Cybervize - Cybersecurity Consulting

Virtual CISO and NIS2: How a vCISO Helps with Compliance

Alexander Busse · March 6, 2026

NIS2 is no longer optional. Since December 18, 2024, the Directive on Network and Information Security has applied across the European Union, and Germany has implemented it into national law. For operators of critical infrastructure and large enterprises, NIS2 compliance is now mandatory. For mid-market companies with 100 to 500 employees, a critical question arises: how do we achieve NIS2 compliance without hiring a full-time CISO? The answer is often a Virtual CISO.

What is NIS2 and who is affected?

NIS2 is the European Union's Directive on Network and Information Security. It requires companies and infrastructure operators to implement robust cybersecurity measures and defined reporting obligations. NIS2 applies not only to energy suppliers and water utilities but also to healthcare providers, digital infrastructure operators, transport, banking, and a broad mid-market segment.

Company size categories and thresholds

Large enterprises: 250 or more employees or annual turnover of EUR 50 million or total balance sheet of EUR 25 million. These entities must comply with all NIS2 requirements without exception.

SMEs (Small and Medium Enterprises): Below these thresholds but with exceptions. SMEs in critical sectors (energy, water, healthcare, finance) or as providers of critical infrastructure fall under NIS2. Other SMEs have reporting obligations but somewhat reduced requirements.

Personal liability of management: NIS2 makes executives directly liable. A violation of NIS2 requirements is not just an IT issue but can result in fines up to EUR 10 million or 2 percent of global annual turnover. Executives and board members can be held personally responsible.

The 10 core NIS2 requirements and vCISO solutions

NIS2 defines ten core requirements for cybersecurity. A Virtual CISO systematically structures how a mid-market company addresses each one.

1. Risk management and security governance

Every company must establish an Information Security Management System (ISMS), assess risks, and create a governance model with escalation paths. A vCISO defines relevant risks, creates a risk matrix, and provides monthly executive updates on critical risks.

2. Incident reporting: 24-hour obligation

Serious incidents must be reported to the authorities within 24 hours. This requires an incident response plan, an escalation team, and a documentation system. The vCISO defines the reporting chain and trains the relevant teams during the first quarter of the engagement.

3. Supply chain security

Suppliers and service providers with access to critical systems must themselves be NIS2-compliant or sign a security contract. A vCISO establishes a vendor assessment process, evaluates suppliers, and documents compliance.

4. Business continuity and disaster recovery

The company must demonstrate a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). A vCISO defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems, tests plans semi-annually, and documents the tests.

5. Management training and awareness

Executives and the board must receive training in cybersecurity and NIS2 at least once per year. A vCISO organizes these trainings and builds a cybersecurity culture.

6. Access control and authentication

Multi-Factor Authentication (MFA), encryption of sensitive data, and regular password updates are mandatory. A vCISO reviews the current state, recommends measures, and oversees implementation.

7. Cryptographic procedures and data protection

Data in transit and at rest must be encrypted. A vCISO conducts a data protection audit, identifies gaps, and orchestrates encryption implementation.

8. Security architecture and network segmentation

Critical systems must be segmented, and firewalls and Intrusion Detection Systems (IDS) are required. A vCISO reviews the network architecture and recommends incremental improvements.

9. Patch and vulnerability management

All systems must be updated with current software versions and security patches. A vCISO establishes a patch management process and monitors compliance monthly.

10. Monitoring and logging

Security events must be logged and monitored (Security Information and Event Management, SIEM). A vCISO designs the logging concept and oversees implementation.

Why most mid-market companies cannot handle NIS2 alone

A typical mid-market company with 100 to 300 employees often lacks a dedicated security team. The IT director manages servers and desktops, and the business leader focuses on sales. Cybersecurity is a side task, if it is handled at all. Under these conditions, NIS2 compliance without external support is nearly impossible.

Common gaps without a CISO

No ISMS structure: There is no documented security policy, no defined roles, no escalation paths. Security is ad hoc, not strategic.

No incident reporting processes: If a security incident occurs, no one knows whom to inform, within what timeframes, or with what information.

Weak vendor control: External IT service providers, cloud vendors, and consultants are not formally integrated into the security process.

No documented disaster recovery: There may be backups, but no tested plan for critical scenarios.

Inadequate logging: Security events are not centrally captured. Investigations after incidents are tedious or impossible.

The vCISO roadmap: How you become NIS2-compliant in 12 months

A Virtual CISO structures NIS2 compliance in three four-month phases. This roadmap is realistic, achievable, and cost-effective.

Months 1 to 3: Gap analysis and quick wins

Weeks 1-2: The vCISO conducts a gap analysis. What do you already have in place? Where are the gaps against NIS2? Result: a gap assessment report prioritized by risk and effort.

Weeks 3-4: Quick wins: Activate MFA for critical accounts, build a vendor inventory, define the first incident response team, write initial IT security policies.

Weeks 5-12: Formalization: Develop ISMS documents, build training plan, define incident reporting process, conduct first business continuity review.

Months 4 to 6: ISMS foundation and documentation

ISMS policy: A written security policy is developed with the vCISO and management, then signed.

Risk assessment: All critical assets are inventoried, threats are assessed, risks are prioritized.

Compliance documentation: All suppliers receive security contracts, all systems are recorded in a configuration management system.

Training: The first IT security training for the IT team and management takes place.

Months 7 to 12: Complete compliance and testing

Patch and vulnerability management: A monthly scanning and patch process is established and documented.

Business continuity tests: Disaster recovery plans are written and tested semi-annually.

Logging and monitoring: A central logging infrastructure is built, security events are monitored.

Annual compliance audit: The vCISO conducts a compliance check against NIS2 and documents results for management and, if needed, for regulators.

Costs: NIS2 non-compliance vs. vCISO

Investment in a vCISO is minimal compared to the risk of NIS2 violation.

Fines for NIS2 violations

Categories 1 and 2 (Critical infrastructure): Up to EUR 10 million or 2 percent of global annual turnover, whichever is higher.

Categories 3 and 4 (Larger SMEs): Up to EUR 5 million or 1 percent of global annual turnover.

Operational impact: After an incident, the business may be unable to operate for several weeks. The damage grows with every hour of outage.

Costs of a Virtual CISO for NIS2

Typical engagement: 4 to 6 days per month for the first 12 months, then 2 to 3 days per month for ongoing compliance and annual reviews.

Costs: EUR 5,000 to EUR 8,000 per month during buildup phase, then EUR 2,500 to EUR 4,000 per month for ongoing support. Annual total: EUR 60,000 to EUR 96,000 in year one, then EUR 30,000 to EUR 48,000 per year.

Comparison: A full-time CISO costs EUR 150,000 to EUR 250,000 per year, plus recruiting and onboarding time. For NIS2 compliance, a vCISO is typically 60 to 70 percent more cost-effective and becomes productive significantly faster.

What to look for when selecting a vCISO for NIS2 projects

Not all vCISOs are equally suited for NIS2 compliance. Here are the key selection criteria.

Verifiable CISO experience

The vCISO should have 10 or more years of experience as Chief Information Security Officer in an enterprise environment. Cloud security consultants or IT project managers calling themselves vCISOs are typically insufficient. Ask: In which large enterprises was this person CISO? Which processes did they build? What budgets did they manage? References from previous clients are mandatory.

NIS2-specific expertise

The vCISO must know NIS2 in detail. Has this person guided companies through NIS2 compliance? Do they understand the German regulatory implementation guidance? Can they explain the difference between NIS1 and NIS2? A good vCISO keeps you updated on changes in NIS2 implementation guidance.

Ability to collaborate with your IT team

The vCISO must be a facilitator and trainer, not just an auditor. A good vCISO works with your IT director to develop processes and plans collaboratively rather than imposing top-down demands. Your team should view the vCISO as a partner, not a threat.

Transparency on costs and deliverables

Good vCISOs offer clear Service Level Agreements (SLAs): how many days per month, what is included, what costs extra? They deliver monthly status reports and present to management. Beware of vCISOs who cannot provide clear cost frameworks or delivery guarantees.

Certifications and methodology

The vCISO should hold relevant certifications such as CISSP, CISM, or ISO/IEC 27001 Lead Auditor. The vCISO should have a clear methodology: Which standard is used as the basis for the ISMS (ISO/IEC 27001, BSI C5, or similar)? How are project phases structured?

Conclusion: A vCISO is the pragmatic path to NIS2 compliance

NIS2 is serious but not overwhelming. For most mid-market companies, a Virtual CISO is the best solution: industry expertise, reduced costs, rapid productivity, and no hiring complexity. In 12 months, you can be NIS2-compliant without restructuring management.

The key is choosing the right partner. A vCISO with genuine CISO experience and NIS2 expertise will guide your company systematically through requirements, engage your IT teams in the process, and deliver complete documentation and verifiable compliance at the end.

Ready to tackle NIS2 systematically? Contact us for a complimentary consultation. We will show you how your company can achieve compliance within a realistic timeframe.