The Cybervize platform supports the implementation and evidence trail for the 10 minimum measures per § 30 BSIG: risks, controls, evidence in one system. External CISOs implement in 12 weeks, from €4,500. Fixed-fee packages instead of hourly billing.
Germany's NIS-2 implementation law (NIS2UmsuCG) has been in force since 6 December 2025 with no transition period. What this means for affected companies, and what is at stake for non-compliance.
Germany's NIS-2 implementation law entered into force the day after publication in the Federal Law Gazette (5 Dec 2025). No transition period.
Affected entities were generally required to register within three months (cut-off date 6 Mar 2026). Entities not yet registered should review their scope and file a late notification promptly.
Early warning within 24 hours, full report within 72 hours of becoming aware of a significant security incident.
Employee training, audit preparation and effectiveness reviews of measures are continuous obligations, not a one-time exercise.
The NIS-2 directive applies to all essential and important entities, typically mid-market companies with more than 50 employees and €10M annual revenue, plus all critical infrastructure operators. Suppliers of these entities are pulled in via the supply-chain clause. Non-compliance can trigger fines up to €10M or 2 % of global annual revenue, plus personal liability for management.
NIS-2 covers significantly more industries than the original NIS directive. Annex I lists sectors of high criticality (essential entities); Annex II lists other critical sectors (important entities). Both must implement the ten minimum measures.
NIS-2 distinguishes two entity classes. Both must implement the ten minimum measures, but supervision intensity and fine levels differ.
Essential entities (Annex I): proactive BSI inspections, on-site audits, random spot checks. The BSI can demand evidence and documents at any time. Fines up to €10M or 2 % of global annual revenue, whichever is higher.
Important entities (Annex II): reactive supervision by the BSI, typically triggered by an incident, a complaint or a specific suspicion. No routine on-site audits. Fines up to €7M or 1.4 % of global annual revenue, whichever is higher.
Both classes must register with the BSI, implement the ten minimum measures per § 30 BSIG, and comply with the 24-hour and 72-hour reporting obligations. Personal liability of management applies equally to both classes.
NIS-2 requires in-scope entities to actively manage cybersecurity along their supply chain. This pulls many suppliers, who are not themselves directly in scope, indirectly under NIS-2 expectations.
Practical tip: suppliers of NIS-2 obligated entities should aim for ISO 27001 or equivalent maturity even if they are not directly in scope. It substantially simplifies evidence handling towards the customer.
NIS-2 mandates a risk-based approach with ten concrete minimum measures every in-scope organisation must implement.
Cyber-risk assessment methodology and binding security policies for the entire organisation.
Detection, containment, remediation, and reporting processes for security incidents, with clear ownership and timelines.
Continuity plans, backup strategies, recovery procedures: tested, documented, exercise-ready.
Assessment of critical suppliers and service providers, contractual cybersecurity requirements, ongoing monitoring.
Secure-by-design for IT procurement, secure development processes, patch and vulnerability management.
Periodic verification that implemented cybersecurity measures meet their objectives, with measurable indicators.
Mandatory awareness training for all employees, periodically refreshed and demonstrably documented.
Concepts and procedures for encryption of data in transit and at rest, key management, algorithm governance.
Clear access concepts (least privilege), asset inventory, and lifecycle management.
MFA for all privileged and remote access, secured communication channels including in emergency scenarios.
Source: § 30 NIS-2 Implementation and Cybersecurity Reinforcement Act (NIS2UmsuCG), which transposes EU Directive (EU) 2022/2555 into German law.
Three clearly defined packages along your NIS-2 maturity. Transparent fixed fees, no hourly billing.
Structured scoping, gap evaluation, prioritised roadmap.
Audit-ready NIS-2 readiness: ISMS build-out, processes, documentation, evidence. The legally binding compliance statement remains a matter for counsel.
Ongoing NIS-2 compliance, BSI reporting readiness, annual effectiveness review. Scope and pricing tailored to your setup.
Final pricing for Gap Assessment and Implementation depends on company size, number of sites, and IT complexity. Maintenance & Audit is priced individually based on audit frequency, maturity level, and required response times. We define the precise scope in a free initial call.
Four phases over twelve weeks. Each phase with a clear output, management sign-off, and structured handover.
Clarify NIS-2 status, scope, ownership, critical services and processes. Output: stakeholder map and scope document.
Structured evaluation of the ten minimum measures using the Cybervize platform, maturity score, gap analysis, risk assessment.
Prioritised roadmap, effort and cost estimates, management sign-off, implementation plan with ownership.
Execution of prioritised measures, documentation, training, effectiveness measurement, audit preparation.
Companies with ISO 27001 or TISAX don't need to build NIS-2 from scratch. The Cybervize platform automatically maps controls between frameworks: no duplicate implementation, no isolated compliance silos.
ISMS module per ISO 27001:2022. Assessment module with OSCAL import for IEC 62443, BSI Grundschutz, NIST and your own standards. All modules share risks, assets, and measures.
Eight of ten NIS-2 minimum measures are covered by ISO 27001 Annex A controls. The platform automatically shows what's already addressed and which NIS-2-specific gaps remain.
Incident management addresses the GDPR 72h notification requirement and NIS-2 24h early warning in one workflow. Records of processing and asset inventory share the same data foundation.
Every action logged: who, when, what, from which IP. Auditor roles with cross-module read access. CSV export, audit-proof snapshots, automated reports.
The platform and methodology grew out of 25 years of ISMS implementation in mid-market companies, not from a SaaS whiteboard.
Cybervize's founder led ISMS implementations at PwC, Deloitte and KPMG for over two decades, from mid-market to DAX-listed enterprise, across financial services, telecommunications, public sector and manufacturing. ISO 27001 Lead Auditor since 2006, BSI IT-Grundschutz auditor, CISA, BS 25999.
Cybervize was founded in 2021 with a clear thesis: NIS-2 compliance must not become a tick-box exercise running parallel to day-to-day operations, the way classic GRC tools force it to. Instead, compliance requirements have to be woven into the running security and IT processes, so that evidence is generated within day-to-day operations. Cybervize Consulting GmbH (2021) runs the consulting, Cybervize Operations GmbH (2023) built the platform, funded by the German federal government's StartupSecure programme in a 14-month research partnership with the CISPA incubator at the Helmholtz Center for Information Security. When our vCISO leads your NIS-2 implementation, they work with a tool designed by someone who has run the same engagements personally.
Sector-specific obligations, risks and platform building blocks for the industries most affected by NIS-2. Each page gives an indicative classification, the minimum measures illustrated with a sector example, and a recommended path.
Schedule a free initial consultation. In 30 minutes we clarify your scope, the next steps, and whether the gap assessment is the right entry point for you.
Many companies treat NIS2 as a tick-box exercise. But compliance is not the same as resilience. The Cross-Border Cybersecurity Tour #2 in Saarbrücken made it clear: a functioning security operation outweighs any tool collection.
70% of SMEs treat NIS2 as a compliance checkbox. But organizations that see it as a strategic lever can turn regulatory requirements into operational excellence and genuine resilience.
Alexander Busse speaks at the CROSSBORDER CYBERSECURITY TOUR #2 in Saarbrücken on how NIS2 compliance can drive operational excellence. Why 70% of SMEs misjudge the regulation – and how to turn it into a genuine competitive advantage.
Free self-check: where do you stand on the ten §30 BSIG measures? 30 questions, instant traffic light.
Strategy, compliance and operational security for mid-market companies.
Comprehensive analysis of your IT security posture with actionable roadmap.