NIS2 & BSIG

Understand NIS2 and implement it safely

NIS2 sounds like a complicated IT law – at its core it's a simple question: is your company doing enough to stay operational when something goes wrong? I translate the requirements into clear steps that fit you and protect your budget.

Basics

What is NIS2 – in plain words?

NIS2 is a European Union directive for stronger cybersecurity. "Directive" means each EU country casts it into its own law. In Germany this happens through the NIS2 implementation act, which mainly extends the BSI Act (BSIG). So if you want to know what concretely needs doing, you look at the BSIG – and that's exactly where I'm at home.

The goal isn't bureaucracy but resilience: your company should detect attacks and outages early, stay operational in a crisis and report incidents. NIS2 distinguishes two groups – essential and important entities. The difference is mainly size, sector and the strictness of supervision. The duties themselves are similar.

Scope

Who does NIS2 affect?

Around 18 sectors, from energy and engineering to digital services. Rule of thumb: a critical sector plus a certain company size. But you can be affected even without being directly in scope.

By size

From 50 employees or €10m turnover in one of the covered sectors you are usually directly in scope – as an important or essential entity.

By sector

Some activities – data centres, DNS, telecommunications or KRITIS operation – are often in scope regardless of size.

By supply chain

Even if you're not directly in scope: your affected customers must secure their suppliers – and pass the requirements on to you.

Duties

What NIS2 concretely requires

Four areas in which the BSIG puts you on the hook – and in which I take the load off you.

01 – Registration & reporting

Affected entities must register with the BSI and report significant incidents within short deadlines. I set up the process so it simply works under pressure.

02 – Risk management (§ 30 BSIG)

Appropriate technical and organisational measures – risk-based, not a blanket shopping list. From access control and backups to the supply chain.

03 – Management (§ 38 BSIG)

Leadership must approve the measures, oversee implementation – and undergo training. They are liable for breaches. This duty cannot be delegated.

04 – Evidence & supervision

Essential entities must be able to demonstrate their measures. I make sure your documentation is audit-proof – before the BSI asks.

My promise

NIS2 doesn't have to be expensive

The biggest cost driver in NIS2 isn't the law – it's redundant measures bought on suspicion. A SOC here, a pentest there, one tool for everything.

As a former CISO and lawyer I do it differently: first we clarify which assets and risks you really have and what the BSIG requires in your case. Then we implement exactly the measures that reduce your risk – in the right order. More thinking up front saves a lot of money later. That's not cutting corners on security – it's the opposite: your budget lands where it works.

My approach in detail

Working together

How I guide you through NIS2

1 – Scoping & gap analysis (fixed fee €4,995)

Clarity on whether and how you're in scope, plus a prioritised roadmap. With a workshop on request.

2 – Implementation (individually priced)

A lean ISMS to ISO 27001, lived processes, only the technology that's truly needed.

3 – Audit & evidence support (individually priced)

Preparation for the BSIG audit, the IT-Sicherheitskatalog or ISO 27001 certification – as a lead auditor with additional ISACA audit-procedure competence for § 8a BSIG, I know both sides.

4 – Interim CISO (on demand)

On request I take full responsibility – operationally, strategically, including communication with authorities.

FAQ

NIS2 – answered briefly

The duties apply through the NIS2 implementation act, which amends the BSIG. Registration, reporting and risk-management duties already apply – waiting is a risk. The sensible first step is a clean scoping and gap analysis.

Essential entities are larger companies in highly critical sectors; they face the strictest supervision including an evidence duty. Important entities are medium-sized companies or companies from further critical sectors. The measures are similar, the supervision differs in strictness.

Not strictly – but ISO 27001 is the proven framework for meeting the BSIG requirements in a structured, demonstrable way. For energy grid operators the IT-Sicherheitskatalog under § 11 EnWG applies on top, requiring an ISMS to ISO 27001 (and 27019). I make sure these don't duplicate.

Yes. Under § 38 BSIG management must approve and oversee the risk-management measures and undergo training. This duty cannot be fully delegated. That's why I offer dedicated management training.

Unsure where you stand on NIS2?

Start with the free scoping check or let's clarify it directly in a no-obligation intro call.