"e5":{"scenario":"Energy trader, asset-light","employees":"15","turnover":"€120M","balanceSheet":"€55M","sector":"Annex I - Energy","result":"Essential - both large financial thresholds exceeded (>€50M turnover AND >€43M balance sheet)"},"e6":{"scenario":"Waste management company","employees":"80","turnover":"€8M","balanceSheet":"€6M","sector":"Annex II - Waste","result":"Important - 80 employees ≥50 threshold, despite low revenue. NACE E.38 only (not remediation E.39)"},"e7":{"scenario":"Managed service provider (MSP)","employees":"45","turnover":"€12M","balanceSheet":"€11M","sector":"Annex I - ICT service management","result":"Important - below 50 employees but both financial thresholds exceeded. Also subject to CIR 2024/2690"},"e8":{"scenario":"Food processor, seasonal workforce","employees":"55 (annual average)","turnover":"€9M","balanceSheet":"€7M","sector":"Annex II - Food","result":"Important - headcount uses annual work units (Rec. 2003/361/EC Art. 5). Seasonal peaks count proportionally"},"e9":{"scenario":"Qualified trust service provider (qTSP)","employees":"3","turnover":"€500K","balanceSheet":"€200K","sector":"Annex I - Digital infrastructure","result":"Essential - size-independent under §28(1) BSIG. qTSPs are always essential regardless of size"},"e10":{"scenario":"Chemical distributor, large subsidiary","employees":"180","turnover":"€70M","balanceSheet":"€50M","sector":"Annex II - Chemicals","result":"Important - despite large financials, Annex II sectors max out at important. Only Annex I + large = essential"}},"legalBasis":"Size thresholds per EU Recommendation 2003/361/EC Art. 2, referenced by NIS2 Directive Art. 2(1). Employee count uses annual work units (Art. 5). Linked/partner enterprise rules (Annex Art. 3) may aggregate parent company headcount and financials. Sector classification per NIS2 Directive Annex I/II, transposed in BSIG §28 Anlage 1/2. Size-independent cases per §28(1) BSIG."},"sameWork":{"heading":"What Is Identical Across All Three Categories","p1":"The compliance obligations defined in §30(2) BSIG are the same for important, essential, and KRITIS. There is no lighter version for important entities and no heavier version for essential entities. The 10 security measure categories apply equally:","items":["Risk management policies and procedures (§30(2) Nr. 1)","Incident handling and reporting - 24h initial, 72h detailed, 1 month final report (§32)","Business continuity and disaster recovery (§30(2) Nr. 3)","Supply chain security (§30(2) Nr. 4)","Security in procurement, development, and maintenance (§30(2) Nr. 5)","Policies for evaluating the effectiveness of security measures (§30(2) Nr. 6)","Cybersecurity hygiene and training (§30(2) Nr. 7)","Cryptography and encryption policies (§30(2) Nr. 8)","Human resources security and access control (§30(2) Nr. 9)","Multi-factor authentication and secure communications (§30(2) Nr. 10)","Registration with BSI within 3 months (§33)","Management liability - personal responsibility for approving and monitoring security measures (§38)"],"p2":"This means the NISD2 platform covers all entity types with the same set of requirements. Whether you are an important food company or an essential energy provider, the compliance process is identical. You complete the same requirements, produce the same evidence, and meet the same standards."},"comparison":{"heading":"What Actually Differs","description":"The differences between entity types are about enforcement, not about what you need to do.","headers":{"obligation":"Obligation","important":"Important","essential":"Essential","kritis":"KRITIS"},"rows":{"measures":{"obligation":"10 Security Measures (§30)","important":"Required","essential":"Required","kritis":"Required"},"reporting":{"obligation":"Incident Reporting (§32)","important":"24h / 72h / 1 month","essential":"24h / 72h / 1 month","kritis":"24h / 72h / 1 month"},"registration":{"obligation":"BSI Registration (§33)","important":"Basic","essential":"Basic","kritis":"Enhanced - critical service, supply metrics, facility location, 24/7 contact"},"management":{"obligation":"Management Liability (§38)","important":"Personal liability","essential":"Personal liability","kritis":"Personal liability"},"supervision":{"obligation":"BSI Supervision","important":"Reactive only (§62) - BSI acts only when evidence of non-compliance exists","essential":"Proactive (§61) - BSI can audit at any time without cause","kritis":"Proactive + mandatory 3-year proof cycle (§39)"},"fineBase":{"obligation":"Maximum Fine (Base)","important":"7,000,000 EUR","essential":"10,000,000 EUR","kritis":"10,000,000 EUR"},"fineRevenue":{"obligation":"Maximum Fine (Revenue)","important":"1.4% of global turnover","essential":"2% of global turnover","kritis":"2% of global turnover"},"attackDetection":{"obligation":"Attack Detection Systems (§31)","important":"Not required","essential":"Not required","kritis":"Required - continuous SIEM/SOC capability"},"complianceProof":{"obligation":"Mandatory Compliance Proof (§39)","important":"Not required","essential":"Not required","kritis":"Required - every 3 years, submitted to BSI"}}},"kritisExtras":{"heading":"KRITIS: Three Additional Obligations","intro":"KRITIS operators - entities running infrastructure whose failure would disrupt public supply (power grids, water treatment, hospitals) - must meet three additional requirements beyond what important and essential entities must do.","items":{"attackDetection":{"title":"§31 - Attack Detection Systems (Angriffserkennungssysteme)","detail":"You need a system watching your network around the clock that can spot attacks in progress or detect that someone has already broken in. In practice, this means deploying a SIEM (Security Information and Event Management) - software that collects logs from every server, firewall, and endpoint, correlates them, and alerts on anomalies. It must use pattern matching AND anomaly detection, not just signatures. Most companies outsource this to a managed SOC (Security Operations Center) provider, which typically costs 5,000-15,000 EUR per month. Normal NIS2 entities can get by with basic monitoring - KRITIS operators explicitly cannot."},"enhancedRegistration":{"title":"§33(2) - Enhanced Registration with BSI","detail":"On top of the standard registration (name, sector, contact), KRITIS operators must tell BSI exactly what critical service they provide (e.g. 'drinking water supply for 200,000 people'), what critical components they use, the physical facility location, and a 24/7 contact person reachable at any hour. Supply metrics must be reported annually - BSI uses these to verify you still exceed the KRITIS threshold (defined in BSI-KritisV, e.g. 500,000 people served for water, 104 MW for power)."},"complianceProof":{"title":"§39 - Mandatory Compliance Proof Every 3 Years (Nachweispflicht)","detail":"Every 3 years, you must proactively submit audit results, security reports, or certifications to BSI proving compliance with all §30 measures and §31 attack detection. BSI does not have to come find you - you come to them. If BSI finds deficiencies, they issue binding remediation orders with deadlines and demand proof that you fixed the issues. Think of it as a mandatory ISO certification cycle, except the auditor is the government. First deadline: December 2028 (5 years for hospitals: December 2030)."}}},"takeaway":{"heading":"What This Means for Your Company","p1":"If you are a 50-250 employee company in Germany - the typical NISD2 user - you are almost certainly classified as a wichtige Einrichtung (important entity). Your manufacturing company, food processing business, or IT service provider falls into this category. The compliance work you need to do is exactly the same as what a large essential entity or even a KRITIS operator does. The only practical difference: BSI will not proactively audit you unless they have a reason to (an incident, a complaint, or a tip-off).","p2":"That is not a reason to do less. If BSI does audit you - reactively, after an incident - and finds you non-compliant, fines up to 7 million EUR or 1.4% of global turnover apply. And your management is personally liable under §38. The safest position is full compliance regardless of category. NISD2 gives you the same compliance process used by essential and KRITIS entities, because the requirements are identical."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Can my company be both important and essential?","a":"No. The categories are mutually exclusive under §28 BSIG. If you meet the essential threshold (250+ employees or >50M revenue in an Annex I sector), you are essential. If you meet the important threshold but not the essential one, you are important. KRITIS is a subset of essential - KRITIS operators are automatically classified as essential with additional obligations on top."},"q2":{"q":"I am an important entity. Do I need to do less compliance work?","a":"No. The 10 security measure categories in §30(2) BSIG apply identically to both important and essential entities. The only difference is enforcement: BSI supervises essential entities proactively (random audits) and important entities reactively (only after evidence of non-compliance). But the measures themselves, the incident reporting timelines, and management liability are all the same."},"q3":{"q":"How do I know if I am KRITIS?","a":"KRITIS classification is defined in the BSI-KritisV regulation, based on specific supply thresholds: 500,000 people served for water, 104 MW installed capacity for power, 30,000 inpatient cases per year for hospitals, etc. If your infrastructure failure would not directly disrupt public supply at these scales, you are not KRITIS. Most mid-market companies are not KRITIS - they are important or essential entities."},"q4":{"q":"What happens if I get my entity classification wrong?","a":"Classification determines supervision intensity and penalty caps, not what you need to implement. If you implement all 10 measure categories (which NISD2 guides you through), you are compliant regardless of classification. The risk of misclassification is underestimating your supervision exposure - thinking BSI will not audit you when they actually can."},"q5":{"q":"Does the CIR 2024/2690 distinguish between important and essential entities?","a":"No. The CIR applies to specific entity types (cloud providers, DNS providers, managed service providers, etc.) regardless of whether they are classified as important or essential. The technical requirements in the CIR are identical for both categories."}},"sources":{"heading":"Legal Sources","items":["§28 BSIG - Entity classification (essential and important entities)","§30 BSIG - Risk management measures (10 categories, identical for all entity types)","§31 BSIG - Attack detection systems (KRITIS only)","§32 BSIG - Incident reporting obligations (identical timelines for all entity types)","§33 BSIG - Registration obligations (enhanced for KRITIS)","§38 BSIG - Management liability (identical for all entity types)","§39 BSIG - Compliance proof (KRITIS only, every 3 years)","§61 BSIG - Supervision of essential entities (proactive)","§62 BSIG - Supervision of important entities (reactive)","§65 BSIG - Penalties and fines","CIR 2024/2690 - EU implementing regulation (no entity type distinction)","BSI-KritisV - KRITIS threshold regulation"]},"ctaCard":{"heading":"One Platform, All Entity Types","description":"NISD2 implements the full set of NIS2/BSIG requirements - the same ones that apply to important, essential, and KRITIS entities. Complete your compliance once. The requirements are identical regardless of your classification."},"cta":"Start your compliance process"},"faq":{"meta":{"title":"NIS2 FAQ - Compliance in Germany","description":"Common NIS2 questions answered: entity types, penalties, management liability, BSI registration, incident reporting, and costs for German companies."},"title":"NIS2 Frequently Asked Questions","subtitle":"Clear answers to the questions German companies ask most about NIS2, the BSIG, and what compliance actually requires.","categories":{"basics":"NIS2 Basics","scope":"Scope & Applicability","frameworks":"NIS2 vs Other Frameworks","liability":"Management Liability","registration":"BSI Registration","incidents":"Incident Reporting","penalties":"Penalties & Fines","implementation":"Implementation"},"basics":{"q1":{"q":"What is the difference between NIS2 essential and important entities?","a":"Essential entities (essential entities) are companies in high-criticality sectors like energy, transport, banking, health, water, and digital infrastructure (NIS2 Annex I). Important entities (wichtige Einrichtungen) are in other critical sectors like waste management, food, manufacturing, postal, and chemicals (Annex II). The key differences: essential entities face higher maximum fines (€10M / 2% turnover vs €7M / 1.4%), proactive BSI audits (the BSI can inspect at any time without a trigger), and stricter supervision. Important entities are only audited reactively - after an incident or on evidence of non-compliance. Both must implement the same 10 cybersecurity measures under §30 BSIG."},"q2":{"q":"How many companies are affected by NIS2 in Germany?","a":"The BSI estimates approximately 29,500 companies in Germany fall under NIS2 scope. This is a massive expansion from the previous KRITIS regime, which covered only about 2,000 operators. The increase comes from lower size thresholds (50+ employees instead of hundreds of thousands of people served) and seven newly added sectors including waste management, food production, manufacturing, postal services, chemicals, research, and expanded digital services."},"q3":{"q":"When did NIS2 become law in Germany?","a":"The German NIS2 transposition law (NIS2UmsuCG) was passed by the Bundestag on 13 November 2025, approved by the Bundesrat on 21 November 2025, published in the Bundesgesetzblatt on 5 December 2025, and entered into force on 6 December 2025. The BSI registration portal went live on 6 January 2026, with the registration deadline on 6 March 2026. Germany missed the original EU transposition deadline of 17 October 2024 by over a year."},"q4":{"q":"Is there a transition period for NIS2 in Germany?","a":"No. There is no transition period. All obligations - risk management measures, incident reporting, management liability, and BSI registration - applied from the day the law entered into force on 6 December 2025. The BSI registration deadline was 6 March 2026 (3 months after entry into force). Companies that have not yet started compliance work are already technically non-compliant."},"q5":{"q":"Does NIS2 apply to small companies with fewer than 50 employees?","a":"Generally no. NIS2 uses the EU SME definition (Recommendation 2003/361/EC): companies need at least 50 employees OR more than €10M annual turnover AND €10M balance sheet to be in scope. Both financial thresholds must be met - high revenue alone is not enough if the balance sheet is below €10M. However, certain entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region. If you are close to the 50-employee threshold, check whether linked group companies push you over the limit. See our entity types article for 10 real-world edge case examples."}},"scope":{"q1":{"q":"Which sectors are covered by NIS2?","a":"NIS2 covers 18 sectors in total. Annex I (high-criticality, essential entities): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II (other critical, important entities): postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (marketplaces, search engines, social networks), and research organizations."},"q2":{"q":"What is the difference between NIS2 Annex I and Annex II sectors?","a":"Annex I lists 11 'sectors of high criticality' - companies here are classified as essential entities if they are large, or as important entities if medium-sized. Annex II lists 7 'other critical sectors' - companies here are classified as important entities regardless of whether they are medium or large. This means a chemical distributor with 180 employees, €70M revenue, and €50M balance sheet is still classified as important - not essential - because chemicals are Annex II. The practical difference: Annex I essential entities face proactive BSI audits, higher fines (€10M vs €7M), and stricter supervision. Annex II important entities face reactive supervision only."},"q3":{"q":"Does NIS2 apply to manufacturing companies?","a":"Yes, if you manufacture medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, or other transport equipment and have 50+ employees or €10M+ revenue. Manufacturing is listed in NIS2 Annex II, making affected companies 'important entities' (wichtige Einrichtungen). A significant number of German Mittelstand companies fall into this category. All 10 cybersecurity measures under §30 BSIG apply."},"q4":{"q":"We outsource all IT to a managed service provider. Does NIS2 still apply?","a":"Yes, fully. NIS2 applies to the entity providing the regulated service, regardless of who manages the IT. You can outsource operations but not accountability (§30 BSIG). Your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify their security measures. If they get breached, your reporting obligation triggers - not theirs. Management remains personally liable under §38 BSIG."},"q5":{"q":"Our company operates in multiple EU countries. Do we need to comply with each country's NIS2 law?","a":"Yes. An incident at a company with operations in multiple member states may trigger reporting obligations in each country where affected services are provided. By early 2026, only about 6-8 of 27 EU member states had fully transposed NIS2. Each country has its own registration portal and procedures. Germany's BSIG is among the most detailed implementations. For cross-border operations, comply with each national law where you provide services."}},"frameworks":{"q1":{"q":"What is the difference between NIS2 and KRITIS?","a":"NIS2 does not replace KRITIS - it extends it dramatically. KRITIS covered roughly 2,000 operators with high thresholds (e.g., 500,000 people served). NIS2 covers approximately 30,000 entities with much lower thresholds (50+ employees). NIS2 adds seven new sectors, personal management liability (§38 BSIG), mandatory BSI registration, structured incident reporting (24h/72h/1 month), and significantly higher penalties (up to €10M vs €100K). KRITIS operators are automatically classified as essential entities under NIS2."},"q2":{"q":"Does an ISO 27001 certification mean I'm NIS2 compliant?","a":"No. ISO 27001 covers approximately 70% of NIS2 technical requirements, but it misses the areas with the highest enforcement risk: BSI registration (§33), incident reporting timelines (24h/72h/1 month under §32), management personal liability (§38), enhanced supply chain due diligence, and the statutory penalty framework. ISO 27001 is a voluntary management standard; NIS2 is a legal obligation with government reporting and personal liability. Your ISO certification is a strong foundation, but you need gap-filling for the NIS2-specific regulatory requirements."},"q3":{"q":"What is IT-Grundschutz and why does it matter for NIS2?","a":"IT-Grundschutz is the BSI's own cybersecurity methodology - a comprehensive framework with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. This is a legal shortcut: the BSI both publishes Grundschutz and enforces NIS2, so using their methodology means you are audited against a standard the auditor knows inside out. Grundschutz covers 100% of CIR 2024/2690 requirements and is more detailed than ISO 27001 for NIS2 purposes."},"q4":{"q":"What is CIR 2024/2690 and how does it relate to NIS2?","a":"CIR 2024/2690 is the EU Implementing Regulation published on 17 October 2024 that specifies the exact technical and methodological requirements for NIS2 compliance. Unlike the NIS2 Directive, it applies directly in all EU member states without national transposition. It answers the question 'what exactly do we have to implement?' by breaking the 10 measure areas into specific, auditable requirements. In Germany, the BSIG extends these technical requirements to all NIS2-covered sectors, making the CIR the de facto technical standard for everyone."}},"liability":{"q1":{"q":"What are the three management duties under §38 BSIG?","a":"§38 BSIG defines three personal duties for management (Geschäftsleitung) that cannot be delegated: (1) Approval (Billigung) - formally approve cybersecurity risk management measures with documented, traceable sign-off. (2) Oversight (Überwachung) - actively monitor implementation through regular status reviews, not passive awareness. (3) Training (Schulung) - personally complete cybersecurity training to develop sufficient knowledge to evaluate risks. Failing any one of these creates personal liability exposure - even if the company has implemented reasonable measures."},"q2":{"q":"Can I delegate NIS2 responsibility to my IT department?","a":"You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter - not IT managers, CISOs, or external consultants. You must personally approve measures, oversee their implementation, and complete cybersecurity training. Your IT team implements; you approve and monitor. Claiming you delegated everything to IT is not a defense - it is proof of an oversight violation."},"q3":{"q":"Does D&O insurance cover NIS2 liability?","a":"Most D&O policies exclude regulatory fines and penalties - these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims from your own company) may be covered, depending on your policy terms. Insurers can also deny claims if management knowingly failed to comply with statutory duties. Check your specific policy's exclusion clauses - 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies. Do not assume coverage exists - ask for written confirmation."},"q4":{"q":"Can shareholders waive management liability for NIS2?","a":"No. §38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. Even in an owner-managed GmbH where the Geschäftsführer is the sole shareholder, the liability exists. If the company goes bankrupt due to a cyber incident, the insolvency administrator can come after your personal assets."},"q5":{"q":"I'm not technical - can I really be held liable for cybersecurity?","a":"Yes. §38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense - it is proof of a training violation. The training does not require you to become an IT expert, but you must understand your company's risk profile and the measures in place."}},"registration":{"q1":{"q":"How do I register with the BSI for NIS2?","a":"Registration uses a two-step process: (1) Create an account via Mein Unternehmenskonto (MUK) using your ELSTER business certificate at muk.bsi.bund.de. (2) Log in and complete the NIS2 registration form, providing your company details, sector classification, contact person for cybersecurity matters, and IP address ranges. The process takes 30-60 minutes if you have everything prepared. You will need your ELSTER certificate, commercial register number, and a designated cybersecurity contact person."},"q2":{"q":"I missed the BSI registration deadline. Is it too late?","a":"No. The portal is still open - register immediately. The March 6, 2026 deadline has passed, but a significant number of the estimated 30,000 in-scope companies have still not registered. The BSI has signaled that it will prioritize enforcement against companies that ignore obligations entirely - not those who registered late but are acting in good faith. The fine for non-registration is up to €500,000, but the BSI considers circumstances. Late registration with visible compliance progress is fundamentally different from no registration at all."},"q3":{"q":"What is the fine for not registering with the BSI?","a":"§65 BSIG provides for fines of up to €500,000 specifically for registration violations. This is a standalone violation - separate from any penalties for failing to implement security measures. You can be fined for non-registration even if your actual cybersecurity measures are adequate. However, fines are assessed on a case-by-case basis considering severity, duration, and good faith."},"q4":{"q":"Can I register if I'm not sure my company is in scope?","a":"Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences - the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register."},"q5":{"q":"Does BSI registration mean I'm NIS2 compliant?","a":"No. Registration fulfills one obligation (§33 BSIG) but does not satisfy the substantive requirements: cybersecurity measures (§30), incident reporting (§32), or management liability duties (§38). Think of registration like filing a tax return - you still have to pay the tax. After registering, you need to implement all 10 mandatory security measures, set up incident reporting processes, and ensure management fulfills their personal duties."}},"incidents":{"q1":{"q":"What is the NIS2 incident reporting timeline?","a":"NIS2 requires a three-stage reporting cascade to the BSI: (1) Early warning within 24 hours - confirm a significant incident has occurred, whether it is malicious, and whether it could have cross-border impact. (2) Incident notification within 72 hours - severity assessment, indicators of compromise, initial root cause analysis, and measures taken. (3) Final report within 1 month - detailed description, confirmed root cause, mitigation measures, and lessons learned. If the incident is still ongoing at the one-month mark, an interim report is required."},"q2":{"q":"What counts as a 'significant' incident under NIS2?","a":"An incident is significant if it: causes severe operational disruption to services, causes financial loss exceeding €500,000 or 5% of annual turnover, affects other natural or legal persons with considerable damage, involves unauthorized access or alteration of data, or causes an extended service outage. CIR 2024/2690 adds that recurring minor incidents can be aggregated and treated as significant if they collectively meet the criteria within a six-month period. Not every phishing email triggers reporting - only events crossing these severity thresholds."},"q3":{"q":"Where do I report NIS2 incidents?","a":"All incident reports must be submitted via the BSI's official reporting portal under the NIS2 section. The BSI does not accept reports by email, telephone, or letter as a substitute for portal submission. Access requires prior registration under §33 BSIG - which means unregistered entities face a compounded problem: they cannot file incident reports through the proper channel. Telephone contact with CERT-Bund is appropriate for coordinating response in parallel."},"q4":{"q":"What happens if I don't report an incident to the BSI?","a":"Failure to report is penalized independently of the incident itself. Each missing stage (24h, 72h, 1 month) is a separate violation with fines up to €500,000. For essential entities, the broader penalty framework (up to €10M) can also apply. If management was aware of an incident and failed to ensure reporting, this constitutes a personal oversight violation under §38 BSIG. Non-reporting also raises questions about your entire compliance posture, potentially triggering a broader BSI audit."},"q5":{"q":"Does NIS2 incident reporting replace GDPR breach notification?","a":"No. NIS2 incident reporting under §32 BSIG is separate from and additional to GDPR breach notification under Articles 33/34 GDPR. Both obligations may apply simultaneously to the same incident. If a cyberattack exposes personal data and disrupts services, you must report to the BSI under NIS2 AND to the data protection authority under GDPR. Different timelines, different authorities, different forms."}},"penalties":{"q1":{"q":"What is the maximum NIS2 fine for my company?","a":"It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies under €500M turnover, the fixed amount applies because the percentage is lower. Separate penalties of up to €500,000 apply for registration and reporting violations. Multiple violations can compound."},"q2":{"q":"Can I be personally fined as a managing director (Geschäftsführer)?","a":"The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses - not a government fine, but potentially a damages claim from your own company. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally."},"q3":{"q":"Are NIS2 penalties proportional to company size?","a":"Yes, by design. The percentage-of-turnover calculation ensures penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed cap, since 2% is only €300K). For a €600M company, the maximum is €12M (2% exceeds the €10M floor). The BSI is also required to consider proportionality: company size, severity, duration, and good faith efforts all factor into the actual penalty amount."},"q4":{"q":"What triggers BSI enforcement action?","a":"For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger - risk-based spot checks. For important entities: enforcement is reactive - triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial registers and sector databases to identify entities that should be registered but are not. The BSI has indicated it will prioritize companies that have not registered at all."},"q5":{"q":"How do NIS2 penalties compare to GDPR fines?","a":"NIS2 penalties are modeled on the GDPR structure. Maximum NIS2 fines (€10M / 2% turnover for essential entities) are comparable to GDPR Tier 1 fines (€10M / 2% turnover). GDPR Tier 2 fines go higher (€20M / 4%). The key difference: NIS2 adds personal management liability (§38 BSIG) which GDPR does not have. Also, NIS2 fines can compound - non-registration, non-reporting, and non-compliance with measures are separate violations with separate penalties."}},"implementation":{"q1":{"q":"How long does NIS2 compliance take for a mid-market company?","a":"For a company with 50-250 employees starting from scratch, expect 3-6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2-6), incident reporting process (weeks 4-8), access control improvements (weeks 6-12), and policy documentation (ongoing). Most of the 49 BSIG requirements are write-once documentation - policies, risk assessments, procedures. Only a handful require ongoing operational processes. The BSI evaluates trajectory and good faith, not perfection on day one."},"q2":{"q":"How much does NIS2 compliance cost?","a":"For a 50-250 employee company: management consultants cost €150K-500K, enterprise GRC platforms €100K+/year, US compliance tools (Vanta, Drata) from €7,500/year but lack BSIG specifics, and DIY approaches €20K-80K in staff time. Realistic first-year costs for a 100-person company: gap assessment (€5K-15K), policy documentation (€10K-30K), technical measures (€15K-50K), training (€3K-8K), totaling €33K-103K one-time plus €20K-53K annually. Companies with existing security measures are at the lower end."},"q3":{"q":"What are the 10 mandatory NIS2 cybersecurity measures?","a":"§30(2) BSIG defines 10 mandatory measures: (1) Risk analysis and information security policies, (2) Incident handling, (3) Business continuity and crisis management, (4) Supply chain security, (5) Security in acquisition, development, and maintenance, (6) Effectiveness assessment, (7) Cybersecurity training and awareness, (8) Cryptography and encryption, (9) Personnel security, access control, and asset management, (10) Multi-factor authentication and secured communications. All essential and important entities must implement all 10 measures, proportionate to their risk profile."},"q4":{"q":"What does an asset inventory look like for a mid-market company?","a":"Simpler than you think. A typical 100-person company has about 10-15 grouped asset entries. IT-Grundschutz explicitly allows grouping identical assets: '45 Windows laptops' is one entry, not 45. Typical categories: ERP/billing system, email and collaboration (Microsoft 365), network infrastructure per site, standard endpoints (grouped), servers and databases, cloud services, and any operational technology. For waste companies add fleet management and weighbridge systems, for manufacturers add production line controls."},"q5":{"q":"Do I need to hire a CISO or security team for NIS2?","a":"No. For mid-market companies (50-250 employees), NIS2 compliance is manageable with existing staff in part-time roles: a compliance lead (4-8 hours/week, usually the IT manager or quality manager), an IT contact (2-4 hours/week), and a management sponsor (1-2 hours/week, required by §38 BSIG). The law requires 'appropriate and proportionate' measures - a 100-person waste company does not need a SOC or a SIEM. Match controls to your actual risk profile, not Fortune 500 infrastructure."},"q6":{"q":"What is the recommended priority order for implementing NIS2 measures?","a":"Start immediately with measures 1 (risk analysis), 2 (incident handling), and 9 (access control and assets) - these are foundational and everything else builds on them. Weeks 3-6: measures 3 (business continuity), 4 (supply chain), and 7 (training), which require the asset inventory from measure 1. Weeks 7-12: measures 5 (procurement security), 6 (effectiveness assessment), 8 (cryptography), and 10 (MFA). The sequence matters because later measures depend on earlier ones."}},"cta":"Start Your NIS2 Compliance Process"},"nis2Timeline":{"meta":{"title":"NIS2 Regulatory Timeline - NISD2.eu","description":"Live-updating timeline of NIS2 Directive, BSIG, CIR 2024/2690, and IT-Grundschutz developments across the EU and Germany."},"badge":"Live Timeline","title":"NIS2 Regulatory Timeline","subtitle":"Key milestones and latest developments across the NIS2 Directive, BSIG, CIR 2024/2690, IT-Grundschutz, and ENISA - automatically updated."},"changelog":{"meta":{"title":"Changelog - what has changed on NISD2.eu","description":"Curated changes to the NISD2.eu platform, managing director course, compliance documents, and content - not every commit. With RSS feed."},"title":"Changelog","subtitle":"Curated list of meaningful changes to the platform, course, and compliance documents. Not a full commit history - only what matters to users, buyers, and auditors.","empty":"No entries in this category.","tabs":{"all":"All","product":"Product","content":"Content","course":"Course","compliance":"Compliance","regulatory":"Regulatory"}},"openSource":{"meta":{"title":"Open Source - NISD2.eu","description":"We publish the data structures we work with on nisd2.eu under github.com/NISD2 — typed Zod schemas, MIT licence for code and CC BY 4.0 for content."},"title":"Open Source","subtitle":"We publish the data structures we work with on nisd2.eu — so other consultants, GRC tools, and auditors can use them without paying anyone.","why":{"heading":"Why","p1":"NIS2 affects roughly 29,500 German companies and tens of thousands more across the EU. Most have no compliance budget. Closed-source compliance tooling charges €7,000 to €12,000 per year for a checklist over a public legal text.","p2":"The legal text belongs to everyone, the checklist that decomposes it should belong to everyone, and the only legitimate value capture is in the implementation work that follows. A single well-maintained, publicly auditable data base is more valuable than ten proprietary forks."},"repos":{"heading":"What we publish"},"gapAssessment":{"title":"NIS2 Gap Assessment — 116 questions, 15 domains","description":"A structured self-assessment as a typed Zod schema. Every question is anchored to a specific legal source (NIS2 Directive, BSIG, CIR 2024/2690, BSI IT-Grundschutz). Includes reference scoring logic and a Drizzle storage example for responses."},"supplierQuestionnaire":{"title":"NIS2 Supplier Questionnaire — 56 fields, 6 sections","description":"The questions a NIS2-regulated entity needs to ask its suppliers. Anchored to NIS2 Art. 21(2), CIR 2024/2690, ENISA TIG, BSI IT-Grundschutz, and GDPR Art. 28. With a visibleWhen mechanism that gates optional sections by service type."},"grcDataModel":{"title":"GRC Data Model — RoPA, DPA, TOMs, NIS2 ↔ GDPR mappings","description":"Relational data model for EU GRC. Records of Processing Activities, Data Processing Agreement clause checklists, Technical and Organisational Measures catalog, plus field-level mappings between NIS2 Art. 21 measure-areas and GDPR articles. Zod source of truth, npm subpath exports."},"euResources":{"title":"EU Compliance Resources — curated index","description":"Single-page index of regulations, guidance, national authorities, open-source schemas, and toolkits for EU compliance regimes (NIS2, GDPR, CRA, DORA, AI Act). License visible per entry. CC0 public domain — take it."},"viewOnGitHub":"View on GitHub","licence":{"heading":"Licence","p1":"Both repositories are dual-licensed: MIT for code (Zod schemas, helpers, examples), Creative Commons Attribution 4.0 (CC BY 4.0) for content (questions, descriptions, legal citations).","p2":"You may share, adapt, and use the content commercially as long as you credit nisd2.eu. Suggested attribution wording is in the LICENSE file in each repository."},"contribute":{"heading":"Contributing","p1":"Pull requests welcome — particularly corrections to legal citations (with a primary-source reference), additional language translations, sector-specific extensions (KRITIS, energy, healthcare), and national transposition deltas. For substantial changes please open an issue first."}},"status":{"meta":{"title":"Platform Status - NISD2.eu","description":"Current operational status of the NISD2.eu platform: application, database, reported incidents. Checked live on every page load."},"title":"Platform Status","subtitle":"Current operational status of nisd2.eu — application, database, and history of reported incidents.","lastChecked":"Last checked","overall":{"operational":"All systems operational","degraded":"Degraded operation","description":"Status is checked live when this page loads."},"components":{"heading":"Components","platform":"Application","database":"Database (PostgreSQL, Hetzner Falkenstein/Nuremberg)"},"componentState":{"ok":"Operational","error":"Degraded"},"incidents":{"heading":"Reported incidents","none":"No incidents reported.","active":"Active","resolved":"Resolved"},"contact":{"heading":"Report an incident","p1":"Seeing a problem not listed here? Please get in touch:"}},"nis2Roadmap":{"meta":{"title":"NIS2 Roadmap for Managing Directors | NISD2.eu","description":"The prioritised roadmap for managing directors. Personal time: ~3 hours per year. One page, A4 print-ready.","ogTitle":"NIS2 Roadmap — what a managing director needs to know","ogDescription":"Personal time: ~3 hours per year. Everything else is delegable. With paragraph citations and concrete actions."},"heroBadge":"For managing directors","heroTitle":"NIS2 Roadmap for managing directors","heroSubtitle":"The prioritised steps. Your personal time: ~3 hours per year — everything else is delegable.","triageHeading":"Before you read further","triageBody":"Are you actually in scope of NIS2? The 2-minute check is free, no login.","triageCta":"Check applicability","delegableBadge":"delegable","personalBadge":"personal · non-delegable","lawLabel":"Legal basis","ownerLabel":"Owner","timeLabel":"Effort","deadlineLabel":"Deadline","actionLabel":"Concrete action","stepsHeading":"The roadmap","step1":{"title":"Check applicability","law":"§28 BSIG","owner":"Managing director","time":"2 minutes","deadline":"now","what":"Check thresholds (employees, revenue, sector) to confirm whether your entity is classified as 'essential' or 'important'.","actionText":"2-minute check, no login","actionHref":"/applicability"},"step2":{"title":"Register with your national NIS2 authority","law":"NIS2 Art. 27 · §33 BSIG (DE)","owner":"IT lead files, managing director signs","time":"~1 hour per country + national identity setup (e.g. ELSTER in DE: 5–10 working days)","deadline":"National deadlines apply — DE: 06.03.2026 passed; obligation continues","what":"You register with the NIS2 authority of every EU Member State you operate in — not only Germany. 'Operate in' means physical establishment: your own company, a branch, an office, or your own employees on the ground in that country. Cross-border sales alone do not count. Example: a German GmbH with a Vienna office registers with the BSI (DE) and the NIS-Stelle (AT).","actionText":"See authorities by country","actionHref":"/nis2-registration-portals"},"step3":{"title":"Complete the management training","law":"§38(3) BSIG","owner":"Managing director, personally","time":"~2 hours initial · annual refresh recommended","deadline":"before first audit","what":"The one obligation that cannot be delegated. Demonstrate sufficient knowledge of cybersecurity risk management.","actionText":"Start the free MD course","actionHref":"/training/nis2-ceo"},"step4":{"title":"Asset inventory and risk register","law":"§30(2) BSIG · NIS2 Art. 21(2)(a)","owner":"IT lead produces, managing director signs (§38(1) BSIG)","time":"~1 day initial pass · maintained ongoing, signed off yearly","deadline":"Q1","what":"Complete list of the systems, applications, and data your operations depend on — and the risks against each. Both are the foundation for every other NIS2 obligation and the first thing an auditor asks to see. In the NISD2 platform, your IT lead and CISO build and maintain the inventory and risk register, and the incident reporting workflow (24h / 72h / 1 month under §32 BSIG) is wired in automatically.","actionText":"Build asset and risk register in the platform","actionHref":"/features"},"step5":{"title":"Supplier inventory and supplier risk management","law":"§30(2)(4) BSIG · NIS2 Art. 21(2)(d)","owner":"Procurement / IT produces, managing director signs","time":"~½ day initial pass · maintained ongoing","deadline":"Q1–Q2","what":"Inventory of your direct suppliers, linked to your asset register (which supplier runs which system). Continuous cybersecurity risk management — not a one-shot questionnaire: per-supplier security posture, incident notifications received via their supplier portal, risk scoring. The platform ships with the NIS2-anchored standard questionnaire (open source, MIT + CC BY 4.0) and maintains the inventory.","actionText":"Build supplier inventory in the platform","actionHref":"/features"},"step6":{"title":"Implement the rest of NIS2","law":"§30(2) Nr. 1–10 BSIG · NIS2 Art. 21","owner":"IT lead / CISO implements, managing director signs off yearly","time":"ongoing, alongside normal IT work","deadline":"Q2 onwards","what":"The ten measure areas under NIS2 Art. 21 — incident handling, business continuity (backups, recovery), training, access control, cryptography, vulnerability and patch management, network security, monitoring, supplier contracts, communications. The platform covers all ten with templates, automatic evidence capture, and a full audit trail; you sign off the annual summary.","actionText":"See platform features","actionHref":"/features"},"anchor":{"heading":"Your personal minimum","lineSchulung":"1× training (~2 hours, one-time)","lineSign":"5× document sign-offs (~40 minutes total)","lineYearly":"Annual refresh recommended","totalLabel":"Total","total":"~3 hours per year.","footer":"Everything else is handled by your IT lead or CISO."},"disclaimer":"This page is structured guidance based on NIS2, BSIG, CIR 2024/2690, and ENISA TIG. It does not constitute legal advice. Your IT lead or CISO handles the operational work.","actions":{"print":"Print page","share":"Share via email","shareSubject":"NIS2 Roadmap — for managing directors","shareBody":"Hi,\n\nhere is a compact NIS2 roadmap for managing directors. Personal time: about 3 hours per year, everything else is delegable.\n\n%URL%\n\nBest"},"transparency":{"heading":"Sources and transparency","sources":"NIS2 Directive (EU) 2022/2555 · BSIG (as of 06.12.2025) · CIR 2024/2690 · ENISA Technical Implementation Guidance v1.0","openSource":"Open-source tooling (MIT + CC BY 4.0)","openSourceUrl":"https://github.com/NISD2","hosting":"Hosted in Germany · GDPR-compliant"}},"corrections":{"meta":{"title":"Corrections - NISD2.eu","description":"Found an error in our NIS2 course, platform, or gap assessment? Let us know. We fix verified corrections within 48 hours."},"badge":"Accuracy","title":"Corrections","subtitle":"We take accuracy seriously. If you find an error, we want to know.","body":"Our managing director course, gap assessment, and compliance platform are built by reading the actual NIS2 Directive, CIR 2024/2690, BSIG, and BSI IT-Grundschutz guidance. We cite specific articles and paragraphs throughout. But we're engineers, not lawyers, and the regulatory landscape changes. If you find a factual error, an outdated reference, or a misinterpretation of the law, please let us know.","emailLabel":"Report a correction","response":"We review every submission and fix verified corrections within 48 hours. If your correction leads to a significant change, we'll credit you on the affected page."},"teamPage":{"meta":{"title":"Team - NISD2.eu","description":"Meet the team behind NISD2.eu. Two founders cutting Europe's NIS2 compliance bill in half."},"badge":"Team","title":"Who we are","subtitle":"Two founders trying to cut the NIS2 bill in half. No consulting firm, no VC backing. Just the conviction that compliance shouldn't cost six figures.","simon":"10+ years in software engineering across security-critical industries. Senior engineer and tech lead building systems for a top 5 EU bank, Europe's largest motion plastics manufacturer, and VC-backed platforms. Researched and mapped the full NIS2 legal chain (Directive, CIR 2024/2690, BSIG, IT-Grundschutz) to build the NISD2 platform, the 47-lesson managing director course, and the 116-question gap assessment. Also builds AI-powered legal tech for German case law. Based in Cologne.","cory":"M.Eng Mechatronics with a focus on embedded systems and AI integration. Handles business development, partnerships, and client-facing implementation support. Background in software engineering across Python, TypeScript, and IoT systems. Bridges the gap between technical compliance requirements and the business reality of companies that need to implement them. Based in Germany.","whyUs":{"heading":"Why us","body":"We're not a consulting firm. We're not selling you a tool and then charging for the training to use it. We built everything on this platform by reading the actual law, the implementing regulation, and the BSI guidance. Every lesson in the managing director course cites its legal basis. Every requirement in the platform maps to a specific BSIG paragraph. We're engineers who decided compliance shouldn't cost six figures."},"ctaMission":"Read our mission","ctaPlatform":"Start free"},"gapAssessmentLanding":{"meta":{"title":"Free NIS2 Gap Assessment","description":"116 questions across 15 domains. Find out exactly where your NIS2 gaps are, which ones create personal liability, and what to fix first. Free, no lock-in.","ogTitle":"Free NIS2 Gap Assessment - nisd2.eu","ogDescription":"116 questions. 15 domains. Find your NIS2 gaps. Free."},"badge":"Free Gap Assessment","title":"How Ready Are You for NIS2?","subtitle":"116 questions across 15 compliance domains. Find out exactly where your gaps are, which ones create personal liability, and what to fix first. Takes about 30 minutes per day over 5 days.","cta":"Start Your Gap Assessment","highlights":{"questions":{"title":"116 questions, 15 domains","description":"Covers every NIS2 obligation: governance, risk management, incident handling, business continuity, supply chain, training, access control, cryptography, and more."},"time":{"title":"~30 minutes per day","description":"Split into 5 days. Complete at your own pace. Progress is saved automatically. Stop and resume anytime."},"scoring":{"title":"Scored maturity per domain","description":"See exactly where you stand: Critical, Initial, Developing, Managed, or Optimized. Know which gaps to fix first based on legal risk."},"report":{"title":"Board-ready report","description":"Export a PDF showing your readiness score, priority gaps, and what creates personal liability. Built for the managing director to show the board."}},"structure":{"heading":"The 5-Day Structure","body":"Each day focuses on a different set of domains. Day 1 is for the managing director. Days 2-5 can be completed by whoever manages IT, HR, or procurement. One person can also do the whole thing.","day1":{"title":"Day 1: Scoping & Governance","description":"Are you in scope? Does your management understand their personal liability? Have you registered with the BSI? 26 questions."},"day2":{"title":"Day 2: Risk Management","description":"Do you know your assets, your risks, and your security policies? Do you have a risk register? 17 questions."},"day3":{"title":"Day 3: Incident & Business Continuity","description":"Can you detect, respond to, and report incidents within 24 hours? Do you have tested backups? 19 questions."},"day4":{"title":"Day 4: People, Suppliers & Access","description":"Are employees trained? Suppliers assessed? Access controlled? Physical security in place? 26 questions."},"day5":{"title":"Day 5: Technical Controls & Evidence","description":"Patching, cryptography, network security, effectiveness testing, and audit-ready documentation. 28 questions."}},"output":{"heading":"What You Get","body":"A maturity score per domain, an overall readiness percentage, and a prioritized list of gaps ranked by legal risk. Each gap shows whether it creates fine exposure or personal liability, and how long it takes to fix. The results link directly to the compliance platform so you can start closing gaps immediately."},"whoFor":{"heading":"Who Is This For","body":"Any company that knows it falls under NIS2 but hasn't started yet. Or any company that has started but wants to know how far along it actually is. The questions are written in plain language. No prior compliance knowledge required."},"ctaCard":{"heading":"Find Out Where You Stand","body":"Create a free account and start Day 1. No lock-in, no upsell. The assessment is free and the results are yours."}},"trainingCeo":{"meta":{"title":"Free NIS2 Management Training - Articles 20 + 21","description":"NIS2 management training covering Articles 20 + 21: risks, the 10 cybersecurity measures, and oversight. Meets the Art. 20(2) training duty. 47 lessons, free.","ogTitle":"NIS2 Management Training - Articles 20 + 21","ogDescription":"47 lessons. 4 hours. Articles 20 and 21 of the NIS2 Directive. Meets the Art. 20(2) training duty. Free."},"badge":"NIS2 Articles 20 + 21","title":"NIS2 Management Training","subtitle":"Everything the NIS2 Directive requires you to know as a member of the management body - structured, free, and built for the auditor's questions.","startCourse":"Start the course","viewOutline":"View course outline","downloadPdf":"Download PDF","lessonsLabel":"lessons","learnerCount":"{count} people have started this course","highlights":{"lessons":{"title":"47 lessons","description":"Structured around the BSI's three competence areas and the ten Article 21 measures"},"hours":{"title":"~4 hours","description":"Short lessons you can complete at your own pace, between meetings"},"quizzes":{"title":"Quizzes after every lesson","description":"Verify your understanding as you go - no final exam, no pressure"},"certificate":{"title":"Certificate of Completion","description":"Dated training evidence for the auditor - documents content covered and time spent"}},"whoFor":{"heading":"Who this is for","body":"If you sit on the leadership team of a company covered by NIS2 - as a managing director, executive board member, COO, CFO, or any role the law calls a \"member of the management body\" - this course is for you. Article 20(2) makes the training duty personal and non-delegable. You cannot send your CISO in your place."},"whatLearn":{"heading":"What you will learn","body":"The training must cover three competence areas: identifying risks, assessing the measures used to manage them, and understanding how those risks affect the services your company provides. This course covers all three, structured into {moduleCount} modules:"},"whyFree":{"heading":"Why is this free?","body":"No EU member state has established a state-backed certification authority for NIS2 training. Until official certification pathways exist, training documentation is the universal standard. We built this course so that every covered managing director in the EU can meet their Article 20(2) duty without paying a consultant. The platform is free. The certificate is free. No lock-in, no upsell wall."},"cta":{"heading":"Ready to meet your training duty?","body":"Create a free account and start with Lesson 0.1. Takes about four hours total.","button":"Start for free"},"testimonials":{"heading":"Voices from practitioners"}},"trainingTabletop":{"meta":{"title":"Free NIS 2 Tabletop Exercise Training - Articles 21 + 23","description":"NIS 2 tabletop training for information security officers, IT managers, and BCM leads. Articles 21(2)(b)+(c) + 23 reporting cascade. 8 lessons, 50 minutes, free.","ogTitle":"NIS 2 Tabletop Exercise Training","ogDescription":"8 lessons. 50 minutes. Design, run, and document the annual tabletop the directive demands. Free."},"badge":"NIS 2 Articles 21 + 23","title":"NIS 2 Tabletop Exercise Training","subtitle":"Design, run, and document the annual exercise the directive demands. Built for facilitators - 50 minutes, audit-grade, free.","startCourse":"Start the course","viewOutline":"View course outline","downloadPdf":"Download PDF","lessonsLabel":"lessons","learnerCount":"{count} people have started this course","highlights":{"lessons":{"title":"8 lessons","description":"Legal basis, role assignments, facilitator separation, one full scenario walkthrough, hot wash debrief, protocol contents, cadence"},"hours":{"title":"~50 minutes","description":"Single-sitting course built for facilitators with limited time"},"quizzes":{"title":"7 quizzes","description":"Six per-lesson quizzes plus the 8-question attestation quiz"},"certificate":{"title":"Attestation PDF","description":"Dated evidence of Article 21(2)(g) facilitator training - the document the auditor asks for"}},"whoFor":{"heading":"Who this is for","body":"Information security officers, CISOs, IT managers, BCM leads, and crisis managers in essential and important entities under NIS 2. The facilitator who runs your annual tabletop. EU-wide framing with German transposition examples."},"whatLearn":{"heading":"What you will be able to do","body":"Identify the legal basis for the exercise duty, rehearse the Article 23 reporting cascade end to end, assign mandatory and recommended roles, separate the facilitator from the participants, walk through one complete scenario with decision points, run the hot wash debrief that produces improvement items, and write an audit-grade protocol with management body sign-off. Structured across {moduleCount} modules:"},"whyFree":{"heading":"Why is this free?","body":"No EU body certifies NIS 2 training providers. The exercise duty in Articles 21(2)(b)+(c) reaches every essential and important entity, but consulting tabletops cost €15,000-50,000 per engagement. We built this course and the Live-System Tabletop platform module so that every facilitator can produce defensible exercise evidence without paying a consultant. The platform is free. The attestation is free. Open source, no lock-in."},"cta":{"heading":"Ready to run your first tabletop?","body":"Create a free account and start with Lesson 0.1. Fifty minutes total. Pair with the Live-System Tabletop platform module to run the exercise itself.","button":"Start for free"}},"trainingCraSbom":{"meta":{"title":"Free CRA SBOM Training - Article 13(5) Cyber Resilience Act","description":"CRA SBOM training for product managers, engineers, and security leads. CRA Article 13(5) obligations, CycloneDX and SPDX formats, tooling, and Article 14 vulnerability monitoring. 9 lessons, ~50 minutes, free.","ogTitle":"CRA SBOM Fundamentals Training","ogDescription":"9 lessons. ~50 minutes. Build, maintain, and retain the SBOM the Cyber Resilience Act demands. Free."},"badge":"CRA Article 13(5) + Article 14","title":"CRA SBOM Fundamentals","subtitle":"Build, maintain, and retain the Software Bill of Materials the Cyber Resilience Act demands. Built for product teams selling into the EU - 60 minutes, audit-grade, free.","startCourse":"Start the course","viewOutline":"View course outline","downloadPdf":"Download PDF","lessonsLabel":"lessons","learnerCount":"{count} people have started this course","highlights":{"lessons":{"title":"9 lessons","description":"Legal basis, required fields, top-level vs transitive dependencies, CycloneDX, SPDX, tooling, and vulnerability monitoring"},"hours":{"title":"~60 minutes","description":"Single-sitting course built for product teams with limited time"},"quizzes":{"title":"8 quizzes","description":"Seven per-lesson quizzes plus the 8-question attestation quiz"},"certificate":{"title":"Attestation PDF","description":"Dated evidence of SBOM compliance training - the document a market surveillance authority asks for"}},"whoFor":{"heading":"Who this is for","body":"Product managers, software engineers, security leads, and compliance officers at companies manufacturing or distributing products with digital elements in the EU. Any team that must meet CRA Article 13(5) SBOM obligations or Article 14 vulnerability reporting requirements."},"whatLearn":{"heading":"What you will be able to do","body":"Explain the CRA Article 13(5) SBOM obligation, identify the required fields in an SBOM component entry, distinguish top-level from transitive dependencies and why best practice covers both, choose between CycloneDX and SPDX for your use case, generate an SBOM from a CI/CD pipeline, run automated vulnerability monitoring against an SBOM, and document Article 14 reporting decisions with VEX statements. Structured across {moduleCount} modules:"},"whyFree":{"heading":"Why is this free?","body":"The CRA SBOM obligation reaches every manufacturer of products with digital elements sold in the EU. Most guidance is buried in regulatory text and draft standards. We built this course so that every product team can understand and implement their Article 13(5) obligations without paying a consultant. The platform is free. The attestation is free. Open source, no lock-in."},"cta":{"heading":"Ready to build your first CRA-compliant SBOM?","body":"Create a free account and start with Lesson 0.1. About fifty minutes total. Pair with the platform's vulnerability monitoring tools to implement Article 14 continuous monitoring.","button":"Start for free"}},"registrationPortals":{"meta":{"title":"NIS2 Registration Portals - All EU","description":"Complete list of NIS2 national registration platforms across the EU. Find your country's competent authority, registration portal, deadlines, and national law."},"badge":"EU-27 Registration","title":"NIS2 National Registration Portals","subtitle":"Each EU member state has its own NIS2 registration process, competent authority, and deadlines. Find the right portal for your country.","lastUpdated":"Last updated","headers":{"country":"Country","authority":"Competent Authority","portal":"Registration Portal","status":"Status","deadline":"Registration Deadline","law":"National Law","entryIntoForce":"Entry into Force"},"status":{"operational":"Operational","pre-registration":"Pre-Registration","planned":"Planned","not-yet-available":"Not Yet Available"},"countries":{"DE":"Germany","BE":"Belgium","IT":"Italy","FR":"France","AT":"Austria","CZ":"Czech Republic","DK":"Denmark","NL":"Netherlands","PL":"Poland","SE":"Sweden","HR":"Croatia","LT":"Lithuania","LV":"Latvia","GR":"Greece","SK":"Slovakia","RO":"Romania","FI":"Finland","EE":"Estonia","PT":"Portugal","ES":"Spain","HU":"Hungary","BG":"Bulgaria","CY":"Cyprus","IE":"Ireland","LU":"Luxembourg","MT":"Malta","SI":"Slovenia"},"noPortal":"Not yet available","noDeadline":"TBD","noLaw":"Not yet enacted","visitPortal":"Open Portal","visitAuthority":"Authority Website","operationalSection":"Operational Registration Portals","operationalDescription":"These countries have active registration platforms where entities can register now.","preRegSection":"Pre-Registration Available","preRegDescription":"These countries offer pre-registration or early notification. Full registration will follow.","plannedSection":"Registration Planned","plannedDescription":"National law enacted but registration portal not yet launched.","notAvailableSection":"Not Yet Available","notAvailableDescription":"National transposition still in progress. Registration details will follow.","directIdentification":"Entities are identified directly by the competent authority — no self-registration required.","sources":{"heading":"Sources","items":["ECSO NIS2 Directive Transposition Tracker (ecs-org.eu)","European Commission NIS2 Status (digital-strategy.ec.europa.eu)","Wavestone NIS2 Transposition Analysis","OpenKRITIS: NIS2 EU Member States (openkritis.de)","National competent authority websites (BSI, CCB, ACN, ANSSI, NUKIB, etc.)"]},"ctaCard":{"heading":"Start Your NIS2 Compliance in Germany","description":"The BSI registration deadline has passed. Start your BSIG compliance process now with our free platform."},"cta":"Start Free NIS2 Compliance"},"supplyChain":{"meta":{"title":"NIS2 for Suppliers - Supply Chain","description":"Your company is too small for NIS2? If you supply to NIS2-regulated companies, you still need to comply. Learn what Section 30 BSIG means for suppliers."},"badge":"Supply Chain","title":"NIS2 Compliance for Suppliers","subtitle":"Your company may not fall under NIS2 directly — but your customers do. And they will require you to prove cybersecurity compliance.","why":{"heading":"Why small suppliers are affected by NIS2","p1":"NIS2 (Section 30 BSIG, measure 4) explicitly requires regulated companies to secure their entire supply chain. This means every essential and important entity — roughly 29,500 companies in Germany alone — must contractually require cybersecurity standards from their suppliers.","p2":"If your company has fewer than 50 employees or falls below the revenue thresholds, you are not directly regulated by NIS2. But if you provide IT services, software, components, logistics, or any other service to a company that is regulated, you will face NIS2 requirements through your contracts.","p3":"This is not theoretical. Large companies are already updating their procurement terms, adding cybersecurity clauses, and requesting compliance evidence from suppliers. Companies that cannot demonstrate adequate security measures risk losing contracts to competitors who can."},"legalBasis":{"heading":"Section 30(2) No. 4 BSIG — Supply chain security","text":"Regulated entities must implement \"security measures in the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers.\" This obligation flows down to every supplier in the chain."},"reasons":{"heading":"5 reasons your customers will require NIS2 compliance","description":"Even without direct regulation, these pressures will reach every supplier in the chain.","items":{"contracts":{"title":"Contractual requirements","description":"NIS2-regulated companies must include cybersecurity requirements in supplier contracts. Expect new clauses covering risk management, incident reporting, and access controls. Existing contracts will be renegotiated."},"audits":{"title":"Supplier audits and questionnaires","description":"Your customers will send security questionnaires and may conduct audits. Companies that use nisd2.eu can generate compliance evidence instantly — those without a system scramble for weeks."},"incidents":{"title":"Incident notification obligations","description":"If a security incident at your company affects a NIS2-regulated customer, they must report it to the BSI within 24 hours. They need you to have incident detection and reporting processes in place."},"reputation":{"title":"Competitive advantage","description":"When a regulated company chooses between two suppliers and one can demonstrate NIS2-aligned security while the other cannot — the choice is obvious. Compliance becomes a sales differentiator."},"insurance":{"title":"Cyber insurance requirements","description":"Cyber insurers increasingly require supply chain security evidence. Your customers' insurance policies may mandate that their suppliers meet minimum cybersecurity standards."}}},"requirements":{"heading":"What your customers will expect from you","description":"The most common requirements flowing down from NIS2 to suppliers.","items":{"riskManagement":{"title":"Risk assessment","detail":"Identify and document risks to systems you use for customer work. Doesn't need to be complex — a structured list with treatment plans is enough."},"accessControl":{"title":"Access control","detail":"Who can access customer data and systems? Role-based access, MFA for remote access, and documented user management."},"incidentReporting":{"title":"Incident handling","detail":"A documented process for detecting, responding to, and reporting security incidents. Your customer needs to know within hours, not weeks."},"businessContinuity":{"title":"Business continuity","detail":"What happens if your systems go down? Backup strategy, recovery procedures, and tested plans to continue delivering to your customers."},"documentation":{"title":"Policies and evidence","detail":"Written security policies, training records, and an audit trail proving you follow your own rules. This is what auditors actually check."}}},"steps":{"heading":"5 steps to get supply chain compliant","description":"A practical path for small companies that need to meet NIS2 supplier requirements.","items":{"check":{"title":"Check your exposure","description":"Use our free applicability check to confirm your NIS2 status. Even if you're not directly in scope, identify which of your customers are NIS2-regulated — those contracts will come with new requirements."},"gap":{"title":"Run a gap assessment","description":"Compare your current security practices against the 10 measures in Section 30 BSIG. Most small companies already do some of this informally — the gap is usually documentation, not practice."},"implement":{"title":"Implement the basics","description":"Start with the highest-impact items: access control, backup strategy, incident response process. The nisd2.eu platform walks you through each requirement with pre-built templates."},"evidence":{"title":"Build your evidence package","description":"When your customer sends a security questionnaire, you need answers ready. Policies, training records, risk assessments, and technical measures — all documented and exportable."},"maintain":{"title":"Review annually","description":"NIS2 compliance is not a one-time project. Schedule an annual review of your risks, update your policies, and refresh employee training. The platform tracks deadlines automatically."}}},"faqHeading":"Frequently asked questions","faq":{"q1":{"q":"Am I legally required to comply with NIS2 as a small supplier?","a":"Not directly — NIS2 applies to companies above the medium enterprise threshold (50+ employees or EUR 10M+ turnover). However, your NIS2-regulated customers are legally required to secure their supply chain (Section 30 BSIG). This creates a contractual obligation that flows down to you. You won't be fined by the BSI, but you may lose contracts."},"q2":{"q":"What happens if I don't comply?","a":"Your NIS2-regulated customers face fines up to EUR 10M or 2% of global turnover for supply chain security failures. They will either require you to comply or replace you with a supplier who can. The practical consequence is lost business, not a BSI fine."},"q3":{"q":"How much does supplier compliance cost?","a":"The nisd2.eu platform is free. For a small company (10-50 employees), the main cost is time — typically 2-4 weeks of part-time work to set up initial policies, risk assessments, and processes. Ongoing maintenance is a few hours per quarter."},"q4":{"q":"Can I use NIS2 compliance as a selling point?","a":"Absolutely. When you can demonstrate NIS2-aligned security practices with documented evidence, you become a preferred supplier. Some companies are already advertising NIS2 supply chain compliance as a competitive differentiator in RFPs and proposals."},"q5":{"q":"What if my customer hasn't asked yet?","a":"They will. The BSI registration deadline passed in March 2026 and over 18,000 companies are still catching up. As they implement NIS2, supply chain security is one of the 10 mandatory measures. Getting ahead of the request positions you as a proactive, trusted partner."}},"cta":{"heading":"Start your supply chain compliance: free","description":"The nisd2.eu platform guides you through every requirement, generates your evidence package, and keeps you audit-ready. No cost, no credit card.","checkButton":"Check applicability","startButton":"Start free compliance"}},"multiCountryReg":{"meta":{"title":"NIS2 Multi-Country Registration","description":"Operating in multiple EU countries? You must register with each NIS2 authority. Rules and all national registration authorities listed."},"badge":"Multi-Country NIS2","title":"NIS2 Registration Across Multiple EU Countries","subtitle":"Operating in more than one EU member state? You must register with each country's national authority, not just where your headquarters are located.","hannover":{"heading":"A question from Hannover Messe","p1":"During our visit to Hannover Messe, one of Europe's largest industrial trade fairs, we were asked a question that many cross-border businesses are grappling with: if your company operates in more than one EU country, where do you register for NIS2?","p2":"It's a genuinely complex question, and the answer catches many companies off guard. The rule is not tied to where you sell, it is tied to where you are genuinely operational as a legal entity."},"rule":{"heading":"Selling in a country is not the same as operating in a country","p1":"Many companies sell their products or services across the EU through a single legal entity registered in one country. In that case, registration with your home country's authority is sufficient, you are not \"established\" in every country you sell into.","p2":"However, if your company is fully operational in a country, meaning you have a registered legal presence, employees on the ground, and pay corporate tax there, then that country's NIS2 law applies to you as an entity established in that jurisdiction.","p3":"The NIS2 Directive requires each EU member state to transpose the directive into their own national law. That national law applies to entities established in that country. If you have subsidiaries or branches registered as legal entities in France, Germany, and the Netherlands, each of those legal entities is subject to that country's NIS2 legislation — and must register with that country's national authority."},"onestop":{"heading":"Exception: digital service providers use a one-stop-shop","description":"NIS2 Article 26 creates an important exception for specific digital service types: cloud computing providers, managed service providers, managed security service providers, data centre providers, content delivery networks, DNS service providers, online marketplaces, online search engines, and social networking platforms. These entities register in a single EU member state, the one where cybersecurity risk-management decisions are predominantly taken. If you operate one of these services, you do not need to register in every country where you are established. All other types of entities (manufacturers, food companies, energy suppliers, transport operators, hospitals, etc.) fall under the standard rule and must register in each country where they have a legal establishment."},"tax":{"heading":"The tax test","description":"A practical rule of thumb: if you pay corporate income tax in a country as a locally registered entity, you almost certainly need to register with that country's NIS2 authority. This covers subsidiaries, branches, and locally incorporated companies, not agents, distributors, or customers based in that country."},"authorities":{"heading":"NIS2 National Authorities: Complete List","description":"Every EU member state, plus EEA countries Norway and Iceland, has designated a national authority responsible for NIS2 registration and enforcement. Find yours below.","headers":{"country":"Country","authority":"National Authority"}},"practical":{"heading":"What this means in practice","p1":"For a company with operations in three EU countries, this means three separate registration processes, each with different timelines, forms, and technical requirements. Some countries have operational portals (Germany's BSI, France's ANSSI, Romania's DNSC launched registration in August 2025), while others are still in the process of establishing registration infrastructure.","p2":"The good news: registration is typically straightforward once you know which authority to contact and what information they require. The challenge is tracking multiple obligations across jurisdictions with different implementation timelines, as of mid-2025, only around 8 of 27 EU member states had fully completed NIS2 transposition.","p3":"Companies with operations across five or more EU countries should consider designating a compliance lead for each jurisdiction. Deadlines, annual reporting requirements, and incident notification windows vary by country and can diverge significantly from the baseline NIS2 directive."},"steps":{"heading":"How to approach multi-country NIS2 compliance","items":{"map":{"title":"Map your legal entities","description":"List every country where your company has a registered legal entity — subsidiary, branch, or local company. This is your compliance footprint, not your sales footprint."},"check":{"title":"Check each country's threshold","description":"NIS2 applies to medium and large entities (50+ employees or €10M+ turnover). Apply the threshold test per legal entity, not group-wide, a small subsidiary may fall below the threshold."},"register":{"title":"Register with each national authority","description":"Use the authority table above to find the correct registration contact in each country where you meet the threshold. Some countries require additional sector-specific registration."},"track":{"title":"Track country-specific deadlines","description":"Each country has its own implementation timeline and reporting deadlines. Set reminders per jurisdiction, do not assume all countries are aligned on timing."}}},"faq":{"heading":"Frequently asked questions","q1":{"q":"I have a sales office in Germany but my headquarters are in France, do I register with the BSI?","a":"It depends on how the German sales office is structured. If it is a registered GmbH or Zweigniederlassung (branch) that files its own tax return in Germany, you likely need to register with the BSI in addition to ANSSI in France. If it is simply a cost centre of the French parent with no separate legal status in Germany, French registration alone may suffice. Consult a lawyer familiar with NIS2 in both jurisdictions."},"q2":{"q":"Do I need to comply with different security requirements in each country?","a":"NIS2 sets a harmonized baseline, but each country's transposition can add stricter sector-specific requirements. In practice, implementing the NIS2 baseline, risk management, incident reporting, access control, supply chain security, will meet requirements in most EU countries. Check each country's national law for any additional obligations."},"q3":{"q":"What if a country hasn't finished transposing NIS2 yet?","a":"Some EU countries were late transposing the directive (the deadline was October 2024). Until national law is in force, registration may not yet be possible. Monitor the relevant national authority's website and register as soon as the process opens. Late transposition by the government does not reduce your eventual legal obligation."},"q4":{"q":"Can I register once at EU level and cover all countries?","a":"No. There is no single EU-level NIS2 registry. Each country operates its own registration system. This is one of the known complexities of the directive's decentralised implementation and creates significant compliance overhead for pan-European companies."}},"sources":{"heading":"Sources & References"},"ctaCard":{"heading":"Manage your NIS2 compliance across all jurisdictions","description":"The nisd2.eu platform helps you track obligations, manage evidence, and stay compliant, whether you operate in one country or ten."},"cta":"Start free compliance"}},"internalAudits":{"title":"Internal Audits","description":"Internal audit schedule, execution, and findings. Required by NIS2 Art. 21 effectiveness assessment.","helpText":"Schedule and document internal audits of your cybersecurity measures. Record scope, findings, and corrective actions. NIS2 requires regular assessment of whether security measures are effective.","add":"Add Audit","edit":"Edit Audit","empty":"No internal audits planned yet. Schedule your first audit.","deleteConfirm":"Are you sure you want to delete this audit?","actions":"Actions","status":{"planned":"Planned","in_progress":"In Progress","completed":"Completed","cancelled":"Cancelled"},"fields":{"title":"Title","auditArea":"Audit Area","scope":"Scope","status":"Status","scheduledDate":"Scheduled Date","completedAt":"Completed At","auditorName":"Auditor"},"fieldDescriptions":{"title":"Name of this internal audit (e.g., 'Q2 Access Control Audit', 'Annual NIS2 Compliance Review').","auditArea":"Security domain or control area being audited (e.g., access control, incident response, supply chain).","scope":"Define the boundaries of this audit: which systems, processes, departments, or controls are included.","status":"Current audit status: planned, in progress, completed, or cancelled.","scheduledDate":"Date when this audit is planned to begin.","completedAt":"Date when all audit activities and the final report were completed.","auditorName":"Name of the internal auditor or audit team lead conducting this assessment."}},"landing":{"title":"Halve Europe's NIS2 bill.","subtitle":"€31 billion every year. We're cutting it in half.","productLine":"Free NIS2 compliance for regulated companies and their suppliers.","badge":"NIS2 / BSIG - Deadline: March 2026","badgeTooltip":"The German BSIG (BSI-Gesetz) transposing the EU NIS2 Directive requires affected entities to implement all cybersecurity measures by March 2026. Non-compliance carries fines up to €10M or 2% of global turnover, and personal liability for managing directors.","nis2Badge":"NIS2 Directive (EU) 2022/2555","nis2BadgeTooltip":"Built on the full NIS2 Directive covering all 27 EU member states. All 10 Article 21 cybersecurity measures mapped and implemented. Valid across every EU country, not just Germany.","cirBadge":"CIR 2024/2690","cirBadgeTooltip":"Commission Implementing Regulation (EU) 2024/2690 defines the strictest technical requirements for NIS2 compliance. It establishes the common baseline across all EU member states for DNS providers, TLD registries, cloud providers, data centres, CDNs, managed services, managed security services, online marketplaces, search engines, social networks, and trust service providers.","bsigBadge":"BSIG §30 | IT-Grundschutz defaults","bsigBadgeTooltip":"Built on the German BSIG §30 -- the strictest NIS2 transposition in the EU -- with IT-Grundschutz methodology defaults. Comply once, valid across 27 EU member states. §44(2) BSIG recognises Grundschutz implementation as NIS2 compliance.","checkApplicability":"Check if NIS2 applies to you","scheduleDemo":"Schedule a Demo","startTraining":"Free NIS2 Managing Director Training","signIn":"Sign in to start the process","stats":{"urgency":"160,000+ EU entities in scope · Fines up to €10M or 2% of global annual turnover (Art. 34 NIS2) · Management personally liable (Art. 20 NIS2)"},"nav":{"pricing":"Pricing","about":"About","cta":"Get started"}},"kpis":{"title":"KPI Measurements","description":"Security performance metrics tracked over time. Demonstrates effectiveness per NIS2 Art. 21.","helpText":"Record security KPI measurements regularly (e.g., patch compliance rate, training completion %, mean time to detect). KPIs demonstrate to auditors that your security measures are effective and improving over time.","add":"Add Measurement","empty":"No KPI measurements yet. Record your first measurement.","status":{"green":"On Target","amber":"At Risk","red":"Below Target"},"fields":{"kpiName":"KPI Name","measuredAt":"Measured At","value":"Value","target":"Target","unit":"Unit","status":"Status","notes":"Notes"},"fieldDescriptions":{"kpiName":"Name of the security metric being measured (e.g., 'Patch compliance rate', 'Mean time to detect', 'Training completion %').","measuredAt":"Date when this measurement was taken.","value":"Enter the measured numeric value for this KPI.","target":"Enter the target value this KPI should meet or exceed.","unit":"Unit of measurement (e.g., %, hours, days, count).","status":"Select the status: green (on target), amber (at risk of missing target), or red (below target).","notes":"Additional context or explanation for this measurement, especially if status is amber or red."}},"managementReviews":{"title":"Management Reviews","description":"Management oversight meetings and strategic decisions. Required by NIS2 Art. 20(1).","helpText":"Document management review meetings where leadership evaluates cybersecurity posture. NIS2 Art. 20 makes management personally responsible for approving and overseeing cybersecurity measures. Record attendees, topics discussed, and decisions made.","add":"Add Review","edit":"Edit Review","empty":"No management reviews recorded yet. Schedule your first review.","deleteConfirm":"Are you sure you want to delete this review?","actions":"Actions","fields":{"title":"Title","reviewDate":"Review Date","decisions":"Decisions","actionItems":"Action Items","nextReviewDate":"Next Review Date"},"fieldDescriptions":{"title":"Title of the management review meeting (e.g., 'Q1 2025 Cybersecurity Review').","reviewDate":"Date when the management review meeting took place.","decisions":"Document key decisions made by management regarding cybersecurity posture, resource allocation, and risk acceptance.","actionItems":"List specific follow-up actions assigned during the review, including responsible parties and deadlines.","nextReviewDate":"Date when the next management review is scheduled. NIS2 Art. 20 requires ongoing management oversight."}},"methodology":{"title":"Risk Assessment Methodology","loading":"Loading methodology...","saved":"Methodology saved","saveFailed":"Failed to save methodology","edit":"Edit","save":"Save","cancel":"Cancel","methodologyName":"Methodology Name","likelihoodScale":"Likelihood Scale","impactScale":"Impact Scale","label":"Label","description":"Description","addLevel":"Add level","removeLevel":"Remove last","riskMatrix":"Risk Matrix","acceptanceThreshold":"Acceptance Threshold","thresholdHelp":"Risks with score ≤ {threshold} can be accepted without treatment","includesOt":"Methodology covers OT/ICS systems (§30(2) BSIG)","clickToSelect":"Click a cell to select likelihood × impact","selectedScore":"Selected score"},"notifications":{"title":"Notifications","description":"View and manage your notifications","empty":"No notifications","acknowledge":"Acknowledge","acknowledged":"Acknowledged","unread":"{count} unread","actions":"Actions","markRead":"Mark as read","markAllRead":"Mark all as read","fields":{"subject":"Subject","entityType":"Type","scheduledFor":"Scheduled For","status":"Status"}},"onboarding":{"title":"Welcome to NIS2 Compliance","subtitle":"Set up your organization to get started.","step":"Step {current} of {total}","steps":{"company":"Organization Details","team":"Key Personnel","ai":"AI Assistant"},"nav":{"back":"Back","next":"Next","skip":"Skip for Now","submit":"Create Organization"},"creating":"Setting up your organization...","createError":"Failed to create organization. Please try again.","mode":{"title":"You're all set!","subtitle":"How would you like to proceed?","guided":"Guided Setup","guidedDescription":"Walk through each compliance category step by step. Defaults are already applied - just review and customize.","manual":"Manual Setup","manualDescription":"Go straight to your dashboard and work at your own pace."}},"organization":{"title":"Organization Setup","description":"Register your organization to start the compliance assessment.","editTitle":"Organization Settings","editDescription":"Update your organization details.","formTitle":"Organization Details","name":"Organization Name","namePlaceholder":"Acme GmbH","sector":"NIS2 Sector","sectorPlaceholder":"Select sector...","entityType":"Entity Classification","entityTypeHelp":"As defined in BSIG 2025 §28","entityTypes":{"essential":"Essential Entity","important":"Important Entity","kritis":"KRITIS Operator"},"legalForm":"Legal Form","legalFormPlaceholder":"e.g. GmbH, AG, KG","employees":"Employee Count","contactEmail":"Compliance Contact Email","cisoName":"CISO / IT Security Officer","cisoNamePlaceholder":"Jane Smith","cisoReportsTo":"CISO Reports To","cisoReportsToPlaceholder":"e.g. CEO, Board of Directors","bsiContactName":"BSI Contact Person","bsiContactNamePlaceholder":"Max Mustermann","bsiContactEmail":"BSI Contact Email","bsiContactPhone":"BSI Contact Phone","bsiRegistrationId":"BSI Registration ID","annualSecurityBudget":"Annual Security Budget (EUR)","primaryLocations":"Primary Locations","primaryLocationsPlaceholder":"e.g. Berlin, Munich","profileSection":"Security Profile","profileSectionDescription":"These fields are referenced across multiple NIS2 requirements and captured in sign-off snapshots.","submit":"Start Assessment","creating":"Setting up your organization...","createError":"Failed to create organization. Please try again.","save":"Save Changes","saving":"Saving...","saved":"Changes saved successfully.","saveError":"Failed to save changes. Please try again.","sectors":{"energy":"Energy","transport":"Transport","banking":"Banking","financial_market":"Financial Market Infrastructure","health":"Health","drinking_water":"Drinking Water","waste_water":"Waste Water","digital_infrastructure":"Digital Infrastructure","ict_service_management":"ICT Service Management (B2B)","public_administration":"Public Administration","space":"Space","postal_courier":"Postal & Courier Services","waste_management":"Waste Management","chemicals":"Chemicals","food":"Food Production & Distribution","manufacturing":"Manufacturing","digital_providers":"Digital Providers","research":"Research"},"teamRoles":{"title":"Key Personnel","description":"You can invite team members now or do it later from Settings. Each person you add will be invited and can be assigned as owner for compliance categories.","name":"Name","email":"Email","role":"Role","rolePlaceholder":"Select role...","addMember":"Add Team Member","removeMember":"Remove","back":"Back","skip":"Skip for Now","submit":"Continue","roles":{"ceo":{"label":"CEO / Managing Director","namePlaceholder":"Jane Doe","emailPlaceholder":"ceo@company.com"},"ciso":{"label":"CISO / IT Security Officer","namePlaceholder":"John Smith","emailPlaceholder":"ciso@company.com"},"cto":{"label":"CTO / Head of Engineering","namePlaceholder":"Alex Johnson","emailPlaceholder":"cto@company.com"},"coo":{"label":"COO / Operations Director","namePlaceholder":"Sam Williams","emailPlaceholder":"coo@company.com"},"cpo":{"label":"CPO / Procurement Lead","namePlaceholder":"Pat Taylor","emailPlaceholder":"cpo@company.com"},"hr_director":{"label":"HR Director","namePlaceholder":"Chris Miller","emailPlaceholder":"hr@company.com"},"legal":{"label":"Legal / Compliance Officer","namePlaceholder":"Morgan Davis","emailPlaceholder":"legal@company.com"},"dpo":{"label":"Data Protection Officer","namePlaceholder":"Robin Garcia","emailPlaceholder":"dpo@company.com"}}}},"patches":{"title":"Patch Management","description":"Patch and vulnerability tracking per asset. Required by NIS2 Art. 21(2)(e).","helpText":"Track patches and known vulnerabilities for your registered assets. Record patch status (pending, applied, deferred), CVE references, and deadlines. NIS2 requires timely vulnerability handling and patch management.","add":"Add Patch Record","edit":"Edit Patch Record","empty":"No patch records yet. Add your first patch record.","deleteConfirm":"Are you sure you want to delete this patch record?","actions":"Actions","severity":{"critical":"Critical","high":"High","medium":"Medium","low":"Low"},"status":{"pending":"Pending","applied":"Applied","exception":"Exception","not_applicable":"Not Applicable"},"fields":{"patchIdentifier":"Patch ID","severity":"Severity","title":"Title","assetId":"Asset","status":"Status","releaseDate":"Release Date","appliedAt":"Applied At","exceptionReason":"Exception Reason"},"fieldDescriptions":{"patchIdentifier":"Vendor patch identifier or CVE number (e.g., 'KB5034441', 'CVE-2024-1234').","severity":"Select the severity rating of the vulnerability this patch addresses: critical, high, medium, or low.","title":"Brief description of what this patch fixes or the vulnerability it addresses.","assetId":"Select the asset from the asset register that this patch applies to.","status":"Current patch status: pending (not yet applied), applied, exception (risk-accepted deferral), or not applicable.","releaseDate":"Date when the vendor released this patch.","appliedAt":"Date when this patch was successfully applied to the target asset.","exceptionReason":"If status is Exception, provide the justification for deferring or not applying this patch."}},"policies":{"title":"Policies","description":"Security policies, procedures, and guidelines with approval tracking. Foundation of NIS2 Art. 21(1).","helpText":"Create and manage your information security policies. Each policy follows a lifecycle: draft, review, approved, archived. Track version history and ensure all relevant staff acknowledge current policies. NIS2 requires documented policies for risk management, access control, encryption, and more.","add":"Add Policy","edit":"Edit Policy","empty":"No policies yet. Create your first policy document.","deleteConfirm":"Are you sure you want to delete this policy?","actions":"Actions","status":{"draft":"Draft","approved":"Approved","archived":"Archived"},"fields":{"title":"Title","type":"Type","version":"Version","content":"Content","status":"Status","effectiveFrom":"Effective From","reviewDue":"Review Due"},"fieldDescriptions":{"title":"Name of the policy document (e.g., 'Information Security Policy', 'Access Control Policy').","type":"Select the policy type (e.g., policy, procedure, guideline, standard).","version":"Version number for this policy revision (e.g., 1.0, 2.1). Increment on each approval cycle.","content":"Full text content of the policy. Include scope, objectives, responsibilities, and specific requirements.","status":"Current lifecycle status: Draft (in preparation), Approved (active and enforced), or Archived (superseded).","effectiveFrom":"Date when this policy version becomes active and enforceable.","reviewDue":"Date by which this policy must be reviewed and updated. NIS2 expects regular policy reviews."}},"policyConfig":{"loading":"Loading policy configuration...","saved":"Policy configuration saved","saveFailed":"Failed to save policy configuration","edit":"Edit","save":"Save","cancel":"Cancel","resetDefaults":"Reset to defaults","crypto":{"title":"Cryptography Policy (BSI TR-02102)","algorithms":"Approved & Prohibited Algorithms","algorithm":"Algorithm","keyLength":"Key Length","category":"Category","status":"Status","approved":"Approved","deprecated":"Deprecated","prohibited":"Prohibited","symmetric":"Symmetric","hash":"Hash","asymmetric":"Asymmetric","keyExchange":"Key Exchange","tls":"TLS Cipher Suite","addAlgorithm":"Add algorithm","removeAlgorithm":"Remove","minTlsVersion":"Minimum TLS Version","keyRotation":"Key Rotation Frequency (years)","triggerOnCompromise":"Trigger immediate rotation on compromise","reviewCycle":"Review Cycle (years)","postQuantum":"Post-quantum readiness considered"},"accessControl":{"title":"Access Control Policy (CIR 11.1, ORP.4)","model":"Access Control Model","rbac":"Role-Based (RBAC)","abac":"Attribute-Based (ABAC)","hybrid":"Hybrid (RBAC + ABAC)","reviewFrequency":"Access Review Frequency","standardReview":"Standard accounts","privilegedReview":"Privileged accounts","deprovisioningSla":"De-provisioning SLA (hours)","sharedAccountPolicy":"Shared / Generic Account Policy","sharedProhibited":"Prohibited - unique identifiers only (ORP.4.A3)","sharedDocumentedExceptions":"Documented exceptions allowed (CIR 11.5.3)","authReviewCycle":"Authentication Review Cycle (years)"},"procurement":{"title":"Secure Procurement (CIR Art. 5)","threshold":"Security Review Threshold (EUR)","requiredClauses":"Required Contract Clauses (CIR 5.1.4)","cybersecurityRequirements":"Cybersecurity requirements (a)","trainingCertification":"Training & certification (b)","backgroundChecks":"Background checks (c)","incidentNotification":"Incident notification obligations (d)","auditRights":"Audit rights (e)","vulnerabilityDisclosure":"Vulnerability disclosure (f)","subcontractorFlowdown":"Subcontractor flow-down (g)","secureDecommissioning":"Secure decommissioning (h)","customClauses":"Custom Contract Clauses","clauseLabel":"Clause","addClause":"Add clause","evaluationCriteria":"Security Evaluation Criteria","criterion":"Criterion","weight":"Weight (%)","addCriterion":"Add criterion","removeCriterion":"Remove","reviewFrequency":"Review Frequency"},"secureDev":{"title":"Secure Development & Hardening (CIR Art. 6(2)-(3), CON.8)","sdlcFramework":"SDLC Framework","owaspSamm":"OWASP SAMM","bsimm":"BSIMM","msSdl":"Microsoft SDL","custom":"Custom","hardeningBaseline":"Hardening Baseline","cis":"CIS Benchmarks","bsi":"BSI IT-Grundschutz","disaStig":"DISA STIG","testingRequirements":"Security Testing Requirements","sast":"Static Application Security Testing (SAST)","dast":"Dynamic Application Security Testing (DAST)","sca":"Software Composition Analysis (SCA)","pentest":"Penetration Testing","codeReview":"Code Review","environmentSegregation":"Environment segregation (dev/test/prod) - CIR 6(2)","reviewCycle":"Review Cycle (years)"},"patchMgmt":{"title":"Patch Management (CIR Art. 6(6), OPS.1.1.3)","patchSla":"Patch SLA by Severity","severity":"Severity","slaHours":"SLA (hours)","critical":"Critical","high":"High","medium":"Medium","low":"Low","reviewCycle":"Review Cycle (years)"},"items":{"progress":"{count} of {total} configured","noItems":"No items yet.","goToRegister":"Go to register","viewAll":"View all in register","encryptionAtRest":"Encryption at Rest","encryptionInTransit":"Encryption in Transit","cryptoImplementation":"Implementation","notConfigured":"Not configured","selectAlgorithm":"Select algorithm","accessAssignment":"Per-Asset Access Control","policyModel":"Policy model","accessModel":"Access Model","accessModel_rbac":"Role-Based (RBAC)","accessModel_abac":"Attribute-Based (ABAC)","accessModel_hybrid":"Hybrid (RBAC + ABAC)","owner":"Owner","accessMethod":"Access Method","privAccounts":"Priv. Accounts","mfaMethod":"MFA Method","noneMfa":"None","totp":"TOTP","hardwareKey":"Hardware Key","ssoSaml":"SSO / SAML","pushNotification":"Push Notification","asset":"Asset","supplier":"Supplier","sla":"SLA","clausesTitle":"Clauses","clausesMet":"{count} of {total} clauses","riskLevel":"Risk","contractDates":"Contract","patchesOnTime":"On time","patchesOverdue":"Overdue","noPatchSla":"No patch SLA defined","hoursLabel":"{count}h","daysLabel":"{count}d","slaTarget":"SLA: {sla}","maxRiskScore":"Max risk: {score}"}},"pricing":{"meta":{"title":"Pricing - NIS2 Compliance Platform","description":"Halve Europe's NIS2 bill. The platform is free, forever. €31 billion every year - and we're cutting it in half."},"title":"The platform is free. Forever.","subtitle":"That's how we cut Europe's €31 billion NIS2 bill in half. When you need professional help, we connect you with a consultant.","free":{"name":"Platform","description":"Everything to become and stay NIS2-compliant","price":"€0","priceSub":"forever","cta":"Start for free","features":{"f1":"All 49 BSIG requirements step by step","f2":"Evidence upload and documentation","f3":"PDF export for auditors and management","f4":"Complete audit trail","f5":"Deadline tracking and reminders","f6":"BSI registration guidance","f7":"Unlimited team members","f8":"Risk, asset, and supplier registers","f9":"AI-powered form assistance","f10":"No contract, no cancellation needed"}},"consultant":{"name":"Find a Consultant","description":"Professional implementation support","price":"Custom","cta":"Request a consultant","note":"We connect you with vetted NIS2 consultants who guide you through implementation. No referral fee for you.","features":{"c1":"Vetted NIS2 compliance consultants","c2":"Matched to your sector and company size","c3":"Gap analysis, implementation, or audit prep","c4":"Direct connection, no cost to you"}}},"portal":{"overview":"Overview","nis2":"NIS2","dsgvo":"GDPR","aiact":"EU AI Act","cra":"Cyber Resilience Act","auditTrail":"Activity Log","team":"Team","notifications":"Notifications","organization":"Organization","defaultUser":"User","signOut":"Sign Out","language":"Language","english":"English","german":"Deutsch","dutch":"Nederlands","review":"Review","export":"Export","progressLabel":"{completed} of {total} requirements","trainingPortal":"Training Portal","registers":"Registers","riskRegister":"Risk Register","assets":"Assets","incidents":"Incidents","suppliers":"Suppliers","policies":"Policies","training":"Training","exercises":"Emergency Drills","managementReviews":"Mgmt Reviews","kpis":"Security Metrics","changes":"Changes","patches":"Security Updates","vulnerabilities":"Vulnerabilities","internalAudits":"Self-Assessments","improvements":"Action Items","dashboard":"Dashboard","gapAssessment":"Gap Assessment","compliance":"Compliance","portal":"Portal","auditReadiness":"Audit Readiness","settings":"Settings","system":"System","phaseRegistration":"Registration","phaseFoundation":"Foundation","phaseControls":"Controls","phaseOperations":"Operations","phaseVerification":"Verification","phaseAdmin":"Admin","blockedBy":"Complete first: {codes}"},"requirements":{"1_1":{"title":"Management Cybersecurity Training","description":"Management Cybersecurity Training"},"1_2":{"title":"Roles and Responsibilities","description":"Roles and Responsibilities"},"1_3":{"title":"Budget Allocation for Cybersecurity","description":"Budget Allocation for Cybersecurity"},"1_4":{"title":"Personal Liability Acknowledgment","description":"Personal Liability Acknowledgment"},"2_1":{"title":"Risk Assessment Methodology","description":"Risk Assessment Methodology"},"2_2":{"title":"Asset Inventory, Scope & Classification","description":"Asset Inventory, Scope & Classification"},"2_3":{"title":"Risk Register & Treatment","description":"Risk Register & Treatment"},"2_4":{"title":"Risk Acceptance & IS Policy Sign-Off","description":"Risk Acceptance & IS Policy Sign-Off"},"3_1":{"title":"Incident Response Plan & Team","description":"Incident Response Plan & Team"},"3_2":{"title":"Detection, Classification & Logging","description":"Detection, Classification & Logging"},"3_3":{"title":"BSI Reporting (24h/72h/1m)","description":"BSI Reporting (24h/72h/1m)"},"3_4":{"title":"Incident Response Drill","description":"Incident Response Drill"},"3_5":{"title":"Post-Incident Review & Communication","description":"Post-Incident Review & Communication"},"4_1":{"title":"Business Impact Analysis & Recovery Targets","description":"Business Impact Analysis & Recovery Targets"},"4_2":{"title":"Business Continuity & Crisis Management Plan","description":"Business Continuity & Crisis Management Plan"},"4_3":{"title":"Disaster Recovery Plan","description":"Disaster Recovery Plan"},"4_4":{"title":"Backup & Restore","description":"Backup & Restore"},"4_5":{"title":"BCP/DR Testing","description":"BCP/DR Testing"},"5_1":{"title":"Supplier Register & Classification","description":"Supplier Register & Classification"},"5_2":{"title":"Supplier Security in Contracts","description":"Supplier Security in Contracts"},"5_3":{"title":"Supplier Assessment & Monitoring","description":"Supplier Assessment & Monitoring"},"5_4":{"title":"Supplier Incident Notification","description":"Supplier Incident Notification"},"6_1":{"title":"Secure Procurement","description":"Secure Procurement"},"6_2":{"title":"Secure Development & Configuration","description":"Secure Development & Configuration"},"6_3":{"title":"Vulnerability Management","description":"Vulnerability Management"},"6_4":{"title":"Patch Management","description":"Patch Management"},"6_5":{"title":"Change Management","description":"Change Management"},"7_1":{"title":"Security KPIs & Metrics","description":"Security KPIs & Metrics"},"7_2":{"title":"Internal Audit","description":"Internal Audit"},"7_3":{"title":"Management Review","description":"Management Review"},"7_4":{"title":"Corrective Actions & Continuous Improvement","description":"Corrective Actions & Continuous Improvement"},"8_1":{"title":"IT Security Policy & Acceptable Use","description":"IT Security Policy & Acceptable Use"},"8_2":{"title":"Security Awareness Program","description":"Security Awareness Program"},"8_3":{"title":"Role-Specific & Management Training","description":"Role-Specific & Management Training"},"8_4":{"title":"Phishing Simulations & Training Effectiveness","description":"Phishing Simulations & Training Effectiveness"},"9_1":{"title":"Cryptography Policy & Standards","description":"Cryptography Policy & Standards"},"9_2":{"title":"Data Encryption","description":"Data Encryption"},"9_3":{"title":"Key & Certificate Management","description":"Key & Certificate Management"},"10_1":{"title":"Access Control Policy & Model","description":"Access Control Policy & Model"},"10_2":{"title":"Per-Asset Access Assignment","description":"Per-Asset Access Assignment"},"10_3":{"title":"User Lifecycle & PAM","description":"User Lifecycle & PAM"},"10_4":{"title":"Access Reviews","description":"Access Reviews"},"11_1":{"title":"Multi-Factor Authentication","description":"Multi-Factor Authentication"},"11_2":{"title":"Secure & Emergency Communications","description":"Secure & Emergency Communications"},"11_3":{"title":"Authentication Standards","description":"Authentication Standards"},"12_1":{"title":"NIS2 Classification & Scope","description":"NIS2 Classification & Scope"},"12_2":{"title":"BSI Registration","description":"BSI Registration"},"12_3":{"title":"Registration Maintenance","description":"Registration Maintenance"},"12_4":{"title":"Compliance Evidence & KRITIS","description":"Compliance Evidence & KRITIS"},"G-DPA_1":{"title":"Data Processing Agreements","description":"Maintain a register of every processor that handles personal data on your behalf, with a signed DPA covering the eight Art. 28(3) clauses."},"G-DPA_2":{"title":"Sub-processor Authorisation","description":"Track each processor's sub-processors and confirm prior authorisation per Art. 28(2)/(4)."},"G-ROP_1":{"title":"Records of Processing Activities","description":"Document every processing activity for each system that handles personal data — purpose, legal basis, recipients, retention, deletion (Art. 30)."},"G-TOM_1":{"title":"Technical and Organisational Measures","description":"Document the security measures protecting personal data — encryption, access control, backups, training (Art. 32)."},"G-BRC_1":{"title":"Personal Data Breach Response Process","description":"Establish written procedure for assessing and notifying the supervisory authority of personal data breaches within 72 hours (Art. 33)."},"G-BRC_2":{"title":"Personal Data Breach Documentation","description":"Internally document every personal data breach (notifiable or not) for supervisory-authority verification (Art. 33(5))."},"G-DSR_1":{"title":"Data Subject Rights Workflow","description":"Process for handling access, erasure, rectification, portability, restriction, and objection requests within one month (Art. 12-22)."}},"review":{"title":"Review Dashboard","pending":"Pending Review","approved":"Approved","rejected":"Rejected","company":"Company","framework":"Framework","requirement":"Requirement","category":"Category","submittedAt":"Submitted","evidenceCount":"Evidence","viewSubmission":"Review","approveButton":"Approve","rejectButton":"Reject","feedbackLabel":"Feedback","feedbackPlaceholder":"Explain what needs to change...","feedbackRequired":"Feedback is required for rejection","approveConfirm":"Submission approved","rejectConfirm":"Submission rejected with feedback","noSubmissions":"No submissions pending review","formData":"Submitted Form Data","evidenceFiles":"Evidence Files","companyInfo":"Company Information","requirementInfo":"Requirement Details","reviewHistory":"Review History","reviewedBy":"Reviewed by","signOut":"Sign out","feedbackFromReviewer":"Reviewer Feedback","downloadEvidence":"Download","noFormData":"No form data submitted","noEvidence":"No evidence files uploaded","stats":"{pending} pending, {approved} approved, {rejected} rejected","confirmRejection":"Confirm Rejection","cancel":"Cancel","notReviewable":"Status: {status} - not reviewable.","signOffDetails":"Sign-Off Details","signedOffAs":"Signed off as","signedOffDate":"Signed off on","templateVersion":"Template version","operationalData":"Operational data"},"risks":{"title":"Risk Register","description":"Documented risks with likelihood, impact, and treatment decisions. Core requirement of NIS2 Art. 21(2)(a).","helpText":"Identify threats to your information systems, assess their likelihood and impact (1-5 scale), and document how you will treat each risk (mitigate, accept, transfer, or avoid). Risk score is calculated automatically. High-scoring risks (15+) require documented treatment plans.","add":"Add Risk","addRisk":"Add Risk","edit":"Edit Risk","empty":"No risks registered yet. Add your first risk to begin risk management.","deleteConfirm":"Are you sure you want to delete this risk?","actions":"Actions","score":"Risk Score","cancel":"Cancel","save":"Save","treatment":{"mitigate":"Mitigate","accept":"Accept","transfer":"Transfer","avoid":"Avoid"},"fields":{"title":"Title","description":"Description","category":"Category","likelihood":"Likelihood","impact":"Impact","riskScore":"Risk Score","treatment":"Treatment","treatmentDescription":"Treatment Description","residualLikelihood":"Residual Likelihood","residualImpact":"Residual Impact","riskOwner":"Risk Owner","nextReviewDate":"Next Review Date"},"fieldDescriptions":{"title":"Short descriptive name for this risk (e.g., 'Ransomware attack on ERP system').","description":"Detailed description of the risk scenario, including threat actors, vulnerabilities, and potential consequences.","category":"Select the risk category (e.g., cyber, operational, compliance, supply chain).","likelihood":"Rate the probability of this risk materializing using your configured methodology scale.","impact":"Rate the potential business impact if this risk materializes using your configured methodology scale.","riskScore":"Automatically calculated as likelihood multiplied by impact. Scores of 15+ require a documented treatment plan.","treatment":"Select how this risk will be handled: mitigate, accept, transfer (e.g., insurance), or avoid.","treatmentDescription":"Describe the specific actions planned to implement the chosen treatment strategy.","residualLikelihood":"Expected likelihood after treatment measures are applied (1-5 scale).","residualImpact":"Expected impact after treatment measures are applied (1-5 scale).","riskOwner":"Enter the person or role accountable for monitoring and managing this risk.","nextReviewDate":"Date when this risk assessment must be reviewed and updated."},"linkedAssets":{"title":"Linked Assets","link":"Link Asset","empty":"No assets linked to this risk.","unlink":"Unlink","selectAsset":"Select an asset to link","alreadyLinked":"Already linked"},"addRiskToAsset":"Add risk to this asset","selectThreat":"Select BSI threat...","searchThreats":"Search threats...","noThreatsFound":"No threats found.","customThreat":"Custom threat","noRisksYet":"No risks registered yet.","noAssetsYet":"No assets registered. Add assets in step 2.2 first.","assetsNoRisks":"Assets without risks","unlinkedRisks":"Risks not linked to any asset","riskAssessment":"Risk Assessment","treatmentMeasures":"Treatment Measures","addMeasure":"Add Measure","measureAction":"Action","measureActionPlaceholder":"Describe the treatment measure...","acceptRisk":"Accept Risk","riskAccepted":"Risk accepted on {date}","acceptedRisks":"Accepted / Below Threshold","risksAboveThreshold":"{count} risks above acceptance threshold (>{threshold})","initialScore":"Initial","residualScore":"Residual","belowThreshold":"Below threshold","setResidual":"Set Residual Score","updateResidual":"Update Residual","treatmentStatus":{"not_started":"Not Started","in_progress":"In Progress","completed":"Completed"},"critical":"Critical","ot":"OT","riskCount":"{count, plural, one {# risk} other {# risks}}"},"settings":{"title":"Settings","description":"Manage your organization's platform settings.","aiDataSharing":{"title":"AI Data Sharing","description":"Control what organization data is shared with the AI assistant when generating compliance guidance. Personal data (emails, phone numbers, individual names) is never sent.","none":{"label":"No company data","description":"Only field names, types, and requirement title are sent. Guidance is generic.","preview":"Sent: field definitions, requirement title, legal reference"},"basic":{"label":"Non-sensitive only","description":"Adds sector, entity type, and legal form for more relevant guidance.","preview":"Sent: above + sector, sub-sector, entity type, legal form"},"full":{"label":"Full context","description":"Includes company name and size metrics for the most tailored guidance.","preview":"Sent: above + company name, employee count, annual revenue"}},"saved":"Settings saved","saveError":"Failed to save settings","saving":"Saving...","adminOnly":"Only admins can change settings."},"suppliers":{"title":"Supplier Register","description":"Third-party vendors and their cybersecurity risk profiles. Required by NIS2 Art. 21(2)(d).","helpText":"Register all ICT suppliers, cloud providers, and service vendors. Assess each supplier's cybersecurity risk level and track contract security clauses. NIS2 requires you to manage supply chain risks and monitor supplier security posture.","add":"Add Supplier","edit":"Edit Supplier","empty":"No suppliers registered. Add your first supplier to track supply chain security.","deleteConfirm":"Are you sure you want to delete this supplier?","actions":"Actions","critical":"Critical","nonCritical":"Non-Critical","riskLevel":{"critical":"Critical","high":"High","medium":"Medium","low":"Low"},"fields":{"name":"Supplier Name","description":"Description","contactEmail":"Contact Email","contactName":"Contact Name","riskLevel":"Risk Level","serviceType":"Service Type","hasAccessToSystems":"System Access","hasAccessToData":"Data Access","isCritical":"Critical Supplier","contractStartDate":"Contract Start","contractEndDate":"Contract End","hasSecurityClauses":"Security Clauses","hasIncidentNotificationClause":"Incident Notification Clause","hasAuditRights":"Audit Rights","hasSubcontractorFlowDown":"Subcontractor Flow-Down","nis2RegistrationId":"NIS2 Registration ID","hasSecurityCertification":"Security Certification","securityCertificationType":"Certification Type","contractSecurityClauses":"Contract Security Clauses","auditFrequency":"Audit Frequency","monitoringMethod":"Monitoring Method","lastReviewDate":"Last Review Date","dueDiligenceProcess":"Due Diligence Process","relationshipType":"GDPR Relationship Type","processesPersonalData":"Processes Personal Data","processesOnlyOnInstructions":"Processes Only on Documented Instructions","assistsWithDataSubjectRights":"Assists with Data Subject Rights","internationalTransfer":"Transfers Data Outside EEA","transferMechanism":"Transfer Mechanism"},"auditFrequency":{"annual":"Annual","biennial":"Biennial","on_change":"On Change"},"relationshipType":{"processor":"Processor (Art. 28)","joint_controller":"Joint Controller (Art. 26)","separate_controller":"Separate Controller","internal":"Internal / Intra-group"},"transferMechanism":{"adequacy":"Adequacy Decision (Art. 45)","sccs":"Standard Contractual Clauses (Art. 46)","bcr":"Binding Corporate Rules (Art. 47)","derogation":"Derogation (Art. 49)","none":"No Transfer"},"fieldDescriptions":{"name":"Legal or trading name of the supplier organization.","description":"Brief description of the services or products this supplier provides to your organization.","contactEmail":"Primary email address for security-related communications with this supplier.","contactName":"Name of the primary security or account contact at this supplier.","riskLevel":"Assessed cybersecurity risk level based on the supplier's access, criticality, and security posture.","serviceType":"Type of service provided (e.g., cloud hosting, managed security, software development, hardware).","hasAccessToSystems":"Enable if this supplier has direct or remote access to your IT/OT systems.","hasAccessToData":"Enable if this supplier processes, stores, or has access to your organization's data.","isCritical":"Enable if disruption of this supplier's services would directly impact your essential services under NIS2.","contractStartDate":"Date when the contract with this supplier became effective.","contractEndDate":"Date when the contract expires or is due for renewal.","hasSecurityClauses":"Enable if the contract includes specific cybersecurity requirements and obligations.","hasIncidentNotificationClause":"Enable if the contract requires the supplier to notify you of security incidents within a defined timeframe.","hasAuditRights":"Enable if the contract grants you the right to audit the supplier's security practices.","hasSubcontractorFlowDown":"Enable if security requirements are contractually flowed down to the supplier's subcontractors.","nis2RegistrationId":"If this supplier is NIS2-regulated, enter their BSI registration number. Allows you to reference their compliance status.","hasSecurityCertification":"Enable if this supplier holds a recognized security certification (ISO 27001, SOC 2, BSI C5, etc.).","securityCertificationType":"Type of certification held (e.g., ISO 27001, SOC 2 Type II, BSI C5, TISAX).","contractSecurityClauses":"Specific security clauses in this supplier's contract (SLAs, audit rights, incident notification, data handling, termination obligations).","auditFrequency":"How often this supplier is audited for security compliance.","monitoringMethod":"How this supplier's security posture is monitored (e.g., questionnaire, SecurityScorecard, SOC 2 review).","lastReviewDate":"Date of the most recent security review for this supplier.","dueDiligenceProcess":"Due diligence performed when onboarding this supplier (e.g., questionnaire, cert check, reference call).","relationshipType":"Under GDPR: is this supplier a processor (Art. 28), joint controller (Art. 26), separate controller, or internal? Drives which contract obligations apply.","processesPersonalData":"Enable if any personal data flows to or through this supplier (triggers GDPR-specific contract obligations).","processesOnlyOnInstructions":"Art. 28(3)(a) — the processor only processes personal data on documented instructions from the controller.","assistsWithDataSubjectRights":"Art. 28(3)(e) — the processor assists you in responding to data subject requests (access, deletion, portability).","internationalTransfer":"Enable if personal data is transferred outside the European Economic Area (EEA).","transferMechanism":"Legal mechanism for the cross-border transfer: adequacy decision, SCCs, binding corporate rules, or derogation."},"addRiskToSupplier":"Add risk to this supplier","suppliersNoRisks":"Suppliers without risks","unlinkedRisks":"Risks not linked to any supplier","noSuppliersYet":"No suppliers registered. Add suppliers in step 5.1 first.","supplierRiskAssessment":"Supplier Risk Assessment"},"supplierPortal":{"marketing":{"eyebrow":"NIS2 Supplier Portal","headline1":"Fill the unified NIS2 supplier questionnaire once.","headline2":"Share it with every customer.","intro":"Structured to ENISA NIS2 Technical Implementation Guidance v1.0 (June 2025). Every question maps to a specific paragraph of CIR 2024/2690, BSIG §30, or BSI IT-Grundschutz. One questionnaire. One standard. Your data stays portable — no lock-in, exportable as JSON anytime.","ctaCreate":"Create your supplier profile","ctaEntity":"Are you a NIS2 entity?","anchorBadge":"Structured to ENISA NIS2 Technical Implementation Guidance v1.0 (June 2025) §5","bsiQuote":"Wir begrüßen aktuelle Vorstöße der Wirtschaft, einen einheitlichen Fragenkatalog für Lieferanten zu erarbeiten.","bsiAttribution":"— BSI NIS-2 FAQ (Lieferketten und Sicherheit). The supplier portal is that initiative — a private-sector unified questionnaire structured to the canonical EU taxonomy (ENISA TIG §5) so every NIS2-regulated entity can satisfy CIR §5.1.4 with a single source.","benefit1Title":"One questionnaire, every customer","benefit1Body":"Answer the BSI / CIR questions once. Every customer you invite sees the same vetted answers — no more bespoke security questionnaires per relationship.","benefit2Title":"Anchored to ENISA TIG v1.0","benefit2Body":"Every section header and field cites a specific paragraph of ENISA's NIS2 Technical Implementation Guidance (June 2025) plus the underlying CIR 2024/2690 article. Auditors recognise the taxonomy. Customers trust the structure. No invented categories.","benefit3Title":"Notify customers about asset-level incidents","benefit3Body":"When an asset you manage has a security incident, you notify the affected customer with one click. Each customer sees only their own assets and their own notifications. They satisfy their NIS2 §30 supplier monitoring obligation by reading your update.","benefit4Title":"Bilateral and private. No public profile.","benefit4Body":"Built in Germany, hosted in the EU, aligned with BSI Grundschutz defaults. Your data is shared only with the customers you explicitly invite — no public URL, no search engine indexing. Customers access via a private magic link with no platform account required.","footerHeadline":"Start in two minutes.","footerBody":"Sign in with Google. Fill in your company name and primary domain. Answer the questionnaire at your own pace. Invite your customers when you are ready.","footerCta":"Create your supplier profile"},"questionnaire":{"title":"BSI / CIR Supplier Questionnaire","intro":"Every question maps to a specific paragraph of CIR 2024/2690 — the binding EU regulation under NIS2 — or to BSI IT-Grundschutz. Fill it once; every customer who subscribes sees the same answers.","save":"Save draft","submit":"Sign off and publish","submitting":"Saving…","saved":"Saved","saveError":"Could not save — please try again.","submitError":"Could not sign off — fix the validation errors first.","savedAt":"Last saved {time}","sectionIdentity":"Identity (CIR §5.2 / ENISA TIG §5.2 supplier register)","sectionIncidentContact":"Customer-facing incident contact","sectionType":"Service type","sectionContract":"Mandatory contract clauses (CIR / ENISA TIG §5.1.4)","sectionBaseline":"Cybersecurity practices (NIS2 Art. 21(2) / ENISA TIG §5.1.2)","sectionContractTips":"Additional contract clauses (ENISA TIG §5.1.4 TIPS)","sectionSaas":"SaaS technicals","sectionOnPrem":"On-prem software technicals","sectionProServices":"Professional services details","sectionManaged":"Managed service details"},"fields":{"legalName":"Legal name","registeredAddress":"Registered address","country":"Country","securityContactName":"Security contact name","primaryDomain":"Primary domain","tagline":"Tagline (one line, customer-facing)","description":"Public description (longer)","incidentContactEmail":"Incident contact email","incidentContactPhone":"Incident contact phone (24/7)","incidentSlaHours":"Incident notification SLA (hours)","serviceDescription":"Description of services provided","dataProcessingLocations":"Countries / regions where customer data is processed","bsiRegistrationId":"BSI registration ID (only if your company is itself NIS2-regulated)","isSaas":"We provide SaaS / hosted services","isOnPrem":"We deliver on-prem software","isProfessionalServices":"We provide professional services / consulting","isManagedService":"We provide managed services / MSP","hasIsms":"Documented Information Security Management System (ISMS)","hasIso27001OrEquivalent":"Hold ISO 27001, BSI Grundschutz, or equivalent certification","staffSecurityTraining":"Annual security awareness training for all staff","backgroundChecks":"Background checks on staff with customer data access","vulnerabilityHandling":"Documented vulnerability handling and patching process","acceptRightToAudit":"Accept customer right to audit (or provide audit reports)","hasSubprocessors":"Use subprocessors / sub-suppliers","subprocessorList":"List of subprocessors","dataReturnOnTermination":"Commit to return / destroy customer data on termination","dpaAvailable":"Standard data processing agreement (DPA) available","securityPolicyReviewedAnnually":"Security policies reviewed at least annually","hasIncidentResponsePlan":"Documented incident response plan","hasBusinessContinuityPlan":"Documented business continuity / disaster recovery plan","hasCryptographyPolicy":"Documented cryptography policy","hasPrivilegedAccessMgmt":"Privileged access management (PAM) for internal staff","mfaEnforcedInternal":"MFA enforced for all internal admin / privileged accounts","hasAssetInventory":"Maintain an inventory of information assets","hasPenetrationTestingProgram":"Annual or biennial penetration testing program","pastBreachesDisclosed":"We disclose past notifiable cybersecurity events when asked by customers","incidentAssistanceCommitment":"Provide incident assistance to customers at no / ex-ante cost","cooperateWithAuthorities":"Fully cooperate with competent authorities (BSI, ENISA, national CSIRTs)","notifyMaterialChanges":"Notify customers of any material change affecting service delivery","notifyOnLocationChange":"Notify customers in advance if data-processing locations change","hasExitPlan":"Documented exit strategy with mandatory transition period","saasHostingRegion":"Hosting region","saasEncryptionAtRest":"Encryption at rest","saasEncryptionInTransit":"Encryption in transit (TLS ≥ 1.2)","saasMfaEnforced":"MFA enforced for all admin accounts","saasRtoHours":"Recovery time objective (RTO) in hours","onPremSbomProvided":"Provide a Software Bill of Materials (SBOM)","onPremSignedReleases":"Releases are cryptographically signed","onPremVulnerabilityDisclosurePolicy":"Published vulnerability disclosure policy","onPremPatchSlaCriticalHours":"Patch SLA for critical CVEs (hours)","proServicesBackgroundCheckScope":"Background check scope","proServicesNdaInPlace":"NDA in place with all consultants","proServicesCustomerPremisesPolicy":"Documented customer-premises behaviour policy","managedPrivilegedAccessMgmt":"Privileged access management (PAM) in place","managedSessionRecording":"Admin sessions are recorded","managedOnCall24x7":"24/7 on-call coverage"},"fieldDescriptions":{"legalName":"Required by CIR 2024/2690 §5.2(a) — supplier register entry.","registeredAddress":"Required by CIR 2024/2690 §5.2(a) — supplier register entry.","country":"ISO 3166-1 alpha-2 code, e.g. DE, FR, IT.","securityContactName":"Required by CIR 2024/2690 §5.1.4(d) — incident notification chain.","serviceDescription":"Required by ENISA TIG §5.2(b) + §5.1.4 TIPS — clear and complete description of the ICT products and services you provide. One paragraph.","dataProcessingLocations":"Required by ENISA TIG §5.1.4 TIPS — list every country / region where your customers' data is produced, processed or stored. Comma-separated.","bsiRegistrationId":"Optional. ENISA TIG §5.1.2 — if your company is itself a NIS2-regulated entity with a BSI registration, your customers can use this fact to satisfy their §5.1.2 supplier-selection criteria.","isSaas":"Determines which technical questions you'll see next. Pick all that apply.","isOnPrem":"Software your customers install on their own hardware.","isProfessionalServices":"Consulting, implementation, training, audit work.","isManagedService":"Operating the customer's IT under contract (MSP, MSSP).","hasIsms":"Required by CIR 2024/2690 §5.1.2(a) — cybersecurity practices of suppliers.","hasIso27001OrEquivalent":"Required by CIR 2024/2690 §5.1.2(b). Upload the certificate via the Certifications tab.","staffSecurityTraining":"Required by CIR 2024/2690 §5.1.4(b) — awareness, skills and training.","backgroundChecks":"Required by CIR 2024/2690 §5.1.4(c) — verification of staff background.","vulnerabilityHandling":"Required by CIR 2024/2690 §5.1.4(f) — handle vulnerabilities that present a risk.","acceptRightToAudit":"Required by CIR 2024/2690 §5.1.4(e) — right to audit or to receive audit reports.","hasSubprocessors":"Required by CIR 2024/2690 §5.1.4(g) — subcontracting requirements.","subprocessorList":"List the subprocessors and what they do for you. CIR 2024/2690 §5.1.4(g).","dataReturnOnTermination":"Required by CIR 2024/2690 §5.1.4(h) — retrieval and disposal of information at termination.","dpaAvailable":"GDPR Art. 28 — written data processing agreement.","securityPolicyReviewedAnnually":"Required by CIR 2024/2690 §5.1.1(c) — security policies must be reviewed and updated regularly.","hasIncidentResponsePlan":"Required by CIR 2024/2690 §5.1.3 / NIS2 Art. 21(2)(b) — documented incident handling procedures.","hasBusinessContinuityPlan":"Required by CIR 2024/2690 §5.1.5 / NIS2 Art. 21(2)(c) — business continuity and crisis management.","hasCryptographyPolicy":"Required by CIR 2024/2690 §5.1.6 / NIS2 Art. 21(2)(h) — policies and procedures regarding the use of cryptography.","hasPrivilegedAccessMgmt":"Required by CIR 2024/2690 §5.1.7 / NIS2 Art. 21(2)(i) — access control policies for privileged accounts.","mfaEnforcedInternal":"Required by NIS2 Art. 21(2)(j) — multi-factor authentication for accounts with elevated privileges.","hasAssetInventory":"Required by CIR 2024/2690 §5.1.8 / NIS2 Art. 21(2)(i) — asset management.","hasPenetrationTestingProgram":"Required by CIR 2024/2690 §5.1.12 — testing of cybersecurity risk-management measures.","pastBreachesDisclosed":"ENISA TIG §5.1.2 — selection criteria require entities to consider 'the supplier's history in relation to cybersecurity events and breaches'.","incidentAssistanceCommitment":"ENISA TIG §5.1.4 TIPS — supplier obligation to assist the customer at no / ex-ante cost during a cyber incident caused by the ICT product or service.","cooperateWithAuthorities":"ENISA TIG §5.1.4 TIPS — supplier obligation to fully cooperate with competent authorities during inspections, audits and incident handling.","notifyMaterialChanges":"ENISA TIG §5.1.4 TIPS — notification of any development that might have a material impact on the supplier's ability to effectively provide the ICT products or services.","notifyOnLocationChange":"ENISA TIG §5.1.4 TIPS — notify the customer in advance if data-processing locations envisaged to change.","hasExitPlan":"ENISA TIG §5.1.4 TIPS — exit strategy with a mandatory adequate transition period, IP provisions and supplier responsibilities during the exit period.","saasHostingRegion":"BSI IT-Grundschutz OPS.2.2 Cloud-Nutzung — where customer data is stored.","saasEncryptionAtRest":"BSI IT-Grundschutz OPS.2.2.A11. AES-256 or equivalent.","saasEncryptionInTransit":"BSI IT-Grundschutz OPS.2.2.A11. TLS 1.2 minimum, TLS 1.3 preferred.","saasMfaEnforced":"BSI IT-Grundschutz ORP.4.A23 — second-factor authentication for privileged accounts.","saasRtoHours":"BSI IT-Grundschutz DER.4 — maximum tolerated downtime for customer service.","onPremSbomProvided":"CRA / NIS2 supply-chain transparency. Format: CycloneDX or SPDX.","onPremSignedReleases":"BSI IT-Grundschutz CON.8 Software-Entwicklung — signed releases prevent supply-chain tampering.","onPremVulnerabilityDisclosurePolicy":"BSI IT-Grundschutz CON.10. Public security.txt or contact for vulnerability reports.","onPremPatchSlaCriticalHours":"Time from CVE disclosure to patch availability for critical vulnerabilities.","proServicesBackgroundCheckScope":"BSI IT-Grundschutz ORP.2.A14 — staff vetting for sensitive roles.","proServicesNdaInPlace":"BSI IT-Grundschutz ORP.2.A2 — confidentiality agreements with all consultants.","proServicesCustomerPremisesPolicy":"BSI IT-Grundschutz ORP.3.A4 — security awareness on customer premises.","managedPrivilegedAccessMgmt":"BSI IT-Grundschutz ORP.4.A26 — PAM for administrative remote access.","managedSessionRecording":"BSI IT-Grundschutz OPS.1.2.5.A11 — recorded remote maintenance sessions.","managedOnCall24x7":"BSI IT-Grundschutz DER.2.1 — incident detection and response coverage."}},"team":{"pageTitle":"Team","pageDescription":"Manage team members and invitations","members":{"title":"Members","description":"{count, plural, one {# member} other {# members}} in your company","name":"Name","email":"Email","role":"Role","you":"you","assignedCategories":"Assigned Categories","complianceRole":"Assign Role"},"invites":{"title":"Pending Invites","description":"{count, plural, one {# pending invitation} other {# pending invitations}}","email":"Email","expires":"Expires","linkCopied":"Link copied"},"invite":{"title":"Invite Member","description":"Enter an email address to generate an invite link","email":"Email","emailPlaceholder":"colleague@company.com","complianceRole":"Compliance Role","complianceRolePlaceholder":"Select role (optional)","submit":"Invite","submitting":"Inviting..."},"assignRole":{"label":"Assign Role","placeholder":"Select role...","success":"Role assigned successfully","noCategories":"No categories for this role"},"remove":{"success":"Member removed"},"revoke":{"success":"Invite revoked"},"inline":{"sent":"Invite sent to {email}","linkCopied":"Link copied"},"invalidTitle":"Invalid Invite","invalidDescription":"This invite link is invalid or has already been used.","usedTitle":"Invite Already Used","usedDescription":"This invite has already been accepted or revoked.","expiredTitle":"Invite Expired","expiredDescription":"This invite link has expired. Ask your admin for a new one.","accept":{"joinTitle":"Join {company}","joinDescription":"You've been invited to join as {role}.","signInDescription":"You've been invited to join as {role}. Sign in with Google to continue.","signInGoogle":"Sign in with Google","alreadyMemberTitle":"Already a Member","alreadyMemberDescription":"You are already a member of a company. You cannot join another one.","goToDashboard":"Go to Dashboard","wrongAccountTitle":"Wrong Account","wrongAccountDescription":"This invite was sent to {inviteEmail}. You're signed in as {userEmail}.","signOutRetry":"Sign out and try again","joining":"Joining...","acceptInvite":"Accept Invite","joined":"Joined {company}"},"roles":{"ceo":"CEO / Managing Director","ciso":"CISO / IT Security Officer","cto":"CTO / Head of Engineering","coo":"COO / Operations Director","cpo":"CPO / Procurement Lead","hr_director":"HR Director","legal":"Legal / Compliance Officer","dpo":"Data Protection Officer"}},"training":{"title":"Training Records","description":"Employee and management cybersecurity training records. Required by NIS2 Art. 21(2)(g) and BSIG §38(3).","helpText":"Record all cybersecurity training completions. NIS2 mandates regular awareness training for all employees and specific training for management (BSIG §38(3) - personal liability). Track who completed what training and when.","add":"Add Training","edit":"Edit Training","empty":"No training records yet. Add your first training record.","deleteConfirm":"Are you sure you want to delete this training record?","actions":"Actions","yes":"Yes","no":"No","participants":"Participants","selectParticipants":"Select participants","noParticipants":"Select at least one participant","inviteNew":"Invite new member","certificate":"Training Certificate","certificateHint":"Upload certificate or proof of completion (PDF, image)","uploadingCert":"Uploading...","certUploaded":"Certificate uploaded","certUploadFailed":"Upload failed","removeCert":"Remove","managementTraining":"Management Training (§38 BSIG)","managementHint":"Auto-detected from role. Override if needed.","batchCreated":"{count} training records created","saveTraining":"Save Training","fields":{"title":"Title","trainingType":"Training Type","description":"Description","participantName":"Participant","participantRole":"Role","isManagement":"Management Training","providerName":"Provider","trainerName":"Trainer","startedAt":"Started","completedAt":"Completed","durationMinutes":"Duration (min)","nextTrainingDue":"Next Training Due"},"fieldDescriptions":{"title":"Name of the training course or session (e.g., 'Annual Cybersecurity Awareness', 'Incident Response Workshop').","trainingType":"Select the type of training (e.g., awareness, technical, management, incident response).","description":"Brief description of the training content, objectives, and target audience.","participantName":"Full name of the person who attended or completed this training.","participantRole":"Job title or role of the participant within the organization.","isManagement":"Enable if this is management-level training. BSIG Section 38(3) requires specific cybersecurity training for management with personal liability.","providerName":"Name of the training provider or organization delivering the training.","trainerName":"Name of the individual instructor or facilitator.","startedAt":"Date when the participant started this training.","completedAt":"Date when the participant successfully completed this training.","durationMinutes":"Total duration of the training session in minutes.","nextTrainingDue":"Date when this participant's next refresher or follow-up training is due."}},"trainingPortal":{"title":"Training Portal","courses":"Courses","courseOverview":"Course Overview","lesson":"Lesson","lessons":"Lessons","module":"Module","progress":"Progress","completed":"Completed","inProgress":"In Progress","notStarted":"Not Started","comingSoon":"Coming Soon","startCourse":"Start Course","continueCourse":"Continue","viewCourse":"View Course","nextLesson":"Next Lesson","previousLesson":"Previous Lesson","completeLesson":"Mark as Complete","lessonCompleted":"Lesson Completed","textView":"Text","videoView":"Video","dictionary":"Terms","definedTerms":"Key Terms","vocabularyWords":"Vocabulary","quiz":{"title":"Quiz","question":"Question","of":"of","submit":"Submit Answers","retry":"Try Again","score":"Your Score","passed":"Passed!","failed":"Not Passed","passMessage":"You scored {score}%. You can move on to the next lesson.","failMessage":"You scored {score}%. You need {required}% to pass. Review the lesson and try again.","explanation":"Explanation","nextLesson":"Next Lesson","correct":"Correct","incorrect":"Incorrect"},"progressLabel":"{completed} of {total} lessons completed","estimatedTime":"{minutes} min read"},"vulnerabilities":{"title":"Vulnerability Management","description":"Track discovered vulnerabilities through their lifecycle. Required by CIR 2024/2690 Art. 6.10.","helpText":"Log vulnerabilities found through scans, pentests, or advisories. Track triage, treatment decisions, and resolution. CIR requires vulnerability handling as a separate documented process from patch management.","add":"Add Vulnerability","edit":"Edit Vulnerability","empty":"No vulnerabilities recorded yet. Add your first vulnerability.","deleteConfirm":"Are you sure you want to delete this vulnerability?","actions":"Actions","severity":{"critical":"Critical","high":"High","medium":"Medium","low":"Low"},"status":{"discovered":"Discovered","assessed":"Assessed","treating":"Treating","resolved":"Resolved","accepted":"Accepted","mitigated":"Mitigated"},"source":{"vulnerability_scan":"Vulnerability Scan","pentest":"Penetration Test","bug_bounty":"Bug Bounty","vendor_advisory":"Vendor Advisory","internal_review":"Internal Review"},"fields":{"cveId":"CVE ID","title":"Title","description":"Description","severity":"Severity","cvssScore":"CVSS Score","source":"Source","assetId":"Asset","status":"Status","discoveredAt":"Discovered","treatmentNote":"Treatment","acceptanceReason":"Acceptance Reason","resolvedAt":"Resolved"},"fieldDescriptions":{"cveId":"CVE identifier if available (e.g., CVE-2024-1234). Leave empty for internally discovered vulnerabilities without a CVE.","title":"Brief description of the vulnerability (e.g., 'SQL injection in login form', 'Outdated TLS 1.0 on web server').","description":"Detailed description: affected components, versions, potential impact, and exploitation conditions.","severity":"CVSS-based severity rating: critical, high, medium, or low.","cvssScore":"Optional numeric CVSS score (0.0-10.0) for precise prioritization.","source":"How this vulnerability was discovered: scan, pentest, bug bounty, vendor advisory, or internal review.","assetId":"Asset affected by this vulnerability, if applicable. Select from the asset register.","status":"Current lifecycle status: discovered, assessed, treating, resolved, accepted (risk), or mitigated (compensating control).","discoveredAt":"Date when the vulnerability was first identified.","treatmentNote":"What is being done to address this vulnerability (patch, configuration change, compensating control, etc.).","acceptanceReason":"If accepting the risk, document the justification per CIR 6.6.2. Required for status 'Accepted'.","resolvedAt":"Date when the vulnerability was resolved, accepted, or mitigated."}}},"now":"$undefined","timeZone":"UTC","children":"$L35"}]