Implementation

Implementation

What do I actually need to do?

NIS 2 in five steps
The practical roadmap for management and IT leadership.
NIS 2 requirements
§30 BSIG and Art. 21(2) NIS 2 — the ten measures in detail.
Reporting duty under §32 BSIG / Art. 23 NIS 2
The 24h / 72h / 1-month reporting cascade to the BSI.
Implementing NIS 2 in the Mittelstand
Pragmatic implementation guide without €50,000 of consulting.
NIS 2 gap assessment
How to find your gaps between current state and required state.
NIS 2 documents and templates
Which evidence and policies you actually need.
NIS 2 registration portals across the EU
National registration authorities across all member states.
Cost of NIS 2 implementation
What does NIS 2 actually cost — consulting vs self-implementation.
NIS 2 supply chain security
Art. 21(2)(d) NIS 2 / CIR §5 — supplier assessment in practice.
NIS 2 risk management under Art. 21(2)(a)
What Article 21(2)(a) NIS 2 requires, what CIR §2 operationalises and what that means day to day.
Management body training under Art. 20(2) NIS 2
Art. 20(2) NIS 2 requires every member of the management body to complete cybersecurity training. What that means, what you must be able to prove, and how §38(3) BSIG implements it in Germany.
MFA requirement under Art. 21(2)(j) NIS 2 and CIR §11.7
Multi-factor authentication is its own obligation under Art. 21(2)(j). CIR §11.7 says where and how. What it means for privileged accounts and for all users.
Cryptography policy under Art. 21(2)(h) NIS 2 and CIR §9
Art. 21(2)(h) requires a cryptography policy. CIR §9 sets out what has to be in it: algorithms, key management, twelve points on the key lifecycle.
NIS 2 incident handling under Art. 21(2)(b) and CIR §3
What internal incident handling means (detect, contain, recover) and how it differs from the duty to report to the BSI.
NIS 2 business continuity under Art. 21(2)(c) and CIR §4
Business continuity plan, backup management, crisis management: what the directive asks for to keep operations running.
NIS 2 secure development under Art. 21(2)(e) and CIR §6
Security in procurement, development and maintenance of network and information systems. Eight CIR sub-sections.
NIS 2 vulnerability management under Art. 21(2)(e) and CIR §6.10
Identify, assess, treat and coordinate disclosure of vulnerabilities. What CIR §6.10 actually requires.
NIS 2 effectiveness evaluation under Art. 21(2)(f) and CIR §7
How to measure whether risk management measures are working. KPIs, methodology, reporting to the management body.
NIS 2 cyber hygiene and training under Art. 21(2)(g) and CIR §8
Basic cyber hygiene practices plus awareness and role-specific training. What CIR §8 means in practice.
NIS 2 personnel security under Art. 21(2)(i) and CIR §10
Background checks, responsibilities, end of employment, disciplinary procedures.
NIS 2 asset management under Art. 21(2)(i) and CIR §12
Classification, handling, removable media, and the complete asset and value inventory.
NIS 2 access control under Art. 21(2)(i)+(j) and CIR §11
Access control policy, rights management, privileged accounts, identification, authentication. MFA as its own duty.
NIS 2 backup strategy under CIR §4.2
Backup and redundancy management: recovery times, storage locations, tests, retention periods.
NIS 2 network security under CIR §6.7 and §6.8
Network documentation, internal domains, secure communications, network segmentation and DMZ concepts.
NIS 2 logging and monitoring under CIR §3.2
Which twelve event types the CIR wants logged, from network traffic to privileged access.
How do I conduct a NIS 2 risk assessment?
Step by step: asset scope, threat model, likelihood-impact, treatment plan, sign-off. What CIR §2 requires in practice.
How do I build a NIS 2 asset inventory?
CIR §12.4 in practice: processes plus systems, Grundschutz grouping, CIA classification. How a Mittelstand builds the inventory in one week.
How do I prepare for a BSI audit?
Which evidence the BSI asks for, in what order, with what documentation depth. What has to be ready before the audit.
How do I report an incident to the BSI within 24 hours?
Article 23 NIS 2 and §32 BSIG: early warning 24h, notification 72h, final report 1 month. What goes in, what stays out, who decides.