Changelog
Curated list of meaningful changes to the platform, course, and compliance documents. Not a full commit history - only what matters to users, buyers, and auditors.
May 2026
Two new entries in the regulatory timeline. On 19 May 2026 the European Commission published its draft Guidelines on the classification of high-risk AI systems under Article 6 of the AI Act; consultation runs until 23 June 2026, and the guidelines clarify that critical-infrastructure high-risk classification is triggered by a CER (Directive 2022/2557) designation, not by NIS 2 essential-entity status. The BMI/BKA Bundeslagebild Cybercrime 2025 from 12 May 2026 was also added (about 335,000 cases and EUR 202.4 billion in economic damage), providing the political backdrop for the BSI's emerging NIS 2 audit phase.
Three new entries in the regulatory timeline. On 13 May 2026 the BSI–Mecklenburg-Vorpommern cybersecurity cooperation was added (the BSI now cooperates with twelve federal states). The BSI Geschäftsleitungs-Schulung guidance v1.0 (published 17 April 2026) was backfilled — it sets the supervisor's expectations for §38(3) BSIG management training organisation, content, and self-check. On 19 May 2026 the Dutch Senate (Eerste Kamer) opened the written input phase on the Cyberbeveiligingswet (NIS 2 transposition).
An 8-lesson tabletop exercise for management bodies covering the typical NIS 2 decisions during a crisis: ransomware entry, customer notification under §35 BSIG, the 24-hour early warning, supply-chain impact, and recovery. Available in German and English.
A new free course on the Cyber Resilience Act (Regulation 2024/2847) with focus on Software Bill of Materials (SBOM) — requirements, formats (SPDX, CycloneDX), and manufacturer obligations for digital products. The course library now also includes a course switcher so multiple courses are accessible side by side.
A new public page compares 145 GRC/ISMS platforms for the European market — pricing, category (SMB, mid-market, enterprise), regional availability, open-source status, and data-export portability. The dataset is the result of six weeks of market research; each entry links to the vendor's own page so claims remain verifiable.
Every NIS 2 requirement in the compliance portal now carries a structured reference to the relevant Annex passage of EU Implementing Regulation 2024/2690 (CIR). Auditors and compliance advisors can navigate directly from a requirement to its EU legal source.
Three new entries in the regulatory timeline. On 7 May 2026 BSI and the Federal Ministry for Transport published the first joint report on IT security of public EV charging infrastructure, sitting at the intersection of the NIS 2 transport and energy sectors. On 11 May the BSI Cybersecurity Monitor 2026 was released with consumer survey data. On 12 May BSI and Italy's ACN co-published the G7 minimum-elements guideline "SBOM for AI", directly relevant to the NIS 2 supply-chain duty under Art 21(2)(d) and to the AI Act compliance pathway.
Learners enrolled in the free CEO course now receive a single daily bundled reminder of open lessons, each followed by a short comprehension question. The reminder series can be unsubscribed per course; separate opt-outs cover the daily deadline emails and the weekly compliance digest. Every transactional email now carries a visible unsubscribe link.
Two regulatory timeline additions. Luxembourg transposed NIS 2 via the Act of 5 May 2026, in force since 10 May 2026, with the ILR self-registration portal live. On 29 April 2026 the European Commission referred Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain and Sweden to the CJEU for failing to transpose CER, requesting financial sanctions. This is the first major CJEU enforcement action under the CER/NIS 2 package.
NIS 2 content pages now consistently use the EU directive terminology ("wesentliche Einrichtungen", "essential entities", "essentiële entiteiten") rather than the BSIG transposition wording ("besonders wichtige Einrichtungen"). The BSIG term remains as a cross-reference in the glossary and the EU-vs-BSIG terminology table.
Signing off a requirement now automatically credits every linked requirement across NIS 2, GDPR, EU AI Act, and Cyber Resilience Act whose evidence shares the same underlying artefact (same incident record, same supplier register, same risk methodology). 16 pairs are tagged 'equivalent' and chain transitively; 22 'overlapping' pairs grant credit one hop only.
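As an added worked example (not the platform's own code), the credit rule described in this entry in TypeScript: 'equivalent' pairs are closed transitively, 'overlapping' pairs grant exactly one hop. Requirement ids and pairs are constructed; applying the overlapping hop from every member of the equivalence class (rather than only from the signed-off requirement) is an assumption.

```typescript
type PairKind = "equivalent" | "overlapping";
interface Pair { a: string; b: string; kind: PairKind; }

// Constructed sample data: one incident-handling requirement per framework whose
// evidence is the same underlying incident record. Ids are placeholders.
const PAIRS: Pair[] = [
  { a: "NIS2-INC-01", b: "GDPR-INC-01", kind: "equivalent" },   // same artefact
  { a: "GDPR-INC-01", b: "AIACT-INC-01", kind: "equivalent" },  // chains transitively
  { a: "AIACT-INC-01", b: "CRA-INC-01", kind: "overlapping" },  // one hop only
  { a: "CRA-INC-01", b: "CRA-INC-02", kind: "overlapping" },    // second hop: not credited
  { a: "CRA-INC-02", b: "CRA-INC-03", kind: "equivalent" },     // unreachable as well
];

// Pairs are undirected: credit flows in both directions.
function neighbours(id: string, kind: PairKind, pairs: Pair[]): string[] {
  const out: string[] = [];
  for (const p of pairs) {
    if (p.kind !== kind) continue;
    if (p.a === id) out.push(p.b);
    else if (p.b === id) out.push(p.a);
  }
  return out;
}

// Requirements automatically credited when `signedOff` is signed off (itself excluded).
function creditedBy(signedOff: string, pairs: Pair[] = PAIRS): Set<string> {
  // Step 1: transitive closure over 'equivalent' pairs (breadth-first search).
  const equivalent = new Set<string>([signedOff]);
  const queue: string[] = [signedOff];
  while (queue.length > 0) {
    const cur = queue.shift() as string;
    for (const n of neighbours(cur, "equivalent", pairs)) {
      if (!equivalent.has(n)) { equivalent.add(n); queue.push(n); }
    }
  }
  // Step 2: exactly one 'overlapping' hop from each member of the equivalence class
  // (assumption: the class shares one artefact, so the hop applies from every member).
  const credited = new Set<string>(equivalent);
  for (const id of equivalent) {
    for (const n of neighbours(id, "overlapping", pairs)) credited.add(n);
  }
  credited.delete(signedOff);
  return credited;
}
```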
The compliance portal now covers four EU frameworks: NIS 2, GDPR, EU AI Act (10 categories, 24 requirements anchored to Regulation 2024/1689), and EU Cyber Resilience Act (10 categories, 21 requirements anchored to Regulation 2024/2847). 27 cross-framework satisfaction pairs link related obligations so a single sign-off can satisfy multiple regimes at once.
On 7 May 2026 the Council of the EU and the European Parliament reached provisional political agreement on the AI Act Digital Omnibus. Annex III high-risk obligations are delayed to 2 December 2027, Annex I embedded high-risk obligations to 2 August 2028, and watermarking under Art 50(2) is deferred to 2 December 2026. A new Art 5 prohibition covers AI generating non-consensual intimate imagery and CSAM. Tracked in the regulatory timeline.
The public /nis2-meldepflicht page now documents the complete Article 23 NIS 2 reporting cascade as five distinct stages: 24-hour early warning, 72-hour incident notification, intermediate report on request, 1-month final report, and progress report when the incident is still ongoing. Each stage cites its directive article.
Public info pages now use locale-specific path slugs routed through next-intl's pathnames feature. Sitemap and hreflang headers are emitted automatically so search engines index the correct URL per locale. No action required from existing users.
On 4 May 2026, BSI together with CISO Bund and the Federal Ministry for Digital Affairs and State Modernization launched CyberGovSecure — the cross-departmental framework to implement NIS 2 cybersecurity measures across all German federal authorities. Tracked in the regulatory timeline.
The `asset_supplier_offering` table and `asset_service_type` enum (saas / on_prem / pro_services / managed) now live in the OSS package alongside `asset` and `supplier` — they used to sit in the app repo despite holding foreign keys into two package tables. Pure code relocation, zero database migration diff.
New reference page at /nis2-documents lists the documents and records NIS 2 (Directive 2022/2555) and Implementing Regulation 2024/2690 require — with article reference, CIR annex section, and the platform module that maintains the document as live data. 42 documents across 14 topic areas.
The GRC data layer (49 NIS 2 requirements, 7 GDPR requirements, 11 cross-framework pairs, Drizzle schemas for suppliers / assets / risks / incidents) is now a standalone MIT-licensed package on GitHub and npm. REFERENCE.md surfaces every entry, every pair, every mapping in one document. The platform itself uses the same package.
The platform now covers GDPR alongside NIS 2. 11 GDPR↔NIS 2 satisfaction pairs are wired: a sign-off on a NIS 2 requirement automatically closes the overlapping GDPR requirement (or vice versa). GDPR sidebar groups, Art. 28 fields on supplier / asset / incident, and seeded onboarding data are included.
Five high-impression pages (penalties, incident reporting, registration, missed registration, NIS 2 in Germany) were retitled with sharper queries — no more brand suffix. New: /llms.txt listing core content for LLM crawlers, complemented by Article / Breadcrumb / FAQ JSON-LD on key info pages.
The language switcher inside the training portal stopped persisting locale on some routes. Fixed.
April 2026
New public page at /training/nis2-ceo/outline shows all 47 lessons with module structure and time estimates — no account or OAuth required. Indexed in the sitemap for both locales.
New one-pager at /5-schritte (DE) and /5-steps (EN): the five NIS2 duties a managing director cannot personally delegate, in order. Step 4 links straight to the gap assessment.
The self-attestation was replaced with direct links to the relevant national authority for DE, AT, BE, FR, IT, and NL. We no longer claim whether a company falls under NIS2 — only the authority answers that bindingly.
Internal security review completed. Hardening applied across authenticated endpoints, the account-creation flow, and content loaders. No customer action required.
New /status page publicly shows platform status and past incidents.
Standard disclosure endpoint at /.well-known/security.txt for security researchers: contact, preferred languages, canonical URL, expiry.
Two repositories under github.com/NISD2: nis2-gap-assessment-schema (116 questions, 15 domains, Zod schema with scoring logic) and nis2-supply-chain-questionnaire-schema (56 fields, 6 sections). Dual-licensed (MIT for code, CC BY 4.0 for content). Every question and field is anchored to a specific legal source.
New /changelog page documents visible changes to the platform, course, and compliance documents - curated, not every commit. Filterable by category (product, content, course, compliance, regulatory) with monthly headers.
Landing page now shows the full NIS2 fine ceiling: up to €10M or 2% of global group turnover, whichever is higher. Previously only the €10M figure was shown.
New public documents at /avv and /toms. Audit log now captures IP address and user agent on every authenticated mutation. AWS S3 sets AES256 server-side encryption explicitly on every upload. Dependabot is enabled. Impressum extended with EUID, § 18(2) MStV responsibility, and EU online dispute resolution.
Landing page now shows the full EU legal chain as badges: NIS2 directive → BSIG → CIR 2024/2690 → IT-Grundschutz. New /corrections page publicly documents when we correct content — transparency over silent edits.
Dedicated /about page with managing director Simon Orzel and COO Cory Sales. Clear responsibilities and backgrounds — visible in the top navigation.
The NIS2 CEO course is now also available in Dutch — complete translation of all 47 lessons.
Full German localisation of the CEO course: 329 dictionary terms, 47 lesson titles, 45 quizzes — with proper umlauts, BSIG terminology, and article format.
Public NIS2 gap assessment with 116 structured questions across 15 domains, designed for a 5-day completion. PDF export of results available.
Dutch NIS2 transposition tracked in /nis2-timeline. Also: ENISA NCAF 2.0 update and NL registration portal status refreshed.
Consolidated overview of all national NIS2 registration portals across the EU with status, direct links, and per-country instructions.
CEO course participants receive a citable HTML certificate on completion, printable as PDF.
CIR badge replaced with BSIG § 30 + IT-Grundschutz on the landing page — more precise anchoring in the German transposition.
February 2026
Requirements can now be satisfied through operational modules (asset inventory, risk register, suppliers, incidents) rather than separate forms — the platform itself is the evidence.