Fundamentals
What does it all actually mean?
What is NIS 2?
EU Directive 2022/2555 explained in five minutes.
Section 30 BSIG: the ten cybersecurity measures
The ten risk management measures under Section 30(2) BSIG, their relationship to Article 21 NIS 2 and CIR (EU) 2024/2690, proportionality, and penalties.
Section 32 BSIG: the NIS 2 incident reporting duty
The reporting duty under Section 32 BSIG: early warning in 24 hours, notification in 72 hours, final report after one month, what significant means, and the relationship to the GDPR.
Section 38 BSIG: management body obligations
The management body obligations under Section 38 BSIG: implementing and monitoring the Section 30 risk management measures, attending training, personal internal liability under subsection 2, and the relationship to Article 20 NIS 2.
CIR 2024/2690 — the technical regulation
The EU implementing regulation that operationalises NIS 2 for digital infrastructure.
IT-Grundschutz and NIS 2
How the BSI standard relates to German NIS 2 implementation.
IT security duty explained
What directors legally owe — beyond NIS 2, also in corporate law.
Glossary
Terms around NIS 2, BSIG, CIR and cybersecurity.
Frequently asked questions
The questions we hear most often about NIS 2.
ENISA Technical Implementation Guidance and NIS 2
What the EU Cybersecurity Agency ENISA does under NIS 2, what the Technical Implementation Guidance (TIG) is and how it relates to Commission Implementing Regulation 2024/2690.
Significant incident under NIS 2 and CIR 2024/2690
Article 23(3) NIS 2 names two triggers. CIR 2024/2690 quantifies thresholds for digital infrastructure. For other sectors the threshold remains unquantified.
The Cooperation Group under Article 14 NIS 2
What the NIS 2 Cooperation Group does: Member States, Commission, ENISA. Strategic cooperation, guidelines, peer reviews.
CSIRT Network and EU-CyCLONe under Articles 15 and 16 NIS 2
How national CSIRTs cooperate operationally and how EU-CyCLONe coordinates large-scale cyber crises.
Coordinated risk assessments of critical supply chains under Article 22 NIS 2
What Article 22 requires: joint EU assessment of cybersecurity risks for specific critical ICT supply chains by Cooperation Group, Commission and ENISA.
NIS 2 for the management body in five minutes
The shortest defensible summary of NIS 2 for the management body. What Article 20 requires, what auditors look for, what cannot be delegated.
What changed from NIS 1 to NIS 2
Broader scope, new governance duties, tougher reporting, higher fines. The key shifts between Directive 2016/1148 and 2022/2555.
What is the BSI?
Federal Office for Information Security, established under §1 BSIG. Under NIS 2 the competent authority, single notification point and operator of the national CSIRT.
The BSI reporting portal
One platform, two NIS 2 obligations: first-time registration under §33 BSIG and incident notification under §32 BSIG. Access via ELSTER organisation certificate.
What is an asset under NIS 2?
An asset under NIS 2 is anything that processes, stores or transmits information your operations depend on. Art. 21(2) and CIR 2024/2690 require an inventory; BSI 200-2 §8.1 allows grouping identical objects.
What is an ISMS and do I need one for NIS 2?
An ISMS is the way an organisation manages information security. NIS 2 never uses the word but Art. 21(2) requires exactly what an ISMS does. ISO 27001 certification is not mandatory.