2e:["$","$L31",null,{"formats":"$undefined","locale":"nl","messages":{"applicability":{"title":"NIS2 Applicability Check - Am I Affected?","metaDescription":"Check in under 2 minutes if your company falls under NIS2. Free quick check by sector, size, and special cases.","subtitle":"Find out if your company falls under the NIS2 directive in under 2 minutes.","cta":"Book a Demo","steps":{"exclusion":"Exclusion check","sector":"Sector selection","size":"Company size","specialCases":"Special cases","result":"Result"},"step":"Step {current} of {total}","exclusion":{"title":"Does your organization fall into an excluded category?","description":"The following entity types are exempt from NIS2 by law. If any apply to you, NIS2 does not cover your organization and the check ends here.","noneOfTheAbove":"No - none of these apply to us","noneHelp":"Select this to continue. Most private-sector companies will choose this option."},"sector":{"title":"What sector does your company operate in?","description":"Select all applicable sectors. A company can operate in multiple NIS2 sectors.","annexI":"Sectors of high criticality","annexII":"Other critical sectors","noSector":"None of these sectors apply to my company","selectedCount":"{count, plural, =0 {No sectors selected} =1 {1 sector selected} other {# sectors selected}}"},"size":{"title":"What is the size of your organization?","description":"Size is calculated at the entire enterprise group level, including parent companies and subsidiaries.","employees":"Total employees (FTE)","employeesHelp":"Include all group companies unless your entity has fully independent IT infrastructure.","turnover":"Annual turnover (EUR millions)","turnoverHelp":"Worldwide consolidated turnover of the entire enterprise group.","balanceSheet":"Annual balance sheet total (EUR millions)","balanceSheetHelp":"Worldwide consolidated balance sheet of the entire enterprise group.","independentIt":"Our German entity has fully independent IT systems from the parent group","independentItHelp":"If checked, only your German entity's own figures apply."},"specialCases":{"title":"Does any of the following apply?","description":"These entities fall under NIS2 regardless of company size.","noneOfTheAbove":"None of the above","noneHelp":"Most organizations will select this option.","selectedCount":"{count, plural, =1 {1 selected} other {# selected}}"},"result":{"notInScope":"Likely not in scope","important":"Important entity","importantLabel":"Likely an important entity","essential":"Essential entity","essentialLabel":"Likely an essential entity","kritis":"Betreiber kritischer Anlagen","kritisLabel":"Likely a KRITIS operator","reason":{"excluded":"Your organization appears to be excluded from NIS2 scope (sovereign function exemption).","no_sector":"Based on your selection, your company does not appear to operate in any sector covered by NIS2. If you are unsure, consult the full NIS2 sector list or seek legal advice.","below_threshold":"Your company appears to operate in a NIS2 sector but may fall below the medium enterprise threshold. However, you may still face NIS2 requirements through supply chain contracts with in-scope customers.","special_case":"Based on its classification, your organization likely falls in scope regardless of size.","size_and_sector":"Based on the information provided, your company appears to meet both the sector and size criteria for NIS2."},"disclaimer":"This is an indicative assessment, not a legal determination. NIS2 applicability depends on factors that may not be fully captured here, including corporate group structure, independent IT infrastructure, and regulatory interpretations. Consult a qualified advisor to confirm your status.","obligations":"Key obligations","penalty":"Penalty ceiling","penaltyValue":"{amount} or {percent} of global turnover","penaltyInfo":"Maximum fine for violations of cybersecurity measures, incident reporting, or BSI directives. The turnover-based alternative applies to companies with > EUR 500M revenue. Fines are set per the severity of the violation by the BSI.","supervisionLabel":"Supervision","supervisionProactive":"Proactive (ex-ante) - BSI can audit at any time","supervisionReactive":"Reactive (ex-post) - BSI acts on evidence of non-compliance","supervisionInfo":"Proactive: BSI can conduct unannounced audits, request documentation, and order specific security measures at any time. Reactive: BSI only investigates after an incident or upon justified suspicion of non-compliance.","registration":"BSI Registration","registrationDeadline":"By March 6, 2026 via BSI portal","registrationInfo":"You must self-register via the BSI portal (live since Jan 6, 2026). Requires: entity name, address, sectors, IP ranges, and entity category declaration. First create a \"Mein Unternehmenskonto\" (MUK) via ELSTER, then register on the BSI portal.","riskManagement":"Risk Management","riskManagementValue":"10 mandatory measures (Section 30 BSIG)","riskManagementInfo":"You must implement all 10 measures from Section 30 BSIG: risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene training, cryptography, access control/asset management, and multi-factor authentication.","incidentReporting":"Incident Reporting","incidentReportingValue":"24h / 72h / 1 month cascade to BSI","incidentReportingInfo":"Significant security incidents must be reported to BSI in three stages: (1) Early warning within 24 hours - suspected cause and cross-border impact, (2) Updated notification within 72 hours - severity, impact, indicators of compromise, (3) Final report within 1 month - root cause, mitigation, preventive steps.","managementLiability":"Management Liability","managementLiabilityValue":"Personal liability for board members (Section 38 BSIG)","managementLiabilityInfo":"Board members (Vorstand/Geschäftsführer) are personally liable for NIS2 compliance. Three duties: (1) formally approve cybersecurity measures, (2) actively monitor implementation, (3) complete mandatory cybersecurity training. Liability cannot be waived by shareholders. D&O insurance does not remove the statutory obligations.","managementTraining":"Management Training","managementTrainingValue":"Mandatory cybersecurity training every 3 years","managementTrainingInfo":"All members of the management body must personally participate in cybersecurity training at least every 3 years. This duty cannot be delegated to a CISO or IT department. Failure to comply contributes to personal liability under Section 38 BSIG.","cta":"Book a walkthrough","ctaVoluntary":"Book a walkthrough anyway","restart":"Start over","supplyChainNote":"Even if not directly in scope, you may face NIS2 requirements through contracts with in-scope customers."},"nav":{"back":"Back","next":"Continue","checkResult":"See result"},"leadCapture":{"title":"Get your free compliance roadmap","description":"We'll send you a personalized action plan based on your classification — no spam, just the steps you need to take.","placeholder":"your@company.de","cta":"Send roadmap","success":"Check your inbox — your compliance roadmap is on the way.","error":"Something went wrong. Please try again."}},"assets":{"title":"Assetregister","description":"Inventaris van alle IT- en OT-systemen die essentiële diensten ondersteunen. Vereist door CIR 2024/2690 §12 en NIS2 Art. 21(2)(i).","helpText":"Registreer elk IT-systeem, OT-apparaat, clouddienst en fysiek asset waarop uw organisatie vertrouwt. Markeer kritieke assets en OT-systemen apart — deze vallen onder strengere NIS2-vereisten.","add":"Asset toevoegen","edit":"Asset bewerken","empty":"Nog geen assets. Voeg uw eerste asset toe om te beginnen.","deleteConfirm":"Weet u zeker dat u deze asset wilt verwijderen?","actions":"Acties","critical":"Kritiek","ot":"OT","otherType":"Overig","otherTypePlaceholder":"Voer aangepast assettype in","types":{"application":"Applicatie","server":"Server","endpoint":"Eindpunt","network":"Netwerk","database":"Database","cloud_service":"Clouddienst","data_store":"Gegevensopslag","ot_ics":"OT / ICS","iot":"IoT","physical":"Fysiek"},"typeDescriptions":{"application":"Bedrijfsapplicaties (ERP, CRM, e-mail)","server":"Fysieke of virtuele servers","endpoint":"Laptops, werkstations, mobiele apparaten","network":"Routers, switches, firewalls, VPN","database":"Databases, datawarehouses","cloud_service":"SaaS, IaaS, PaaS","data_store":"Bestandsshares, back-ups, archieven","ot_ics":"SCADA, PLC, industriële controllers","iot":"IoT-apparaten, sensoren","physical":"Gebouwen, ruimtes, infrastructuur"},"fields":{"name":"Naam asset","type":"Type","description":"Beschrijving","status":"Status","isOT":"OT-asset","isCritical":"Kritieke asset","owner":"Eigenaar","location":"Locatie","ipAddress":"IP-adres","hostname":"Hostnaam","operatingSystem":"Besturingssysteem","softwareVersion":"Softwareversie","hasMfa":"MFA ingeschakeld","encryptionAtRest":"Versleuteling in rust","encryptionInTransit":"Versleuteling in transit","cryptoImplementation":"Crypto-implementatie","hasBackup":"Back-up ingeschakeld","lastPatchDate":"Datum laatste patch","lastVulnScanDate":"Laatste kwetsbaarhedenscan","backupFrequency":"Back-upfrequentie","backupLocation":"Back-uplocatie","lastBackupTestDate":"Datum laatste back-uptest","rto":"RTO (uren)","rpo":"RPO (uren)","endOfLife":"Einde levensduur","quantity":"Aantal","processesPersonalData":"Processes Personal Data"},"fieldDescriptions":{"name":"Unieke naam die deze asset in de inventaris van uw organisatie identificeert.","type":"Categorie van asset conform NIS2 all-hazards reikwijdte.","description":"Korte beschrijving van het doel en de rol van de asset bij het ondersteunen van essentiële diensten.","status":"Selecteer de huidige operationele status van deze asset.","isOT":"Inschakelen als dit een Operationele Technologie-asset is (SCADA, ICS, PLC). OT-assets vallen onder strengere NIS2-vereisten.","isCritical":"Inschakelen als deze asset direct essentiële of belangrijke diensten ondersteunt binnen het NIS2-toepassingsgebied.","owner":"Persoon of rol verantwoordelijk voor het beheren en onderhouden van deze asset (CIR 2024/2690 Overweging).","location":"Fysieke of logische locatie waar de asset is ingezet (bijv. datacenter, cloudregio, kantoor).","ipAddress":"Primair IP-adres toegewezen aan deze asset.","hostname":"Volledig gekwalificeerde hostnaam of DNS-naam van deze asset.","operatingSystem":"Besturingssysteem en hoofdversie (bijv. Ubuntu 22.04, Windows Server 2022).","softwareVersion":"Primaire applicatie- of firmwareversie geïnstalleerd op deze asset.","hasMfa":"Of multi-factor authenticatie verplicht is voor toegang tot deze asset.","encryptionAtRest":"Goedgekeurd algoritme uit het cryptografiebeleid toegepast op gegevens in rust (bijv. AES-256-GCM).","encryptionInTransit":"Goedgekeurd TLS-pakket uit het cryptografiebeleid toegepast op gegevens in transit (bijv. TLS_AES_256_GCM_SHA384).","cryptoImplementation":"Tool of hardware die versleuteling implementeert (bijv. BitLocker + TPM, AWS KMS, Let's Encrypt).","hasBackup":"Of regelmatige back-ups zijn geconfigureerd en actief voor deze asset.","lastPatchDate":"Datum waarop de meest recente beveiligingspatch werd toegepast (CIR 2024/2690 Overweging).","lastVulnScanDate":"Datum waarop de laatste kwetsbaarhedenscan werd uitgevoerd.","backupFrequency":"Hoe vaak back-ups worden gemaakt.","backupLocation":"Waar back-upgegevens worden opgeslagen.","lastBackupTestDate":"Datum waarop de laatste back-uphersteltest werd voltooid.","rto":"Hersteltijddoelstelling in uren.","rpo":"Herstelpuntdoelstelling in uren.","endOfLife":"Datum waarop deze asset het einde van de levensduur / ondersteuning bereikt (CIR 2024/2690 Overweging).","quantity":"Aantal identieke eenheden in deze assetgroep (BSI-200-2 §8.1 groepering).","processesPersonalData":"Enable if this asset stores, processes, or transmits personal data (triggers GDPR considerations and feeds the RoPA inventory)."}},"auth":{"title":"Start NIS2 compliance","description":"Create an account or sign in.","email":"Email","password":"Password","signIn":"Sign in","register":"Create account","signInGoogle":"Continue with Google","switchToRegister":"No account yet? Register now","switchToLogin":"Already have an account? Sign in","or":"or","orgDomain":"Organisation: {domain}","errorInvalid":"Invalid email or password.","errorGeneric":"Something went wrong. Please try again.","errorConsentRequired":"Please accept the Terms and Privacy Policy to continue.","errorEmailNotVerified":"Verifieer eerst je e-mailadres. Controleer je inbox voor de code.","consentLabel":"I accept the Terms of Service and acknowledge the Privacy Policy.","backToHome":"Back to nisd2.eu","verifyTitle":"Verifieer je e-mailadres","verifyDescription":"We hebben een 6-cijferige code naar {email} gestuurd. Voer hem hieronder in om je account af te ronden.","verifyCodeLabel":"Verificatiecode","verifyCodePlaceholder":"123456","verifySubmit":"Verifiëren en aanmelden","verifyVerifying":"Bezig…","verifyResend":"Code opnieuw sturen","verifyResent":"Nieuwe code verstuurd. Controleer je inbox.","verifyResendCooldown":"Wacht een paar minuten voordat je een nieuwe code aanvraagt.","verifyErrorInvalidCode":"Ongeldige of verlopen code. Probeer opnieuw of vraag een nieuwe code aan.","verifyBack":"Ander e-mailadres gebruiken","mfaTitle":"Aanmelding bevestigen","mfaDescription":"We hebben een aanmeldcode verzonden naar {email}. Voer de 6-cijferige code in om je aanmelding te voltooien.","mfaCodeSent":"Aanmeldcode verzonden. Controleer je inbox.","mfaSubmit":"Aanmelden","mfaVerifying":"Bezig met verifiëren…","mfaInvalid":"Ongeldige of verlopen code. Probeer opnieuw.","mfaRateLimited":"Te veel verzoeken voor dit adres. Wacht een paar minuten.","mfaSendFailed":"Aanmeldcode kon niet worden verzonden. Probeer opnieuw.","forgotPasswordLink":"Wachtwoord vergeten?","forgotPassword":{"title":"Wachtwoord opnieuw instellen","description":"Voer je e-mailadres in. We sturen je een 6-cijferige code waarmee je een nieuw wachtwoord kunt instellen.","sendCode":"Code versturen","codeSentInfo":"Als er een account met dit adres bestaat, is een code onderweg. Voer hieronder de code en een nieuw wachtwoord in.","resetTitle":"Nieuw wachtwoord instellen","resetDescription":"Voer de code uit de e-mail aan {email} en een nieuw wachtwoord in.","newPassword":"Nieuw wachtwoord","submit":"Wachtwoord instellen","errorResetFailed":"Code ongeldig of verlopen. Vraag een nieuwe code aan.","mfaCodeSent":"Wachtwoord ingesteld. We hebben een aanmeldcode naar je e-mailadres verzonden.","backToSignIn":"Terug naar aanmelden"}},"audit":{"title":"Audit Trail","subtitle":"Tamper-evident log of all compliance-relevant actions","noEntries":"No audit log entries yet.","description":"Description","action":"Action","user":"User","time":"Time"},"audit-readiness":{"title":"Audit Readiness","subtitle":"Evaluate your BSIG/NIS2 audit readiness with AI analysis","startEvaluation":"Start Evaluation","evaluating":"Evaluating all sections...","reEvaluate":"Re-evaluate","reEvaluating":"Re-evaluating...","overallScore":"Overall Score","verdict":"Verdict","pass":"Audit Ready","partial":"Needs Work","fail":"Major Gaps","sectionsPassing":"{count} passing","sectionsPartial":"{count} partial","sectionsFailing":"{count} failing","strengths":"Strengths","structureGaps":"Structure Gaps","dataGaps":"Data Gaps","recommendations":"Recommendations","showDetails":"Show details","hideDetails":"Hide details","severity":{"critical":"Critical","important":"Important","nice-to-have":"Nice to have"},"fieldKey":"Field","requirement":"Requirement","issue":"Issue","recommendation":"Recommendation","noGaps":"No gaps identified","disclaimer":"AI-generated evaluation - does not replace a formal audit"},"changes":{"title":"Change Management","description":"IT/OT change requests with risk assessment and approval workflow. Supports NIS2 Art. 21(2)(e).","helpText":"Track all changes to IT and OT systems through a formal approval process. Each change request includes risk assessment, implementation plan, and rollback procedure. NIS2 requires controlled change management to prevent security regressions.","add":"New Change Request","edit":"Edit Change Request","empty":"No change requests yet. Create your first change request.","deleteConfirm":"Are you sure you want to delete this change request?","actions":"Actions","type":{"standard":"Standard","normal":"Normal","emergency":"Emergency"},"changeType":{"standard":"Standard","normal":"Normal","emergency":"Emergency"},"status":{"draft":"Draft","submitted":"Submitted","approved":"Approved","implementing":"Implementing","implemented":"Implemented","rolled_back":"Rolled Back","closed":"Closed"},"fields":{"title":"Title","description":"Description","changeType":"Change Type","status":"Status","createdAt":"Created At","businessJustification":"Business Justification","securityImpactAssessment":"Security Impact Assessment","rollbackPlan":"Rollback Plan"},"fieldDescriptions":{"title":"Short descriptive title for this change request (e.g., 'Upgrade firewall firmware to v4.2').","description":"Detailed description of the proposed change, including affected systems and expected outcome.","changeType":"Select the type: standard (pre-approved, low risk), normal (requires review), or emergency (urgent, post-approval).","status":"Current status of the change request in the approval and implementation workflow.","createdAt":"Date when this change request was submitted.","businessJustification":"Explain why this change is necessary, including business drivers and security benefits.","securityImpactAssessment":"Describe the potential security impact of this change, including risks introduced or mitigated.","rollbackPlan":"Describe the steps to revert this change if implementation fails or causes unexpected issues."}},"common":{"save":"Opslaan","saving":"Opslaan...","cancel":"Annuleren","back":"Terug","next":"Volgende","open":"Openen","optional":"optioneel","loading":"Laden...","entries":"{count} vermeldingen","select":"Selecteren...","yes":"Ja","no":"Nee","noData":"Geen gegevens","user":"Gebruiker","modules":{"asset":"Assets","risk":"Risico's","incident":"Incidenten","supplier":"Leveranciers","policy":"Beleid","training_record":"Trainingsregistraties","exercise":"Oefeningen","management_review":"Managementreviews","kpi_measurement":"KPI-metingen","change_request":"Wijzigingsverzoeken","patch_record":"Patchregistraties","internal_audit":"Interne audits","improvement_item":"Verbeterpunten","bsi_registration":"BSI-registratie","bsi_incident_report":"BSI-incidentrapporten"},"moduleRef":{"confirmCompliance":"Naleving bevestigen","noRecords":"Nog geen registraties — voeg eerst gegevens toe in de module"}},"status":{"not_started":"Open","in_progress":"In behandeling","completed":"Voltooid","not_applicable":"N.v.t.","needs_review":"Beoordeling vereist","approved":"Goedgekeurd","rejected":"Afgekeurd"},"priority":{"P0":"Kritiek – onmiddellijke actie vereist","P1":"Hoog – aanpakken binnen huidige cyclus","P2":"Gemiddeld – plannen voor volgende cyclus","P3":"Laag – aanpakken wanneer mogelijk"},"metadata":{"title":"NIS2 Compliance Platform","description":"NIS2/BSIG 2025 Compliancebeheer"},"companyLookup":{"title":"Is your company affected by NIS2?","subtitle":"Start typing your company name - we'll find it automatically and check your NIS2 status in seconds. Not sure if your company qualifies? See real-world edge cases for examples.","placeholder":"Enter company name (e.g. Stadtwerke München)","noResults":"No companies found. Check the spelling or try the full legal name.","error":"Company lookup is currently unavailable. Please try again later.","sectors":"NIS2 Sectors","companyData":"Company data","legalForm":"Legal form","register":"Trade register","founded":"Founded","capital":"Share capital","companySize":"Company size","revenue":"Revenue","industryCodes":"Industry codes (WZ)","purpose":"Business purpose","missingData":"Some data could not be retrieved automatically. The classification is based on available information and may change when all data is available.","ctaInScope":"Let's discuss next steps","checkNis2":"Check NIS2 status","loading":"Analyzing company data…","ctaNotInScope":"Get protected anyway","disclaimer":"Company data is sourced from public registers and stored to improve our service.","holdingWarning":"This company appears to be a holding or group parent. NIS2 applicability is assessed per entity — subsidiaries with their own operations, employees, and IT systems may be independently in scope, even if the holding itself is not. Check each subsidiary separately.","resultDisclaimer":"This is an indicative assessment based on publicly available register data, not a legal determination. Actual NIS2 applicability depends on factors not fully captured here. Consult a qualified advisor to confirm.","result":{"not_in_scope":"Likely not in scope","important":"Likely an important entity","essential":"Likely an essential entity","kritis":"Likely a KRITIS operator"},"reason":{"excluded":"Your organization appears to be exempt from NIS2 scope.","no_sector":"None of the registered industry codes appear to fall under a NIS2 sector.","below_threshold":"Your company appears to operate in a NIS2 sector but may be below the size threshold based on available data.","special_case":"Based on its classification, your organization likely falls in scope regardless of size.","size_and_sector":"Based on available data, both sector and size criteria for NIS2 appear to be met."},"orSeparator":"or check manually","manualFallback":"Can't find your company?","manualLink":"Start manual check"},"compliance":{"title":"NIS2 Compliance","subtitle":"BSIG 2025 - {totalReqs} vereisten in {steps} stappen","startAssessment":"Compliance-beoordeling starten","startDescription":"Ga systematisch door alle NIS2/BSIG-vereisten. Vereisten worden per domein weergegeven en kunnen direct worden afgehandeld.","startButton":"Beoordeling starten","continueButton":"Doorgaan","completeAssessment":"Beoordeling afronden","domains":"{count} compliance-domeinen","loadingCategories":"Categorieën laden...","loadingRequirements":"Vereisten laden...","categoryNotFound":"Categorie niet gevonden.","noFrameworkData":"Geen raamwerkgegevens beschikbaar.","noRequirements":"Geen vereisten gevonden voor deze categorie.","frequency":"Frequentie: {value}","mandatory":"Verplicht","requiredEvidence":"Vereist bewijs","progress":"{completed} van {total}","progressTooltip":"{completed} van {total} vereisten afgerond ({percentage}%)","assign":"Toewijzen","categoryOwner":"Verantwoordelijke","noOwner":"Geen verantwoordelijke toegewezen","assignedTo":"Toegewezen aan {name}","assignedCount":"{count} toegewezen","unassigned":"Niet toegewezen","readOnlyBanner":"Deze categorie is toegewezen aan {name}. Neem contact op met uw beheerder voor toegang.","noUsersToAssign":"Geen teamleden beschikbaar","inviteMember":"Nieuw lid uitnodigen","invitePlaceholder":"naam@bedrijf.nl","assignFailed":"Toewijzen mislukt","unassignFailed":"Ontkoppelen mislukt","moduleBacked":"Module-gekoppeld – verbonden met operationele gegevens","signOff":"Aftekenen","signOffAllCount":"Alles aftekenen ({count})","bulkSignOffSuccess":"{count} vereisten afgetekend","signedOffBy":"Afgetekend door {role} op {date}","notApplicable":"Niet van toepassing","notApplicablePlaceholder":"Verklaar waarom deze vereiste niet van toepassing is op uw organisatie (§30 BSIG proportionaliteit)...","confirmNotApplicable":"N.v.t. bevestigen","exportPolicy":"Beleid exporteren","completedSectionCount":"Afgetekend ({count})","implementationGuide":"Implementatiehandleiding","showMore":"Meer tonen","showLess":"Minder tonen","deadline":{"overdue":"{days}d achterstallig","dueToday":"Vandaag te doen","dueIn":"Over {days}d"},"guided":{"banner":"Begeleide instelling","progress":"Categorie {current} van {total}","skipToDashboard":"Naar dashboard overslaan","finish":"Instelling afronden"},"overview":{"title":"Compliance-overzicht","subtitle":"Volg uw voortgang in alle NIS2-vereistecategorieën","requirements":"{count} vereisten"},"requirement":{"backToCategory":"Terug naar {category}","whatSection":"Wat is vereist","whySection":"Waarom dit belangrijk is","howSection":"Hoe hieraan te voldoen","specificsSection":"Uw specifieke gegevens","evidenceSection":"Bewijs","noFieldsNeeded":"Geen specifieke gegevens nodig – controleer de richtlijnen en teken af wanneer gereed.","viewDetails":"Details bekijken","prevRequirement":"Vorige","nextRequirement":"Volgende","threatContext":"Dreigingscontext","legalConsequence":"Juridische consequentie","businessValue":"Bedrijfswaarde","signedOff":"Afgetekend","signedOffByOn":"Afgetekend door {name} op {date}","rejectionFeedback":"Beoordelingsfeedback","moduleData":"Operationele gegevens","goToRegister":"Naar register","requiredRole":"Voor aftekening van deze vereiste is de volgende rol vereist: {role}","signOffProgress":"{signed} van {total} aftekeningen voltooid","details":"Details","priority":"Prioriteit","frequency":"Frequentie","deadline":"Deadline","importance":"Belang","implSteps":"Implementatiestappen","whyItMatters":"Waarom het belangrijk is","prerequisitesTitle":"Vereisten","prerequisiteComplete":"Voltooid","prerequisitePending":"Vereist","prerequisitesBlocked":"Voltooi eerst de volgende vereisten:","ceoCourseTitle":"NIS 2 CEO-cursus beschikbaar","ceoCourseDescription":"Voltooi de ingebouwde managementtrainingscursus om te voldoen aan de trainingsverplichting uit §38(3) BSIG / Art. 20(2) NIS 2.","takeCourse":"Cursus starten"},"frameworkName":"NIS2 / BSIG 2026","categories":{"GOV":{"name":"Governance & Aansprakelijkheid","description":"Managementtoezicht, persoonlijke aansprakelijkheid en organisatiebestuur","legalBasis":"Art. 20 NIS2 · §38 BSIG","threatLandscape":"Zonder duidelijke governance missen cyberbeveiligingsmaatregelen richting en verantwoordelijkheid. Management dat zich niet bezighoudt met beveiliging creëert een cultuur van nalatigheid, waardoor de organisatie kwetsbaar blijft voor systematische fouten.","bsiGuidance":"Het BSI verwacht dat het management cyberbeveiligingsrisicomaatregelen formeel goedkeurt, verantwoordelijke personen aanwijst, een adequaat budget toewijst en regelmatige cyberbeveiligingstraining volgt (§38 BSIG). Persoonlijke aansprakelijkheid geldt voor directeuren."},"RSK":{"name":"Risicobeheer","description":"Risicoidentificatie, -beoordeling en -behandeling via een all-hazards aanpak (cyber, fysiek, milieu)","legalBasis":"Art. 21(2)(a) NIS2 · §30(2) Nr. 1 BSIG","threatLandscape":"Organisaties zonder een gestructureerd risicobeoordelingsproces kunnen beveiligingsinvesteringen niet effectief prioriteren, waardoor kritieke systemen onbeschermd blijven terwijl middelen worden verspild aan laagrisico-gebieden.","bsiGuidance":"Het BSI verwacht een gedocumenteerde risicobeoordelingsmethodologie, een volledig risicoregister, een behandelplan met door het management goedgekeurde risicoaanvaarding en een regelmatige reviewcyclus (minimaal jaarlijks). Moet alle kritieke informatiesystemen bestrijken via een all-hazards aanpak."},"INC":{"name":"Incidentbeheer","description":"Detectie, respons en BSI-melding","legalBasis":"Art. 21(2)(b), Art. 23 NIS2 · §30(2) Nr. 2, §32 BSIG","threatLandscape":"Cyberincidenten zijn onvermijdelijk. Zonder een ingestudeerd responsplan verliezen organisaties kritieke uren tijdens het 24-uurs BSI-vroegewaarschuwingsvenster en de 72-uurs meldingstermijn, wat het risico op regelgevende boetes boven op operationele schade vergroot.","bsiGuidance":"Het BSI verwacht een incidentresponsplan met duidelijke rollen en escalatiepaden, 24-uurs vroegewaarschuwingscapaciteit (§32(1)), 72-uurs incidentmelding met impactbeoordeling, classificatieschema, bewijs van oefeningen en een post-incidentreviewproces."},"BCP":{"name":"Bedrijfscontinuïteit","description":"Back-up, herstel en crisismanagement","legalBasis":"Art. 21(2)(c) NIS2 · §30(2) Nr. 3 BSIG","threatLandscape":"Ransomware en infrastructuuruitval kunnen de bedrijfsvoering volledig stilleggen. Zonder geteste back-up/herstelprocedures en een crisismanagementplan lopen hersteltijden op van uren tot weken, wat de bedrijfscontinuïteit bedreigt.","bsiGuidance":"Het BSI verwacht een bedrijfsimpactanalyse, gedocumenteerd BCP met RPO/RTO-doelstellingen, regelmatige back-up- en hersteltests, crisiscommunicatieprocedures en bewijs van ten minste jaarlijkse BCP-tests."},"SUP":{"name":"Toeleveringsketenbeveiliging","description":"Risicobeheer van derden","legalBasis":"Art. 21(2)(d) NIS2 · §30(2) Nr. 4 BSIG","threatLandscape":"Aanvallen op de toeleveringsketen (SolarWinds, Kaseya) tonen aan dat één gecompromitteerde leverancier kan leiden tot een cascade-effect bij duizenden organisaties. Risico's van derden zijn nu een primaire aanvalsvector.","bsiGuidance":"Het BSI verwacht een leveranciersregister met beveiligingskritikaliteitsclassificatie, beveiligingsvereisten in contracten (SLA's, auditrechten), doorlopende leveranciersmonitoring, clausules voor incidentmelding en beoordeling van enkelvoudige storingspunten."},"PRO":{"name":"Inkoop & Ontwikkeling","description":"Veilige inkoop, patchbeheer, wijzigingsbeheer","legalBasis":"Art. 21(2)(e) NIS2 · §30(2) Nr. 5 BSIG","threatLandscape":"Niet-gepatchte kwetsbaarheden zijn het meest voorkomende toegangspunt voor aanvallers. Organisaties zonder gestructureerde kwetsbaarheids- en patchbeheerprocessen blijven wekenlang of maandenlang blootgesteld aan bekende exploits.","bsiGuidance":"Het BSI verwacht beveiligingsvereisten in inkoop, een veilige SDLC bij softwareontwikkeling, kwetsbaarheidsscanning en patching met gedefinieerde SLA's, een beleid voor gecoördineerde disclosure, basislijnen voor configuratieverharding en het bijhouden van componenten van derden."},"EFF":{"name":"Effectiviteitsbeoordeling","description":"Audits, KPI's en managementreviews","legalBasis":"Art. 21(2)(f) NIS2 · §30(2) Nr. 6 BSIG","threatLandscape":"Beveiligingsmaatregelen verslechteren in de loop van de tijd. Zonder regelmatige effectiviteitsbeoordelingen ontwikkelen organisaties een vals gevoel van veiligheid terwijl de daadwerkelijke beschermingsniveaus afnemen door configuratiedrift en evoluerende dreigingen.","bsiGuidance":"Het BSI verwacht gedefinieerde KPI's/statistieken voor de effectiviteit van cyberbeveiliging, regelmatige interne audits, managementreviews, trendanalyse van incidenten en bevindingen en het bijhouden van corrigerende maatregelen uit beoordelingen."},"TRN":{"name":"Cyberhygiëne & Training","description":"Bewustzijn, phishingtests, managementtraining","legalBasis":"Art. 21(2)(g) NIS2 · §30(2) Nr. 7 BSIG","threatLandscape":"Menselijke fouten zijn verantwoordelijk voor meer dan 80% van de beveiligingsinbreuken. Phishing, social engineering en misbruik van inloggegevens zijn de meest effectieve aanvalstechnieken, allemaal gericht op ongetrainde medewerkers.","bsiGuidance":"Het BSI verwacht een cyberbeveiligingsbewustzijnstrainingsprogramma voor alle medewerkers, rolspecifieke training voor IT/beveiligingspersoneel, bijhouding van trainingsdeelname, ten minste jaarlijkse opfriscursussen, phishingsimulaties en beveiligingsinwerking voor nieuwe medewerkers."},"CRY":{"name":"Cryptografie & Versleuteling","description":"Versleutelingsbeleid en sleutelbeheer","legalBasis":"Art. 21(2)(h) NIS2 · §30(2) Nr. 8 BSIG","threatLandscape":"Zwakke of verouderde versleuteling stelt gegevens in rust en in transit bloot. Slecht sleutelbeheer kan zelfs sterke versleuteling nutteloos maken, en kwantumcomputing bedreigt huidige cryptografische standaarden.","bsiGuidance":"Het BSI verwacht een cryptografiebeleid met goedgekeurde algoritmen (per BSI TR-02102), versleuteling van gegevens in rust en in transit, sleutelbeheerprocessen (generatie, rotatie, intrekking), certificaatbeheer en een inventaris van cryptografische middelen."},"ACC":{"name":"Toegangsbeheer & HR-beveiliging","description":"Identiteitsbeheer, bevoorrecht toegangsbeheer, HR-processen","legalBasis":"Art. 21(2)(i) NIS2 · §30(2) Nr. 9 BSIG","threatLandscape":"Overmatige toegangsrechten versterken elk ander type aanval. Een gecompromitteerd account met brede rechten kan veel meer gegevens raadplegen, exfiltreren of vernietigen dan nodig. Insider threats profiteren van slechte toegangscontroles.","bsiGuidance":"Het BSI verwacht een toegangscontrolebeleid gebaseerd op minimale rechten, een gebruikersprovisionerings/-deprovisioneringsproces, regelmatige toegangsreviews, bevoorrecht toegangsbeheer (PAM), een assetbeheerbeleid en HR-beveiligingsprocessen inclusief indiensttreding-overdracht-uitstroom."},"AUT":{"name":"Authenticatie & Communicatie","description":"MFA of continue authenticatie, beveiligde communicatie, noodkanalen","legalBasis":"Art. 21(2)(j) NIS2 · §30(2) Nr. 10 BSIG","threatLandscape":"Diefstal van inloggegevens en authenticatie met alleen een wachtwoord zijn de primaire vectoren voor accountcompromis. Zonder MFA geeft één gestolen wachtwoord volledige toegang. Onveilige communicatie kan worden onderschept voor spionage.","bsiGuidance":"Het BSI verwacht multi-factor of continue authenticatie voor kritieke systemen en externe toegang, beveiligde spraak/video/tekstcommunicatieoplossingen, een nood-out-of-band communicatiekanaal, gecentraliseerd identiteitsbeheer en sessiebeheerbeleidsregels."},"REG":{"name":"Registratie & Rapportage","description":"BSI-registratie, jaarlijkse updates, compliance-bewijs","legalBasis":"Art. 3, Art. 23 NIS2 · §33, §34, §39 BSIG","threatLandscape":"Nalaten te registreren bij het BSI en actuele contactgegevens bij te houden betekent dat de organisatie geen dreigingswaarschuwingen kan ontvangen en niet kan voldoen aan verplichte meldingsplichten, wat het regelgevingsrisico vergroot.","bsiGuidance":"Het BSI verwacht voltooide registratie (§33), een aangewezen contactpunt, actuele registratiegegevens (jaarlijkse update), naleving van informatie-uitwisselingsverplichtingen (§34), onderhoud van het domeinnaamregister (§39 indien van toepassing) en gedocumenteerde regelgevingscorrespondentie."},"ISMS":{"name":"ISMS Verplichte Clausules","description":"ISO 27001:2022 clausules 4–10: context, leiderschap, planning, ondersteuning, uitvoering, evaluatie, verbetering","legalBasis":"ISO 27001:2022 Cl. 4–10","threatLandscape":"Een ongedocumenteerd of niet afgebakend ISMS kan niet worden geaudit. Hiaten in leiderschapsbetrokkenheid, risicoplanning of gedocumenteerde informatie zijn de meest voorkomende redenen waarom organisaties falen bij Stage 1 van een ISO 27001-audit.","bsiGuidance":"Verplichte clausules gelden zonder uitzondering. De auditor verifieert: toepassingsgebieddocument, risicobeoordelingsmethodologie, IS-beleid ondertekend door het topmanagement, gedocumenteerde rollen, intern auditplan, directiebeoordelingsverslagen en een continu verbeterproces."},"ORG":{"name":"Organisatorische Maatregelen","description":"Bijlage A.5 — Beleid, rollen, leveranciersbeveiliging, incidentbeheer, bedrijfscontinuïteit en wettelijke naleving","legalBasis":"ISO 27001:2022 Bijlage A.5","threatLandscape":"Organisatorische maatregelen vormen de governancelaag. Zonder duidelijk beleid, gedefinieerde rollen en leveranciersbeveiligingseisen hebben technische maatregelen geen mandaat en geen verantwoording — wat hiaten achterlaat die aanvallers uitbuiten.","bsiGuidance":"Auditors zoeken bewijs dat beleid is goedgekeurd, gecommuniceerd en herzien. Leveranciersovereenkomsten moeten beveiligingsclausules bevatten. Incidentbeheer moet worden gepland vóór een incident plaatsvindt."},"PPL":{"name":"Persoonsgerichte Maatregelen","description":"Bijlage A.6 — Screening, arbeidsvoorwaarden, bewustwordingstraining, disciplinaire procedure, thuiswerken","legalBasis":"ISO 27001:2022 Bijlage A.6","threatLandscape":"Mensen zijn zowel de primaire aanvalsvector (phishing, social engineering) als de laatste verdedigingslinie. Ongetraind personeel en slechte offboarding behoren tot de meest uitgebuite zwakheden.","bsiGuidance":"Vereist bewijs: achtergrondcontroleprocedure, ondertekende geheimhoudingsovereenkomsten, jaarlijkse IS-bewustwordingstrainingsrapporten, thuiswerkbeleid."},"PHY":{"name":"Fysieke Maatregelen","description":"Bijlage A.7 — Fysieke perimeters, toegangscontrole, apparatuurbeveiliging, veilige verwijdering","legalBasis":"ISO 27001:2022 Bijlage A.7","threatLandscape":"Fysieke toegang tot systemen omzeilt alle logische controles. Onbeveiligde kantoren, ontgrendelde schermen en onjuiste verwijdering van apparatuur worden frequent uitgebuit — vaak door opportunistische, niet geavanceerde aanvallers.","bsiGuidance":"Voor een remote-first bedrijf met co-workingruimtes richten fysieke maatregelen zich op: clean-deskbeleid, schermblokkering, beveiliging van activa buiten het terrein en veilige verwijdering van laptops en opslagmedia."},"TEC":{"name":"Technologische Maatregelen","description":"Bijlage A.8 — Eindpuntbeveiliging, toegangsrechten, kwetsbaarheidsbeheer, cryptografie, logging, wijzigingsbeheer","legalBasis":"ISO 27001:2022 Bijlage A.8","threatLandscape":"De grootste Bijlage A-sectie (34 maatregelen). Technologische hiaten — niet-gepatchte systemen, verkeerd geconfigureerde cloudresources, ontbrekende MFA, ontoereikende logging — zijn de grondoorzaak van de meerderheid van beveiligingsincidenten.","bsiGuidance":"Auditors controleren of maatregelen daadwerkelijk zijn geïmplementeerd, niet alleen gedocumenteerd. Verwacht technisch bewijs: configuratieschermafdrukken, patchlogs, SIEM-uitvoer, resultaten van back-uphersteltests en toegangsbeoordelingsverslagen."},"AI-LIT":{"name":"AI Literacy","description":"Ensure staff and persons operating AI systems on the company's behalf have a sufficient level of AI literacy.","legalBasis":"Art. 4 EU AI Act","threatLandscape":"Untrained staff using AI tools cause data leakage, hallucination-driven errors, and deepfake exposure that organisations cannot defend in audit or court.","bsiGuidance":""},"AI-PRO":{"name":"Prohibited Practices","description":"Screen AI use cases against the eight (plus one) banned practices in Art. 5 and document the screening outcome.","legalBasis":"Art. 5 EU AI Act","threatLandscape":"Using a prohibited practice triggers the highest penalty tier (EUR 35M or 7% of global turnover) regardless of intent.","bsiGuidance":""},"AI-INV":{"name":"AI System Inventory","description":"Maintain an inventory of every AI system in use, classify each by risk tier, and re-classify on substantial modification.","legalBasis":"Art. 6, 25, 26 EU AI Act","threatLandscape":"Without an inventory, shadow-AI deployments evade oversight and create unmitigated compliance and liability exposure.","bsiGuidance":""},"AI-RSK":{"name":"AI Risk Management","description":"Operate a documented risk management system for high-risk AI systems, with annual review and treatment of identified risks.","legalBasis":"Art. 9 EU AI Act","threatLandscape":"Unmanaged AI risks (bias, drift, robustness failures) translate directly into incident exposure under Art. 73.","bsiGuidance":""},"AI-FRI":{"name":"Fundamental Rights Impact Assessment","description":"Conduct a Fundamental Rights Impact Assessment before deploying high-risk AI systems in public, financial, or insurance contexts.","legalBasis":"Art. 27 EU AI Act","threatLandscape":"Skipping the FRIA exposes the deployer to civil claims from affected persons and to market-surveillance enforcement.","bsiGuidance":""},"AI-OVS":{"name":"Human Oversight","description":"Designate a competent human overseer per high-risk AI system and verify oversight effectiveness annually.","legalBasis":"Art. 14, Art. 26(2) EU AI Act","threatLandscape":"Autonomous high-risk AI systems without effective human override breach Art. 14 and create direct provider/deployer liability.","bsiGuidance":""},"AI-TRA":{"name":"Transparency","description":"Disclose AI interactions and AI-generated content to end users; watermark synthetic content; disclose deepfakes.","legalBasis":"Art. 50 EU AI Act","threatLandscape":"Lack of disclosure on chatbots and synthetic content breaches Art. 50 and undermines trust with customers and regulators.","bsiGuidance":""},"AI-INC":{"name":"AI Incident Reporting","description":"Document the AI incident response procedure; notify the market surveillance authority of serious incidents within 15 days.","legalBasis":"Art. 73 EU AI Act","threatLandscape":"Failure to notify within the 15-day window triggers the second penalty tier (EUR 15M or 3% of turnover).","bsiGuidance":""},"AI-DOC":{"name":"Technical Documentation","description":"Maintain Annex IV technical documentation, automatic logging, and the EU Declaration of Conformity for high-risk AI systems.","legalBasis":"Art. 11, 12, 18, 19, 47 · Annex IV, V EU AI Act","threatLandscape":"Incomplete technical documentation prevents conformity assessment and blocks placing on the EU market.","bsiGuidance":""},"AI-GPI":{"name":"General-Purpose AI","description":"GPAI provider obligations: model card, copyright policy, training-content summary, plus systemic-risk evaluation when training compute exceeds 10^25 FLOPs.","legalBasis":"Art. 51-55 EU AI Act","threatLandscape":"GPAI providers that miss transparency obligations face EU AI Office enforcement directly, with fines under Art. 101.","bsiGuidance":""},"CRA-MFG":{"name":"Manufacturer Obligations","description":"Per-product cybersecurity risk assessment and management body sign-off before placing the product on the EU market.","legalBasis":"Art. 13 EU CRA","threatLandscape":"Manufacturers that ship without a documented risk assessment have no defence when actively exploited vulnerabilities surface.","bsiGuidance":""},"CRA-ESS":{"name":"Essential Cybersecurity Requirements","description":"Compliance with Annex I Part I: no known exploitable vulnerabilities at placing on market, secure by default, protection of data confidentiality, integrity, availability.","legalBasis":"Annex I Part I EU CRA","threatLandscape":"Products that fail essential requirements cannot legally remain on the EU market and trigger the highest penalty tier.","bsiGuidance":""},"CRA-VLN":{"name":"Vulnerability Handling","description":"Documented vulnerability handling, coordinated disclosure policy, security updates without delay, and public disclosure of fixed vulnerabilities.","legalBasis":"Annex I Part II EU CRA","threatLandscape":"Vendors without a vulnerability handling process cannot meet the 24h / 72h / 14-day reporting cascade and become liable for downstream incidents.","bsiGuidance":""},"CRA-INC":{"name":"Active Exploitation Reporting","description":"24-hour early warning to ENISA and CSIRT, 72-hour notification, 14-day final report for actively exploited vulnerabilities and severe incidents.","legalBasis":"Art. 14 EU CRA","threatLandscape":"Missed reporting deadlines (other than the 24h deadline for SMEs) trigger the highest penalty tier and product-recall powers.","bsiGuidance":""},"CRA-CONF":{"name":"Conformity Assessment","description":"Conformity assessment route per product class (self-assessment Module A, Module B+C with notified body, or Module H quality system) followed by CE marking.","legalBasis":"Art. 24, Art. 27 EU CRA","threatLandscape":"Products without valid conformity assessment cannot be placed on the EU market from 11 December 2027.","bsiGuidance":""},"CRA-DOC":{"name":"Technical Documentation","description":"Maintain Annex VII technical documentation for each product placed on the EU market.","legalBasis":"Art. 28 · Annex VII EU CRA","threatLandscape":"Missing or incomplete technical documentation blocks market surveillance verification and triggers product withdrawal.","bsiGuidance":""},"CRA-SUP":{"name":"Support Period","description":"Publicly commit to a security update support period (default five years or expected product life, whichever is longer).","legalBasis":"Art. 13(8) EU CRA","threatLandscape":"Failure to support the full period exposes the manufacturer to claims from customers stranded on insecure products.","bsiGuidance":""},"CRA-SBOM":{"name":"Software Bill of Materials","description":"Generate and maintain a machine-readable Software Bill of Materials for each product placed on the EU market.","legalBasis":"Annex I Part II §1 EU CRA","threatLandscape":"Without an SBOM, manufacturers cannot trace which products contain a vulnerable component and miss the Art. 14 reporting window.","bsiGuidance":""},"CRA-IMP":{"name":"Importer and Distributor","description":"Importers verify manufacturer compliance before placing on market; distributors perform due diligence on conformity markings.","legalBasis":"Art. 18, Art. 19 EU CRA","threatLandscape":"Importers and distributors that miss verification inherit manufacturer liability under Art. 22.","bsiGuidance":""},"CRA-OSS":{"name":"Open-Source Steward","description":"Open-source software stewards adopt a cybersecurity policy, coordinated vulnerability disclosure, and report actively exploited vulnerabilities.","legalBasis":"Art. 24 EU CRA","threatLandscape":"OSS stewards are penalty-exempt under Art. 64(10), but downstream commercial users still depend on their reporting.","bsiGuidance":""}}},"intake":{"bsiContext":"Wat het BSI verwacht","threatLandscape":"Dreigingslandschap","grundschutzModule":"IT-Grundschutz-module","companyContext":"Uw bedrijfsprofiel","completeSection":"Deze sectie voltooien","operationalData":"Uit uw platformgegevens","saveDraft":"Concept opslaan","submitSignOff":"Indienen & aftekenen","saved":"Concept opgeslagen","submitted":"Categorie ingediend en afgetekend","submitFailed":"Indiening mislukt","incomplete":"Vul alle verplichte velden in voordat u indient.","alreadySignedOff":"Afgetekend op {date}","fieldProgress":"{completed} van {total} velden","statusDraft":"Concept","statusSubmitted":"Ingediend","statusSignedOff":"Afgetekend","validate":"Valideren met BSI-panel","validating":"BSI-panelevaluatie uitvoeren...","validateFailed":"Validatie mislukt","noSchema":"Geen invulformulier beschikbaar voor deze categorie.","autoSaved":"Automatisch opgeslagen","categoryOwner":"Categorieverantwoordelijke","noOwner":"Geen verantwoordelijke toegewezen","onlyOwnerCanSubmit":"Alleen de toegewezen verantwoordelijke of een beheerder kan deze categorie indienen.","responsiblePerson":"Verantwoordelijke persoon","responsiblePersonDescription":"De persoon die hier wordt toegewezen, kan deze categorie aftekenen.","frequencyOneTime":"Eenmalig","frequencyMonthly":"Maandelijks","frequencyQuarterly":"Kwartaals","frequencySemiAnnual":"Halfjaarlijks","frequencyAnnual":"Jaarlijks","frequencyEvery3Years":"Elke 3 jaar","frequencyOnChange":"Bij wijziging","frequencyOngoing":"Doorlopend"},"form":{"completeRequirement":"Vereiste voltooien","noFields":"Geen formuliervelden gedefinieerd.","requirementCompleted":"{code} voltooid","requirementSaved":"Vereiste is opgeslagen.","edit":"Bewerken","save":"Opslaan","saving":"Opslaan...","failedToSave":"Opslaan mislukt"},"evidence":{"loading":"Loading files…","uploading":"Uploading…","uploadFailed":"Upload failed. Please try again.","deleteFailed":"Delete failed. Please try again."},"signoff":{"title":"Goedkeuring management vereist","description":"Het management moet de implementatie van \"{title}\" bevestigen en goedkeuren.","roleLabel":"Rol / Functie","rolePlaceholder":"bijv. CEO, CISO, IT-manager","confirm":"Ik bevestig dat de vereiste is beoordeeld en de implementatie door het management is goedgekeurd.","saving":"Opslaan...","submit":"Goedkeuring verlenen","granted":"Goedkeuring verleend","grantedDescription":"{code} is goedgekeurd door {role}."},"llm":{"title":"AI-voorinvulling","extractTitle":"Gegevens extraheren via AI","extractDescription":"Plak tekst of sleep bestand hierheen (PDF, DOCX, TXT). De AI extraheert de relevante gegevens voor het formulier.","extractPlaceholder":"Plak tekst hier of sleep bestand hierheen...\n\nVoorbeeld: Müller GmbH gevestigd in Berlijn, energiesector, 120 medewerkers, jaarlijkse omzet EUR 15M, geclassificeerd als belangrijke entiteit onder NIS2...","extractButton":"Gegevens extraheren","unsupportedFormat":"Niet-ondersteund formaat: {name}. Ondersteund: {formats}","noText":"Geen tekst gevonden in document.","fileError":"Fout bij verwerken van bestand","dropHere":"Bestand hier neerzetten","processing":"Document verwerken...","selectFile":"Bestand selecteren","fieldsFilled":"{count} velden ingevuld","extracting":"Extraheren...","assistButton":"AI-assistent","assistTitle":"Formulierbegeleiding","assistDescription":"AI-gegenereerde begeleiding voor het invullen van dit vereistenformulier. Er worden geen werkelijke gegevens verstuurd – alleen veldnamen en typen.","assistLoading":"Begeleiding genereren...","assistError":"Genereren van begeleiding mislukt. Probeer het opnieuw.","assistOverview":"Overzicht","assistWhatThisIs":"Wat dit is","assistWhyThisExists":"Waarom dit bestaat","assistApplicability":"Is dit van toepassing?","assistQuickStart":"Snel starten","assistExample":"Voorbeeld van een goede inzending","assistExampleWhyGood":"Waarom dit goed is","assistFieldGuidance":"Veld-voor-veld begeleiding","assistMeaning":"Wat het betekent","assistExamples":"Goede voorbeelden","assistWhereToFind":"Waar te vinden","assistField":"Veld","assistValue":"Waarde"},"dashboard":{"title":"Dashboard","description":"Overzicht beveiligingscompliance","risks":"Risico's","openRisks":"Open risico's","highRisks":"Hoge risico's","assets":"Assets","criticalAssets":"Kritiek","otAssets":"OT","incidents":"Incidenten","suppliers":"Leveranciers","criticalSuppliers":"Kritiek","policies":"Beleid","approved":"Goedgekeurd","training":"Training","managementTraining":"Management","exercises":"Nooddriloefeningen","completed":"Voltooid","kpis":"Beveiligingsmetrieken","changes":"Wijzigingen","openChanges":"Open","patches":"Beveiligingsupdates","pendingPatches":"In behandeling","audits":"Zelfevaluaties","plannedAudits":"Gepland","improvements":"Actiepunten","openImprovements":"Open","complianceByCategory":"Compliance per categorie","riskMatrix":"Risicomatrix","riskTreatmentDistribution":"Verdeling risicobehandeling","noRisksRegistered":"Geen risico's geregistreerd","noData":"Geen gegevens","incidentsBySeverity":"Incidenten per ernst","treatmentLabel":{"mitigate":"Mitigeren","accept":"Accepteren","transfer":"Overdragen","avoid":"Vermijden"},"severity":{"nearMiss":"Bijna-incident","incident":"Incident","significant":"Significant"},"complianceProgress":"Compliancevoortgang","requirementsCompleted":"{completed} van {total} vereisten","allModules":"Alle modules","deadlines":{"overdue":"Achterstallig","dueThisWeek":"Deze week te doen","dueThisMonth":"Deze maand te doen","upcoming":"Aankomende deadlines","overdueDays":"{days}d achterstallig","dueToday":"Vandaag te doen","dueDays":"Over {days}d"}},"exercises":{"title":"Exercises","description":"BC/DR drills and incident response exercises. Required by NIS2 Art. 21(2)(c).","helpText":"Plan and document business continuity and disaster recovery exercises. NIS2 requires regular testing of your continuity plans. Record exercise type, participants, findings, and follow-up actions.","add":"Add Exercise","edit":"Edit Exercise","empty":"No exercises planned yet. Schedule your first drill.","deleteConfirm":"Are you sure you want to delete this exercise?","actions":"Actions","type":{"tabletop":"Tabletop","technical":"Technical","red_team":"Red Team","full_scale":"Full Scale"},"exerciseType":{"tabletop":"Tabletop","technical":"Technical","red_team":"Red Team","full_scale":"Full Scale"},"fields":{"title":"Title","exerciseType":"Exercise Type","domain":"Domain","scheduledDate":"Scheduled Date","completedAt":"Completed At","scenarioDescription":"Scenario","facilitator":"Facilitator","lessonsLearned":"Lessons Learned"},"fieldDescriptions":{"title":"Name of the exercise or drill (e.g., 'Q1 Ransomware Tabletop', 'DR Failover Test').","exerciseType":"Select the exercise format: tabletop (discussion-based), technical (hands-on), red team (adversary simulation), or full scale (live drill).","domain":"Security domain being tested (e.g., incident response, business continuity, disaster recovery, crisis communication).","scheduledDate":"Date when this exercise is planned to take place.","completedAt":"Date when this exercise was actually completed.","scenarioDescription":"Describe the simulated scenario, including threat actor, attack vector, and expected organizational response.","facilitator":"Name of the person responsible for planning and leading this exercise.","lessonsLearned":"Document key findings, gaps identified, and recommended improvements from this exercise."}},"export":{"title":"Export Reports","subtitle":"Download compliance reports for your assessments","noAssessments":"No assessments found. Complete the setup first.","download":"Download PDF","started":"Started","progress":"{completed} of {total} requirements","compliance":"Compliance"},"funnel":{"meta":{"title":"NIS2 Compliance Platform – Book a Demo","description":"Step-by-step NIS2 compliance for German mid-market companies. 49 BSIG requirements, guided forms, automatic evidence tracking, audit-ready from day one."},"hero":{"headline":"49 BSIG requirements. We guide you through every one.","subhead":"The fastest path from 'NIS2 applies to us' to 'we're audit-ready.' Structured forms, deadline management, and automatic evidence tracking. Start in 48 hours.","cta":"Book Your 30-Minute Demo","trust":"Made in Cologne · Hosted in Germany"},"stats":{"heading":"The regulatory reality","companies":"29,500","companiesLabel":"companies in scope in Germany alone","penalty":"€10M / 2%","penaltyLabel":"fine or 2% of global annual turnover","liability":"§38 BSIG","liabilityLabel":"management personally liable","description":"The NIS2 directive is transposed into German law via the BSIG. Registration deadlines are approaching, and management boards carry personal liability for non-compliance. Waiting is no longer an option."},"alternatives":{"heading":"Why existing options fall short","consultants":{"title":"Consultants","price":"€150K–500K","items":["Spreadsheet-based tracking","No automation or audit trail","Months of back-and-forth","Knowledge leaves when they leave"]},"enterprise":{"title":"Enterprise GRC","price":"€100K+/year","items":["6–12 month implementation","Built for Fortune 500 complexity","Overkill for mid-market","Requires dedicated GRC team"]},"usPlatforms":{"title":"US Platforms","price":"€7,500+/year","items":["English-first, bolt-on translations","No BSIG-specific guidance","US data hosting defaults","Generic framework mapping"]},"nisd2":{"title":"NISD2.eu","items":["Step-by-step through all 49 requirements","Audit-ready from day one","German-language, EU-hosted","Live in 48 hours"]},"callout":"Purpose-built for NIS2 and BSIG. Nothing more, nothing less."},"features":{"heading":"What you get","obligations":{"title":"49 requirements, guided step-by-step","description":"Every BSIG requirement broken down into structured forms with clear instructions. No compliance background needed, just answer the questions."},"evidence":{"title":"Automatic evidence & audit trail","description":"Upload documents, track approvals, and maintain a tamper-evident audit trail. Everything timestamped and ready for BSI review."},"deadlines":{"title":"Deadline tracking & escalation","description":"BSI registration, incident reporting cascades (24h / 72h / 1m), training renewals. Every deadline tracked with automatic escalation so nothing slips."},"bsiRegistration":{"title":"BSI registration support","description":"Guided preparation for your BSI registration, including all required documentation and pre-submission checklists."}},"offer":{"heading":"Founding Partner Program","subtitle":"We're onboarding our first 10 companies with hands-on support.","items":["3 months free, full platform access","White-glove onboarding within 48 hours","Direct founder access for the lifetime of your account","Lock in preferential pricing before general availability"],"exchange":"In return, we ask for honest feedback to shape the product.","cta":"Book Your Free Demo"},"faq":{"heading":"Common questions","q1":"Are we affected by NIS2?","a1":"If your company operates in one of the 18 critical sectors (energy, transport, health, digital infrastructure, etc.) and has 50+ employees or €10M+ revenue, you are very likely in scope. Our free applicability check takes 2 minutes and gives you a clear answer.","q2":"We already have ISO 27001. Isn't that enough?","a2":"ISO 27001 covers roughly 60–70% of NIS2 requirements. But NIS2 adds obligations around incident reporting (24h/72h), supply chain security, management liability, and BSI registration that ISO 27001 does not address. Our platform covers all of these.","q3":"How much does it cost after the free period?","a3":"We're finalizing pricing for general availability. Founding partners lock in preferential pricing for the lifetime of their account. We'll share details during the demo call.","q4":"How long does implementation take?","a4":"Most companies complete their initial compliance baseline within 2–4 weeks. We onboard you within 48 hours, and the platform guides you through each step. No 6-month implementation projects.","q5":"What about data security?","a5":"All data is hosted in Germany. We use encryption at rest and in transit, role-based access controls, and maintain a complete audit trail. We practice what we preach.","q6":"What happens after the free months?","a6":"You transition to a paid plan at the rate discussed during onboarding. No surprise pricing. If you decide it's not for you, we help you export all your data. No lock-in."},"finalCta":{"headline":"The BSI registration deadline is March 2026. We can onboard you within 48 hours.","cta":"Book Your 30-Minute Demo","email":"Or email us directly: contact@nisd2.eu"}},"gap-assessment":{"title":"NIS2 Gap Assessment","subtitle":"Evaluate your NIS2 readiness across 15 domains","startAssessment":"Start Assessment","resumeAssessment":"Resume Assessment","viewResults":"View Results","day":"Day {number}","dayOf":"Day {current} of {total}","questionsAnswered":"{answered} of {total} answered","saving":"Saving...","saved":"Saved","overview":{"heading":"Assessment Overview","description":"A structured self-assessment covering all NIS2 compliance domains. Answer honestly about your current state. No right or wrong answers.","day1":"Scoping & Governance","day1desc":"Are you in scope? Does your management understand their liability?","day2":"Risk Management","day2desc":"Do you know your assets, your risks, and your security policies?","day3":"Incident & Business Continuity","day3desc":"Can you detect, respond to, and recover from incidents?","day4":"People, Suppliers & Access","day4desc":"Are your employees trained, suppliers managed, and access controlled?","day5":"Technical Controls & Evidence","day5desc":"Are your technical protections and documentation audit-ready?","questions":"{count} questions","estimatedTime":"~{minutes} min","noActiveSession":"You have not started an assessment yet.","pastSessions":"Previous Assessments","score":"Score: {score}%","completedOn":"Completed {date}","inProgress":"In progress"},"question":{"yes":"Yes","partially":"Partially","no":"No","notApplicable":"N/A","showExplanation":"What does this mean?","hideExplanation":"Hide explanation","legalBasis":"Legal basis","criticality":"Importance","criticalityLevels":{"0":"Informational","1":"Low","2":"Medium","3":"High"},"respondent":{"0":"CEO / Management","1":"IT / Security","2":"HR","3":"Procurement","4":"Anyone"},"suggestedRespondent":"Best answered by"},"navigation":{"previousDay":"Previous Day","nextDay":"Next Day","completeAssessment":"Complete Assessment","backToOverview":"Back to Overview"},"results":{"heading":"Assessment Results","overallScore":"Overall Score","domainScores":"Domain Scores","maturityLevel":"Maturity Level","priorityGaps":"Priority Gaps","exportPdf":"Export PDF","domain":"Domain","score":"Score","maturity":"Maturity","answered":"Answered","noGaps":"No gaps identified. Excellent.","gapRank":"Priority","gapQuestion":"Finding","gapDomain":"Domain","gapConsequence":"Consequence","gapTimeToFix":"Effort","fineRisk":"Fine Risk","viewInPlatform":"View in Platform","maturityLevels":{"critical":"Critical","initial":"Initial","developing":"Developing","managed":"Managed","optimized":"Optimized"},"consequenceLevels":{"0":"Audit Finding","1":"Operational Risk","2":"Fine","3":"Personal Liability"},"timeToFixLevels":{"0":"Quick Win","1":"Days","2":"Weeks","3":"Months"},"summary":{"criticalGaps":"{count} critical gaps","fineExposed":"{count} create fine exposure","personalLiability":"{count} create personal liability for the CEO","quickWins":"{count} can be fixed immediately"},"startCompliance":"Start Closing Gaps","retakeAssessment":"Take Assessment Again"}},"grcComparison":{"meta":{"title":"GRC / ISMS / NIS2 prijsvergelijking: 136 commerciële leveranciers gecontroleerd","description":"Op 17 mei 2026 hebben we de prijspagina's van 136 commerciële GRC-, ISMS- en NIS2-platforms bezocht. 103 daarvan vertellen je niet wat ze kosten zonder een demo-call. Hier is de hele lijst, sorteerbaar en filterbaar. Negen open-source alternatieven zijn bewust niet opgenomen."},"hero":{"eyebrow":"Marktonderzoek · 17 mei 2026","title":"We hebben 136 commerciële GRC/ISMS-platforms onderzocht. 103 vertellen je niet wat ze kosten.","subtitle":"We hebben elke prijspagina woordelijk vastgelegd. Waar prijzen achter een demo-formulier verborgen zijn, schrijven we 'Demo-call vereist'. Geen schattingen, geen derde bronnen. Negen open-source alternatieven (verinice, CISO Assistant, Deming, ISMS Builder, Unicis CE, wijzelf en anderen) staan niet in deze lijst omdat ze je geen abonnement verkopen.","ctaPlatform":"Gratis starten","ctaMethodology":"Methodologie"},"stats":{"totalLabel":"Leveranciers onderzocht","transparentLabel":"Openbare prijzen","partialLabel":"Alleen startprijs","gatedLabel":"Demo-call vereist","nis2Label":"NIS2 als framework","ossLabel":"Open source","countriesLabel":"Landen","lastUpdatedPrefix":"Per:"},"thesis":{"title":"Waarom deze markt klaar is voor disruptie","body":"76% van deze 136 commerciële GRC/ISMS-leveranciers verbergt hun prijzen. De producten zijn formulieren, sjablonen en checklists bovenop een database. De marginale kosten per extra klant zijn bijna nul. De prijs niet. Hier zijn de bewijzen.","points":[{"title":"Vijfcijferige jaarcontracten voor een formulier","body":"Vanta, Drata, Secureframe, OneTrust, MetricStream, IBM OpenPages, ServiceNow GRC, Archer, Diligent — alle enterprise GRC-suites verbergen prijzen en vragen €30.000+/jaar voor een workflow-tool met templates."},{"title":"Oost-EU-leveranciers zijn 10x goedkoper en transparant","body":"Copla (LT) verkoopt NIS2 voor €3.500/jaar als eigen SKU. NIS2 Manager (CZ) voor ~€980/maand. Conformio (HR) voor €145/maand. Zelfde productcategorie, andere prijsbeslissing."},{"title":"OSS-concurrentie groeit uit Duitsland en Frankrijk","body":"ISMS Builder (DE, AGPL), CISO Assistant (FR, AGPLv3, 130+ frameworks), Little-ISMS-Helper (DACH), Deming (FR) — allemaal gratis self-hosted, allemaal NIS2 expliciet."},{"title":"Marktconsolidatie versnelt","body":"AuditBoard → Optro. CONTECHNET → i-doit. DocSetMinder → Allgeier. 3rdRisk → Diligent. RISMA + Wired Relations + ComplyCloud → Cerivo. StandardFusion → Wolters Kluwer. Galvanize → Diligent. Tugboat → OneTrust. Archer → Cinven."}]},"filters":{"searchPlaceholder":"Leverancier zoeken…","tierLabel":"Prijsmodel","tierAll":"Alle","tierTransparent":"Transparant","tierPartial":"Gedeeltelijk","tierGated":"Demo-call","tierUnverifiable":"Niet te verifiëren","countryLabel":"Land","countryAll":"Alle landen","categoryLabel":"Categorie","categoryAll":"Alle categorieën","categoryIsms":"ISMS","categoryGrc":"GRC","categoryTprm":"Leveranciersrisico","categoryConsultancy":"Consultancy + SaaS","categoryAudit":"Audit","categoryRatings":"Cyber-ratings","categoryTemplate":"Template-shop","categoryAiGrc":"AI-GRC","categoryEndpoint":"Endpoint","categoryVuln":"Kwetsbaarheden","categoryCspm":"Cloud-security","categoryIam":"IAM/Insider","categoryTraining":"Awareness","categoryAsset":"Asset mgmt","categoryReporting":"Rapportage","categoryComms":"Veilige comms","nis2OnlyLabel":"Alleen NIS2-leveranciers","freeTierLabel":"Met gratis variant","ossLabel":"Alleen open source","resetButton":"Filters wissen"},"table":{"name":"Leverancier","country":"Land","category":"Categorie","tier":"Prijs","entryPrice":"Instap","nis2":"NIS2","freeTier":"Gratis","source":"Bron","noResults":"Geen leveranciers gevonden. Wis de filters.","tierBadgeTransparent":"Transparant","tierBadgePartial":"Gedeeltelijk","tierBadgeGated":"Demo-call","tierBadgeUnverifiable":"Niet te verifiëren","nis2Yes":"Ja","nis2No":"Nee","freeTierNone":"—","freeTierTrial":"Trial","freeTierFreemium":"Free","freeTierOss":"OSS","viewVendorPricing":"Prijspagina openen","lastVerified":"Gecontroleerd","dataExport":"Data-export","dataExportFullOpen":"Volledig open","dataExportPartial":"Gedeeltelijk","dataExportReportOnly":"Alleen rapporten","dataExportNone":"Niets gedocumenteerd","dataExportUnknown":"—"},"methodology":{"title":"Methodologie","verified":"Gecontroleerd op","rules":["We hebben elke prijspagina handmatig bezocht.","Prijzen zijn woordelijk overgenomen van de website van de leverancier.","Geen extrapolatie uit G2, Capterra, blogs van derden of LinkedIn.","Waar prijzen achter een demo-formulier liggen: 'Demo-call vereist'.","Waar prijzen alleen als 'vanaf €X' worden vermeld: 'Gedeeltelijk transparant'.","Driemaandelijkse heraudit. Leveranciers kunnen correcties indienen."],"correctionsTitle":"Correctie indienen","correctionsBody":"Zijn onze gegevens over jouw product onjuist? Mail simon@nisd2.eu met de URL van je prijspagina. We werken binnen 48 uur bij en houden een wijzigingslog bij."},"cta":{"title":"Gratis + Open Source + geen lock-in","body":"We verkopen geen NIS2-compliance. We maken het toegankelijk. Gratis, open source, geen verkoopteam dat je belt.","button":"Platform starten"}},"improvements":{"title":"Improvements","description":"Continuous improvement items from audits, incidents, and reviews. Supports PDCA cycle per NIS2.","helpText":"Track improvement actions identified from audits, incident post-mortems, management reviews, and KPI trends. Each item has a source, priority, owner, and target date. This register demonstrates your organization's commitment to continuous improvement.","add":"Add Improvement","edit":"Edit Improvement","empty":"No improvement items yet. Add items from audits, incidents, or reviews.","deleteConfirm":"Are you sure you want to delete this improvement item?","actions":"Actions","source":{"audit":"Audit","incident":"Incident","pentest":"Pentest","management_review":"Management Review","kpi_breach":"KPI Breach","gap_analysis":"Gap Analysis","regulatory_change":"Regulatory Change","suggestion":"Suggestion"},"status":{"open":"Open","in_progress":"In Progress","resolved":"Resolved","verified":"Verified","deferred":"Deferred"},"priority":{"P0":"P0 - Immediate","P1":"P1 - 3 months","P2":"P2 - 6 months","P3":"P3 - 12 months"},"fields":{"title":"Title","description":"Description","source":"Source","priority":"Priority","status":"Status","targetDate":"Target Date","deferralReason":"Deferral Reason","verificationNotes":"Verification Notes"},"fieldDescriptions":{"title":"Short descriptive title for this improvement action (e.g., 'Implement MFA for VPN access').","description":"Detailed description of the improvement, including current gap and desired outcome.","source":"Select where this improvement was identified: audit finding, incident post-mortem, management review, KPI breach, etc.","priority":"Select the priority level which determines the implementation timeframe (P0: immediate, P1: 3 months, P2: 6 months, P3: 12 months).","status":"Current status of the improvement: open, in progress, resolved, verified (effectiveness confirmed), or deferred.","targetDate":"Date by which this improvement action should be completed.","deferralReason":"If status is Deferred, provide the justification and expected resumption timeline.","verificationNotes":"Document how the effectiveness of this improvement was verified after implementation."}},"incidents":{"title":"Incidentregister","description":"Beveiligingsincidentenlog met ernstclassificatie en tijdlijnbewaking. Vereist door NIS2 Art. 23.","helpText":"Registreer elk beveiligingsincident wanneer het plaatsvindt. NIS2 vereist een vroegtijdige waarschuwing aan het BSI binnen 24 uur en een volledige melding binnen 72 uur voor significante incidenten. Leg ernst, getroffen systemen, tijdlijn en oplossingstappen vast.","add":"Incident melden","edit":"Incident bewerken","empty":"Geen incidenten geregistreerd. Meld een incident wanneer dit zich voordoet.","deleteConfirm":"Weet u zeker dat u dit incident wilt verwijderen?","actions":"Acties","severity":{"near_miss":"Bijna-incident","incident":"Incident","significant":"Significant"},"fields":{"title":"Titel","description":"Beschrijving","severity":"Ernst","situationColor":"Situatiekleur","discoveredAt":"Ontdekt op","occurredAt":"Opgetreden op","resolvedAt":"Opgelost op","confidentialityImpacted":"Vertrouwelijkheid aangetast","integrityImpacted":"Integriteit aangetast","availabilityImpacted":"Beschikbaarheid aangetast","threatType":"Type dreiging","rootCause":"Oorzaak","countermeasures":"Tegenmaatregelen","preventiveMeasures":"Preventieve maatregelen","requiresGdprNotification":"GDPR Breach Notification Required","dataSubjectsAffected":"Data Subjects Affected","gdprNotifiedAt":"GDPR Authority Notified","notifiedDataSubjectsAt":"Data Subjects Notified"},"bsiDeadlines":{"title":"BSI-meldingstermijnen","overdue":"Achterstallig","dueIn":"Over {days}d","dueToday":"Vandaag te doen","reportType":{"early_warning":"24u Vroegtijdige waarschuwing","notification":"72u Melding","intermediate":"Tussentijds rapport","final":"Eindrapport","progress":"Voortgangsrapport"}},"fieldDescriptions":{"title":"Korte beschrijvende naam voor dit incident (bijv. 'Phishing-aanval op financiële afdeling').","description":"Gedetailleerde beschrijving van wat er is gebeurd, welke systemen en gegevens zijn getroffen en de reikwijdte van de impact.","severity":"Selecteer het ernstniveau. 'Significante' incidenten vereisen BSI-melding binnen 24u (vroegtijdige waarschuwing) en 72u (volledig rapport) onder NIS2 Art. 23.","situationColor":"Verkeerslichtindicator van de huidige incidentstatus: groen (ingedamd), oranje (lopend), rood (kritiek).","discoveredAt":"Datum en tijd waarop dit incident voor het eerst werd gedetecteerd of gemeld.","occurredAt":"Datum en tijd waarop dit incident daadwerkelijk begon (kan afwijken van ontdekking).","resolvedAt":"Datum en tijd waarop dit incident volledig was opgelost en normale activiteiten werden hervat.","confidentialityImpacted":"Inschakelen als ongeoorloofde openbaarmaking van informatie heeft plaatsgevonden of wordt vermoed.","integrityImpacted":"Inschakelen als ongeoorloofde wijziging of beschadiging van gegevens heeft plaatsgevonden of wordt vermoed.","availabilityImpacted":"Inschakelen als diensten of systemen zijn verstoord of onbeschikbaar zijn geworden.","threatType":"Selecteer het type dreiging (bijv. malware, DDoS, insider, phishing, exploitatie van kwetsbaarheid).","rootCause":"Beschrijf de onderliggende oorzaak van het incident na voltooiing van het onderzoek.","countermeasures":"Beschrijf de onmiddellijke acties om het incident in te dammen en te verhelpen.","preventiveMeasures":"Beschrijf de langetermijnmaatregelen om herhaling van dit type incident te voorkomen.","requiresGdprNotification":"Enable if this incident involved a personal data breach requiring notification to the supervisory authority under GDPR Art. 33 (within 72 hours of awareness).","dataSubjectsAffected":"Approximate number of data subjects whose personal data was compromised (Art. 33(3)(a) — required content of notification).","gdprNotifiedAt":"Date and time the supervisory authority was notified of the breach.","notifiedDataSubjectsAt":"Date and time affected data subjects were informed (Art. 34 — required when breach poses high risk)."}},"info":{"footer":{"nis2Info":"NIS2 Information","whatIsNis2":"What is NIS2?","nis2InGermany":"NIS2 in Germany","nis2Requirements":"NIS2 Requirements","ceoLiability":"Management Liability (§38)","grundschutz":"NIS2 & IT-Grundschutz","costs":"Implementation Costs","smeGuide":"Guide for Mid-Market","checklist":"Requirements Checklist","platform":"Platform","documentation":"Wiki","applicabilityCheck":"Applicability Check","company":"Over ons","nis2Roadmap":"NIS2 Roadmap for Managing Directors","signIn":"Sign In","trainingPortal":"Training Portal","scheduleDemo":"Schedule a Demo","pricing":"Prijzen","copyright":"NISD2.eu - NIS2 Compliance Platform","disclaimer":"This platform is a compliance management tool and does not constitute legal advice. All compliance responsibility remains with the user.","features":"Features","nis2Tool":"NIS2 Tool: Buyer's Guide","nis2Documents":"NIS 2 Documents (Required List)","featureGuided":"Step-by-step guided","featureLiability":"Management liability protection","featureRequirements":"49 structured BSIG requirements","featureDeadlines":"Deadline tracking & escalation","featureModules":"12 operational security modules","featureAuditTrail":"Permanent audit trail & data","legal":"Legal","mission":"Our Mission","terms":"Terms of Service","impressum":"Legal Notice","datenschutz":"Privacy Policy","avv":"Data Processing Agreement (DPA)","toms":"TOMs (Art. 32 GDPR)","changelog":"Changelog","openSource":"Open Source","status":"Status","contact":"Contact","hostedInGermany":"Hosted in Germany","gdprCompliant":"GDPR-compliant","avvBadge":"DPA available","tomsBadge":"TOMs published","trustCenter":"Trust Center","trustCenterBadge":"Trust Center →","expertArticles":"Expert Articles","registration":"NIS2 Registration Gap","cirGuide":"CIR 2024/2690 Guide","isoMapping":"ISO 27001 vs NIS2","incidentReporting":"Incident Reporting","euImplementation":"NIS2 Across Europe","multiCountryReg":"NIS2 in Multiple EU Countries","missedRegistration":"Missed Registration?","kritisComparison":"NIS2 vs KRITIS","penalties":"Penalties & Fines","sectorWaste":"Waste Management","glossary":"NIS2 Glossary","securityObligation":"IT Security Obligation","bsiRegistration":"BSI Registration Guide","whatToDo":"NIS2 - What To Do Now","sectorFood":"NIS2 for Food Industry","sectorManufacturing":"NIS2 for Manufacturing","sectorHealth":"NIS2 for Healthcare","sectorLogistics":"NIS2 for Logistics","europeanStandard":"NIS2 European Standard","entityTypes":"NIS2 Entity Types","gapAssessment":"NIS2 Gap Assessment","faq":"NIS2 FAQ","timeline":"NIS2 Timeline","registrationPortals":"Registration Portals","supplyChainCompliance":"NIS2 for Suppliers"},"relatedArticles":{"heading":"Related Articles"},"impressum":{"meta":{"title":"Impressum - NISD2.eu","description":"Legal notice (Impressum) for NISD2.eu pursuant to Section 5 DDG."},"title":"Impressum","subtitle":"Legal notice pursuant to Section 5 DDG (Digitale-Dienste-Gesetz).","responsible":{"heading":"Information pursuant to Section 5 DDG","company":"Kardashev Catalyst UG (haftungsbeschränkt)","represented":"Represented by: Simon Orzel (Geschäftsführer)","registration":"Amtsgericht Köln, HRB 126993","euid":"EUID: DER3306.HRB126993","address":"Trierer Str. 6, 50676 Köln, Germany","emailLabel":"Email","email":"contact@nisd2.eu"},"mstv":{"heading":"Responsible for content pursuant to Section 18(2) MStV","name":"Simon Orzel","address":"Trierer Str. 6, 50676 Köln, Germany"},"dispute":{"heading":"EU Online Dispute Resolution","p1":"The European Commission provides a platform for online dispute resolution (ODR):","url":"https://ec.europa.eu/consumers/odr/","p2":"We are neither willing nor obligated to participate in dispute resolution proceedings before a consumer arbitration board."},"liability":{"heading":"Liability for Content","p1":"As a service provider, we are responsible for our own content on these pages in accordance with general laws pursuant to Section 7(1) DDG. According to Sections 8 to 10 DDG, however, we are not obligated as a service provider to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity.","p2":"Obligations to remove or block the use of information under general law remain unaffected. However, liability in this regard is only possible from the time of knowledge of a specific legal violation. Upon becoming aware of such violations, we will remove this content immediately."},"links":{"heading":"Liability for Links","p1":"Our website contains links to external third-party websites over whose content we have no influence. Therefore, we cannot assume any liability for this third-party content. The respective provider or operator of the pages is always responsible for the content of the linked pages.","p2":"The linked pages were checked for possible legal violations at the time of linking. Illegal content was not recognizable at the time of linking. Permanent content control of linked pages is unreasonable without concrete evidence of a legal violation. Upon becoming aware of legal violations, we will remove such links immediately."},"copyright":{"heading":"Copyright","p1":"The content and works created by the site operators on these pages are subject to German copyright law. Duplication, processing, distribution, and any kind of use beyond the limits of copyright law require the written consent of the respective author or creator.","p2":"Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is marked as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. Upon becoming aware of legal violations, we will remove such content immediately."}},"datenschutz":{"meta":{"title":"Privacy Policy - NISD2.eu","description":"Privacy policy for NISD2.eu in accordance with the EU General Data Protection Regulation (GDPR)."},"title":"Privacy Policy","subtitle":"Information on data processing in accordance with the EU General Data Protection Regulation (GDPR).","responsible":{"heading":"Responsible Party","p1":"The responsible party for data processing on this website is:","company":"Kardashev Catalyst UG (haftungsbeschränkt)","represented":"Represented by: Simon Orzel (Geschäftsführer)","registration":"Amtsgericht Köln, HRB 126993","address":"Trierer Str. 6, 50676 Köln, Germany","emailLabel":"Email","email":"contact@nisd2.eu"},"dataCollected":{"heading":"Data We Collect","p1":"When you use our platform, we process the following personal data:","account":"Account data: name and email address provided via Google OAuth during sign-in","forms":"Form submissions: data you enter in compliance requirement forms","files":"Uploaded files: evidence documents you upload to the platform","technical":"Technical data: IP address, browser type, and access timestamps in server logs"},"purpose":{"heading":"Purpose and Legal Basis","p1":"We process your data for the following purposes:","items":{"contract":"Providing the NIS2 compliance platform (Art. 6(1)(b) GDPR - performance of a contract)","auth":"User authentication and account management (Art. 6(1)(b) GDPR)","security":"Ensuring the security and integrity of our platform (Art. 6(1)(f) GDPR - legitimate interest)","legal":"Compliance with legal obligations (Art. 6(1)(c) GDPR)"}},"processors":{"heading":"Subverwerkers","p1":"Wij gebruiken de volgende derde partijen om het platform te beheren:","hetzner":"Hetzner Online GmbH (Falkenstein/Neurenberg, Duitsland): hosting van applicatieservers en PostgreSQL-database","google":"Google (OAuth): authenticatie, verwerkt uw naam en e-mailadres voor het inloggen","aws":"Amazon Web Services (S3): bestandsopslag, slaat door u geüploade bewijsdocumenten op","resend":"Resend: transactionele e-mail, levert notificatie- en uitnodigings-e-mails","xai":"xAI: AI-ondersteund invullen van formulieren, verwerkt bedrijfsinformatie voor concept-formulieren"},"analytics":{"heading":"Analytics","p1":"We use Umami for website analytics. Umami is self-hosted on our own infrastructure. It does not collect personal data, does not use cookies, and does not track individual users. All data is aggregated and anonymous. No consent is required for this type of analytics."},"cookies":{"heading":"Cookies","p1":"This website only uses technically necessary cookies:","session":"Session cookie (NextAuth): required for authentication - expires when you sign out or after the session timeout","locale":"Locale cookie (next-intl): stores your language preference (EN/DE)","p2":"We do not use tracking cookies, advertising cookies, or any third-party cookies. No cookie consent banner is needed because only technically necessary cookies are set."},"rights":{"heading":"Your Rights (Art. 15-21 GDPR)","p1":"You have the following rights regarding your personal data:","access":"Right of access (Art. 15): request information about what data we store","rectification":"Right to rectification (Art. 16): correct inaccurate data","erasure":"Right to erasure (Art. 17): request deletion of your data","restriction":"Right to restriction (Art. 18): restrict processing of your data","portability":"Right to data portability (Art. 20): receive your data in a machine-readable format","objection":"Right to object (Art. 21): object to processing based on legitimate interest","p2":"To exercise any of these rights, contact us at contact@nisd2.eu."},"authority":{"heading":"Right to Lodge a Complaint","p1":"You have the right to lodge a complaint with a supervisory authority. The competent authority for Köln is:","name":"Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)","url":"https://www.ldi.nrw.de"},"encryption":{"heading":"SSL/TLS Encryption","p1":"This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the \"https://\" prefix and the lock icon in your browser's address bar."},"retention":{"heading":"Data Retention","p1":"Your data is stored as long as your account is active and necessary for the purposes described above. Compliance data (form submissions, evidence, audit trail) is retained for the legally required period. When you delete your account, personal data is removed. Anonymized audit trail entries may be retained."},"changes":{"heading":"Changes to This Policy","p1":"We may update this privacy policy from time to time. The current version is always available on this page. Last updated: February 2025."}},"avv":{"meta":{"title":"Data Processing Agreement (DPA / AVV) - Art. 28 GDPR","description":"Data processing agreement under Art. 28 GDPR for customers of the NISD2.eu platform. Signed individually on request."},"title":"Data Processing Agreement (AVV / DPA)","subtitle":"Agreement under Art. 28 GDPR for customers of the NISD2.eu platform.","intro":{"heading":"What this is","p1":"When you use the NISD2.eu platform, we process personal data on your behalf (e.g. names of your employees in compliance forms, evidence you upload). Art. 28 GDPR requires a written data processing agreement (DPA, in German AVV) between you as controller and us as processor.","p2":"On request, we provide a DPA and sign it individually for your organisation - typically within one business day."},"scope":{"heading":"Contents of the DPA","p1":"The DPA we provide meets Art. 28 GDPR requirements and includes:","items":{"subject":"Subject and duration of processing","purpose":"Nature and purpose of processing, types of data, categories of data subjects","instructions":"Processor acts only on documented instructions","confidentiality":"Confidentiality obligations of personnel","toms":"Technical and organisational measures (Art. 32 GDPR) - see TOMs document","subprocessors":"List of sub-processors and approval procedure","rights":"Assistance with data subject rights (Art. 15-22 GDPR)","audit":"Audit rights of the controller","deletion":"Deletion or return of data on termination","liability":"Liability and cooperation obligations"}},"request":{"heading":"Request a DPA","p1":"Send an email to contact@nisd2.eu with the following information:","items":{"company":"Full company name and registered address","register":"Commercial register number (if applicable)","represented":"Authorised representative","contact":"Data protection contact person"},"p2":"We typically return the signed DPA within one business day by email. A signed paper copy by post is available on request.","emailLabel":"Request DPA by email","emailHref":"mailto:contact@nisd2.eu?subject=DPA%20request%20NISD2.eu"},"subprocessors":{"heading":"Sub-processors","p1":"The following sub-processors are used to operate the platform:","items":{"hetzner":"Hetzner Online GmbH (Falkenstein/Nuremberg, Germany) - hosting of application servers and database","aws":"Amazon Web Services EMEA SARL - storage of uploaded evidence documents (S3, EU region)","google":"Google Ireland Limited - OAuth authentication","resend":"Resend, Inc. (USA) - delivery of transactional emails","xai":"xAI Corp. (USA) - AI-assisted form prefill (optional, can be disabled)"},"p2":"Changes to the sub-processor list will be announced in advance. You have the right to object to changes."},"toms":{"heading":"Technical and organisational measures","p1":"The technical and organisational measures relevant to this DPA under Art. 32 GDPR are described in our TOMs document.","linkLabel":"View TOMs document","linkHref":"/toms"}},"toms":{"meta":{"title":"Technical and Organisational Measures (TOMs) - Art. 32 GDPR","description":"Technical and organisational measures of the NISD2.eu platform under Art. 32 GDPR. Hetzner Germany hosting, TLS, audit trail with SHA-256 chaining, multi-tenant isolation, RBAC."},"title":"Technical and Organisational Measures (TOMs)","subtitle":"Measures under Art. 32 GDPR ensuring the security of personal data processing on the NISD2.eu platform.","lastUpdated":"Last updated: April 2026.","intro":{"heading":"Overview","p1":"This document describes the technical and organisational measures actually implemented by Kardashev Catalyst UG (haftungsbeschränkt) as operator of the NISD2.eu platform. It is an honest inventory, not a wish list - we list only what is already in place.","p2":"The measures are aligned with IT-Grundschutz (BSI) and will be extended as the platform grows."},"hosting":{"heading":"Hosting in the EU","p1":"Production processing of personal data takes place exclusively within the EU:","items":{"appServers":"Application servers and PostgreSQL database: Hetzner Online GmbH, data centre Falkenstein/Nuremberg, Germany","fileStorage":"Storage of uploaded evidence documents: AWS S3, EU region","noUSTransfer":"No production data processing outside the EU. US sub-services (Resend for transactional email, xAI for optional AI prefill) only process the data necessary for their function."}},"pseudonymization":{"heading":"Encryption (Art. 32(1)(a) GDPR)","items":{"transit":"Transport encryption: TLS for all connections to the platform (HTTPS)","rest":"Encryption at rest: AWS S3 server-side encryption (AES256, set explicitly on every upload via PutObject); PostgreSQL data on Hetzner infrastructure","secrets":"Credentials and API keys are managed via server environment variables, not stored in source or databases"}},"confidentiality":{"heading":"Confidentiality (Art. 32(1)(b) GDPR)","p1":"Measures ensuring confidentiality:","items":{"physical":"Physical access control: data centres of the hosting providers (Hetzner, AWS) hold ISO 27001 certifications","auth":"Authentication: exclusively via Google OAuth 2.0; no passwords stored on the platform. MFA for users is provided through their Google account","rbac":"Role-based permissions: admin, reviewer, member; enforced in the application layer via tRPC middleware","separation":"Multi-tenant isolation: every data-bearing query filters at the database layer on the company ID of the authenticated user; no shared data pools between customers","secrets":"No plaintext passwords on the platform - authentication is exclusively OAuth-based"}},"integrity":{"heading":"Integrity (Art. 32(1)(b) GDPR)","items":{"input":"Input control: audit trail of all mutations capturing user ID, action, entity type, timestamp, IP address, user agent, and before/after values","checksum":"Audit trail tamper detection: every audit row carries a SHA-256 checksum over its contents so changes to a row are detectable","transfer":"Transfer control: data transmission only via TLS; all authenticated endpoints require a valid session","evidenceHash":"Evidence documents: storage location and metadata are written on upload; an optional client-supplied SHA-256 hash can be stored alongside the file","signoff":"Sign-off mechanism: at the moment of approval, the requirement state is snapshotted into a sign-off history table whose entries form a SHA-256 chain (each entry's checksum covers the previous one) - tampering with the history is detectable end-to-end"}},"availability":{"heading":"Availability (Art. 32(1)(b) GDPR)","items":{"backup":"Database backups according to the Hetzner Cloud service defaults; details on the current backup configuration are available on request","redundancy":"Storage of evidence documents in AWS S3 with the object durability guarantees provided by AWS","rateLimit":"Rate limiting on login attempts, public endpoints (applicability check, supplier portal), and resource-heavy authenticated endpoints (PDF exports, certificate generation)","uploadLimit":"Uploaded files are limited to 50 MB per file"}},"evaluation":{"heading":"Procedure for regular review (Art. 32(1)(d) GDPR)","items":{"review":"These TOMs are reviewed when triggered by an event and at least once per year","patch":"Updates of dependencies and security-relevant libraries: Dependabot is enabled to surface security patches and version updates as pull requests on a weekly cadence","incident":"Reporting obligations: personal data breaches will be reported to the competent supervisory authority within 72 hours per Art. 33 GDPR","code":"Development practice: code changes go through pull requests; TypeScript strict-mode type checks are enforced; targeted automated tests cover security-critical logic (e.g. applicability classification)"}},"subprocessors":{"heading":"Sub-processors","p1":"All sub-processors are bound by Art. 28 GDPR contracts. The full list is in the DPA document.","linkLabel":"See full sub-processor list (DPA)","linkHref":"/avv"},"contact":{"heading":"Data protection contact","p1":"Questions about these TOMs or our data processing should be sent to:","email":"contact@nisd2.eu"}},"terms":{"meta":{"title":"Terms of Service - NISD2.eu","description":"Terms of service for the NISD2.eu NIS2 compliance platform. Information on usage scope, liability, and data protection."},"title":"Terms of Service","subtitle":"Please read these terms carefully before using the NISD2.eu platform.","lastUpdated":"Last updated: February 2026.","scope":{"heading":"1. Scope of Service","p1":"NISD2.eu (\"Platform\") is a compliance management tool operated by Simon Orzel (\"Provider\"). The Platform provides structured workflows, forms, document management, and tracking features to support organizations in managing their NIS2/BSIG compliance obligations.","p2":"The Platform is exclusively a support tool for areas that are within the customer's sole responsibility. The Provider does not assume any responsibility for a specific compliance result or success."},"noLegalAdvice":{"heading":"2. No Legal Advice","p1":"The Platform does not constitute legal advice, legal counsel, or any form of professional legal service. Content provided on the Platform - including requirement descriptions, guidance text, form fields, and informational pages - is for general informational purposes only.","p2":"The Platform is not a substitute for qualified legal, regulatory, or professional advice. Users should consult with qualified professionals for advice specific to their situation.","p3":"No attorney-client relationship or professional advisory relationship is created between the Provider and users of the Platform."},"customerResponsibility":{"heading":"3. Customer Responsibility","p1":"The customer is solely responsible for:","items":{"accuracy":"The accuracy, completeness, and truthfulness of all data entered into the Platform","applicability":"Determining whether specific requirements, measures, or obligations apply to their organization","compliance":"Achieving and maintaining compliance with NIS2, BSIG, and all other applicable laws and regulations","decisions":"All compliance decisions made based on or in connection with the use of the Platform","review":"Having qualified professionals review their compliance documentation where appropriate"},"p2":"The Platform validates the completeness of form submissions, not the correctness or legal sufficiency of the content provided by the customer."},"noGuarantee":{"heading":"4. No Guarantee of Compliance Outcomes","p1":"The Provider does not guarantee or warrant that:","items":{"audit":"Use of the Platform will result in passing any audit, inspection, or regulatory review","compliant":"Information or workflows provided through the Platform are complete, accurate, or suitable for any specific organization's compliance needs","penalty":"Use of the Platform will prevent fines, penalties, or enforcement actions by regulatory authorities","requirements":"The Platform covers all requirements that may apply to a specific organization"},"p2":"The Provider does not assume any guarantees, not even with regard to certain characteristics or properties of the service. Results provided by the Platform rely on customer inputs, assumptions, and individual circumstances."},"liability":{"heading":"5. Limitation of Liability","p1":"The Provider's liability is limited to cases of willful intent and gross negligence. For minor negligence involving essential contractual obligations, liability is limited to foreseeable, contract-typical damages up to the total fees paid by the customer in the twelve (12) months preceding the event giving rise to the claim.","p2":"The Provider is not liable for indirect damages, consequential damages, loss of profit, loss of data, loss of savings, regulatory fines imposed on the customer, or business interruption, to the extent permitted by applicable law.","p3":"The limitations above do not apply to liability for personal injury or liability under the German Product Liability Act (Produkthaftungsgesetz)."},"indemnification":{"heading":"6. Indemnification","p1":"The customer agrees to indemnify and hold the Provider harmless from any third-party claims, damages, losses, or expenses arising from:","items":{"misuse":"The customer's use of the Platform in violation of these terms","data":"Inaccurate, incomplete, or misleading data provided by the customer","claims":"Claims related to the customer's compliance status or regulatory obligations"}},"ip":{"heading":"7. Intellectual Property and Data","p1":"All Platform content, including software, requirement structures, form designs, guidance text, and workflows, is the intellectual property of the Provider.","p2":"All data entered by the customer into the Platform remains the property of the customer. The Provider processes customer data solely for the purpose of providing the service, in accordance with the Privacy Policy."},"availability":{"heading":"8. Service Availability","p1":"The Provider endeavors to maintain Platform availability but does not guarantee uninterrupted or error-free operation. Scheduled maintenance and unforeseen outages may occur. The Provider is not liable for any damages resulting from service interruptions."},"changes":{"heading":"9. Changes to These Terms","p1":"The Provider may update these terms from time to time. Material changes will be communicated to registered users. Continued use of the Platform after changes take effect constitutes acceptance of the updated terms."},"governing":{"heading":"10. Governing Law and Jurisdiction","p1":"These terms are governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction for all disputes arising from or in connection with these terms is Cologne (Köln), Germany, to the extent permitted by law."},"severability":{"heading":"11. Severability","p1":"If any provision of these terms is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced by a valid provision that most closely reflects the economic intent of the original."},"contact":{"heading":"12. Contact","p1":"For questions about these terms, please contact:","name":"Simon Orzel","address":"Trierer Str. 6, 50676 Cologne, Germany","emailLabel":"Email","email":"contact@nisd2.eu"}},"whatIsNis2":{"meta":{"title":"What is NIS2? - EU Directive 2022/2555 Explained","description":"Complete overview of the EU NIS2 Directive: timeline, affected sectors, size thresholds, and key obligations for essential and important entities."},"title":"What is NIS2?","subtitle":"EU Directive 2022/2555 on cybersecurity - the most significant overhaul of EU-wide cybersecurity regulation since 2016.","overview":{"heading":"Overview","p1":"The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across all Member States. It replaces the original NIS Directive from 2016.","p2":"NIS2 dramatically expands the scope of EU cybersecurity regulation - from approximately 10,000 entities under NIS1 to an estimated 160,000 across Europe. In Germany alone, roughly 29,500 companies are affected.","p3":"The directive mandates harmonized risk management measures, incident reporting obligations, and supply chain security requirements. It introduces personal liability for management and significantly higher penalties for non-compliance."},"timeline":{"heading":"Key Dates","items":{"published":{"date":"27 December 2022","event":"NIS2 Directive published in the EU Official Journal"},"inForce":{"date":"16 January 2023","event":"NIS2 enters into force at EU level"},"transposition":{"date":"17 October 2024","event":"Deadline for Member States to transpose into national law"},"registries":{"date":"17 April 2025","event":"Deadline for Member States to establish entity registries"},"review":{"date":"17 October 2027","event":"European Commission reviews the directive's functioning"}},"seeFullTimeline":"See full NIS2 timeline"},"nis1VsNis2":{"heading":"NIS1 vs NIS2","headers":{"aspect":"Aspect","nis1":"NIS1 (2016)","nis2":"NIS2 (2022)"},"rows":{"scope":{"aspect":"Scope","nis1":"~10,000 entities in the EU","nis2":"~160,000 entities in the EU"},"sectors":{"aspect":"Sectors","nis1":"7 sectors","nis2":"18 sectors (11 highly critical + 7 other critical)"},"classification":{"aspect":"Entity classification","nis1":"Operators of essential services (OES) + digital service providers","nis2":"Essential entities + Important entities (size-based)"},"penalties":{"aspect":"Penalties","nis1":"Set by Member States, varied widely","nis2":"Harmonized: up to EUR 10M or 2% of global turnover"},"management":{"aspect":"Management liability","nis1":"Not addressed","nis2":"Personal liability for management bodies"},"reporting":{"aspect":"Incident reporting","nis1":"Without undue delay","nis2":"Strict 24h / 72h / 1 month cascade"},"supplyChain":{"aspect":"Supply chain","nis1":"Not addressed","nis2":"Mandatory supply chain security assessment"},"supervision":{"aspect":"Supervision","nis1":"Left to Member States","nis2":"Proactive (essential) + reactive (important)"}}},"sectors":{"heading":"18 Affected Sectors","annexI":{"heading":"Annex I - Sectors of High Criticality","description":"Large entities in these sectors are classified as essential (essential entities). Medium entities are classified as important.","items":{"energy":"Energy (electricity, district heating/cooling, oil, gas, hydrogen)","transport":"Transport (air, rail, water, road)","banking":"Banking","financial":"Financial market infrastructures","health":"Health (hospitals, pharma, medical devices, reference labs)","water":"Drinking water","wastewater":"Wastewater","digital":"Digital infrastructure (DNS, TLD, cloud, data centres, CDN, telecom)","ict":"ICT service management - B2B (MSP, MSSP)","publicAdmin":"Public administration","space":"Space"}},"annexII":{"heading":"Annex II - Other Critical Sectors","description":"Entities in these sectors are classified as important, regardless of whether they are medium or large.","items":{"postal":"Postal and courier services","waste":"Waste management","chemicals":"Chemicals (manufacturing, production, distribution)","food":"Food (wholesale, industrial production, processing)","manufacturing":"Manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, other transport)","digitalProviders":"Digital providers (online marketplaces, search engines, social networks)","research":"Research organizations"}}},"sizeThresholds":{"heading":"Size Thresholds","description":"NIS2 uses the EU SME definition. Classification is determined by employee count OR financial metrics (both turnover AND balance sheet must be exceeded for the financial test).","headers":{"size":"Size","employees":"Employees","financial":"Financial Threshold","scope":"NIS2 Scope"},"rows":{"large":{"size":"Large","employees":"≥ 250","financial":"> EUR 50M turnover AND > EUR 43M balance sheet","scope":"In scope"},"medium":{"size":"Medium","employees":"≥ 50 (and < 250)","financial":"> EUR 10M turnover AND > EUR 10M balance sheet","scope":"In scope"},"small":{"size":"Small","employees":"< 50","financial":"≤ EUR 10M turnover AND ≤ EUR 10M balance sheet","scope":"Generally out of scope"}},"note":"Certain entity types are in scope regardless of size - including DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services."},"obligations":{"heading":"Key Obligations at a Glance","items":{"risk":"Implement 10 mandatory cybersecurity risk management measures","reporting":"Report significant incidents within 24h / 72h / 1 month","management":"Management must approve, oversee, and be trained on cybersecurity","supplyChain":"Assess and manage cybersecurity risks in the supply chain","registration":"Register with the national competent authority","audit":"Maintain evidence of compliance (audits for KRITIS operators every 3 years)"}}},"nis2InGermany":{"meta":{"title":"NIS2 in Germany 2026: Deadlines, Fines & BSIG Guide","description":"NIS2 in Germany explained: NIS2UmsuCG status, BSI registration deadline, essential vs important entities, fines up to €10M, management liability, supervision."},"title":"NIS2 in Germany","subtitle":"Germany transposed the NIS2 Directive into national law through the NIS2UmsuCG, overhauling the Federal Cybersecurity Act (BSIG). All obligations apply since 6 December 2025.","timeline":{"heading":"German Timeline","items":{"euPublished":{"date":"27 Dec 2022","event":"NIS2 Directive published in the EU Official Journal"},"euForce":{"date":"16 Jan 2023","event":"NIS2 enters into force at EU level"},"euDeadline":{"date":"17 Oct 2024","event":"EU transposition deadline (Germany missed it)"},"bundestag":{"date":"13 Nov 2025","event":"Bundestag passes NIS2UmsuCG"},"bundesrat":{"date":"21 Nov 2025","event":"Bundesrat approves"},"published":{"date":"5 Dec 2025","event":"Published in Bundesgesetzblatt"},"inForce":{"date":"6 Dec 2025","event":"New BSIG enters into force - all obligations apply immediately"},"portal":{"date":"6 Jan 2026","event":"BSI registration portal goes live"},"registration":{"date":"6 Mar 2026","event":"Deadline for BSI registration"},"kritisAudit":{"date":"~2028","event":"KRITIS operators: first evidence of compliance due"}},"noTransition":"There is no transition period. Risk management measures, incident reporting, and management liability applied from the day the law entered into force.","seeFullTimeline":"See full NIS2 timeline"},"categories":{"heading":"Entity Categories","description":"Germany uses different terminology than the EU directive. Approximately 29,500 companies in Germany are affected.","headers":{"euTerm":"EU Term","germanTerm":"German Term","abbreviation":"Abbreviation"},"rows":{"essential":{"eu":"Essential entity","de":"Besonders wichtige Einrichtung","abbr":"bwE"},"important":{"eu":"Important entity","de":"Wichtige Einrichtung","abbr":"wE"},"kritis":{"eu":"Critical infrastructure operator","de":"Betreiber kritischer Anlagen","abbr":"KRITIS"}},"hierarchy":"The hierarchy: KRITIS ⊂ essential entities ⊂ all NIS2 entities. KRITIS operators are automatically classified as essential entities."},"penalties":{"heading":"Penalties","byCategory":{"heading":"By Entity Category","headers":{"category":"Category","maxFine":"Maximum Fine","turnover":"Turnover-Based Alternative"},"rows":{"bwe":{"category":"Essential entities","fine":"EUR 10,000,000","turnover":"2% of worldwide annual group turnover"},"we":{"category":"Important entities","fine":"EUR 7,000,000","turnover":"1.4% of worldwide annual group turnover"}}},"byViolation":{"heading":"By Violation Type","headers":{"violation":"Violation","maxFine":"Maximum Fine"},"rows":{"measures":{"violation":"Failure to implement cybersecurity measures (§30)","fine":"EUR 10M / EUR 7M"},"incidents":{"violation":"Failure to report incidents (§31)","fine":"EUR 10M / EUR 7M"},"bsiDirectives":{"violation":"Non-compliance with BSI directives","fine":"EUR 10M / EUR 7M"},"kritisComponents":{"violation":"KRITIS: failure in critical component reporting","fine":"EUR 5,000,000"},"kritisAudit":{"violation":"KRITIS: failure in audit evidence procedures","fine":"EUR 2,000,000"},"registration":{"violation":"Registration violations, failure to notify BSI","fine":"EUR 500,000"},"obstruction":{"violation":"Obstruction of BSI inspections","fine":"EUR 500,000"},"contact":{"violation":"Contact accessibility failures","fine":"EUR 100,000"}}}},"managementLiability":{"heading":"Management Liability (Section 38 BSIG)","description":"One of the most impactful provisions of the German implementation. Management bodies are personally liable for cybersecurity compliance.","duties":{"heading":"Three Core Duties","approval":{"title":"Approval (Billigung)","description":"Management must formally approve cybersecurity risk management measures per Section 30 BSIG."},"oversight":{"title":"Oversight (Überwachung)","description":"Active monitoring of implementation - not passive awareness. Management must verify that measures are actually being implemented."},"training":{"title":"Training (Schulung)","description":"Mandatory personal participation in cybersecurity training at minimum every 3 years. This duty cannot be delegated."}},"liability":"Executives are personally liable to their own company when they culpably violate these duties. Delegation of operational tasks is permitted, but strategic responsibility and oversight remain with management. Management cannot claim lack of technical knowledge as defense.","waiver":"Section 38 BSIG explicitly prohibits contractual liability waivers by shareholders that are disproportionate to existing uncertainty regarding rights."},"registration":{"heading":"BSI Registration","description":"All entities classified as essential or important entities must register with the BSI.","deadline":"Deadline: 6 March 2026 (3 months after the BSIG entered into force).","process":"Registration uses a two-step process: first create an account via Mein Unternehmenskonto (MUK/ELSTER), then register via the BSI portal (live since 6 January 2026).","selfId":"Registration is a self-identification obligation - no notification from BSI. Companies must determine themselves whether they are in scope. The BSI can also order a company to register if it determines the company falls within scope."},"supervision":{"heading":"Supervision Model","headers":{"aspect":"Aspect","bwe":"Essential","we":"Important"},"rows":{"approach":{"aspect":"Supervision","bwe":"Proactive (ex-ante) - BSI can audit at any time","we":"Reactive (ex-post) - only on evidence of non-compliance"},"fines":{"aspect":"Maximum fine","bwe":"EUR 10M or 2% global turnover","we":"EUR 7M or 1.4% global turnover"},"audit":{"aspect":"Audit requirements","bwe":"Risk-based spot checks by BSI","we":"Only on justified suspicion"},"kritisAudit":{"aspect":"KRITIS audit cycle","bwe":"Every 3 years (if KRITIS operator)","we":"N/A"}}}},"features":{"meta":{"title":"NIS2 Compliance Software: Free Platform: Features","description":"Free NIS2 compliance software with all 49 BSIG requirements, deadline tracking, audit trail, management liability protection. EU-wide, no lock-in."},"title":"Platform Features","subtitle":"Step-by-step through every NIS2 requirement. No compliance background needed, just start and we guide you to the finish line.","badges":{"tenMeasures":"10 Measures","traceable":"Traceable","requirements":"Requirements","measures":"§ 30 Measures","assistedPrefill":"Assisted Prefill","tenPhases":"10 Phases","granular":"Granular","exportAnytime":"Export Anytime","dataStaysForever":"Data Stays Forever","date":"Date","event":"Event"},"guided":{"heading":"Guided Step-by-Step Process","p1":"You don't need to understand NIS2 to get compliant. The platform walks you through every requirement one by one, with clear instructions and structured forms.","p2":"This is not a generic GRC tool. Every requirement maps directly to the BSIG, broken into the 10 mandatory measures of Section 30 and the entity categories of Sections 28-29.","p3":"Just answer the questions, upload your evidence, and move on. When you're done, you have a complete, audit-ready compliance record."},"liability":{"heading":"Management Liability Protection","p1":"Section 38 BSIG makes management personally liable for cybersecurity compliance. Three duties apply: approval, oversight, and training. These cannot be delegated away.","p2":"NISD2.eu structures compliance so that management can demonstrate they fulfilled all three duties. Every approval is logged with timestamp and user identity, creating the evidence trail that Section 38 demands.","p3":"If the BSI audits your company, you need proof that management approved measures, oversaw implementation, and completed training. This platform generates that proof as a byproduct of normal use."},"requirements":{"heading":"49 Structured BSIG Requirements","p1":"The 10 mandatory measures of Section 30 BSIG are broken down into 49 concrete, actionable requirements - each with its own structured form.","p2":"Every requirement is a form. Every form field maps to a specific compliance obligation. Fill in the form, and you have documented your compliance. No ambiguity, no guesswork.","p3":"Forms support text, selections, multi-select, dates, and file uploads for evidence. AI-assisted prefill helps you draft responses based on your company profile, then you refine and approve."},"deadlines":{"heading":"Deadline Tracking & Escalation","p1":"NIS2 compliance is not a one-time project. BSI registration, incident reporting cascades (24h / 72h / 1 month), KRITIS audit cycles, and training renewals all have hard deadlines with real penalties.","p2":"The platform tracks every deadline across your compliance lifecycle. Notifications escalate through 10 phases - from early reminders to critical alerts - so nothing falls through the cracks.","p3":"Granular permissions control who gets notified for what. Assign responsibility per requirement, per module, per team member. The right person gets the right alert at the right time."},"modules":{"heading":"12 Operational Security Modules","p1":"Beyond the core compliance forms, NISD2.eu includes 12 operational modules that mirror the ongoing security operations the BSIG requires:","items":{"assets":"Asset Management - inventory of all critical systems and infrastructure","risks":"Risk Register - structured risk assessments with likelihood and impact scoring","incidents":"Incident Management - detection, response, and BSI reporting workflows","suppliers":"Supplier Management - supply chain security assessments and monitoring","policies":"Policy Management - document lifecycle for security policies","training":"Training Records - track mandatory cybersecurity training per employee","access":"Access Control - role-based access management and reviews","crypto":"Cryptography Register - encryption usage and key management records","continuity":"Business Continuity - disaster recovery plans and test documentation","vulnerability":"Vulnerability Management - tracking and remediation workflows","network":"Network Security - architecture documentation and segmentation records","monitoring":"Security Monitoring - log management and detection system records","communication":"Secured Communications - MFA deployment and secure channel documentation"},"p2":"Each module is purpose-built for NIS2 - not adapted from a generic GRC template. Data flows between modules: an asset referenced in a risk assessment links to the same asset in your incident report."},"auditTrail":{"heading":"Permanent Audit Trail & Long-Term Data","p1":"Every action in the platform is logged: who changed what, when, and what the previous value was. Every entry is checksummed (SHA-256) for tamper evidence.","p2":"All compliance data lives in structured forms that can be exported at any time - for BSI audits, internal reviews, or legal proceedings. The complete history of your compliance posture is always available.","p3":"Compliance only grows. New requirements get added, regulations evolve, your company changes. NISD2.eu is built on a first-principles data architecture: your compliance data stays here permanently. You never re-enter data. When regulations update, your existing documentation carries forward - you only fill in what changed.","p4":"This is not a spreadsheet you lose or a consultant's report that sits on a shelf. It is a living, versioned, auditable record of everything your company has done for NIS2 compliance - from day one, forever."}},"nis2Requirements":{"meta":{"title":"NIS2 Requirements - 10 Mandatory Measures & Audits","description":"NIS2 requirements explained: 10 mandatory risk management measures, incident reporting cascade, audit obligations, and supply chain security."},"title":"NIS2 Requirements","subtitle":"What affected entities must implement: 10 mandatory cybersecurity measures, a strict incident reporting cascade, and evidence-based compliance.","measures":{"heading":"10 Mandatory Risk Management Measures (Section 30 BSIG / Article 21)","description":"All essential and important entities must implement these measures. There is no transition period - these obligations apply since 6 December 2025 in Germany.","items":{"m1":{"title":"Risk analysis and information security policies","description":"Establish and maintain policies for risk analysis and information systems security. Conduct regular risk assessments covering all critical systems and processes."},"m2":{"title":"Incident handling","description":"Implement procedures for preventing, detecting, identifying, containing, mitigating, and responding to security incidents."},"m3":{"title":"Business continuity and crisis management","description":"Backup management, disaster recovery planning, and crisis management procedures to ensure operational resilience."},"m4":{"title":"Supply chain security","description":"Security measures for relationships with direct suppliers and service providers. Includes assessment of all suppliers' cybersecurity practices and contractual security requirements."},"m5":{"title":"Security in acquisition, development, and maintenance","description":"Security in network and information system acquisition, development, and maintenance. Includes vulnerability handling and disclosure procedures."},"m6":{"title":"Effectiveness assessment","description":"Policies and procedures for assessing the effectiveness of cybersecurity risk management measures. Regular testing and evaluation of security controls."},"m7":{"title":"Cybersecurity training and cyber hygiene","description":"Basic cybersecurity training practices for all employees. Awareness programs covering phishing, social engineering, password management, and safe computing practices."},"m8":{"title":"Cryptography and encryption","description":"Policies and procedures on the use of cryptography and, where appropriate, encryption. Covers data at rest, data in transit, and key management."},"m9":{"title":"Personnel security, access control, and asset management","description":"Human resources security policies, access control mechanisms, and asset management procedures. Includes onboarding/offboarding, least-privilege access, and asset inventories."},"m10":{"title":"Multi-factor authentication and secured communications","description":"Use of MFA or continuous authentication solutions. Secured voice, video, and text communications. Secured emergency communication systems within the entity."}}},"incidentReporting":{"heading":"Incident Reporting Cascade","description":"All essential and important entities must report significant security incidents to the BSI using a three-stage cascade.","stages":{"s1":{"deadline":"24 hours","title":"Early warning (Frühwarnung)","description":"Report whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact."},"s2":{"deadline":"72 hours","title":"Updated notification (Aktualisierte Meldung)","description":"Severity assessment, impact assessment, indicators of compromise, and initial root cause analysis if available."},"s3":{"deadline":"1 month","title":"Final report (Abschlussmeldung)","description":"Detailed description of the incident, confirmed root cause, mitigation measures taken, preventive steps implemented, and cross-border impact assessment."}},"significant":{"heading":"What counts as a \"significant\" incident?","p1":"A security incident qualifies as significant when it has caused or is capable of causing severe operational disruption or financial losses for the entity.","p2":"It also qualifies when it has affected or is capable of affecting other natural or legal persons by causing considerable material or immaterial damage."}},"auditRequirements":{"heading":"Audit and Evidence Requirements","kritis":{"heading":"KRITIS Operators","description":"Must demonstrate compliance through audits, inspections, or certifications every 3 years. Must include attack detection systems in their measures. Initial evidence deadline set by BSI at registration (~2028)."},"bwe":{"heading":"Essential entities (non-KRITIS)","description":"No regular mandatory audit cycle, but must maintain comprehensive documentation. BSI may conduct proactive spot checks and order evidence at any time using risk-based selection."},"we":{"heading":"Important entities","description":"Must document implementation of all required measures. BSI inspections are reactive only - triggered by incidents or justified suspicion of non-compliance."},"evidence":{"heading":"Acceptable Evidence","items":{"audits":"Internal or external audit reports","certifications":"Certifications (ISO 27001, BSI IT-Grundschutz, etc.)","documentation":"Comprehensive documentation of risk assessments, implemented measures, and effectiveness reviews"},"note":"ISO 27001 or IT-Grundschutz certification supports but does not guarantee NIS2 compliance - the BSIG requirements may go beyond standard certification scope."}},"supplyChain":{"heading":"Supply Chain Security","description":"NIS2 introduces mandatory supply chain security obligations. Entities must:","items":{"assess":"Assess the cybersecurity practices of all direct suppliers and service providers","contractual":"Include cybersecurity requirements in supplier contracts","monitor":"Monitor and review supplier security posture on an ongoing basis","coordinate":"Coordinate vulnerability disclosure with suppliers","risk":"Consider the overall quality of products and practices of suppliers, including their secure development procedures"}}},"ceoLiability":{"meta":{"title":"NIS2 Management Liability - §38 BSIG Personal Responsibility","description":"Under §38 BSIG, CEOs and managing directors are personally liable for NIS2 cybersecurity failures. Learn what the three core duties are, what fines apply, and how to protect yourself from personal liability."},"title":"NIS2 Management Liability","subtitle":"§38 BSIG makes CEOs and managing directors personally liable for cybersecurity failures - a first in German law.","overview":{"p1":"§38 BSIG introduces something unprecedented in German cybersecurity regulation: personal liability for management. The Geschäftsführung of every company subject to NIS2 - whether GmbH, AG, or KG - is now personally responsible for ensuring cybersecurity measures are implemented, overseen, and maintained. This is not delegable to the IT department.","p2":"This is entirely new. Under the original NIS1 framework (the previous IT-Sicherheitsgesetz), liability rested with the company as a legal entity. §38 BSIG changes the game: individual managing directors can now be held liable with their personal assets if they fail to fulfill their cybersecurity duties. The law explicitly references Geschäftsleiter - the people who sign on behalf of the company.","p3":"The law defines three core duties for management: approval (Billigung) of cybersecurity measures, oversight (Überwachung) of their implementation, and personal training (Schulung) in cybersecurity. Failing any one of these creates personal liability exposure - even if the company itself has implemented reasonable measures."},"duties":{"heading":"Three Core Duties","description":"§38(1) BSIG defines three obligations that management must fulfill personally. These cannot be delegated to employees, consultants, or external service providers.","items":{"approval":{"title":"Approval (Billigung)","description":"Management must formally approve the cybersecurity risk management measures required under §30 BSIG. This means reviewing and signing off on the company's information security policies, risk assessments, and treatment plans. A verbal 'go ahead' is not sufficient - you need documented, traceable approval with timestamps and signatures."},"oversight":{"title":"Oversight (Überwachung)","description":"Management must actively oversee the implementation of approved measures. This means regular status reviews, progress tracking, and escalation handling. You must be able to demonstrate that you monitored whether measures were actually implemented - not just that you approved them and walked away. Quarterly management reviews are the minimum defensible frequency."},"training":{"title":"Training (Schulung)","description":"Management must personally complete cybersecurity training to develop sufficient knowledge to evaluate risks and measures. This is not the general employee awareness training from §30(2)(9) - it is a separate obligation specifically for Geschäftsleiter. The training must be adequate to understand the company's risk profile, the measures in place, and the residual risks accepted."}}},"consequences":{"heading":"What Happens When You Fail","description":"The BSIG establishes a tiered enforcement regime. The BSI can issue orders, impose fines, and in severe cases, prohibit management from exercising their duties. Here are the specific consequences for common violations.","items":{"noMeasures":{"violation":"No cybersecurity measures implemented","consequence":"Fines up to €10 million or 2% of global annual turnover (whichever is higher) under §65 BSIG for essential entities. For wichtige Einrichtungen: up to €7 million or 1.4% of turnover. Management faces personal liability claims from the company for damages resulting from the violation."},"noReporting":{"violation":"Incident not reported to BSI","consequence":"§32 BSIG requires initial notification within 24 hours, follow-up within 72 hours, and final report within one month. Missing these deadlines triggers enforcement action. If management was aware of an incident and failed to ensure reporting, personal liability applies under §38 for oversight failure."},"noTraining":{"violation":"Management hasn't completed training","consequence":"Direct violation of §38(1) BSIG. This is the easiest violation for the BSI to prove - either you have training records or you don't. It also undermines your defense on all other points: how can you claim adequate oversight if you lack the training to evaluate what you're overseeing?"},"noOversight":{"violation":"No active oversight of implementation","consequence":"If measures were approved but management cannot demonstrate ongoing oversight (review meetings, status reports, escalation records), the approval alone is insufficient. The law requires all three duties. Approving without overseeing is like signing a contract without reading it - you're still on the hook."}}},"misconceptions":{"heading":"Common Misconceptions","description":"In conversations with German Mittelstand companies, we encounter the same misunderstandings repeatedly. All of them create false security.","items":{"delegate":{"myth":"I can delegate this to the IT department","reality":"You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter - not IT managers, not CISOs, not external consultants. You must personally approve, oversee, and be trained. Your IT team implements; you approve and monitor. The distinction matters in court."},"insurance":{"myth":"D&O insurance covers NIS2 liability","reality":"Most D&O policies exclude regulatory fines and penalties. Even where civil liability claims are covered, insurers can deny claims if management knowingly failed to comply with statutory duties. Check your policy's exclusion clauses - 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies."},"ignorance":{"myth":"I'm not technical - I can't be held responsible","reality":"§38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense - it's proof of a training violation."},"waiver":{"myth":"Shareholders can waive my liability","reality":"§38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. The Gesellschafterversammlung cannot release you from NIS2 liability."},"smallCompany":{"myth":"We're too small for anyone to care","reality":"The NIS2 scope threshold starts at 50 employees and €10 million turnover. If you meet these thresholds in a covered sector, you are subject to the full regime - including §38 management liability. The BSI has already begun requesting registration from companies in this size range. Size is not a defense; it's a scoping criterion, and you're in scope."}}},"personalRisk":{"heading":"The Personal Risk","description":"Understanding the unique nature of NIS2 management liability under German law.","liableToCompany":"Here's what catches most managing directors off guard: under §38 BSIG, you are liable to your own company. If the company suffers damage because you failed to implement, oversee, or be trained on cybersecurity measures, the company (or its insolvency administrator, or its shareholders) can claim damages from you personally. This is an internal liability - your own organization can sue you.","cannotWaive":"§38(2) BSIG contains a provision without precedent in German corporate cybersecurity law: shareholders cannot waive or settle these liability claims if doing so would be disproportionate to the company's financial situation. In practical terms, if the company goes bankrupt due to a cyber incident, the insolvency administrator will come after your personal assets - and the shareholders cannot have waived that right in advance.","cannotClaimIgnorance":"The training obligation in §38(3) BSIG is not optional professional development - it is a legal prerequisite that removes ignorance as a defense. Once the law requires you to be trained, your failure to obtain that training is itself a violation. You cannot claim you didn't understand the risks when the law required you to learn about them."},"steps":{"heading":"Three Steps to Protect Yourself","description":"The good news: fulfilling your §38 BSIG duties is straightforward if you approach it systematically. These three steps create the documented trail that protects you.","items":{"step1":{"title":"Formally approve cybersecurity measures","description":"Review the risk assessment, security policies, and treatment plans prepared under §30 BSIG. Sign off with your name, date, and role. Store the approval in an auditable system - not in an email inbox. This creates the documented evidence that you fulfilled your Billigung duty. Repeat whenever measures are materially changed."},"step2":{"title":"Establish oversight processes","description":"Schedule quarterly management reviews of cybersecurity status. Review implementation progress, open risks, incident reports, and effectiveness metrics. Document attendance, decisions, and action items. This creates the continuous trail proving your Überwachung duty - not just a one-time approval, but ongoing engagement."},"step3":{"title":"Complete cybersecurity training","description":"Complete a training program that covers your company's threat landscape, the §30 BSIG measures, incident reporting obligations, and your personal duties under §38. Document the training: provider, date, content covered, certificate if available. Refresh annually. This eliminates the ignorance defense gap and fulfills your Schulung duty."}}},"ctaCard":{"heading":"Demonstrate Your Compliance","description":"The NIS2 compliance platform tracks management approvals, oversight activities, and training completion - creating the auditable evidence trail that protects you personally under §38 BSIG."},"cta":"Start Your NIS2 Compliance Process"},"grundschutz":{"meta":{"title":"NIS2 and IT-Grundschutz - The Direct Path to Compliance","description":"§44(2) BSIG allows German companies to prove NIS2 compliance through IT-Grundschutz implementation. Understand the legal chain from NIS2 Directive to BSIG to CIR 2024/2690 to BSI Grundschutz - and why this is the fastest path."},"title":"NIS2 and IT-Grundschutz","subtitle":"§44(2) BSIG provides a legal shortcut: implementing IT-Grundschutz is recognized as sufficient proof of NIS2 compliance in Germany.","overview":{"heading":"The Legal Chain","p1":"German companies have a unique advantage over their European peers when it comes to NIS2 compliance. While companies in France, Italy, or the Netherlands must work directly from the NIS2 Directive and the EU Implementing Regulation, German companies can leverage IT-Grundschutz - a well-established, BSI-maintained methodology that has been the standard for information security in Germany for over 25 years.","p2":"§44(2) BSIG provides the legal shortcut: companies that implement IT-Grundschutz can use this as evidence of NIS2 compliance. This is not informal guidance - it is codified in the Federal Cybersecurity Act. The BSI itself develops and maintains both the Grundschutz framework and the NIS2 enforcement regime, ensuring alignment by design.","p3":"This page maps the entire legal chain from the EU NIS2 Directive through German transposition to the practical implementation methodology. Understanding this chain is essential for any compliance lead: it tells you exactly which requirements come from where, why they exist, and how to satisfy them with documented evidence."},"chain":{"heading":"From EU Directive to German Practice","description":"NIS2 compliance in Germany follows a four-layer legal chain. Each layer adds specificity, from high-level objectives down to concrete implementation guidance.","items":{"nis2":{"title":"NIS2 Directive","description":"EU Directive 2022/2555 - the EU-wide cybersecurity framework"},"bsig":{"title":"BSIG","description":"German Federal Cybersecurity Act - transposes NIS2 into German law"},"cir":{"title":"CIR 2024/2690","description":"EU Implementing Regulation - defines the technical minimum measures"},"grundschutz":{"title":"IT-Grundschutz","description":"BSI methodology - the established German framework for implementing these measures"}}},"section44":{"heading":"§44(2) BSIG: Grundschutz Equals Compliance","description":"The legal shortcut most companies don't know about.","p1":"§44(2) BSIG states that compliance with the requirements of §30 BSIG can be demonstrated through implementation of recognized standards - and explicitly references IT-Grundschutz as such a standard. This means that if you implement Grundschutz according to BSI-200-1 through BSI-200-4 methodology, you have a legally recognized basis for claiming NIS2 compliance. This is not a 'get out of jail free' card - you still need evidence - but it gives you a clear, BSI-approved methodology to follow.","p2":"In practice, this means you don't need to interpret the NIS2 Directive or CIR 2024/2690 from scratch. The Grundschutz Kompendium already maps the technical requirements to specific Bausteine (modules) and Anforderungen (requirements). When the BSI audits your NIS2 compliance, they are auditing against a methodology they themselves created - not against an abstract EU directive. This alignment eliminates the interpretation gap that plagues companies in other EU member states.","p3":"For BSI auditors, Grundschutz implementation is familiar territory. They have been auditing Grundschutz for decades. This means audit efficiency: the auditors know exactly what evidence to expect, the terminology is standardized, and the methodology is documented in German. Compare this to defending an ad-hoc compliance approach against the English-language CIR - the practical advantage is significant."},"cir":{"heading":"CIR 2024/2690: The EU Technical Baseline","description":"The Commission Implementing Regulation that defines the technical minimum every EU member state must enforce.","p1":"CIR 2024/2690 (Commission Implementing Regulation) was published on October 17, 2024 and establishes the technical and methodological requirements for NIS2 compliance across the EU. It applies directly - no transposition needed - and defines the minimum measures that all essential and important entities must implement. This is the floor, not the ceiling.","p2":"The CIR specifically covers DNS service providers, TLD name registries, cloud computing services, data center providers, content delivery networks, managed services, managed security services, online marketplaces, online search engines, social networking platforms, and trust service providers. However, the BSIG extends these technical requirements to all NIS2-covered sectors in Germany, making the CIR's technical measures the de facto standard for everyone.","p3":"The Grundschutz Kompendium covers every requirement in the CIR and goes further. Where the CIR says 'implement access control,' Grundschutz specifies exactly how - through modules like ORP.4 (Identity and Access Management) with step-by-step implementation guidance. This is why §44(2) BSIG recognizes Grundschutz: it is a superset of CIR requirements, not just an equivalent."},"comparison":{"heading":"IT-Grundschutz vs ISO 27001 for NIS2","description":"Both are recognized information security frameworks, but for NIS2 compliance in Germany, they are not equivalent.","items":{"recognition":{"title":"BSI Recognition","description":"IT-Grundschutz is explicitly referenced in §44(2) BSIG as a recognized standard for demonstrating NIS2 compliance. ISO 27001 certification may support your case, but it is not specifically named in the law. When the BSI is both the framework author and the enforcement authority, alignment matters."},"coverage":{"title":"Requirements Coverage","description":"Grundschutz covers 100% of CIR 2024/2690 requirements through its Kompendium modules. ISO 27001 covers information security management broadly but does not specifically address all BSIG §30 measures - particularly the NIS2-specific incident reporting timelines, supply chain requirements, and management liability obligations. You would need ISO 27001 plus additional gap-filling."},"language":{"title":"Language & Methodology","description":"Grundschutz is developed in German, by the BSI, for German organizations. The terminology matches the BSIG exactly. ISO 27001 is an international standard published in English, with different terminology and a less prescriptive methodology. For a 100-person German Mittelstand company, Grundschutz's concrete, German-language implementation guidance is significantly more practical than ISO 27001's abstract control objectives."}}},"benefits":{"heading":"Why This Matters for Your Company","description":"For mid-market German companies, the Grundschutz pathway offers three concrete advantages over alternative compliance approaches.","items":{"audit":{"title":"Audit Advantage","description":"When the BSI audits your NIS2 compliance, presenting Grundschutz-structured evidence means the auditor speaks your language. The methodology, documentation structure, and evidence expectations are standardized. This translates to faster audits, fewer misunderstandings, and clearer outcomes."},"alignment":{"title":"BSI Alignment","description":"The BSI publishes the Grundschutz Kompendium, enforces NIS2 compliance, and audits your implementation. Using their own methodology ensures that your interpretation of requirements matches theirs. There is no interpretation gap - the same organization that defines the rules also provides the playbook."},"certainty":{"title":"Legal Certainty","description":"§44(2) BSIG gives Grundschutz implementation explicit legal standing as proof of compliance. This is the strongest legal position available: you are following the methodology recognized by the law itself. If challenged, you can point to a specific statutory provision that validates your approach - not just industry best practice or consultant opinion."}}},"ctaCard":{"heading":"Built on the Grundschutz Framework","description":"The platform structures all 49 BSIG requirements according to IT-Grundschutz methodology, with evidence templates and audit-ready documentation that follows the BSI's own structure."},"cta":"Start Your NIS2 Compliance Process"},"costs":{"meta":{"title":"NIS2 Implementation Costs - What It Actually Takes","description":"Honest breakdown of NIS2 compliance costs for mid-market German companies. Compare consultants, enterprise GRC platforms, US compliance tools, and DIY approaches. Realistic budgets for 100-person companies."},"title":"NIS2 Implementation Costs","subtitle":"An honest breakdown of what NIS2 compliance actually costs for a mid-market German company - because nobody else publishes real numbers.","overview":{"heading":"The Cost Transparency Gap","p1":"Search for 'NIS2 implementation costs' and you'll find consultant websites that say 'it depends' and enterprise vendors who hide pricing behind sales calls. This is by design - opacity benefits sellers. For a 100-person German company trying to budget for compliance, this is useless. You need real numbers to make real decisions.","p2":"Here's an honest breakdown based on market rates in Germany as of 2026. These numbers assume a company with 50-250 employees, basic IT infrastructure (Office 365, a few line-of-business applications, standard network), no existing ISMS, and no dedicated security staff. If you already have ISO 27001 or Grundschutz, your costs will be significantly lower."},"approaches":{"heading":"Four Ways to Get Compliant","prosLabel":"Advantages","consLabel":"Disadvantages","consultants":{"title":"Management Consultants","price":"€150K-500K","description":"Big Four or specialized cybersecurity consultancies (KPMG, Deloitte, PwC, or boutique firms like HiSolutions or Secunet). They assess your current state, write policies, implement measures, and prepare you for audit. Typical engagement: 6-12 months.","pros":["Deep expertise and regulatory knowledge","Handle complexity - appropriate for KRITIS operators","Provide defensible external validation"],"cons":["Prohibitively expensive for most mid-market companies","Knowledge leaves when the consultants leave","Often over-engineer solutions beyond what the law requires","Long engagement timelines - 6+ months is common"]},"enterprise":{"title":"Enterprise GRC Platforms","price":"€100K+/year","description":"Platforms like ServiceNow GRC, SAP GRC, or Archer. Built for large enterprises with dedicated GRC teams. Powerful but complex, requiring implementation projects and ongoing administration. Often sold with mandatory professional services.","pros":["Comprehensive functionality for large organizations","Integration with enterprise IT ecosystems","Established vendor support and longevity"],"cons":["Licensing costs alone exceed €100K/year","Implementation projects cost another €50K-200K","Require dedicated GRC staff to operate","Massively over-scoped for a 100-person company"]},"usPlatforms":{"title":"US Compliance Platforms","price":"€7,500+/year","description":"Platforms like Vanta, Drata, or Secureframe. Designed for SOC 2 and ISO 27001 compliance, primarily serving US tech startups. Some have added NIS2 as a framework option, but coverage is superficial - they don't understand BSIG, Grundschutz, or BSI registration.","pros":["Modern UI and good user experience","Automated evidence collection via cloud integrations","Reasonable pricing compared to enterprise solutions"],"cons":["NIS2 coverage is a checkbox addition, not the core product","No understanding of BSIG specifics (§38 management liability, §32 reporting)","No Grundschutz alignment - you lose the §44(2) advantage","Support and documentation in English only","BSI auditors won't recognize the framework structure"]},"diy":{"title":"Internal / DIY","price":"€20K-80K","description":"Build your own compliance using spreadsheets, document templates, and internal staff time. The cheapest option in direct costs, but the most expensive in hidden costs: learning curve, risk of non-compliance, and no external validation.","pros":["Lowest direct cost","Full control over the process","Internal knowledge retention"],"cons":["Massive time investment - 200-500 hours of staff time","High risk of gaps that only surface during BSI audit","No structured methodology or progress tracking","Spreadsheet-based evidence is hard to maintain and audit","No way to prove implementation timeline to BSI"]}},"breakdown":{"heading":"Realistic Costs for a 100-Person Company","description":"Regardless of approach, these are the cost categories every NIS2-affected company faces. Numbers assume a 100-person company in a regulated sector with no existing ISMS.","headers":{"item":"Cost Item","oneTime":"One-Time","annual":"Annual"},"rows":{"assessment":{"item":"Gap assessment & scoping","oneTime":"€5,000-15,000","annual":"-"},"documentation":{"item":"Policy & documentation","oneTime":"€10,000-30,000","annual":"€2,000-5,000"},"technical":{"item":"Technical measures","oneTime":"€15,000-50,000","annual":"€5,000-15,000"},"training":{"item":"Employee training","oneTime":"€3,000-8,000","annual":"€3,000-8,000"},"maintenance":{"item":"Ongoing compliance mgmt","oneTime":"-","annual":"€10,000-25,000"},"total":{"item":"Total","oneTime":"€33,000-103,000","annual":"€20,000-53,000"}}},"nisd2Approach":{"heading":"The NISD2.eu Approach","description":"The platform eliminates the most expensive parts of NIS2 compliance: interpretation, documentation structure, and evidence management.","items":["49 BSIG requirements pre-structured according to Grundschutz methodology - no gap assessment needed to know what's required","Built-in form pipeline generates audit-ready documentation as you fill in company-specific details - no policy writing from scratch","Management approval workflows with timestamped sign-offs create §38 BSIG evidence automatically - no separate tracking needed","Progress tracking across all 13 compliance modules with evidence uploads - replaces spreadsheets with an auditable system"]},"cta":{"heading":"See What NIS2 Compliance Looks Like","description":"Explore the platform, see the requirement structure, and understand exactly what NIS2 compliance involves for your company - before making any investment decisions.","button":"Start Your NIS2 Compliance Process"}},"mission":{"meta":{"title":"Halve Europe's NIS2 Bill - Our Mission","description":"NIS2 will cost European businesses €31.2 billion every year. Here is the breakdown - and our plan to halve it."},"badge":"Our Mission","title":"Halve Europe's NIS2 bill.","subtitle":"The €31 billion problem, and our plan to fix it.","problem":{"heading":"The €31 billion problem","p1":"NIS2 will cost European businesses €31.2 billion every year (Frontier Economics, 2023). That is 0.31% of every regulated company's revenue. Forever.","p2":"Most of that is not security. It is friction. Translation, interpretation, paperwork, audit prep - work that has to happen at every company because nobody made it once for everybody."},"breakdown":{"heading":"What the €31.2 billion is made of","description":"Frontier Economics' breakdown of EU-wide NIS2 compliance cost across the four cost categories.","footnote":"Source: Frontier Economics, Assessing the Economic Impact of EU Initiatives on Cybersecurity, July 2023.","items":{"staff":{"label":"Staff (compliance + security hires)","value":"€14B"},"consultants":{"label":"Consultants & advisory","value":"€8B"},"software":{"label":"Software (compliance + security tools)","value":"€5B"},"hardware":{"label":"Hardware (firewalls, gateways, appliances)","value":"€4B"}}},"plan":{"heading":"How we will halve it","p1":"We do not cut hardware. We do not cut security tools. Those are real and necessary.","p2":"We cut the friction. The translation work, the interpretation work, the paperwork - done once, structured, free, shared with everyone."},"savings":{"heading":"Where the €16 billion saving comes from","description":"Four levers, four cost pools. Together they halve the bill.","total":"€16.5B saved per year","items":{"consultants":{"label":"Replace consultant interpretation","value":"€6B saved"},"internal":{"label":"Compress internal effort","value":"€5B saved"},"evidence":{"label":"Standardize evidence (audit + supplier + over-engineering)","value":"€4B saved"},"software":{"label":"Eliminate compliance software bloat","value":"€1.5B saved"}}},"tactics":{"heading":"How each cut actually works","description":"Most NIS2 cost is not security work - it is coordination work that gets duplicated at every company. We do that work once, with one strict standard, and share the result. Each card below names the cost that disappears, not the feature that does the work.","items":{"consultants":{"heading":"Replace consultant interpretation","amount":"€6B saved","principle":"Consultants get paid to translate the law. We translate it once.","tactics":["No per-country consulting fees. We use IT-Grundschutz and CIR 2024/2690 as the default - the strictest standard in the EU. Meet ours, meet every member state. No separate engagement for German BSIG, French transposition, Italian implementation.","No per-sector premium. We do not maintain 13 sector variants. One strict standard already covers every sector's controls - simpler for us, cheaper for the buyer.","No 'what does this article mean' billable hours. The interpretation work that consultants charge for is done once on the platform, in plain language, for every BSIG requirement.","No paying for opinion-of-law behind a paywall. The open NIS2/BSIG dataset (in development) lets any auditor verify the interpretation directly - no vendor opacity to pay around."]},"internal":{"heading":"Compress internal effort","amount":"€5B saved","principle":"Most internal effort is paperwork done multiple times. Structured data is captured once.","tactics":["No interpretation phase. Companies currently spend internal staff time figuring out what NIS2 requires of them. The platform delivers the requirements pre-structured.","No copy-paste between systems. Compliance data is currently maintained in spreadsheets, policies, and supplier registers separately. The platform captures each fact once and surfaces it where it is needed.","No separate documentation pass. Compliance work and the documentation of it are currently two passes. On the platform, the audit trail records work as it happens.","No manual deadline scheduler. The BSIG cascade (24h/72h/1m incident reports, registration renewals, training cycles) currently requires manual tracking. The platform tracks it automatically."]},"evidence":{"heading":"Standardize evidence","amount":"€4B saved","principle":"The same evidence currently gets re-built per audit, per supplier, per regulator.","tactics":["No 10 questionnaires per supplier. A supplier serving 10 NIS2 customers currently fills 10 different security questionnaires. With the NIS2 Supplier Profile - an open standard, GRC-platform-agnostic - they fill one. The biggest single saving in this bucket.","No incident report drafting under deadline pressure. The 24h/72h/1m reports follow BSI-format-ready templates instead of being written from scratch when the clock is running.","No separate audit prep cycle. Audit-ready evidence is generated continuously as work happens, not assembled in a panic the month before.","No over-engineering markup. Consultants over-scope to bill more hours. The platform constrains to 'appropriate and proportionate' (§30(1) BSIG) - companies do not pay for unnecessary controls."]},"software":{"heading":"Eliminate compliance software bloat","amount":"€1.5B saved","principle":"We replace the NIS2 slice of compliance software - not the security tools, and not those tools' other frameworks.","tactics":["No NIS2 module fees on enterprise GRC suites. Companies using ServiceNow GRC, Archer, or MetricStream currently pay for the NIS2 portion. We replace that slice. The rest of those tools stays where it is.","No NIS2 add-on on US compliance platforms. Vanta, Drata, and Secureframe charge for their NIS2 framework module. Replaced for NIS2 specifically. Their SOC 2 and ISO 27001 modules are unaffected.","Hardware, SIEM, EDR, encryption, and firewalls stay. Those are operational security and necessary. The platform does not replace them and does not pretend to."]}}},"free":{"heading":"What we provide","description":"The core platform is free today and we intend to keep it that way. Some advanced features may eventually carry a cost - the principle is that NIS2 compliance should be significantly cheaper than the consultant-driven status quo, not zero on every line item. And we do not lock you in: open dataset, exportable evidence, GRC-platform-agnostic supplier profile.","items":["The core NIS2 compliance platform covering every BSIG requirement","Plain-language guidance for every requirement","The NIS2 Supplier Profile - open standard, GRC-platform-agnostic","Video tutorials for each NIS2 entity category","NIS2 Management Training portal: structured course with dictionary, quizzes, and progress tracking","Cybersecurity awareness training videos","Incident reporting templates and 24h / 72h / 1 month workflows","Audit-ready evidence trails, generated as you work","Notifications and deadline tracking for the BSIG cascade","The open NIS2 / BSIG requirements dataset (in development)","No lock-in: open dataset, exportable evidence, no proprietary formats"]},"paid":{"heading":"Where we charge","p1":"Training courses for management and staff. Guided consultancy for company-specific decisions: risk treatment trade-offs, supplier negotiations, complex incident response. Premium features as they develop. Self-host licensing for entities that need to run the platform internally.","p2":"The core compliance platform stays free. The open dataset stays open. The principle is that the bill should be cut, not shifted to us."},"cta":{"heading":"Start now","description":"Check if NIS2 applies to you, or jump straight into the platform.","checkButton":"Check NIS2 applicability","platformButton":"Start your free platform"}},"smeGuide":{"meta":{"title":"NIS2 Implementation for Mid-Market Companies - Practical Guide","description":"Step-by-step NIS2 implementation guide for German Mittelstand companies with 50-250 employees. 12-week roadmap, role assignments, common mistakes, and practical advice from BSIG to BSI audit readiness."},"badge":"Mittelstand / SME","title":"NIS2 Implementation for Mid-Market Companies","subtitle":"A practical 12-week implementation roadmap for German companies with 50-250 employees - no security team required.","overview":{"heading":"You're Affected. Now What?","p1":"An estimated 29,500 companies in Germany fall under NIS2 scope. If you have more than 50 employees and operate in a covered sector - waste management, food production, manufacturing, energy, transport, health, digital infrastructure - you are almost certainly one of them. The BSIG entered force on December 6, 2025, and the BSI registration deadline was March 6, 2026.","p2":"Here's what most consultants won't tell you: for a mid-market company with basic IT, NIS2 compliance is manageable. It is not a 6-month, six-figure project. Most of the 49 BSIG requirements are write-once documentation - policies, risk assessments, procedures. Only a handful require ongoing operational processes. The law demands 'appropriate' measures proportional to your risk - not Fortune 500 security infrastructure.","p3":"This guide gives you the practical plan: a 12-week roadmap, the roles you need (all part-time, all existing staff), the common mistakes that trip up companies your size, and the priority order for tackling the 10 mandatory measures under §30 BSIG. No theory, no fear-mongering - just the steps."},"audience":{"heading":"Who This Guide Is For","description":"This guide is written specifically for mid-market German companies encountering NIS2 for the first time.","items":{"size":"Companies with 50-250 employees in NIS2 sectors","limitedIt":"Limited IT staff - maybe 2-5 people, not a security team","noCompliance":"No dedicated compliance department or GRC experience","firstTime":"First time dealing with NIS2, BSIG, or BSI registration"}},"roadmap":{"heading":"Implementation Roadmap","phases":{"foundation":{"title":"Foundation","weeks":"Weeks 1-2","description":"Establish the organizational foundation: register with the BSI, assign responsibilities, and brief management on their personal liability under §38 BSIG. This phase is about getting the right people engaged and the scope defined.","actions":["BSI registration via Mein Unternehmenskonto + BSI portal","Appoint compliance lead (part-time role, not a new hire)","Management briefing on §38 BSIG duties and personal liability","Set up compliance platform and invite team members","Initial scope: identify which entity category applies (essential or important)"]},"risk":{"title":"Risk Assessment","weeks":"Weeks 3-4","description":"Build your asset inventory and conduct the initial risk assessment. This is the foundation everything else builds on - §30(1) BSIG measure 1. Use the BSI-200-3 risk analysis methodology: identify assets, identify threats, assess likelihood and impact, decide on treatment.","actions":["Build asset inventory - group identical assets (e.g., '45 laptops' = 1 entry)","Identify and categorize suppliers with access to your systems","Conduct initial risk assessment: likelihood × impact for each asset","Document risk treatment decisions: accept, mitigate, transfer, or avoid","Map risks to BSIG measures - which controls address which risks"]},"controls":{"title":"Controls & Documentation","weeks":"Weeks 5-8","description":"Document your security controls and procedures. This is the largest phase by volume but most requirements are write-once policies. Focus on documenting what you already do (most companies have informal processes) and filling genuine gaps.","actions":["Write or adopt security policies (information security, access control, incident response)","Document cryptography usage and key management approach","Set up incident response process with 24h/72h/1m cascade","Review access control: least privilege, onboarding/offboarding procedures","Document business continuity and backup procedures","Implement or document MFA for critical systems"]},"evidence":{"title":"Evidence & Audit Readiness","weeks":"Weeks 9-12","description":"Close the loop: management approvals, training completion, evidence collection, and a first effectiveness check. This phase transforms your documented measures into auditable compliance evidence.","actions":["Management formally approves all cybersecurity measures (§38 duty)","Complete mandatory management cybersecurity training","Upload evidence documents: screenshots, configs, policy sign-offs","Run first effectiveness assessment - are controls actually working?","Export compliance report for internal review"]}}},"roles":{"heading":"Roles You Need","description":"You don't need to hire anyone. These are part-time responsibilities assigned to existing staff.","items":{"complianceLead":{"title":"Compliance Lead (4-8 hours/week)","description":"Drives the process, fills out requirement forms, coordinates with IT and management. Usually the IT manager, quality manager, or operations lead."},"itContact":{"title":"IT Contact (2-4 hours/week)","description":"Provides technical input: asset details, network architecture, encryption status, access controls. Your admin or IT manager."},"managementSponsor":{"title":"Management Sponsor (1-2 hours/week)","description":"Reviews and approves measures, completes training, demonstrates oversight. Required by §38 BSIG - cannot be delegated."},"externalAuditor":{"title":"External Auditor (optional)","description":"For KRITIS operators: required every 3 years. For essential and important entities: optional but recommended for the first compliance cycle to validate your work."}}},"mistakes":{"heading":"Common Mistakes","description":"What we see companies get wrong - and how to avoid it.","items":{"waiting":{"title":"Waiting for 'the final guidance'","description":"The law is in force since December 2025. The CIR defines the technical measures. There is no further guidance coming that would change what you need to do. Start now."},"overEngineering":{"title":"Over-engineering the solution","description":"A 100-person waste management company does not need a SOC or a SIEM. Match your controls to your actual risk profile. The BSIG requires 'appropriate' measures, not maximum measures."},"noManagement":{"title":"Treating it as an IT project","description":"§38 BSIG makes this a management responsibility. If the CEO isn't involved, you're already non-compliant. Schedule the management briefing in week 1."},"ignoreSupplyChain":{"title":"Ignoring supply chain security","description":"NIS2 explicitly requires assessing your suppliers' cybersecurity. This catches many companies off guard. Start documenting supplier relationships early."},"paperOnly":{"title":"Paper compliance without real measures","description":"Writing policies nobody reads doesn't count. The BSI can request evidence that measures are actually implemented and effective. Build real processes, not just documents."}}},"ctaCard":{"heading":"Start Your Implementation Today","description":"The platform walks you through all 49 BSIG requirements in the order they should be implemented, with structured forms, evidence uploads, and management sign-off workflows - exactly what a mid-market company needs to get compliant without hiring a consultant."},"cta":"Start Your NIS2 Compliance Process"},"checklist":{"meta":{"title":"NIS2 Requirements Checklist - All §30 BSIG Obligations Explained","description":"Complete checklist of the 10 mandatory NIS2 cybersecurity measures under §30 BSIG. For each measure: what's required, what evidence you need, and how much effort to expect. Prioritized implementation order for German companies."},"title":"NIS2 Requirements Checklist","subtitle":"All 10 mandatory cybersecurity measures under §30 BSIG - what each requires, what evidence the BSI expects, and the practical priority order for implementation.","overview":{"p1":"§30 BSIG defines 10 mandatory cybersecurity measures that every NIS2-affected company in Germany must implement. These measures are not optional and not negotiable - they apply to all essential and important entities regardless of size or sector. The CIR 2024/2690 adds technical detail to each measure.","p2":"Use this checklist to assess your current state against each measure, identify gaps, and plan your implementation. For each measure, we list the key requirements and the evidence the BSI would expect in an audit. Work through them in the priority order at the bottom - they build on each other, so sequence matters."},"howToUse":{"heading":"How to Use This Checklist","items":{"i1":"Work through each measure in order - they build on each other","i2":"For each requirement, document your current state and identify gaps","i3":"Focus on evidence: for every requirement, ask 'how would we prove this to the BSI?'"}},"measures":{"heading":"10 Mandatory Measures (§30 BSIG)","description":"Each measure below maps to §30(2) BSIG and is further specified by CIR 2024/2690. The effort rating reflects a typical 100-person company starting from scratch.","keyRequirements":"Key Requirements","evidenceNeeded":"Evidence Needed","items":{"m1":{"title":"Risk Analysis & Information Security Policies","description":"§30(2)(1) BSIG - Establish risk analysis processes and information security policies. This is the foundation: without a risk assessment, you cannot justify any other measure. The BSI expects a methodical approach (BSI-200-3 recommended), not ad-hoc risk lists.","requirements":["Establish an information security management framework","Conduct regular risk assessments covering all critical assets","Define risk acceptance criteria and treatment procedures","Maintain and review security policies at least annually"],"evidence":["Documented risk assessment with asset inventory","Information security policy signed by management","Risk treatment plan with assigned owners"],"effort":"High - foundational, do this first"},"m2":{"title":"Incident Handling","description":"§30(2)(2) BSIG - Establish processes for detecting, managing, and reporting security incidents. §32 BSIG defines strict reporting timelines: initial notification to BSI within 24 hours, follow-up within 72 hours, final report within one month. You need processes that can meet these deadlines at 2 AM on a Sunday.","requirements":["Define incident detection, classification, and escalation procedures","Establish 24h/72h/1m reporting cascade to BSI per §32 BSIG","Assign incident response roles and contact chains","Implement post-incident review and lessons-learned process"],"evidence":["Incident response plan with defined roles and responsibilities","BSI reporting templates and communication procedures","Incident log with classification, timeline, and resolution records"],"effort":"High - critical, and requires tested processes not just documentation"},"m3":{"title":"Business Continuity & Crisis Management","description":"§30(2)(3) BSIG - Ensure continuity of critical services during and after security incidents. This covers backup management, disaster recovery, and crisis management. The CIR requires documented recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.","requirements":["Identify critical business processes and their IT dependencies","Define RTO and RPO for critical systems","Implement and test backup procedures","Establish crisis management and communication procedures"],"evidence":["Business continuity plan with RTO/RPO per critical system","Backup procedures with documented test results","Crisis communication plan with emergency contacts"],"effort":"Medium - leverages your existing backup infrastructure"},"m4":{"title":"Supply Chain Security","description":"§30(2)(4) BSIG - Assess and manage cybersecurity risks in the supply chain. NIS2 recognizes that your security is only as strong as your weakest supplier. You must assess suppliers who have access to your systems, data, or network - and include security requirements in contracts.","requirements":["Inventory all suppliers with access to systems, data, or network","Assess cybersecurity posture of critical suppliers","Include cybersecurity requirements in supplier contracts","Monitor supplier security posture on an ongoing basis"],"evidence":["Supplier inventory with risk categorization","Supplier assessment questionnaires or audit results","Contract clauses referencing cybersecurity requirements"],"effort":"Medium - time-consuming to gather supplier data initially"},"m5":{"title":"Security in Network & System Procurement","description":"§30(2)(5) BSIG - Include security considerations in procurement, development, and maintenance of IT systems. This means security requirements in procurement specs, vulnerability handling procedures, and secure configuration baselines for new systems.","requirements":["Define security requirements for IT procurement","Establish vulnerability handling and disclosure procedures","Implement secure configuration baselines for new systems","Include security reviews in system acceptance testing"],"evidence":["Procurement guidelines with security requirements","Vulnerability management process documentation","Secure configuration standards per system type"],"effort":"Medium - mostly documentation if you already have procurement processes"},"m6":{"title":"Effectiveness Assessment","description":"§30(2)(6) BSIG - Evaluate the effectiveness of cybersecurity risk management measures. This is the audit loop: you must regularly check whether your measures actually work, not just whether they exist. KPIs, internal audits, and corrective action processes are required.","requirements":["Define metrics and KPIs for cybersecurity effectiveness","Conduct regular internal audits or assessments","Implement corrective action procedures for identified gaps","Report effectiveness results to management"],"evidence":["Effectiveness assessment reports with KPI measurements","Internal audit plan and completed audit reports","Corrective action log with resolution tracking"],"effort":"Medium - requires the other measures to be in place first"},"m7":{"title":"Cybersecurity Training & Awareness","description":"§30(2)(7) BSIG - Implement cybersecurity training and awareness programs. This covers all employees (annual awareness training), IT staff (role-specific technical training), and management (§38 BSIG obligation). The scope is broader than most companies expect.","requirements":["Provide annual cybersecurity awareness training for all employees","Deliver role-specific training for IT and security staff","Ensure management completes §38 BSIG cybersecurity training","Track training completion and maintain records"],"evidence":["Training plan with target groups and frequencies","Training completion records with dates and attendee lists","Management training certificates per §38 BSIG"],"effort":"Low - many providers offer off-the-shelf training packages"},"m8":{"title":"Cryptography & Encryption","description":"§30(2)(8) BSIG - Implement appropriate cryptography and encryption measures. Document what encryption you use, where, and why. The CIR requires encryption for data at rest and in transit where appropriate, plus key management procedures.","requirements":["Inventory encryption usage across systems and data flows","Implement encryption for data at rest and in transit","Establish key management procedures (generation, storage, rotation, revocation)","Define cryptographic algorithm standards aligned with BSI TR-02102"],"evidence":["Cryptography policy with algorithm standards","Encryption inventory: what's encrypted, where, with what","Key management procedures documentation"],"effort":"Low to Medium - mostly documenting what you already use"},"m9":{"title":"Access Control & Asset Management","description":"§30(2)(9) BSIG - Implement access control, identity management, and asset management measures. This combines who can access what (least privilege, role-based access) with what you have (asset inventory). The asset inventory from measure 1 feeds directly into this.","requirements":["Implement role-based access control with least privilege principle","Establish onboarding/offboarding procedures for access provisioning","Maintain asset inventory covering hardware, software, and data","Implement privileged access management for administrative accounts"],"evidence":["Access control policy with role definitions","Onboarding/offboarding checklists with access review records","Asset inventory with assigned owners and classification"],"effort":"High - requires operational process changes, not just documentation"},"m10":{"title":"Multi-Factor Authentication & Secure Communication","description":"§30(2)(10) BSIG - Implement multi-factor authentication and secure communication measures. MFA is required for remote access, administrative access, and access to critical systems. Secure communication means encrypted email, messaging, and voice where confidential information is exchanged.","requirements":["Implement MFA for remote access, VPN, and administrative accounts","Deploy MFA for access to critical business applications","Establish secure communication channels for confidential information","Implement emergency access procedures when MFA is unavailable"],"evidence":["MFA deployment documentation with covered systems list","Secure communication policy and tool inventory","Emergency access procedures with break-glass documentation"],"effort":"Medium - technical implementation required if MFA is not yet deployed"}}},"priority":{"heading":"Priority Order","description":"Not all measures are equally urgent. This priority order reflects dependencies - later measures build on earlier ones - and enforcement risk. Start with what the BSI will ask for first.","tiers":{"t1":{"title":"Start immediately","description":"Measures 1 (risk analysis), 2 (incident handling), 9 (access control & assets). These are foundational - everything else builds on them."},"t2":{"title":"Weeks 3-6","description":"Measures 3 (continuity), 4 (supply chain), 7 (training). These require the asset inventory from measure 1."},"t3":{"title":"Weeks 7-12","description":"Measures 5 (procurement), 6 (effectiveness), 8 (crypto), 10 (MFA). These build on the controls established in tier 2."}}},"ctaCard":{"heading":"Track Your Progress","description":"The platform breaks each of these 10 measures into structured requirements with evidence uploads, management sign-offs, and progress tracking - so you always know exactly where you stand and what's left to do."},"cta":"Start Your NIS2 Compliance Process"},"registration":{"meta":{"title":"BSI NIS2 Registration: Deadline & Step-by-Step Guide","description":"BSI registration under §33 BSIG: who must register, deadlines, portal walkthrough. 30,000 NIS2 entities in Germany: most still missing. Avoid €500K fines."},"title":"NIS2 Registration Gap Analysis","subtitle":"The BSI estimated ~30,000 entities subject to NIS2 in Germany. The registration deadline passed on March 6, 2026. A significant portion of in-scope companies have still not registered - leaving them exposed to enforcement under §65 BSIG.","overview":{"p1":"§33 BSIG requires every entity that falls under NIS2 - whether essential or important entity - to register with the Bundesamt für Sicherheit in der Informationstechnik (BSI). This is not optional. The registration obligation exists independently of whether the company has implemented any cybersecurity measures. You must register first, then comply.","p2":"The BSI registration portal (muk.bsi.bund.de) went live on January 6, 2026 - one month after the BSIG entered into force. The registration deadline under §33 BSIG was March 6, 2026 (3 months after entry into force). Despite a clear legal obligation and a two-month window, a significant share of the estimated 29,000-30,000 in-scope entities did not register by the deadline. A G DATA survey found that 44% of affected companies were unaware of their NIS2 obligations entirely.","p3":"The registration gap is particularly concerning because registration is a precondition for the BSI's supervisory regime. Unregistered entities are not invisible - they are non-compliant by default. When the BSI begins systematic enforcement (which it has signalled for 2026), unregistered companies face penalties not just for missing cybersecurity measures, but for the registration violation itself - a separate offence under §65 BSIG."},"stats":{"heading":"Registration by the Numbers","description":"Current state of NIS2 registration in Germany based on BSI data and industry surveys.","items":{"estimated":{"value":"~29,000-30,000","label":"Estimated in-scope entities","detail":"BSI's own estimate of entities subject to NIS2 obligations under the NIS2UmsuCG, covering both essential and important entities."},"awareness":{"value":"44%","label":"Unaware of NIS2 obligations","detail":"G DATA survey (2024): 44% of German mid-market companies did not know NIS2 applied to them - before the law even entered into force."},"portalWindow":{"value":"2 months","label":"Registration window","detail":"BSI portal went live January 6, 2026. Registration deadline was March 6, 2026 - a two-month window for ~30,000 entities to register."},"deadline":{"value":"§33 BSIG","label":"Registration legal basis","detail":"Registration is required without undue delay (unverzüglich) after determining that the entity falls within scope. There is no grace period - the obligation is immediate upon the law taking effect."}}},"reasons":{"heading":"Why the Gap Exists","description":"Four structural factors explain why the majority of German NIS2 entities have not registered.","items":{"awareness":{"title":"Lack of awareness","description":"A G DATA survey conducted in 2024 found that 44% of German mid-market companies were unaware that NIS2 applied to them. The scoping criteria - 50+ employees or EUR 10 million turnover in 18 covered sectors - are not self-evident to companies that have never dealt with IT security regulation. Many companies in sectors like waste management, food production, and chemical manufacturing do not think of themselves as 'critical infrastructure'."},"complexity":{"title":"Scoping complexity","description":"Determining whether a company falls under NIS2 requires mapping the business against Annex I and II of the NIS2 Directive (transposed into §28 BSIG). The sector definitions reference NACE codes, turnover thresholds, and employee counts - but edge cases abound. Companies with mixed business lines, partial sector coverage, or group structures face genuine uncertainty about whether they are in scope."},"resources":{"title":"Resource constraints","description":"German Mittelstand companies in the 50-250 employee range typically lack dedicated compliance or information security staff. The person responsible for 'IT' is often also responsible for facilities, procurement, and everything else that involves a computer. NIS2 registration requires understanding regulatory text, classifying the company's sector, and navigating a government portal - tasks that fall outside normal operations."},"uncertainty":{"title":"Legislative uncertainty","description":"The NIS2UmsuCG went through multiple drafts and was delayed several times before final passage. Many companies adopted a 'wait and see' approach, expecting further changes or extended deadlines. This was a rational but incorrect bet - the law passed, the registration obligation is in force, and the BSI is not offering extensions."}}},"consequences":{"heading":"Consequences of Non-Registration","description":"Registration is not just administrative paperwork - failure to register is an independent violation with its own penalties.","items":{"fines":{"title":"Administrative fines","description":"§65 BSIG provides for fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for wichtige Einrichtungen. Non-registration is a separate violation from non-compliance with substantive security measures - meaning companies can face penalties for both."},"liability":{"title":"Management personal liability","description":"Under §38 BSIG, the Geschäftsleitung is personally responsible for ensuring compliance with NIS2 obligations - including registration. A managing director who fails to register the company is in personal breach of their statutory duties, creating exposure for personal liability claims from the company or its shareholders."},"enforcement":{"title":"Enforcement priority","description":"The BSI has indicated that it will prioritize enforcement against entities that have not registered, because non-registration signals complete non-compliance. A company that has registered but is working on measures demonstrates good faith. A company that has not even registered has no defense of ongoing implementation efforts."},"reputation":{"title":"Reputational and commercial impact","description":"NIS2 supply chain requirements (§30(2)(4) BSIG) mean that in-scope companies must assess the cybersecurity posture of their suppliers. An unregistered company cannot demonstrate NIS2 compliance to its customers - potentially losing contracts or being flagged in supply chain audits. This commercial pressure will accelerate as more companies implement supply chain due diligence."}}},"sources":{"heading":"Sources","items":["BSI - NIS2 registration statistics, public statements (2025)","G DATA CyberDefense - NIS2 awareness survey: 44% of mid-market companies unaware of obligations (2024)","G DATA CyberDefense - NIS2 awareness survey among German mid-market companies (2024)","BSIG - §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie (NIS2 Implementation Act)","BMI - Referentenentwürfe and parliamentary documentation for NIS2UmsuCG"]},"ctaCard":{"heading":"Register and Comply - Before the BSI Comes Knocking","description":"The platform walks you through BSI registration requirements and immediately starts building your compliance evidence trail - so you move from unregistered to audit-ready in a structured process."},"cta":"Start Your NIS2 Compliance Process"},"cir":{"meta":{"title":"CIR 2024/2690 - EU Implementing Regulation for NIS2 Technical Measures","description":"Commission Implementing Regulation (EU) 2024/2690 specifies the exact technical and methodological requirements for NIS2 entities. Published 17 October 2024, it applies directly across all EU member states without national transposition."},"title":"CIR 2024/2690 Implementation Guide","subtitle":"The EU Implementing Regulation that specifies exactly what technical and methodological measures NIS2 entities must implement - published in the Official Journal on 17 October 2024 and directly applicable across all member states.","overview":{"heading":"What Is CIR 2024/2690?","p1":"Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 was published in the Official Journal of the European Union (OJ L series, 2024/2690). It lays down rules for the application of Directive (EU) 2022/2555 (the NIS2 Directive) with regard to technical and methodological requirements of cybersecurity risk-management measures. Unlike the NIS2 Directive itself, this regulation does not require national transposition - it applies directly in all 27 member states from the date of its entry into force.","p2":"The CIR is the answer to the question every compliance officer asks: 'What exactly do we have to implement?' While §30 BSIG (the German transposition) lists 10 measure areas in broad terms, the CIR Annex breaks these down into specific, auditable technical and methodological requirements. It is the most granular official specification of NIS2 obligations available - more detailed than the Directive itself, more specific than the BSIG, and directly enforceable.","p3":"The regulation was developed in consultation with ENISA and the NIS Cooperation Group, drawing on existing frameworks including ISO/IEC 27001, ETSI EN 319 401, and national standards. It applies specifically to DNS service providers, TLD name registries, cloud computing service providers, ICT service management providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers - though its technical requirements serve as a de facto benchmark for all NIS2 entities."},"scope":{"heading":"Entities Directly Covered","description":"The CIR applies mandatory requirements to the following entity types as defined in Article 1:","items":{"dns":"DNS service providers","tld":"TLD name registries","cloud":"Cloud computing service providers","managed":"ICT service management (managed services) and managed security service providers","marketplaces":"Online marketplace providers","social":"Social networking services platform providers","trust":"Trust service providers"}},"articles":{"heading":"Regulation Structure","description":"The CIR consists of 7 articles defining scope, definitions, and requirements, plus a detailed Annex containing the technical and methodological specifications.","items":{"a2":{"title":"Article 2 - Definitions","description":"Establishes definitions for 'network and information system security', 'significant incident', and other key terms. Aligns terminology with the NIS2 Directive while adding implementation-specific precision."},"a3":{"title":"Article 3 - Significance of incidents","description":"Defines when an incident is 'significant' - the threshold that triggers reporting obligations. An incident is significant if it causes financial loss exceeding EUR 500,000 or 5% of annual turnover, results in exfiltration of trade secrets, causes death or considerable damage to health, or meets entity-specific criteria defined in the Article."},"a4":{"title":"Article 4 - Recurring significant incidents","description":"Specifies that recurring incidents which individually do not meet the significance threshold may be aggregated and treated as a single significant incident if they collectively meet the criteria within a six-month period."},"a5":{"title":"Article 5 - Significant incidents for DNS and TLD registries","description":"Adds specific significance criteria for DNS service providers and TLD registries, including service availability below 99.9% for any period, incorrect DNS response rates, and compromise of integrity or confidentiality of stored domain registration data."},"a6":{"title":"Article 6 - Technical and methodological requirements","description":"The core article - requires covered entities to implement the technical and methodological requirements set out in the Annex. The measures must be 'appropriate and proportionate' to the risks, taking into account the entity's size, exposure, likelihood of incidents, and societal impact."},"a7":{"title":"Article 7 - Entry into force","description":"The regulation entered into force on the twentieth day following its publication in the Official Journal (published 17 October 2024). It applies directly in all member states without requiring national transposition."}}},"measures":{"heading":"The 10 Measure Areas (CIR Annex)","description":"The Annex organises technical and methodological requirements into 10 areas that mirror §30(2) BSIG. Each area contains detailed sub-requirements with specific implementation criteria.","items":{"policies":{"title":"Policy on the security of network and information systems","description":"Requires a documented security policy approved by management, reviewed at least annually, and updated after significant incidents or changes. Must define roles, responsibilities, and the framework for all subsequent measures. Must include a risk acceptance policy and evidence of management commitment."},"risk":{"title":"Risk management","description":"Requires a documented risk assessment methodology, risk identification covering all critical assets and processes, risk analysis with likelihood and impact assessment, risk treatment with documented decisions (accept, mitigate, transfer, avoid), and residual risk acceptance by management. Must be reviewed at planned intervals and after significant changes."},"incidents":{"title":"Incident handling","description":"Requires incident detection, classification, response, and recovery procedures. Must define roles and responsibilities for incident handling, establish communication channels, include post-incident analysis (lessons learned), and maintain incident logs. Detection must include monitoring for anomalies and known indicators of compromise."},"continuity":{"title":"Business continuity and crisis management","description":"Requires business impact analysis, continuity plans for critical services, backup and recovery procedures with tested restore capabilities, and crisis management procedures. Backup integrity must be verified regularly. Recovery time objectives must be defined and tested. Plans must be reviewed after incidents or significant changes."},"supply":{"title":"Supply chain security","description":"Requires a supply chain security policy, assessment of direct suppliers' cybersecurity practices, contractual security requirements for ICT products and services, and monitoring of supplier security posture over the contract lifecycle. Must consider supply chain-specific risks including those arising from the supplier's own supply chain."},"testing":{"title":"Security in acquisition, development, and maintenance","description":"Requires secure development lifecycle for in-house development, security requirements for acquired ICT products and services, configuration management, change management procedures, and security testing (including vulnerability scanning and penetration testing where appropriate). Must cover the full lifecycle from acquisition through decommissioning."},"crypto":{"title":"Cryptography","description":"Requires a policy on the use of cryptography, including selection of cryptographic algorithms and key lengths appropriate to the classification of data, key management procedures (generation, distribution, storage, rotation, revocation, destruction), and periodic review of cryptographic implementations against current best practices and known vulnerabilities."},"access":{"title":"Access control and asset management","description":"Requires an access control policy based on business and security requirements, identity management with unique user identification, access provisioning and de-provisioning procedures, privileged access management, and an asset inventory covering all network and information system components. Access rights must be reviewed at planned intervals."},"mfa":{"title":"Multi-factor authentication and secure communication","description":"Requires multi-factor authentication or continuous authentication for access to critical systems and remote access. Secure communication channels must be established for emergency and fallback scenarios. Voice, video, and text communications used for incident response must be secured against interception."},"communication":{"title":"Cybersecurity awareness and training","description":"Requires regular cybersecurity awareness programmes for all personnel, role-specific training for staff with security responsibilities, and management training on cybersecurity governance. Training must cover the entity's security policies, common threats, incident reporting procedures, and the personnel's specific responsibilities."}}},"relationship":{"heading":"CIR, NIS2 Directive, and BSIG - How They Fit Together","description":"Understanding the legal hierarchy is essential for compliance planning.","p1":"The NIS2 Directive (EU) 2022/2555 is the parent legislation - it establishes the framework, obligations, and enforcement regime at EU level. Member states were required to transpose it into national law by 17 October 2024. Germany's transposition is the NIS2UmsuCG, which amends the BSIG. The BSIG now contains all NIS2 obligations in German law, including §30 (cybersecurity measures) and §32 (incident reporting).","p2":"The CIR 2024/2690 is a directly applicable EU regulation - it does not require transposition and takes precedence over conflicting national provisions. Where the CIR specifies a technical requirement, that requirement applies directly, regardless of whether the BSIG addresses it. For the entity types listed in Article 1, the CIR is the primary compliance standard.","p3":"For entities NOT directly listed in CIR Article 1 but still subject to NIS2 (e.g., energy providers, healthcare, transport), the CIR serves as the most authoritative reference for what 'appropriate and proportionate' measures look like. German courts and the BSI are expected to reference the CIR's technical specifications when evaluating whether a company's measures meet the §30 BSIG standard - even if the CIR does not formally bind those entities."},"sources":{"heading":"Sources","items":["Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 - Official Journal of the European Union, OJ L 2024/2690","EUR-Lex - Full text of CIR 2024/2690 (CELEX: 32024R2690)","Directive (EU) 2022/2555 (NIS2 Directive) - Official Journal of the European Union","ENISA - Technical guidance on NIS2 implementation measures (2024)","secuvera GmbH - Analysis of CIR 2024/2690 requirements and mapping to ISO 27001 (2024)","BSIG - §30 (Risikomanagementmaßnahmen), §32 (Meldepflichten), as amended by NIS2UmsuCG"]},"ctaCard":{"heading":"Implement CIR Requirements Systematically","description":"The platform maps every CIR Annex requirement to structured tasks with evidence uploads, deadline tracking, and management sign-offs - turning a 30-page regulation into actionable compliance steps."},"cta":"Start Your NIS2 Compliance Process"},"isoMapping":{"meta":{"title":"ISO 27001 to NIS2 Gap Analysis - What Your ISMS Doesn't Cover","description":"ISO 27001:2022 covers approximately 70% of NIS2 requirements but misses critical areas: BSI registration, incident reporting timelines, management personal liability, and enhanced supply chain due diligence. Full mapping of §30(2) BSIG to ISO 27001 Annex A controls."},"title":"ISO 27001 to NIS2 Gap Analysis","subtitle":"An ISO 27001 certification covers roughly 70% of NIS2 technical requirements - but the remaining 30% includes the areas with the highest enforcement risk: registration, incident reporting timelines, and management personal liability.","overview":{"heading":"ISO 27001 Is a Head Start, Not a Finish Line","p1":"If your company holds an ISO 27001:2022 certification, you are ahead of most NIS2-affected entities. The ISMS framework, risk assessment methodology, and Annex A controls map well onto the ten cybersecurity measure areas defined in §30(2) BSIG. The BSI has explicitly acknowledged that ISO 27001 certification demonstrates a mature security posture - but it has equally explicitly stated that certification alone does not equal NIS2 compliance.","p2":"The gap exists because NIS2 introduces obligations that ISO 27001 was never designed to address. ISO 27001 is a voluntary management system standard focused on information security within an organisation. NIS2 is a regulatory obligation focused on critical infrastructure resilience with government reporting, personal liability for management, and statutory penalties. These are fundamentally different compliance paradigms - one is about best practice, the other is about legal compliance.","p3":"ENISA's mapping guidance and analyses by DataGuard, secuvera, and the BSI itself consistently identify the same gaps. Understanding where ISO 27001 covers NIS2 - and where it does not - allows certified companies to build on their existing ISMS rather than starting from scratch, while ensuring they do not overlook the regulatory-specific requirements that carry the highest enforcement risk."},"overlap":{"heading":"Where ISO 27001 Already Covers NIS2","description":"These NIS2 requirement areas are substantially addressed by a well-implemented ISO 27001:2022 ISMS.","items":{"risk":{"title":"Risk management (§30(2)(1) BSIG)","detail":"ISO 27001 Clauses 6.1 and 8.2 require risk identification, analysis, evaluation, and treatment - precisely what §30(2)(1) demands. An existing ISMS risk assessment methodology, if properly maintained, meets this requirement. Ensure your risk register covers operational technology and supply chain risks specifically, not just information security risks."},"access":{"title":"Access control (§30(2)(5) BSIG)","detail":"ISO 27001 Annex A.5.15 through A.5.18 and A.8.2 through A.8.5 cover access control policy, user access provisioning, privileged access management, and information access restriction. This maps directly to §30(2)(5) BSIG requirements for access control to network and information systems."},"incident":{"title":"Incident handling (§30(2)(2) BSIG)","detail":"ISO 27001 Annex A.5.24 through A.5.28 cover incident management planning, assessment, response, and learning. The technical incident handling process required by NIS2 is well covered - though the reporting timelines and BSI notification are not part of ISO 27001 (see gaps below)."},"continuity":{"title":"Business continuity (§30(2)(3) BSIG)","detail":"ISO 27001 Annex A.5.29 and A.5.30 address information security during disruption and ICT readiness for business continuity. Combined with a proper BIA and tested recovery procedures, this covers the NIS2 continuity requirements substantially."},"crypto":{"title":"Cryptography (§30(2)(8) BSIG)","detail":"ISO 27001 Annex A.8.24 covers use of cryptography. A mature ISMS includes cryptographic policies, key management procedures, and algorithm selection standards that align with NIS2 cryptography requirements."},"supplier":{"title":"Supplier relationships (§30(2)(4) BSIG - partial)","detail":"ISO 27001 Annex A.5.19 through A.5.23 address information security in supplier relationships, including supplier assessment, service delivery monitoring, and change management. This provides a foundation but NIS2 requires more extensive supply chain due diligence (see gaps)."},"awareness":{"title":"Training and awareness (§30(2)(9) BSIG)","detail":"ISO 27001 Annex A.6.3 covers information security awareness, education, and training. This aligns with the general NIS2 training requirement, though NIS2 adds specific management training obligations under §38 BSIG that go beyond ISO 27001's scope."}}},"gaps":{"heading":"Critical Gaps - What ISO 27001 Does Not Cover","description":"These NIS2 requirements have no equivalent in ISO 27001 and must be addressed separately. They represent the highest enforcement risk for ISO-certified companies.","items":{"registration":{"title":"BSI registration obligation (§33 BSIG)","detail":"ISO 27001 has no concept of government registration. §33 BSIG requires every NIS2 entity to register with the BSI, providing entity information, sector classification, contact details, and IP ranges. This is a standalone regulatory obligation with its own penalty provisions - your ISO certification does not trigger or replace it."},"reporting":{"title":"Incident reporting timelines (§32 BSIG)","detail":"ISO 27001 requires incident response but sets no external reporting timelines. §32 BSIG mandates: early warning to BSI within 24 hours, incident notification within 72 hours, and final report within one month. These are statutory deadlines with separate penalties for non-compliance. Your ISMS incident process must be extended with BSI-specific reporting workflows."},"management":{"title":"Management personal liability (§38 BSIG)","detail":"ISO 27001 requires management commitment and leadership (Clause 5) but creates no personal legal liability. §38 BSIG makes Geschäftsleiter personally liable for failures in cybersecurity governance, including a non-waivable duty to approve measures, oversee implementation, and complete personal cybersecurity training. No ISO control addresses this."},"penalties":{"title":"Statutory penalty framework (§65 BSIG)","detail":"ISO 27001 non-compliance results in loss of certification - a reputational consequence. NIS2 non-compliance under §65 BSIG carries fines of up to EUR 10 million or 2% of global turnover for essential entities. The enforcement mechanism is fundamentally different: government penalties vs. voluntary certification status."},"supply":{"title":"Enhanced supply chain due diligence (§30(2)(4) BSIG)","detail":"While ISO 27001 Annex A.5.19-A.5.23 covers supplier security, NIS2 requires more granular supply chain risk assessment including evaluation of suppliers' own cybersecurity maturity, consideration of supply chain-specific vulnerabilities, and assessment of critical dependencies. The CIR 2024/2690 Annex specifies contractual security requirements and ongoing supplier monitoring that exceed ISO 27001's supplier management controls."},"governance":{"title":"NIS2-specific governance requirements","detail":"NIS2 requires specific governance structures including designated contact points for the BSI (§33 BSIG), participation in sector-specific CSIRTs, and compliance with BSI enforcement orders. These are regulatory governance requirements that sit outside the ISMS scope - they concern the relationship between the entity and government authorities, not internal security management."}}},"mapping":{"heading":"§30(2) BSIG to ISO 27001 Control Mapping","description":"Detailed mapping of each NIS2 measure area to the closest ISO 27001:2022 Annex A controls, with coverage assessment.","headers":{"nis2":"NIS2 / §30(2) BSIG Measure","iso":"ISO 27001:2022 Controls","coverage":"Coverage"},"rows":{"m1":{"nis2":"Risk analysis and security policies","iso":"Clause 6.1, 8.2; A.5.1","coverage":"full","coverageLabel":"Full"},"m2":{"nis2":"Incident handling","iso":"A.5.24-A.5.28","coverage":"partial","coverageLabel":"Partial - no BSI reporting timelines"},"m3":{"nis2":"Business continuity and crisis management","iso":"A.5.29, A.5.30","coverage":"full","coverageLabel":"Full"},"m4":{"nis2":"Supply chain security","iso":"A.5.19-A.5.23","coverage":"partial","coverageLabel":"Partial - enhanced due diligence missing"},"m5":{"nis2":"Security in acquisition, development, maintenance","iso":"A.8.25-A.8.31","coverage":"full","coverageLabel":"Full"},"m6":{"nis2":"Effectiveness evaluation","iso":"Clause 9.1, 9.2, 9.3; A.8.8","coverage":"full","coverageLabel":"Full"},"m7":{"nis2":"Cybersecurity training","iso":"A.6.3","coverage":"partial","coverageLabel":"Partial - §38 management training not covered"},"m8":{"nis2":"Cryptography","iso":"A.8.24","coverage":"full","coverageLabel":"Full"},"m9":{"nis2":"Access control and asset management","iso":"A.5.9-A.5.18; A.8.2-A.8.5","coverage":"full","coverageLabel":"Full"},"m10":{"nis2":"Multi-factor authentication and secure communication","iso":"A.8.5","coverage":"partial","coverageLabel":"Partial - MFA requirement more specific in NIS2"}}},"sources":{"heading":"Sources","items":["ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems","BSIG - §30(2) (Risikomanagementmaßnahmen), §32 (Meldepflichten), §33 (Registrierung), §38 (Geschäftsleitung), §65 (Bußgeldvorschriften)","BSI - Guidance on relationship between ISO 27001 certification and NIS2 compliance","ENISA - NIS2 to ISO 27001 mapping guidance (2024)","DataGuard - ISO 27001 to NIS2 gap analysis and mapping (2024)","CIR (EU) 2024/2690 - Annex technical requirements and ISO 27001 references"]},"ctaCard":{"heading":"Close Your ISO-to-NIS2 Gaps","description":"The platform identifies exactly which NIS2 requirements your ISO 27001 certification already covers and which gaps remain - so you build on existing controls instead of starting from scratch."},"cta":"Start Your NIS2 Compliance Process"},"incidentReporting":{"meta":{"title":"NIS2 Incident Reporting: 24h / 72h / 1 Month Playbook","description":"NIS2 incident reporting under §32 BSIG implements Article 23 NIS2: early warning in 24 hours, incident notification in 72 hours, final report in 1 month."},"title":"NIS2 Incident Reporting Playbook","subtitle":"§32 BSIG transposes Art 23(4) NIS 2: three mandatory reports with fixed deadlines (24h, 72h, 1 month) plus two conditional reports (on request, if the incident is still ongoing). Missing a deadline is a separate violation, independent of the incident itself.","overview":{"heading":"Incident Reporting Under NIS2","p1":"§32 BSIG implements Article 23 of the NIS2 Directive. It establishes a mandatory reporting regime for significant security incidents. Every entity classified as a essential entity or important entity must report to the BSI when an incident meets the significance criteria. The cascade has three mandatory reports with fixed deadlines and two conditional reports, triggered on request or by an ongoing incident. The obligation cannot be delegated to a managed security service provider; the entity itself is responsible for timely reporting.","p2":"The reporting timelines are strict and begin when the entity becomes aware of the incident, not when the investigation is complete. This is a critical distinction: the 24-hour early warning must be submitted based on initial awareness, even if the full scope and impact are unknown. Waiting for complete information before reporting is itself a violation."},"timeline":{"heading":"Reporting Cascade per Art 23(4) NIS 2","description":"Three mandatory stages with fixed deadlines from the moment of awareness, plus up to two conditional reports (intermediate on the authority's request, progress report if the incident is still ongoing on the day the final report is due).","items":{"early":{"title":"Early Warning (Frühwarnung)","deadline":"Within 24 hours","description":"The initial notification to the BSI that a potentially significant incident has been detected. Must be submitted within 24 hours of becoming aware of the incident. The purpose is to enable the BSI to assess cross-sector impact and issue warnings to other entities if necessary.","contents":["Confirmation that a significant incident has occurred or is suspected","Whether the incident is suspected to be caused by unlawful or malicious acts","Whether the incident could have cross-border impact","Entity name, sector, and contact details for follow-up"]},"update":{"title":"Incident Notification (Meldung)","deadline":"Within 72 hours","description":"A more detailed notification updating the early warning with additional information gathered during the initial response. Must be submitted within 72 hours of awareness. Updates the BSI on the incident's nature, severity, and initial impact assessment.","contents":["Updated assessment of the incident's severity and impact","Indicators of compromise (IoCs) where available","Initial assessment of the nature and cause of the incident","Measures taken or planned to mitigate the incident","Cross-border impact assessment if applicable"]},"intermediate":{"title":"Intermediate Report (Zwischenbericht)","deadline":"On request","description":"Submitted on request from the BSI between the 72-hour notification and the final report. Status update on the current state of incident handling. Not automatic; triggered by the authority.","contents":["Current status of containment and remediation","New findings on cause, scope or impact","Adjustments to countermeasures","Updated damage assessment"]},"final":{"title":"Final Report (Abschlussbericht)","deadline":"1 month after the 72h notification","description":"A comprehensive final report submitted within one month of the 72-hour incident notification. Full documentation of the incident and the response.","contents":["Detailed description of the incident, including severity and impact","Root cause analysis - the type of threat or vulnerability that caused the incident","Measures applied and ongoing to mitigate the incident and its effects","Cross-border impact if applicable","Lessons learned and corrective actions planned or implemented"]},"progress":{"title":"Progress Report (Verlaufsbericht)","deadline":"If incident still ongoing","description":"If the incident is not yet resolved by the time the final report is due, the progress report replaces it. The subsequent final report is then due within one month of incident resolution.","contents":["Current status, since the incident is still ongoing","Containment measures implemented so far","Expected duration until incident resolution, where foreseeable","Plan for the eventual final report after incident resolution"]}}},"criteria":{"heading":"What Makes an Incident 'Significant'","description":"Not every security event triggers the §32 BSIG reporting obligation. An incident is significant if it meets one or more of the following criteria, as defined in Article 23(3) NIS2 Directive and specified further in CIR 2024/2690 Article 3.","items":{"disruption":{"title":"Service disruption","description":"The incident has caused or is capable of causing severe operational disruption to the services provided by the entity. For DNS providers and TLD registries, the CIR specifies thresholds including availability below 99.9% or incorrect DNS response delivery."},"financial":{"title":"Financial loss","description":"The incident has caused or is capable of causing financial loss to the entity. CIR 2024/2690 Article 3 specifies a threshold of EUR 500,000 or 5% of annual turnover - whichever is lower. This includes direct costs (remediation, forensics) and indirect costs (revenue loss, contractual penalties)."},"spread":{"title":"Impact on other entities","description":"The incident has caused or could cause considerable damage to other natural or legal persons. This includes incidents that propagate through supply chains, affect shared infrastructure, or expose data belonging to third parties."},"data":{"title":"Data breach","description":"The incident involves unauthorised access to, destruction of, or alteration of data. Note that NIS2 incident reporting under §32 BSIG is separate from and additional to GDPR breach notification under Art. 33/34 GDPR - both obligations may apply simultaneously."},"duration":{"title":"Extended outage","description":"The incident has caused or is expected to cause a prolonged disruption to the entity's services. The duration threshold is not fixed in the Directive but CIR 2024/2690 provides entity-specific criteria. Extended outages affecting critical services are presumed significant."}}},"fields":{"heading":"Required Reporting Fields","description":"The BSI reporting portal requires structured information. Having these fields prepared in advance significantly reduces the risk of missing the 24-hour deadline.","items":{"entity":{"title":"Entity identification","description":"Company name, BSI registration number, sector classification, NACE code, and designated contact point for incident coordination. This information should be pre-configured in your incident response plan - not looked up during a crisis."},"nature":{"title":"Incident nature and classification","description":"Type of incident (ransomware, DDoS, data breach, insider threat, supply chain compromise, etc.), affected systems and services, timeline of events from detection to current state, and initial severity classification."},"impact":{"title":"Impact assessment","description":"Number of affected users or customers, services disrupted, estimated financial impact, data categories affected (if any), and duration of disruption. For the early warning, estimates are acceptable - precision comes in the 72-hour notification and final report."},"crossBorder":{"title":"Cross-border impact","description":"Whether the incident affects or could affect entities or citizens in other EU member states. This triggers information sharing between national CSIRTs and may involve ENISA coordination. Must be assessed in both the early warning and subsequent notifications."},"measures":{"title":"Response measures","description":"Actions taken to contain, eradicate, and recover from the incident. Includes technical measures (isolation, patching, credential rotation), communication measures (customer notification, stakeholder briefing), and organisational measures (crisis team activation, external support engagement)."}}},"where":{"heading":"Where and How to Report","description":"Reporting is exclusively through the BSI's digital reporting portal.","p1":"All incident reports under §32 BSIG must be submitted via the BSI's official reporting portal. The BSI does not accept reports by email, telephone, or letter as a substitute for portal submission - though telephone contact with the BSI's incident response team (CERT-Bund) is appropriate for coordinating response to critical incidents in parallel with the formal report.","p2":"The reporting portal is available at the BSI's website under the NIS2 section. Access requires prior registration under §33 BSIG - which means unregistered entities face a compounded problem: they cannot file incident reports through the proper channel because they have not completed the prerequisite registration. This is another reason why BSI registration must not be delayed."},"penalties":{"heading":"Penalties for Reporting Failures","description":"Non-reporting is penalised independently of the incident itself. A company that suffers an incident and handles it well technically but fails to report faces separate enforcement action.","items":{"essential":{"amount":"Up to EUR 10,000,000 or 2% of turnover","label":"Essential entities","detail":"The higher of EUR 10 million or 2% of worldwide annual turnover of the preceding business year. This applies to essential entities in sectors listed in BSIG Annex 1 (energy, transport, banking, health, water, digital infrastructure, space, public administration)."},"important":{"amount":"Up to EUR 7,000,000 or 1.4% of turnover","label":"Important entities","detail":"The higher of EUR 7 million or 1.4% of worldwide annual turnover. This applies to important entities in sectors listed in BSIG Annex 2 (postal services, waste management, chemicals, food, manufacturing, digital providers, research)."},"management":{"amount":"Personal liability - §38 BSIG","label":"Management (Geschäftsleitung)","detail":"If management was aware of an incident and failed to ensure timely reporting, this constitutes a violation of the oversight duty under §38(1) BSIG. Management can be held personally liable to the company for damages arising from the reporting failure - separate from penalties imposed on the company itself."}}},"sources":{"heading":"Sources","items":["NIS2 Directive (EU) 2022/2555 - Article 23 (Reporting obligations)","BSIG - §32 (Meldepflichten bei erheblichen Sicherheitsvorfällen)","BSIG - §38 (Billigung, Überwachung, Schulung - Geschäftsleitung)","BSIG - §65 (Bußgeldvorschriften)","CIR (EU) 2024/2690 - Article 3 (Significance of incidents), Article 4 (Recurring incidents)","ENISA - Guidance on NIS2 incident reporting obligations and templates (2024)","BSI - NIS2 reporting portal documentation and FAQ"]},"ctaCard":{"heading":"Be Reporting-Ready Before the Incident Hits","description":"The platform pre-configures your BSI reporting fields, maintains an incident register with classification workflows, and tracks the 24h/72h/1-month deadlines - so you meet every obligation under pressure."},"cta":"Start Your NIS2 Compliance Process"},"euImplementation":{"meta":{"title":"NIS2 Implementation Status Across Europe - Transposition Tracker 2026","description":"The NIS2 Directive deadline was 17 October 2024. By early 2026, only 6-8 of 27 EU member states had fully transposed. Country-by-country status of implementing legislation, infringement proceedings, and what fragmented transposition means for cross-border companies."},"title":"NIS2 Implementation Across Europe","subtitle":"The transposition deadline was 17 October 2024. By early 2026, the majority of EU member states had missed it - triggering infringement proceedings and creating a fragmented compliance landscape across Europe.","overview":{"heading":"A Directive Deadline Missed by Most","p1":"Directive (EU) 2022/2555 - the NIS2 Directive - required all 27 EU member states to transpose its provisions into national law by 17 October 2024. This deadline was explicit, non-negotiable, and established more than two years in advance when the Directive was published on 27 December 2022. Despite this, the vast majority of member states failed to meet it.","p2":"As of March 2026, roughly half of the 27 member states have fully transposed the Directive into national law. Belgium was notably first, enacting its Loi NIS2 in April 2024 - six months before the deadline. Croatia, Hungary, Latvia, and Lithuania were among the early adopters. Italy enacted its national transposition (D.Lgs. 138/2024) in October 2024. Germany followed in late 2025 with the NIS2UmsuCG.","p3":"The European Commission launched infringement proceedings against member states that had not communicated full transposition measures by the deadline. By November 2024, the Commission had sent letters of formal notice to 23 member states. This is not unusual for EU directives - but the scale of non-transposition for a cybersecurity regulation affecting critical infrastructure raised concerns about the EU's collective cyber resilience posture."},"keyStats":{"transposed":{"value":"~6-8","label":"Member states fully transposed by early 2026"},"late":{"value":"23","label":"Member states receiving infringement letters (Nov 2024)"},"deadline":{"value":"17 Oct 2024","label":"Directive transposition deadline"}},"countries":{"heading":"Country-by-Country Implementation Status","description":"Status as of early 2026 based on European Commission transposition tracker, national legislative databases, and Wavestone NIS2 radar analysis.","headers":{"country":"Country","status":"Status","law":"Implementing Law","notes":"Notes"},"rows":{"de":{"country":"Germany","status":"Transposed","statusKey":"done","law":"NIS2UmsuCG (amending BSIG)","notes":"Passed after significant delays (November 2025, over a year late). Amends the BSI-Gesetz (BSIG) with new §§28-65 covering scope, measures, reporting, and penalties. BSI registration portal operational since January 6, 2026."},"at":{"country":"Austria","status":"Transposed","statusKey":"done","law":"NISG 2024 (Netz- und Informationssystemsicherheitsgesetz)","notes":"Austria adopted its NIS2 transposition law in 2024. Closely aligned with the German approach due to shared legal traditions and DACH coordination."},"be":{"country":"Belgium","status":"Transposed","statusKey":"done","law":"Loi NIS2 (April 2024)","notes":"First EU member state to transpose NIS2 - six months before the deadline. CCB (Centre for Cybersecurity Belgium) designated as national authority."},"hr":{"country":"Croatia","status":"Transposed","statusKey":"done","law":"Zakon o kibernetičkoj sigurnosti","notes":"Among the early adopters. National CERT (CERT.hr) and competent sectoral authorities designated."},"hu":{"country":"Hungary","status":"Transposed","statusKey":"done","law":"Government Decree 418/2024","notes":"Transposed through government decree rather than parliamentary legislation. NDGDM designated as national cybersecurity authority."},"it":{"country":"Italy","status":"Transposed","statusKey":"done","law":"D.Lgs. 138/2024","notes":"Decreto Legislativo adopted in October 2024. ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority. Registration portal launched."},"lv":{"country":"Latvia","status":"Transposed","statusKey":"done","law":"Amendments to the National Cyber Security Law","notes":"Transposed by amending existing cybersecurity legislation. CERT.LV continues as national CSIRT."},"lt":{"country":"Lithuania","status":"Transposed","statusKey":"done","law":"Kibernetinio saugumo įstatymas (amended)","notes":"Early adopter. Amendments to existing Cyber Security Law came into force in late 2024."},"fr":{"country":"France","status":"In progress","statusKey":"partial","law":"Projet de loi NIS2 (pending)","notes":"ANSSI published draft transposition text. Parliamentary process delayed by political instability in late 2024. Expected completion in 2026. ANSSI acting as de facto authority in the interim."},"nl":{"country":"Netherlands","status":"In progress","statusKey":"partial","law":"Cyberbeveiligingswet (Cbw) - in legislative process","notes":"Draft Cybersecurity Act (Cbw) published. Senate review ongoing as of early 2026. NCSC-NL designated as CSIRT, with sectoral authorities for specific sectors."},"pl":{"country":"Poland","status":"In progress","statusKey":"partial","law":"Amendment to KSC (Krajowy System Cyberbezpieczeństwa)","notes":"Draft amendments to the National Cybersecurity System Act published. Multiple rounds of public consultation. Delayed by scope discussions around public administration entities."},"es":{"country":"Spain","status":"In progress","statusKey":"partial","law":"Anteproyecto de Ley NIS2","notes":"Preliminary draft published. CCN-CERT and INCIBE share cybersecurity authority responsibilities. Legislative timeline uncertain as of early 2026."},"se":{"country":"Sweden","status":"In progress","statusKey":"partial","law":"Cybersäkerhetslagen (proposed)","notes":"Government inquiry (SOU) completed. Draft legislation under review. MSB (Myndigheten för samhällsskydd och beredskap) designated as coordinating authority."}}},"germany":{"heading":"Germany's Transposition - The BSIG Amendments","description":"Germany's NIS2 transposition went through a protracted legislative process before final passage.","p1":"Germany transposed NIS2 through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which amends the existing BSI-Gesetz (BSIG). The legislative process was delayed multiple times - the initial drafts circulated in mid-2023, but the law did not pass through the Bundestag (13 November 2025) and Bundesrat (21 November 2025) until over a year after the original October 2024 deadline.","p2":"The amended BSIG introduces a comprehensive NIS2 regime: §28 defines scope (essential and important entities), §30 establishes the 10 cybersecurity measure areas, §32 implements incident reporting with the three-stage timeline, §33 creates the BSI registration obligation, §38 introduces management personal liability, and §65 defines the penalty framework. The BSI serves as the national competent authority and CSIRT.","p3":"The BSI registration portal went live on January 6, 2026, enabling entities to fulfill their §33 registration obligation. The registration deadline passed on March 6, 2026. The BSI has published sector-specific guidance documents and FAQs, and has begun outreach to entities that may be in scope but have not registered. Enforcement - including periodic audits and on-site inspections for essential entities - is now active."},"challenges":{"heading":"Cross-Border Compliance Challenges","description":"The fragmented transposition creates practical challenges for companies operating across multiple EU member states.","items":{"fragmentation":{"title":"Regulatory fragmentation","description":"Companies operating in multiple member states face different national implementations of the same Directive. While the core obligations are harmonised, member states have exercised discretion on scope (which sub-sectors to include), penalty levels (within the Directive's minimum thresholds), and supervisory approaches. A company present in Germany, France, and the Netherlands may face three different regulatory timelines and registration procedures."},"definitions":{"title":"Divergent scope definitions","description":"The NIS2 Directive allows member states to extend scope beyond the minimum. Some countries (notably Belgium) have applied NIS2 to additional sectors. Others have applied different size thresholds or included public administration entities at varying levels. This makes pan-European scope assessment challenging - a company in scope in one country may not be in another."},"reporting":{"title":"Multiple reporting channels","description":"An incident at a company with operations in multiple member states may trigger reporting obligations in each country where the affected services are provided. Each national CSIRT has its own portal and procedures. While ENISA coordinates cross-border incident sharing, the entity must file with each relevant national authority independently."},"enforcement":{"title":"Uneven enforcement maturity","description":"Countries that transposed early (Belgium, Croatia, Hungary) have a head start in building supervisory capacity. Countries still in the legislative process have no functioning enforcement regime. This creates an uneven playing field - and a risk that enforcement will be concentrated in the most mature jurisdictions, creating compliance pressure based on geography rather than risk."}}},"sources":{"heading":"Sources","items":["Directive (EU) 2022/2555 - NIS2 Directive, Official Journal of the European Union (27 December 2022)","European Commission - NIS2 transposition tracker and infringement proceedings updates (2024-2025)","Wavestone - NIS2 Transposition Radar: country-by-country implementation status (2025)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit (Germany)","Loi NIS2 - Belgian NIS2 transposition law (April 2024)","D.Lgs. 138/2024 - Italian NIS2 transposition decree","ENISA - NIS2 implementation overview and cross-border coordination guidance (2025)","BMI/BSI - Parliamentary documentation and guidance on NIS2UmsuCG implementation"]},"relatedArticle":{"heading":"Operating in multiple EU countries?","description":"If your company has legal entities in more than one EU member state, you must register with each country's national authority separately. Read our guide covering all 28 authorities.","cta":"Read: NIS2 registration across multiple EU countries"},"ctaCard":{"heading":"Comply Where It Matters - Starting with Germany","description":"The platform implements the full BSIG requirement set - Germany's NIS2 transposition - with structured requirements, evidence management, and audit readiness. Built for German law, applicable across the EU."},"cta":"Start Your NIS2 Compliance Process"},"missedRegistration":{"meta":{"title":"Missed BSI NIS2 Registration? Immediate Steps","description":"Missed the NIS2 BSI registration deadline? 18,000 companies are in the same boat. Portal still open: register now, document, avoid €500K fines. Step-by-step."},"title":"You Missed the BSI Registration Deadline. Now What?","subtitle":"About 18,000 German companies missed the §33 BSIG registration deadline. The BSI portal is still open. Here is what matters now - and what actually happens if you act quickly.","shortAnswer":{"heading":"The Short Answer","p1":"Don't panic. You are not alone - and you are not too late to fix this. The BSI estimated that roughly 30,000 entities fall under NIS2 in Germany. The registration deadline passed on March 6, 2026, but a significant number of companies have still not registered. You are far from the only one in this position.","p2":"The registration portal under §33 BSIG is still open. You can register today. The BSI has signaled that it will prioritize enforcement against companies that ignore their obligations entirely - not against those who registered late but are acting in good faith. Late is better than never, and 'never' is the only truly dangerous option.","p3":"The key is to act now, document that you started, and begin the actual compliance work. A late registration with visible progress looks fundamentally different to a regulator than no registration at all."},"steps":{"heading":"Five Steps to Get Back on Track","description":"Follow this order. Each step builds on the previous one, and together they create a documented trail that shows the BSI you are taking compliance seriously.","items":{"check":{"title":"1. Confirm you are actually in scope","description":"Before you register, verify that NIS2 applies to your company. The criteria are in §28 BSIG: you need to operate in one of 18 listed sectors AND meet the size threshold (50+ employees or €10M+ annual revenue). If you are unsure, check the BSI's sector lists in Annex I and Annex II of the NIS2 Directive. Many companies assume they are out of scope when they are not - and vice versa. If you are genuinely uncertain, get a legal opinion before registering, but do not use uncertainty as an excuse to delay."},"register":{"title":"2. Register via the BSI portal immediately","description":"Go to the BSI's NIS2 registration portal and complete your registration under §33 BSIG. You will need: your company details, sector classification, contact person for cybersecurity matters, and IP address ranges for your critical systems. The registration itself takes about 30 minutes if you have your information ready. Do this today - every day you wait adds to the gap between the deadline and your registration date."},"document":{"title":"3. Document that you have started","description":"Create a written record - even a simple internal memo - that documents when you became aware of your NIS2 obligations, when you registered, and what steps you are taking. This creates a paper trail that demonstrates good faith. If the BSI ever asks why you were late, 'we identified the obligation, registered immediately, and began compliance work on [date]' is a strong answer."},"implement":{"title":"4. Begin actual compliance work","description":"Registration is just the first step - §30 BSIG requires you to implement cybersecurity risk management measures. Start with the foundations: asset inventory, risk assessment methodology, and incident reporting procedures. You do not need to be fully compliant overnight, but you need to be visibly working toward it. The BSI will look at trajectory, not just current state."},"legal":{"title":"5. Consider legal counsel if scope is unclear","description":"If your company sits near the threshold (close to 50 employees or €10M revenue), operates in a sector that could be interpreted multiple ways, or has a complex corporate structure, consult a lawyer specializing in IT regulation. The cost of a legal opinion (€2,000-5,000) is trivial compared to the cost of either non-compliance or unnecessary compliance. Some industry associations (like Bitkom or BDI) also offer NIS2 scope guidance for members."}}},"risks":{"heading":"What Are the Actual Risks of Late Registration?","description":"Being honest about the risks helps you make proportionate decisions. The consequences are real but not catastrophic - if you act now.","items":{"fines":{"title":"Administrative fines","description":"§65 BSIG provides for fines of up to €500,000 specifically for registration violations. In practice, the BSI has limited enforcement capacity and is focused on getting companies into the system, not punishing stragglers. A company that registers late and demonstrates active compliance efforts is unlikely to face the maximum penalty. A company that never registers is a different story."},"orders":{"title":"Compliance orders","description":"The BSI can issue binding compliance orders requiring you to register and implement specific measures within a set timeframe. Non-compliance with such an order escalates the legal situation significantly. Registering proactively - even late - avoids this escalation path entirely."},"liability":{"title":"Management personal liability","description":"§38 BSIG makes the Geschäftsführung personally liable for ensuring NIS2 compliance. If your company is in scope and you - as management - knowingly delayed registration, this creates personal exposure. The liability cannot be waived by shareholder resolution. Documenting that you acted as soon as you became aware is important protection."},"audit":{"title":"Increased scrutiny in future audits","description":"For essential entities, the BSI conducts periodic audits. A late registration will be visible in your compliance timeline. However, a well-documented catch-up process that shows systematic improvement is viewed very differently from a pattern of neglect. Auditors assess trajectory, not just the starting point."}}},"context":{"heading":"Why So Many Companies Missed the Deadline","p1":"The NIS2 registration gap is not primarily caused by negligence. The German legislative process was delayed repeatedly - the NIS2UmsuCG passed months after the original EU transposition deadline. Many companies reasonably waited for the German law to be finalized before taking action. Others were unaware they fell in scope because the sector definitions expanded dramatically compared to the old KRITIS regime.","p2":"The BSI itself acknowledged the scale of the registration gap publicly. The agency has taken a pragmatic stance: the priority is getting all 30,000 entities registered and into the compliance system, not punishing the first wave of late registrants. This pragmatism has limits - it applies to companies that are actively working toward compliance, not to those using the BSI's patience as an excuse to do nothing."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is the BSI registration portal still open?","a":"Yes. The §33 BSIG registration portal remains open. There is no deadline after which you can no longer register - the obligation is ongoing. The deadline was when you should have registered, not when you could. Register now."},"q2":{"q":"What is the fine for late registration?","a":"§65 BSIG provides for fines of up to €500,000 for registration violations. However, fines are assessed on a case-by-case basis considering the severity, duration, and whether the company acted in good faith. A company that registers a few months late and shows active compliance efforts faces a very different risk profile than one that ignores the obligation entirely."},"q3":{"q":"Does late registration affect my other NIS2 obligations?","a":"No. Your obligations under §30 BSIG (cybersecurity measures), §32 (incident reporting), and §38 (management liability) exist independently of whether you have registered. Registration does not create the obligations - it fulfills one of them. The other obligations apply from the moment you meet the scope criteria, regardless of registration status."},"q4":{"q":"Can I register if I am not sure we are in scope?","a":"Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences - the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register."},"q5":{"q":"What if we registered but have not started compliance work?","a":"Registration without compliance work is like filing a tax return but not paying the tax - you fulfilled one obligation but not the substantive ones. Start with §30 BSIG measures now: asset inventory, risk assessment, incident reporting procedures. The BSI expects registered entities to be actively working toward compliance, not just sitting on a registration number."}},"sources":{"heading":"Sources","items":["BSI - NIS2 registration statistics and public statements on enforcement approach (2025)","G DATA CyberDefense - NIS2 awareness survey: 44% of mid-market companies unaware of obligations (2024)","BSIG - §33 (Registration obligation), §65 (Administrative fines), §38 (Management liability)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit","BMI - Parliamentary documentation and guidance on NIS2UmsuCG implementation"]},"ctaCard":{"heading":"Register, Then Build Your Compliance Trail","description":"The platform guides you from registration through full §30 BSIG compliance - creating the documented evidence trail that shows the BSI you are taking this seriously."},"cta":"Start Your NIS2 Compliance Process"},"kritisComparison":{"meta":{"title":"NIS2 vs KRITIS - What Actually Changed for German Companies","description":"NIS2 does not replace KRITIS - it extends it. From 2,000 to 30,000 companies, new sectors, personal liability, tighter reporting. A clear comparison of what changed and what stayed the same."},"title":"NIS2 vs KRITIS: What Actually Changed","subtitle":"NIS2 does not replace KRITIS - it extends it dramatically. From roughly 2,000 operators to about 30,000 entities, seven new sectors, personal management liability, and tighter reporting deadlines.","overview":{"heading":"KRITIS Was the Warm-Up. NIS2 Is the Main Event.","p1":"If your company was already classified as KRITIS (Kritische Infrastruktur) under the old BSI-KritisV regime, you know what cybersecurity regulation looks like. You have dealt with BSI audits, incident reporting, and IT security measures. The good news: your existing work is not wasted. The challenging news: NIS2 raises the bar, broadens the scope, and adds obligations that did not exist before.","p2":"If your company was NOT previously KRITIS, this is likely your first encounter with mandatory cybersecurity regulation. NIS2 - transposed into German law through the amended BSIG - brings roughly 28,000 additional companies into the regulatory perimeter. Many of these companies have never reported an incident to a government agency, never been audited for IT security, and never thought of cybersecurity as a legal compliance topic."},"table":{"heading":"Side-by-Side Comparison","description":"How KRITIS and NIS2/BSIG differ across the eight areas that matter most for compliance planning.","headers":{"aspect":"Aspect","kritis":"KRITIS (BSI-KritisV)","nis2":"NIS2 / BSIG (new)"},"rows":{"scope":{"aspect":"Scope","kritis":"Approximately 2,000 operators of critical infrastructure in 10 sectors, identified by exceeding specific threshold values (e.g., 500,000 people served)","nis2":"Approximately 30,000 entities across 18 sectors, using a simple size threshold: 50+ employees or €10M+ annual revenue. Includes both 'essential' and 'important' categories"},"threshold":{"aspect":"Threshold model","kritis":"Sector-specific quantitative thresholds (e.g., 500,000 supplied persons for energy, 500,000 residents for water). Complex to calculate, many borderline cases","nis2":"Uniform size criteria: medium enterprise (50+ employees or €10M+ revenue) across all sectors. Much simpler to determine. Some sectors have additional criteria regardless of size"},"registration":{"aspect":"Registration","kritis":"Self-declaration to BSI with optional verification. No formal registration portal for most KRITIS operators initially","nis2":"Mandatory registration via BSI portal under §33 BSIG. Must provide entity details, sector classification, contact person, and IP ranges. Separate penalty provision for non-registration"},"reporting":{"aspect":"Incident reporting","kritis":"Significant incidents reported to BSI without strict timeline in earlier regulations. Later tightened but less structured than NIS2","nis2":"Three-stage mandatory reporting under §32 BSIG: early warning within 24 hours, incident notification within 72 hours, final report within one month. Each stage has defined content requirements"},"penalties":{"aspect":"Penalties","kritis":"Fines up to €100,000 for some violations. Limited enforcement in practice. Penalties rarely applied publicly","nis2":"Fines up to €10M or 2% of global annual turnover for essential entities, up to €7M or 1.4% for important entities. Separate fines for registration and reporting violations. Modeled on GDPR penalty structure"},"liability":{"aspect":"Management liability","kritis":"No specific personal liability provision for management. General corporate law duties applied","nis2":"§38 BSIG introduces explicit personal liability for Geschäftsführung. Management must approve cybersecurity measures, undergo training, and can be held personally liable for damages. Cannot be waived by shareholder resolution"},"audit":{"aspect":"Audit requirements","kritis":"Biennial evidence submission (§8a BSIG old). Primarily self-audit with BSI review of submitted evidence","nis2":"Essential entities: BSI can conduct proactive audits and on-site inspections. Important entities: reactive supervision (audits triggered by incidents or evidence of non-compliance). BSI has broader enforcement powers including binding instructions"},"supply":{"aspect":"Supply chain security","kritis":"Not a specific regulatory requirement under old KRITIS regime. Companies managed supplier risk on their own terms","nis2":"§30(2)(4) BSIG mandates supply chain security measures. Must assess supplier cybersecurity, include security requirements in contracts, and monitor supplier posture throughout the relationship. Applies to all in-scope entities"}}},"newSectors":{"heading":"Seven Newly In-Scope Sectors","description":"These sectors were not covered by the old KRITIS regime. Companies in these industries are dealing with mandatory cybersecurity regulation for the first time.","items":{"waste":{"title":"Waste management","detail":"Collection, treatment, and disposal of waste. Covered under NIS2 Annex II. Includes municipal waste services, hazardous waste processors, and recycling operations. Most waste companies have never dealt with cybersecurity regulation."},"food":{"title":"Food production and distribution","detail":"Food manufacturing, processing, and wholesale distribution. Covered under NIS2 Annex II. This extends beyond the retail food chain to include production facilities, cold chain logistics, and food safety systems."},"manufacturing":{"title":"Manufacturing of critical products","detail":"Manufacturing of medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, and other transport equipment. Covered under NIS2 Annex II. A significant number of German Mittelstand companies fall into this category."},"postal":{"title":"Postal and courier services","detail":"Postal service providers and courier companies. Covered under NIS2 Annex II. Includes parcel delivery services, mail sorting operations, and logistics platforms that support last-mile delivery."},"chemicals":{"title":"Chemical production and distribution","detail":"Manufacturing, production, and distribution of chemicals. Covered under NIS2 Annex II. Overlaps significantly with existing safety regulation (Störfallverordnung) but adds cybersecurity-specific obligations."},"research":{"title":"Research organizations","detail":"Research institutions whose primary purpose is to carry out applied research or experimental development. Covered under NIS2 Annex II. Includes Fraunhofer institutes, Helmholtz centers, and private research organizations above the size threshold."},"digital":{"title":"Digital infrastructure and services","detail":"Expanded scope for digital providers: managed service providers, managed security service providers, online marketplaces, search engines, social networks, and data centers. Some were partially covered before - NIS2 broadens and clarifies the definitions significantly."}}},"unchanged":{"heading":"What Stayed the Same","items":["The BSI remains the central competent authority and national CSIRT for Germany","IT-Grundschutz remains the recommended methodology for implementing security measures (§44(2) BSIG)","The fundamental principle of 'appropriate and proportionate' measures - you must implement what is reasonable for your size and risk profile, not everything theoretically possible","The requirement to maintain an information security management system (ISMS) in some form - whether formally certified or structured around Grundschutz"]},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We were already KRITIS - do we still need to do something new?","a":"Yes. Even if you were a fully compliant KRITIS operator, NIS2 adds new obligations: mandatory BSI registration via the §33 portal (if not already done), tighter incident reporting timelines (24h/72h/1 month cascade), explicit management liability under §38, and mandatory supply chain security measures. Your existing security measures likely cover most of the technical requirements, but the regulatory and governance obligations are new."},"q2":{"q":"What are the new sectors that were not in KRITIS?","a":"Seven sectors are newly in scope under NIS2 that were not covered by the old KRITIS regime: waste management, food production and distribution, manufacturing of critical products, postal and courier services, chemical production and distribution, research organizations, and expanded digital infrastructure and services. Companies in these sectors are dealing with mandatory cybersecurity regulation for the first time."},"q3":{"q":"Is NIS2 just KRITIS with a different name?","a":"No. NIS2 is a fundamentally broader and deeper regulatory regime. KRITIS covered approximately 2,000 operators with high thresholds. NIS2 covers approximately 30,000 entities with much lower thresholds. NIS2 adds personal management liability, mandatory registration, structured incident reporting timelines, supply chain obligations, and significantly higher penalties. Think of KRITIS as the pilot program - NIS2 is the full rollout."},"q4":{"q":"What is the biggest practical difference for companies?","a":"Management personal liability under §38 BSIG. Under KRITIS, cybersecurity was an IT department problem. Under NIS2, the Geschäftsführung is personally responsible for approving and overseeing cybersecurity measures, must undergo cybersecurity training, and can be held liable for damages resulting from non-compliance. This liability cannot be waived, even by shareholder resolution. This changes cybersecurity from an IT budget line to a board-level governance issue."}},"sources":{"heading":"Sources","items":["Directive (EU) 2022/2555 - NIS2 Directive, Annex I and Annex II (sector definitions)","BSIG - §28 (Scope and entity definitions), §30 (Cybersecurity measures), §32 (Incident reporting), §33 (Registration), §38 (Management liability), §65 (Penalties)","BSI-KritisV - Verordnung zur Bestimmung Kritischer Infrastrukturen (previous KRITIS threshold regulation)","BSI - NIS2 scope guidance and sector classification documentation (2025)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit"]},"ctaCard":{"heading":"From KRITIS to NIS2 - Close the Gaps","description":"The platform covers all NIS2/BSIG requirements, including the obligations that are new compared to the old KRITIS regime: registration tracking, management sign-offs, supply chain documentation, and the structured incident reporting cascade."},"cta":"Start Your NIS2 Compliance Process"},"glossary":{"meta":{"title":"NIS2 Terminology Glossary - Plain Language Definitions","description":"Every NIS2 and BSIG term explained in plain language. From Wesentliche Einrichtung to CSIRT - what the terms actually mean for your company."},"title":"NIS2 Terminology Glossary","subtitle":"Every term you will encounter during NIS2 compliance, explained in plain language. No jargon, no legalese - just what each term means and why it matters for your company.","intro":"NIS2 compliance comes with its own vocabulary - a mix of EU legal terminology, German administrative law, and cybersecurity jargon. This glossary explains each term the way you need to understand it: what it means in practice, not just what the letters stand for. Where a term has a commonly used German equivalent from the BSIG, we include it.","terms":{"wesentlicheEinrichtung":{"term":"Essential Entity","definition":"Companies in high-criticality sectors (Annex I of NIS2) above the size threshold. In Germany, these face the strictest requirements and highest penalties under §28 BSIG. Think: energy, transport, banking, health, water, digital infrastructure. Essential entities are subject to proactive BSI audits - the BSI can inspect you without a specific trigger.","german":"Besonders wichtige Einrichtung","legalRef":"§28(1) BSIG, NIS2 Directive Art. 3(1)"},"wichtigeEinrichtung":{"term":"Important Entity","definition":"Companies in other in-scope sectors (Annex II of NIS2) above the size threshold. Same core obligations as essential entities, but lower maximum penalties and reactive rather than proactive supervision - the BSI investigates if something goes wrong, not on a routine schedule. Think: waste, food, manufacturing, postal, chemicals, research.","german":"Wichtige Einrichtung","legalRef":"§28(2) BSIG, NIS2 Directive Art. 3(2)"},"bsig":{"term":"BSIG (BSI-Gesetz)","definition":"The German federal law governing the BSI (Federal Office for Information Security) and cybersecurity obligations. The NIS2UmsuCG amended the BSIG to include all NIS2 requirements. When someone says 'NIS2 compliance in Germany,' they mean compliance with the amended BSIG. This is the law that applies to you - not the NIS2 Directive itself.","german":"Gesetz über das Bundesamt für Sicherheit in der Informationstechnik","legalRef":"BSIG as amended by NIS2UmsuCG"},"nis2Directive":{"term":"NIS2 Directive","definition":"The EU-level legislation (Directive 2022/2555) that required all member states to implement cybersecurity regulation for critical and important entities. It sets the minimum requirements - each country then transposed it into national law. In Germany, this became the amended BSIG. You do not comply with the Directive directly; you comply with the BSIG.","legalRef":"Directive (EU) 2022/2555"},"cir2024":{"term":"CIR 2024/2690","definition":"The EU Implementing Regulation that specifies the exact technical and methodological requirements for NIS2 entities. Unlike the Directive, this applies directly in all member states without transposition. It details what 'appropriate cybersecurity measures' actually means in practice - think of it as the technical rulebook that fills in the details the Directive left open.","legalRef":"Commission Implementing Regulation (EU) 2024/2690"},"bsiRegistration":{"term":"BSI Registration","definition":"The mandatory registration of in-scope entities with the BSI via its online portal. Required by §33 BSIG with its own penalty provision. You provide your company details, sector classification, a cybersecurity contact person, and IP address ranges. This is a standalone legal obligation - completing it does not satisfy your other NIS2 requirements, but not completing it is its own violation.","german":"BSI-Registrierung","legalRef":"§33 BSIG"},"significantIncident":{"term":"Significant Incident","definition":"A cybersecurity event that actually disrupts your service, causes financial damage, or could spread to others. Not every phishing email - only events that cross specific severity thresholds trigger the mandatory BSI reporting cascade. The CIR 2024/2690 defines concrete thresholds: financial loss exceeding €500,000 or 5% of turnover, data exfiltration of trade secrets, or health impact.","german":"Erheblicher Sicherheitsvorfall","legalRef":"§32 BSIG, CIR 2024/2690 Art. 3"},"riskManagement":{"term":"Risk Management Measures","definition":"The ten categories of cybersecurity measures that all NIS2 entities must implement under §30 BSIG. These range from risk assessment and incident handling to supply chain security and cryptography. They must be 'appropriate and proportionate' to your size and risk profile - a 50-person waste company is not expected to implement the same controls as Deutsche Telekom.","german":"Risikomanagementmaßnahmen","legalRef":"§30(2) BSIG"},"supplyChainSecurity":{"term":"Supply Chain Security","definition":"The requirement to assess and manage cybersecurity risks in your supply chain - especially IT service providers, cloud providers, and any supplier with access to your systems or data. You must include security requirements in contracts, assess supplier practices, and monitor them over time. This is new compared to the old KRITIS regime.","german":"Sicherheit der Lieferkette","legalRef":"§30(2)(4) BSIG"},"managementLiability":{"term":"Management Liability","definition":"The personal liability of company management (Geschäftsführung) for NIS2 compliance under §38 BSIG. Management must approve cybersecurity measures, ensure their implementation, undergo cybersecurity training, and can be held personally liable for resulting damages. This liability cannot be waived - not even by shareholder resolution. This is the provision that moves cybersecurity from the IT department to the boardroom.","german":"Leitungsverantwortung","legalRef":"§38 BSIG"},"itGrundschutz":{"term":"IT-Grundschutz","definition":"The BSI's own cybersecurity methodology - a comprehensive framework of security modules (Bausteine) with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. Since the BSI both publishes Grundschutz and enforces NIS2, using their methodology means you are audited against a standard the auditor knows inside out.","german":"IT-Grundschutz","legalRef":"§44(2) BSIG, BSI-Standards 200-1 through 200-4"},"auditTrail":{"term":"Audit Trail","definition":"A chronological record of who did what, when, and why in your compliance process. NIS2 requires evidence that measures are not just documented but actually implemented and maintained. An audit trail shows the BSI auditor that your policies are living documents, not shelf-ware - who approved a measure, when it was last reviewed, what changed."},"mfa":{"term":"Multi-Factor Authentication (MFA)","definition":"Authentication that requires two or more verification factors - typically something you know (password) and something you have (phone, hardware key). §30(2)(10) BSIG requires MFA for remote access, administrative access, and access to critical systems. If you are not already using MFA on your VPN, admin accounts, and email, this is one of the most concrete technical requirements to implement.","legalRef":"§30(2)(10) BSIG"},"section30":{"term":"§30 BSIG - Cybersecurity Measures","definition":"The central provision of NIS2 in German law. Lists ten categories of cybersecurity risk management measures that all in-scope entities must implement. Covers risk assessment, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, training, cryptography, access control, and multi-factor authentication. The measures must be 'appropriate and proportionate' - not gold-plated, but genuine.","legalRef":"§30 BSIG"},"section32":{"term":"§32 BSIG - Incident Reporting","definition":"The mandatory three-stage incident reporting cascade. When a significant incident occurs: early warning to the BSI within 24 hours, detailed incident notification within 72 hours, final report within one month. Each stage has specific content requirements. Late or missing reports are separate violations with their own penalty provisions.","german":"Meldepflichten","legalRef":"§32 BSIG"},"section33":{"term":"§33 BSIG - Registration Obligation","definition":"The legal obligation for all in-scope entities to register with the BSI. You provide entity information, sector classification, cybersecurity contact details, and IP address ranges. Non-registration is a standalone violation punishable by fines up to €500,000 - separate from any penalties for failing to implement actual security measures.","german":"Registrierungspflicht","legalRef":"§33 BSIG"},"section38":{"term":"§38 BSIG - Management Responsibility","definition":"The provision that makes company management personally liable for NIS2 compliance. The Geschäftsführung must approve risk management measures, oversee their implementation, and complete cybersecurity training. Failure creates personal liability for damages - and this liability cannot be waived by shareholders. This is the paragraph that gets CEOs' attention.","german":"Billigung von Risikomanagementmaßnahmen","legalRef":"§38 BSIG"},"annex1":{"term":"NIS2 Annex I - High-Criticality Sectors","definition":"The list of sectors whose entities are classified as 'essential' (essential entities) when they meet the size threshold. Includes: energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.","legalRef":"NIS2 Directive Annex I, §28(1) BSIG"},"annex2":{"term":"NIS2 Annex II - Other Critical Sectors","definition":"The list of sectors whose entities are classified as 'important' (wichtige Einrichtungen) when they meet the size threshold. Includes: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.","legalRef":"NIS2 Directive Annex II, §28(2) BSIG"},"csirt":{"term":"CSIRT (Computer Security Incident Response Team)","definition":"The national team responsible for receiving and responding to cybersecurity incident reports. In Germany, the BSI serves as the national CSIRT. When you report a significant incident under §32 BSIG, the BSI-CSIRT receives and processes your report. They can also provide technical assistance during incident response - they are not just a mailbox, but an operational resource.","german":"Computer-Notfallteam","legalRef":"NIS2 Directive Art. 10, §32 BSIG"},"kritis":{"term":"KRITIS (Critical Infrastructure)","definition":"Operators of critical facilities that exceed the thresholds defined in the BSI-KritisV regulation (typically 500,000 people served). KRITIS operators are automatically classified as essential entities and face additional obligations beyond standard NIS2: triennial evidence audits, mandatory attack detection systems, and stricter incident reporting deadlines.","german":"Kritische Infrastrukturen","legalRef":"BSI-KritisV, §28 BSIG"},"nis2umsucg":{"term":"NIS2UmsuCG","definition":"The NIS-2 Implementation and Cybersecurity Strengthening Act - Germany's national transposition of the NIS2 Directive. Adopted on 13 November 2025 and in force since 6 December 2025. It substantially amends the BSIG and brings all NIS2 obligations into German law. When German law refers to 'NIS2 compliance,' it means compliance with the BSIG as amended by NIS2UmsuCG.","german":"NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz","legalRef":"NIS2UmsuCG (BGBl. 2025)"},"naceCode":{"term":"NACE Code","definition":"The Statistical Classification of Economic Activities in the European Community (Nomenclature statistique des Activités économiques dans la Communauté Européenne). NIS2 and the BSIG use NACE codes to define which sectors and economic activities fall in scope. Your company's NACE code is the first thing the BSI checks when assessing applicability.","german":"NACE-Code","legalRef":"Regulation (EC) 1893/2006"},"muk":{"term":"MUK (Mein Unternehmenskonto)","definition":"Germany's central business account for federal administration services, authenticated via ELSTER certificates. A prerequisite for BSI registration: companies must first create a MUK account, then access the BSI registration portal through it. If you do not yet have a MUK account, you cannot register with the BSI - this is the first practical step before any compliance work begins.","german":"Mein Unternehmenskonto","legalRef":"OZG, ELSTER"}},"sources":{"heading":"Sources","items":["BSIG - Act on the Federal Office for Information Security (as amended by NIS2UmsuCG)","NIS2 Directive (EU) 2022/2555 - Official Journal of the European Union","Commission Implementing Regulation (EU) 2024/2690 - Official Journal of the European Union","BSI - IT-Grundschutz Standards BSI-200-1 through BSI-200-4","BSI - IT-Grundschutz Kompendium (current edition)"]},"ctaCard":{"heading":"From glossary to implementation","description":"The platform turns every term in this glossary into practice: registration, risk management, incident reporting, and audit trail - structured around the 49 BSIG requirements."},"cta":"Start NIS2 compliance"},"sectorWaste":{"meta":{"title":"NIS2 for Waste Management Companies - Compliance Guide","description":"Waste management is newly in scope under NIS2 Annex II. A practical guide for waste companies with 50+ employees: what the law requires, what your asset inventory looks like, and where to start."},"title":"NIS2 for Waste Management Companies","subtitle":"Your sector is newly in scope under NIS2 Annex II. If your waste management company has 50+ employees or €10M+ revenue, this is your practical guide to what the law requires and where to start.","badge":"Annex II - Important Entity","why":{"heading":"Why Does NIS2 Apply to Waste Companies?","p1":"Waste management was added to NIS2 because modern waste operations depend heavily on IT systems. Fleet management, route optimization, weighbridge systems, sorting plant controls, billing, and regulatory reporting all run on networked software. A ransomware attack that takes down a waste company's fleet management system does not just stop trucks - it creates a public health risk. Uncollected waste in a city of 200,000 people becomes a crisis within days.","p2":"The EU classified waste management under Annex II of the NIS2 Directive, which means waste companies meeting the size threshold (50+ employees or €10M+ annual revenue) are categorized as 'important entities' (wichtige Einrichtungen) under §28(2) BSIG. This means the full range of NIS2 obligations applies: BSI registration, cybersecurity risk management measures, incident reporting, supply chain security, and management liability.","p3":"Most waste companies have never dealt with cybersecurity regulation before. This is not a criticism - until NIS2, there was no legal reason to. But it does mean there is a steeper learning curve compared to sectors that were already under KRITIS. The good news: waste company IT environments are typically less complex than those in banking or energy, which means the compliance effort is proportionately smaller."},"assets":{"heading":"What Does a Waste Company's Asset Inventory Look Like?","description":"Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical waste management company with 100-200 employees, the inventory is simpler than you might expect - usually 10 to 15 grouped entries.","items":{"fleet":{"title":"Fleet management and GPS","detail":"The software and systems that manage vehicle routing, GPS tracking, driver scheduling, and real-time route optimization. This is usually a cloud-hosted SaaS platform or on-premises server. If this goes down, trucks cannot be dispatched efficiently. Group all fleet management components as one asset entry."},"weighing":{"title":"Weighbridge and weighing systems","detail":"Electronic weighing systems at sites that record incoming and outgoing material weights for billing and regulatory compliance. Often connected to ERP systems. May include older industrial controllers. Group the weighbridge system (hardware + software) as one asset."},"erp":{"title":"ERP and billing system","detail":"The core business system handling customer management, contracts, billing, material tracking, and regulatory reporting. Commonly SAP Business One, DATEV, or sector-specific solutions like RECY or Wastebox. Compromise of this system affects revenue, customer data, and regulatory reporting. One asset entry."},"scada":{"title":"Sorting and processing plant controls","detail":"If your company operates sorting plants, composting facilities, or waste-to-energy plants, you likely have SCADA or industrial control systems managing the physical processes. These are often older systems with limited security features. They represent a distinct risk category because they control physical equipment. Group per facility."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices used by office staff, dispatchers, and management. Standard office applications (Microsoft 365, email, document management). Grundschutz allows grouping identical devices: '45 standard Windows laptops' is one asset entry, not 45."},"network":{"title":"Network infrastructure","detail":"Routers, switches, firewalls, and VPN connections linking offices, depots, and plant sites. Include internet connections and any site-to-site links. If your company has multiple locations, each site's network can be a grouped entry. The network is what connects everything else - its compromise affects all other assets."}}},"priorities":{"heading":"Where to Start - Priority Order for Waste Companies","description":"You do not need to do everything at once. This priority order reflects what the BSI will look for first and what creates the most compliance value per hour of effort.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your §33 BSIG registration via the BSI portal. This is the most visible obligation and has its own penalty provision (up to €500,000). It takes about 30 minutes and immediately puts you on record as an entity that is engaging with its obligations. Do this before anything else."},"assets":{"title":"2. Build your asset inventory","description":"List the systems that support your waste collection, processing, and disposal services. Use the six categories above as a starting point. For each asset, note what it does, who manages it (internal or supplier), and what happens if it is unavailable for 24 hours. This inventory becomes the foundation for everything that follows."},"incidents":{"title":"3. Set up incident reporting","description":"Define what counts as a significant incident for your company and establish the process for reporting to the BSI within the required timelines (24h/72h/1 month). Designate who makes the reporting decision, who files the report, and how you reach them outside business hours. You do not need a security operations center - you need a clear phone tree and a documented process."},"access":{"title":"4. Review access controls","description":"Audit who has access to your critical systems - especially fleet management, ERP, and any plant control systems. Implement multi-factor authentication on remote access and administrative accounts. Remove access for former employees. This is often the area with the most low-hanging fruit: many waste companies have shared passwords, no MFA, and former employee accounts still active."},"suppliers":{"title":"5. Document supplier relationships","description":"Most waste companies outsource significant IT functions - cloud hosting, ERP maintenance, fleet management software. Document who these suppliers are, what access they have to your systems, and what security commitments they make. This is the beginning of your supply chain security process under §30(2)(4) BSIG. If your IT provider gets breached, your data and your services are at risk."}}},"specifics":{"heading":"What Makes Waste Companies Different","p1":"Waste companies have a unique risk profile. Unlike a software company where almost everything is digital, waste operations involve physical processes: trucks on roads, materials in motion, equipment at sites. A cyberattack on fleet management has immediate physical-world consequences. This operational technology dimension means your risk assessment should consider both IT systems and any industrial controls.","p2":"Most waste companies outsource heavily. Many operate with a small internal IT team (or no dedicated IT staff at all) and rely on external providers for everything from email to ERP to fleet management. Under NIS2, you can outsource operations but not accountability - §30 BSIG holds your company responsible for security measures even when a supplier delivers them. This makes supplier management your most important compliance lever.","p3":"The positive side: waste company IT environments are typically straightforward. A 100-person waste company has perhaps 6 to 10 distinct system groups, compared to 30 or more for a bank or hospital of similar size. This means the compliance effort is proportionate - you are looking at weeks of focused work, not a multi-year program. The BSI's 'appropriate and proportionate' standard works in your favor here."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is our waste company actually in scope for NIS2?","a":"If your company operates in waste collection, treatment, or disposal and has 50 or more employees or €10M or more in annual revenue, you are almost certainly in scope as an important entity under NIS2 Annex II. The sector definition covers the full waste management chain. If you are close to the threshold, check whether connected group companies push you over the limit - NIS2 uses the EU SME definition which considers linked enterprises."},"q2":{"q":"We outsource all IT - does NIS2 still apply to us?","a":"Yes, fully. NIS2 applies to the entity that provides the waste management service, regardless of who manages the IT. You can outsource the work but not the legal responsibility (§30 BSIG). In practice, this means your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify they have adequate security measures. If they get breached, your reporting obligation triggers - not theirs."},"q3":{"q":"What does an asset inventory look like for a waste company?","a":"Simpler than you think. A typical 100-person waste company has about 10 to 15 grouped asset entries: fleet management system, weighbridge system, ERP/billing, network infrastructure per site, standard endpoints (grouped - e.g., '45 Windows laptops'), email/collaboration (Microsoft 365), and possibly SCADA or sorting plant controls. Grundschutz explicitly allows grouping identical assets, so you do not need a line item for every laptop."},"q4":{"q":"How long does NIS2 compliance take for a company our size?","a":"For a 100-person waste company starting from scratch, expect 3 to 6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2 to 6), incident reporting process (weeks 4 to 8), access control improvements (weeks 6 to 12), policy documentation (ongoing). You do not need to be perfect by day one - the BSI evaluates trajectory and good faith. After the initial setup, ongoing effort is mainly annual reviews and responding to incidents."}},"sources":{"heading":"Sources","items":["NIS2 Directive (EU) 2022/2555 - Annex II, Sector 4: Waste water and waste management","BSIG - §28 (Scope), §30 (Cybersecurity measures), §33 (Registration), §38 (Management liability)","BSI - Sector-specific NIS2 guidance and registration portal documentation (2025)","IT-Grundschutz Kompendium - OPS.1.2.5 (Fernwartung), IND.1 (Prozessleit- und Automatisierungstechnik)","BDE Bundesverband der Deutschen Entsorgungs-, Wasser- und Kreislaufwirtschaft - NIS2 position papers"]},"ctaCard":{"heading":"NIS2 Compliance for Waste Companies - Structured and Practical","description":"The platform walks you through every §30 BSIG requirement with sector-appropriate guidance: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures sized for waste management operations."},"cta":"Start Your NIS2 Compliance Process"},"penalties":{"meta":{"title":"NIS2 Fines 2026: Up to €10M + Personal Liability","description":"NIS2 penalty tiers: up to €10M for essential entities, €7M for important, €500K for registration violations. Real examples and personal management liability."},"title":"NIS2 Penalties: What You Actually Risk","subtitle":"Four penalty tiers, concrete calculation examples for three company sizes, realistic enforcement scenarios, and the management personal liability that D&O insurance probably does not cover.","overview":{"heading":"The Penalty Framework Is Real - But Proportionate","p1":"NIS2 penalties are modeled on the GDPR penalty structure - designed to be large enough that companies cannot treat fines as a cost of doing business. The maximum amounts (up to €10M or 2% of global turnover) make headlines, but the reality for most mid-market companies is more nuanced. Fines are assessed based on the severity of the violation, the company's size, whether the company acted in good faith, and what corrective steps were taken.","p2":"That said, the penalty framework is not theoretical. The BSI has enforcement powers, the fines are codified in §65 BSIG, and management personal liability under §38 is a separate legal mechanism. Ignoring NIS2 is not a viable risk management strategy. Understanding the actual penalty structure helps you make proportionate decisions about compliance investment - neither panicking nor dismissing the risks."},"tiers":{"heading":"Four Penalty Tiers","description":"The BSIG establishes different maximum penalties depending on entity type and the nature of the violation.","items":{"essential":{"amount":"Up to €10,000,000 or 2% of global annual turnover","label":"Essential entities - cybersecurity measure violations","detail":"Applies to essential entities (Annex I sectors) that fail to implement adequate cybersecurity measures under §30 BSIG, fail to report significant incidents under §32, or otherwise violate substantive NIS2 obligations. The fine is the HIGHER of €10M or 2% of the previous fiscal year's global turnover."},"important":{"amount":"Up to €7,000,000 or 1.4% of global annual turnover","label":"Important entities - cybersecurity measure violations","detail":"Applies to wichtige Einrichtungen (important entities, Annex II sectors) for the same substantive violations. Lower ceiling reflects the NIS2 Directive's proportionality principle - important entities are in lower-criticality sectors. The fine is the HIGHER of €7M or 1.4% of the previous fiscal year's global turnover."},"registration":{"amount":"Up to €500,000","label":"Registration violations","detail":"Specific penalty for failing to register with the BSI under §33 BSIG or providing incorrect registration information. This is a standalone violation - you can be fined for non-registration even if your actual cybersecurity measures are adequate. The registration penalty applies to both essential and important entities."},"reporting":{"amount":"Up to €500,000","label":"Reporting violations","detail":"Specific penalty for failing to report significant incidents within the required timelines (24h early warning, 72h notification, 1 month final report) or for failing to provide required information during BSI investigations. Each reporting failure is a separate potential violation."}}},"examples":{"heading":"Concrete Calculation Examples","description":"What maximum penalties look like for companies of different sizes. The turnover-based calculation becomes relevant when it exceeds the fixed amount.","headers":{"company":"Company type","turnover":"Annual turnover","maxEssential":"Max fine (essential)","maxImportant":"Max fine (important)"},"rows":{"small":{"company":"Small mid-market","turnover":"€15,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be only €300,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be only €210,000)"},"medium":{"company":"Medium mid-market","turnover":"€50,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be only €1,000,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be only €700,000)"},"large":{"company":"Large enterprise","turnover":"€200,000,000","maxEssential":"€10,000,000 (fixed cap applies - 2% would be €4,000,000)","maxImportant":"€7,000,000 (fixed cap applies - 1.4% would be €2,800,000)"}}},"scenarios":{"heading":"Four Realistic Enforcement Scenarios","description":"What actually triggers BSI enforcement and what the consequences look like in practice.","items":{"lateRegistration":{"title":"Late or missing BSI registration","description":"Your company meets the NIS2 scope criteria but has not registered with the BSI under §33 BSIG. The BSI identifies you through sector databases, industry association membership lists, or commercial registers.","consequence":"The BSI issues a compliance order requiring registration within a set deadline. If you comply, the matter may end there - especially if you can show you were genuinely unaware. If you ignore the order, fines of up to €500,000 can be assessed. The registration gap also creates documentation that you were non-compliant from the start, which weakens your position on any other NIS2 violation."},"noIncidentReport":{"title":"Failure to report a significant incident","description":"Your company suffers a ransomware attack that disrupts services for 48 hours. You handle the technical response but do not report to the BSI. The incident becomes public through media coverage or customer complaints.","consequence":"Failure to file the initial early warning within 24 hours is a separate violation from failure to file the 72-hour notification and the final report - each is an independent penalty trigger. The BSI investigates and finds no report was filed. Beyond the fine (up to €500,000 per reporting failure), the non-reporting raises questions about your entire compliance posture, potentially triggering a broader audit."},"noRiskManagement":{"title":"No risk management process in place","description":"During a BSI audit (for essential entities) or following an incident (for important entities), the BSI finds that your company has no documented risk assessment, no asset inventory, and no cybersecurity measures beyond basic IT operations.","consequence":"This is the most serious substantive violation - a complete absence of §30 BSIG compliance. Maximum penalties apply (€10M/2% for essential, €7M/1.4% for important). In practice, the BSI would likely issue binding instructions first and impose penalties for non-compliance with those instructions. But the lack of any risk management process leaves no room for the 'we tried in good faith' defense."},"supplyChainGap":{"title":"Supply chain security gaps","description":"Your company outsources IT operations to a managed service provider. The provider suffers a data breach that exposes your customer data. The BSI investigates and finds no supplier security assessment, no contractual cybersecurity requirements, and no monitoring of the provider's security posture.","consequence":"You are responsible for your supply chain security under §30(2)(4) BSIG, regardless of where the breach occurred. The absence of supplier due diligence means you failed to implement required measures. This can trigger penalties under the cybersecurity measures framework (up to €10M/€7M depending on entity type), plus the incident itself triggers reporting obligations. If you also fail to report, penalties compound."}}},"managementLiability":{"heading":"Management Personal Liability - The Part Most People Miss","description":"Company fines are one thing. Personal liability for the Geschäftsführung is another.","p1":"§38 BSIG creates a personal liability mechanism for company management that is separate from the administrative fines against the company. The Geschäftsführung must approve the cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training. If these duties are neglected and the company suffers damages as a result, the management can be held personally liable for those damages. This is a civil liability - the damages claim comes from the company (or its insolvency administrator) against the individual managers.","p2":"Critically, §38 BSIG states that this liability cannot be waived by shareholder resolution. Even in an owner-managed GmbH where the Geschäftsführer is also the sole shareholder, the liability exists. D&O insurance policies typically exclude regulatory fines and penalties, and coverage for NIS2-specific liability is an evolving area - check your specific policy rather than assuming coverage. The practical implication: NIS2 compliance is now a personal risk management issue for every Geschäftsführer, not just a corporate governance checkbox."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"What is the maximum fine for my company?","a":"It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies (under €500M turnover), the fixed amount applies because 2% of turnover is less than €10M. Separate penalties of up to €500,000 apply for registration and reporting violations."},"q2":{"q":"Can I be personally fined as Geschäftsführer?","a":"The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses - not a government fine, but potentially a damages claim. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally."},"q3":{"q":"Does D&O insurance cover NIS2 penalties?","a":"Most D&O policies exclude regulatory fines and administrative penalties - these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims) may be covered by D&O insurance, depending on your policy terms. Review your specific policy and discuss NIS2 exposure with your broker. Do not assume coverage exists - ask for written confirmation of what is and is not covered."},"q4":{"q":"What triggers BSI enforcement?","a":"For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger. For important entities: enforcement is typically reactive - triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial register and sector databases to identify entities that should be registered but are not."},"q5":{"q":"Are penalties proportional to company size?","a":"Yes, by design. The percentage-of-turnover calculation ensures that penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed cap, since 2% is only €300,000). For a €600M company, the maximum is €12M (2% of turnover exceeds the €10M floor). Additionally, the BSI is required to consider proportionality when assessing penalties - company size, severity of the violation, duration, and good faith efforts all factor into the actual penalty amount."}},"sources":{"heading":"Sources","items":["BSIG - §38 (Management liability), §65 (Administrative fines and penalty framework)","NIS2 Directive (EU) 2022/2555 - Article 34 (Supervisory measures for essential entities), Article 35 (Supervisory measures for important entities), Article 36 (Penalties)","NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit","BMI - Parliamentary documentation on penalty framework design and proportionality considerations","GDV (Gesamtverband der Deutschen Versicherungswirtschaft) - D&O insurance coverage analysis for regulatory liability (2025)"]},"ctaCard":{"heading":"Avoid Penalties - Build a Defensible Compliance Record","description":"The platform creates an auditable trail of your NIS2 compliance work: management sign-offs, risk assessments, incident reporting readiness, and supplier documentation. When the BSI asks what you have done, you have evidence - not excuses."},"cta":"Start Your NIS2 Compliance Process"},"securityObligation":{"meta":{"title":"IT Security Obligation in Germany - NIS2 & BSIG Explained","description":"The new IT security obligation for German companies is called NIS2. If you have 50+ employees or 10M+ revenue in a critical sector, the BSIG applies to you. Here is what you need to know."},"title":"The New IT Security Obligation for German Companies","subtitle":"If you searched for 'IT Sicherheitspflicht', you are looking for NIS2. Since December 2025, the revised BSIG makes cybersecurity a legal obligation for roughly 29,500 German companies.","overview":{"heading":"NIS2 Is the IT Security Obligation You Have Been Hearing About","p1":"There is no standalone 'IT security obligation law' in Germany. What exists is the NIS2 Directive (EU 2022/2555), transposed into German law through the NIS2UmsuCG, which overhauled the Federal Cybersecurity Act (BSIG). This is the law that creates binding IT security obligations for companies in 18 critical sectors.","p2":"The BSIG entered into force on 6 December 2025. It requires affected companies to implement 10 specific cybersecurity risk management measures (Section 30 BSIG), register with the BSI, report significant incidents within strict timelines, and secure their supply chains. Management is personally liable under Section 38 BSIG for ensuring compliance.","p3":"If your company has 50 or more employees or exceeds 10 million euros in annual revenue and operates in one of the 18 NIS2 sectors, these obligations apply to you right now. The registration deadline was 6 March 2026. Implementation of all measures is required by 17 October 2026."},"check":{"heading":"Does This Apply to My Company?","description":"Four criteria determine whether your company falls under the BSIG. You need to meet the sector criterion AND at least one of the size criteria.","items":{"sector":{"title":"Sector","description":"Your company operates in one of 18 sectors: energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space, postal services, waste management, chemicals, food production, manufacturing, or digital providers."},"size":{"title":"Employee Count","description":"You have 50 or more employees. This follows the EU SME definition and includes all employees across the group, not just the German entity. Part-time employees count proportionally."},"revenue":{"title":"Annual Revenue","description":"Your annual turnover exceeds 10 million euros AND your balance sheet total exceeds 10 million euros. If you exceed either the employee OR the financial threshold, you are in scope."},"services":{"title":"Critical Services","description":"Some entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region."}}},"steps":{"heading":"What You Need to Do","description":"The BSIG requires five concrete steps. Registration should already be done. The remaining measures must be implemented by October 2026.","items":{"register":{"title":"Register with the BSI","description":"Complete your registration via the BSI portal (muk.bsi.bund.de). This is a legal obligation under Section 33 BSIG with its own penalty of up to 500,000 euros. The portal has been live since January 2026, and the deadline was 6 March 2026. If you missed it, register immediately."},"assess":{"title":"Conduct a Risk Assessment","description":"Identify your critical IT assets, assess the risks to each, and document treatment decisions. Section 30 BSIG requires risk management measures that are proportionate to the risk exposure. You need an asset inventory and a structured risk assessment before you can implement measures."},"implement":{"title":"Implement 10 Security Measures","description":"Section 30 BSIG defines 10 mandatory areas: risk management policies, incident handling, business continuity, supply chain security, network security, vulnerability management, cybersecurity hygiene, cryptography, access control, and multi-factor authentication. Each area requires documented policies and evidence of implementation."},"report":{"title":"Set Up Incident Reporting","description":"Significant cybersecurity incidents must be reported to the BSI within 24 hours (initial early warning), 72 hours (full notification), and 1 month (final report). Define what a significant incident means for your company and establish a clear reporting chain before something happens."},"maintain":{"title":"Maintain Ongoing Compliance","description":"NIS2 is not a one-time project. You need annual risk assessment reviews, regular training for management (Section 38 BSIG requires personal participation), supplier reassessments, and continuous incident monitoring. The platform tracks all deadlines and escalates automatically."}}},"consequences":{"heading":"What Happens If You Do Nothing","p1":"The penalty framework is modeled on GDPR. Essential entities face fines of up to 10 million euros or 2% of global annual turnover. Important entities face up to 7 million euros or 1.4%. Registration violations alone carry fines of up to 500,000 euros. The BSI has enforcement powers and can order compliance or restrict operations.","p2":"Beyond fines, Section 38 BSIG creates personal liability for management. Executives must approve cybersecurity measures, oversee implementation, and complete training. They are liable to their own company for culpable violations. This liability cannot be waived by contract. Claiming you did not understand cybersecurity is explicitly not a defense."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Is NIS2 the same as the IT security obligation I keep hearing about?","a":"Yes. There is no separate 'IT Sicherheitspflicht' law. NIS2 is the EU directive that was transposed into German law as the revised BSIG via the NIS2UmsuCG. When people talk about new IT security obligations for German companies, they mean this law. It has been in force since 6 December 2025."},"q2":{"q":"We are a 60-person manufacturing company. Does this really apply to us?","a":"Very likely yes. Manufacturing is listed in NIS2 Annex II (covering medical devices, electronics, electrical equipment, machinery, motor vehicles, and other transport equipment manufacturing). With 60 employees, you exceed the 50-employee threshold. You would be classified as a 'important entity' under Section 28(2) BSIG, and all NIS2 obligations apply."},"q3":{"q":"The registration deadline has passed. What should we do?","a":"Register immediately. The BSI portal at muk.bsi.bund.de is still accepting registrations. Late registration is better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI evaluates good faith. A company that registers a few weeks late and can show it was actively working on compliance is in a vastly better position than one that did nothing."},"q4":{"q":"Can our external IT provider handle NIS2 compliance for us?","a":"They can help implement the technical measures, but the legal obligation stays with your company. Section 30 BSIG explicitly states that you can outsource operations but not accountability. Your management remains personally liable under Section 38 BSIG. You need to document what your IT provider does, verify their security measures, and include them in your supplier management process."},"q5":{"q":"How much does NIS2 compliance cost for a mid-market company?","a":"For a 50 to 250 employee company, expect to spend between 20,000 and 80,000 euros in the first year, depending on your current security maturity. This includes risk assessment, policy documentation, technical improvements, and training. Companies that already have basic IT security measures in place are at the lower end. The ongoing annual cost drops significantly after the first year because most work is setup, not maintenance."}},"ctaCard":{"heading":"Find Out If NIS2 Applies to Your Company","description":"Answer a few questions about your sector, size, and services. The applicability check takes less than 2 minutes and tells you whether the BSIG obligations apply to you."},"cta":"Check If NIS2 Applies to You"},"bsiRegistration":{"meta":{"title":"BSI Registration Guide - Step-by-Step NIS2 Portal Walkthrough","description":"Practical step-by-step guide for registering your company with the BSI under Section 33 BSIG. What you need before starting, how the MUK portal works, and common mistakes to avoid."},"title":"BSI Registration: Step-by-Step Guide","subtitle":"Every NIS2 entity must register with the BSI under Section 33 BSIG. The portal has been live since January 2026. Here is exactly how to complete the process.","overview":{"p1":"Registration with the BSI is one of the most visible NIS2 obligations and has its own penalty provision of up to 500,000 euros. The process uses the 'Mein Unternehmenskonto' (MUK) portal, which requires ELSTER-based authentication. Most companies can complete the registration in 30 to 60 minutes, but you need to prepare several pieces of information beforehand.","p2":"The registration deadline was 6 March 2026 (three months after the BSIG entered into force). If you missed it, register as soon as possible. Late registration demonstrates good faith and is vastly better than no registration. The BSI can also proactively identify companies that should have registered and order them to do so."},"prep":{"heading":"What You Need Before Starting","description":"Gather these four items before you open the BSI portal. Having everything ready makes the process straightforward.","items":{"muk":{"title":"Mein Unternehmenskonto (MUK)","description":"You need an active MUK account at muk.bsi.bund.de. MUK is the federal government's business account system. If your company does not have one yet, create it first - this can take a few days because it requires ELSTER verification. Do not wait until the last minute."},"elster":{"title":"ELSTER Certificate","description":"MUK authentication uses your ELSTER business certificate - the same one you use for tax filings. If your tax advisor handles ELSTER for you, you will need either their help or your own ELSTER certificate. The person registering must be authorized to act on behalf of the company."},"data":{"title":"Company Data","description":"You will need: legal company name, registered address, tax number, commercial register number (Handelsregister), sector classification (which NIS2 sector you fall under), employee count, and annual revenue. Have your most recent annual report or financial statements available."},"contacts":{"title":"Contact Persons","description":"The BSI requires at least one designated contact person for cybersecurity matters. You need their name, role, email, and phone number. This person must be reachable - the BSI will use this contact for incident communication and compliance inquiries. Ideally, designate a primary and secondary contact."}}},"walkthrough":{"heading":"Registration Walkthrough","description":"Six steps from opening the portal to confirmed registration. The entire process takes 30 to 60 minutes if you have prepared everything.","items":{"s1":{"title":"Log in to MUK","description":"Go to muk.bsi.bund.de and log in with your ELSTER certificate. If this is your first time using MUK, you will need to create an account and link it to your ELSTER identity. Make sure your browser allows the ELSTER security plugin. Use Chrome or Edge for the best compatibility."},"s2":{"title":"Select NIS2 Registration","description":"Once logged in, navigate to the BSI registration service. Select 'NIS2-Registrierung' from the available services. The portal will guide you through the process with a multi-step form. You can save your progress and return later if needed."},"s3":{"title":"Enter Company Information","description":"Fill in your company details: legal name, address, registration number, tax ID, sector classification, and size category. The portal will ask you to self-classify as either 'essential entity' or 'important entity' based on your sector and size. If you are unsure, the portal provides guidance."},"s4":{"title":"Declare Services and Infrastructure","description":"Describe the services your company provides that fall under NIS2 scope. For example, a food production company would declare its production and distribution operations. List the Member States where you provide these services. If you operate only in Germany, select Germany only."},"s5":{"title":"Add Contact Persons","description":"Enter your designated contact person(s) for cybersecurity matters. Provide name, role, email, and phone for each contact. The BSI will use these contacts for incident communication, compliance inquiries, and any orders or inspections. Make sure the contact is someone who can actually respond - not a generic info@ email."},"s6":{"title":"Review and Submit","description":"Review all entered information carefully. Once submitted, you will receive a confirmation reference number. Save this number. The BSI may take several weeks to process your registration. You do not need to wait for confirmation before starting your compliance work - the obligation exists from the moment the law applies, not from the moment of registration."}}},"pitfalls":{"heading":"Common Mistakes to Avoid","items":["Starting without an ELSTER certificate - MUK requires ELSTER authentication, and getting a new certificate can take days. Check this first.","Using a personal ELSTER certificate instead of the company's business certificate. The registration must be tied to the legal entity, not an individual.","Misclassifying your entity category. If you are in an Annex I sector with 250+ employees, you are 'essential', not just 'important'. The wrong classification affects your supervision regime.","Entering a generic email address as the contact. The BSI will send time-sensitive incident communications to this address. Use a monitored mailbox with a named person behind it.","Waiting for the BSI to tell you to register. Registration is a self-identification obligation - the BSI does not send notifications. If you meet the criteria, you must register yourself.","Assuming registration equals compliance. Registration is step one of many. It does not satisfy the Section 30 security measures, Section 32 incident reporting, or Section 38 management obligations."]},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"I missed the registration deadline. Is it too late?","a":"No. Register immediately. The portal is still open and accepting registrations. Late registration is far better than no registration. The fine for non-registration is up to 500,000 euros, but the BSI considers the circumstances - a company that registers a few weeks late and shows good faith is in a very different position than one that ignores the obligation entirely."},"q2":{"q":"Can our tax advisor handle the registration for us?","a":"They can help with the ELSTER authentication, but the registration content requires company-specific information about your NIS2 sector, services, and infrastructure that your tax advisor likely does not have. The best approach is to prepare the data yourself and have your advisor assist with the MUK/ELSTER technical setup if needed."},"q3":{"q":"We are not sure if we classify as essential or important. What do we select?","a":"Essential entities (essential entities) are large companies (250+ employees or 50M+ turnover) in Annex I sectors, plus all KRITIS operators. Important entities (wichtige Einrichtungen) are medium companies (50-249 employees or 10-50M turnover) in Annex I sectors, or medium/large companies in Annex II sectors. If you are genuinely uncertain, the BSI portal provides classification guidance during the registration process."},"q4":{"q":"What happens after we register? Does the BSI contact us?","a":"You receive a confirmation reference number. The BSI may take several weeks to process the registration. For essential entities, the BSI may initiate proactive supervision (audits, inspections) at any time. For important entities, supervision is reactive - meaning the BSI only investigates if there is evidence of non-compliance or after an incident. In both cases, start implementing Section 30 measures immediately. Do not wait for the BSI to reach out."},"q5":{"q":"Do we need to register each branch or subsidiary separately?","a":"Each legal entity that independently meets the NIS2 scope criteria must register separately. A subsidiary that is a separate legal entity with 50+ employees in a NIS2 sector needs its own registration. However, branch offices of the same legal entity do not register separately - one registration covers the entire legal entity."}},"ctaCard":{"heading":"Track Your Registration and Next Steps","description":"Registration is step one. The platform guides you through the remaining 49 BSIG requirements with structured forms, deadline tracking, and automatic audit trail."},"cta":"Start Your NIS2 Compliance Process"},"whatToDo":{"meta":{"title":"NIS2 Applies to Us - What Now? A 4-Week Quick-Start Plan","description":"You have confirmed NIS2 applies to your company. Here is a realistic 4-week plan to get started: BSI registration, asset inventory, risk assessment, and incident reporting process."},"title":"NIS2 Applies to Us - What Now?","subtitle":"You have confirmed your company is in scope. Do not panic, do not hire a consultant for 100,000 euros. Here is a realistic 4-week plan to build the foundation.","tldr":{"heading":"The Short Version","p1":"NIS2 compliance is not a single project with a finish line. It is an ongoing operational practice, like accounting or quality management. But it has a clear starting point: register with the BSI, list your critical systems, assess the risks, and establish an incident reporting process. These four activities give you 80% of the foundation.","p2":"The biggest mistake companies make is treating NIS2 as an all-or-nothing effort. You do not need to be perfect by day one. The BSI evaluates trajectory and good faith. A company that has registered, started a risk assessment, and documented its first policies is in a fundamentally different position than one that has done nothing - even if neither is fully compliant yet."},"plan":{"heading":"4-Week Quick-Start Plan","description":"This plan assumes a 50 to 250 employee company with one person dedicating roughly 2 hours per day to NIS2. Adjust the timeline based on your team's availability.","items":{"w1":{"title":"Week 1 - Registration and Orientation","timeframe":"Days 1-5","actions":["Register with the BSI via muk.bsi.bund.de (if not done already). Takes 30-60 minutes with preparation.","Read Section 30 BSIG to understand the 10 mandatory security measures. This is 2 pages of legal text, not a textbook.","Identify who in your company will own NIS2 compliance. This does not need to be a new hire - it can be your IT manager, CISO, or quality manager.","Brief management on their personal liability under Section 38 BSIG. They need to know about the three duties: approval, oversight, and training.","Set up your compliance tracking - either a platform like NISD2.eu or at minimum a structured spreadsheet with the 10 measure categories."]},"w2":{"title":"Week 2 - Asset Inventory","timeframe":"Days 6-10","actions":["List all IT systems that support your critical business services. Think: ERP, email, production systems, network infrastructure, endpoints.","For each system, note: what it does, who manages it (internal or supplier), where it runs (on-premises, cloud, hybrid), and what happens if it is down for 24 hours.","Group identical assets - Grundschutz allows this. '45 standard Windows laptops' is one entry, not 45. Most mid-market companies have 10 to 20 grouped asset entries.","Identify your key IT suppliers: cloud providers, managed service providers, software vendors. Note what access they have to your systems.","Document everything in a structured format. This becomes the foundation for risk assessment, supplier management, and incident response."]},"w3":{"title":"Week 3 - Risk Assessment and Incident Process","timeframe":"Days 11-15","actions":["For each asset group, identify the main threats: ransomware, data breach, system failure, supplier compromise, human error.","Rate each risk by likelihood (how likely in the next 12 months) and impact (what happens to your business). Use a simple 3-level or 5-level scale.","Decide on treatment for each risk: accept, mitigate, transfer (insurance), or avoid. Document the rationale.","Define what counts as a significant incident for your company and write down the reporting process: who decides, who files the BSI report, how to reach them outside business hours.","Draft your first incident response checklist: detection, containment, BSI notification (24h), evidence preservation, full notification (72h), recovery, final report (1 month)."]},"w4":{"title":"Week 4 - Policies and Management Sign-Off","timeframe":"Days 16-20","actions":["Draft your cybersecurity policy - a 2 to 5 page document covering scope, responsibilities, key measures, and review cycle. This is not a 100-page manual.","Draft your access control policy: who gets access to what, how access is granted and revoked, MFA requirements for remote and admin access.","Schedule management training for Section 38 BSIG. Management must personally participate - this cannot be delegated. Training must cover the 10 Section 30 measures.","Get management to formally approve your risk management measures. This approval is a specific legal requirement under Section 38 BSIG. Document it with timestamp and signature.","Plan the next 3 months: supplier assessments, business continuity planning, detailed technical measures. The first 4 weeks build the foundation, months 2 to 6 fill in the details."]}}},"mistakes":{"heading":"The Four Most Common Mistakes","description":"Based on what we see from companies starting their NIS2 journey, these are the patterns that waste the most time and money.","items":{"waiting":{"title":"Waiting for Perfect Clarity","description":"Some companies postpone action because they are not 100% sure the law applies to them or they want to wait for more BSI guidance. The law is in force. The obligations apply. Start with registration and an asset inventory - these are useful regardless of how the regulatory details evolve."},"overscoping":{"title":"Trying to Do Everything at Once","description":"Companies that try to implement all 10 Section 30 measures simultaneously get overwhelmed and stall. Follow the priority order: register, inventory, risk assessment, incident process. Then layer in policies, access controls, supplier management, and training over the following months."},"noOwner":{"title":"No Clear Owner","description":"NIS2 compliance cannot be a side task that nobody owns. Designate one person who is responsible for driving the process. This does not mean they do everything themselves - it means there is someone who tracks progress, escalates blockers, and reports to management. Without an owner, nothing moves."},"perfectDocs":{"title":"Perfecting Documentation Before Starting","description":"A 3-page policy that exists today is worth more than a 30-page policy that will be finished 'next quarter.' Start with short, practical documents. You can refine them over time. The BSI wants to see that you have a process, not that you have perfect prose."}}},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Do we need to hire a dedicated CISO for NIS2?","a":"Not necessarily. The BSIG requires that someone is responsible for cybersecurity, but it does not mandate a dedicated CISO role. For a 50 to 150 person company, this can be your IT manager, quality manager, or another technical leader who takes on NIS2 as a primary responsibility. What matters is that the person has authority to make decisions and direct access to management. For companies over 150 employees or in high-criticality sectors, a dedicated role becomes more practical."},"q2":{"q":"How much time per week does NIS2 compliance take after the initial setup?","a":"After the first 3 to 6 months of setup, ongoing NIS2 compliance for a mid-market company typically requires 4 to 8 hours per week from the responsible person. This covers monitoring, incident triage, supplier follow-ups, and periodic reviews. Annual activities like full risk reassessment and management training require additional focused time. Most of the work is not technical - it is documentation, process, and communication."},"q3":{"q":"Can we use ISO 27001 certification instead of NIS2 compliance?","a":"ISO 27001 covers significant overlap with NIS2, but it is not a direct substitute. Having ISO 27001 means you already have most of the management system in place (risk assessment, policies, access controls, incident management). You still need to satisfy NIS2-specific requirements: BSI registration, the specific incident reporting timelines (24h/72h/1 month), supply chain security as defined by Section 30(2)(4) BSIG, and management liability documentation under Section 38. An ISO 27001-certified company can typically reach NIS2 compliance in weeks rather than months."},"q4":{"q":"What if we get audited before we are fully compliant?","a":"For important entities (wichtige Einrichtungen), the BSI only audits reactively - meaning after an incident or evidence of non-compliance. For essential entities, proactive audits can happen. In either case, the BSI evaluates your overall posture, not just whether every requirement is perfectly met. A company that can show it has registered, started a risk assessment, is implementing measures, and has management engagement is in a defensible position. A company that has done nothing is not."},"q5":{"q":"Should we do this ourselves or hire a consultant?","a":"For a 50 to 250 person company, a combination works best. Use a structured platform or guide for the framework (this keeps costs under control and ensures nothing is missed), and bring in a consultant for specific topics where you lack expertise - typically risk assessment methodology, technical security measures, or legal review of policies. Avoid open-ended consulting engagements. Define the scope and deliverables upfront. The total cost for external support should be proportionate to your risk - typically 15,000 to 40,000 euros for the initial setup."}},"ctaCard":{"heading":"Start Your 4-Week Plan Today","description":"The platform structures the entire NIS2 process into manageable steps. Register, inventory your assets, assess risks, and build your incident reporting process - all guided, all tracked, all audit-ready."},"cta":"Start Your NIS2 Compliance Process"},"sectorFood":{"meta":{"title":"NIS2 for Food Production and Distribution - Compliance Guide","description":"Food production and distribution is in scope under NIS2 Annex II. A practical guide for food companies with 50+ employees: what the law requires, typical asset inventories, and where to start."},"badge":"Annex II - Important Entity","title":"NIS2 for Food Production and Distribution Companies","subtitle":"Food production, processing, and wholesale distribution are in scope under NIS2 Annex II. If your company has 50+ employees or exceeds 10M euros in revenue, this is your practical guide to what the BSIG requires.","why":{"heading":"Why Does NIS2 Apply to Food Companies?","p1":"Modern food production is deeply dependent on IT systems. ERP systems manage orders and invoicing. Production control systems (MES) schedule and monitor manufacturing lines. Cold chain monitoring systems track temperatures from production through delivery. Laboratory information systems manage quality testing. If ransomware takes out your ERP, you cannot ship. If your cold chain monitoring fails, you cannot prove product safety. That is why the EU classified food as a critical sector.","p2":"The EU placed food production, processing, and wholesale distribution under Annex II of the NIS2 Directive. Companies meeting the size threshold (50+ employees or over 10 million euros in annual revenue) are classified as 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG. This means the full set of NIS2 obligations applies: BSI registration, 10 cybersecurity risk management measures, incident reporting, supply chain security, and management liability.","p3":"Most food companies have not dealt with cybersecurity regulation before. Food safety regulations (HACCP, IFS, BRC) are familiar, but IT security obligations are new. The good news: if your company already runs a structured quality management system, many of the concepts transfer. Risk assessment, documentation, audits, corrective actions - the framework is similar, just applied to IT instead of production hygiene."},"assets":{"heading":"What Does a Food Company's Asset Inventory Look Like?","description":"Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical food production company with 100 to 200 employees, expect 10 to 15 grouped entries.","items":{"erp":{"title":"ERP and order management","detail":"The core business system handling customer orders, invoicing, procurement, and inventory management. Commonly SAP Business One, Microsoft Dynamics, proALPHA, or sector-specific solutions like CSB-System. Compromise of this system stops order processing, shipping, and billing. One asset entry."},"production":{"title":"Production control (MES)","detail":"Manufacturing Execution Systems that schedule production runs, track batch numbers, and monitor line output. Often connected to ERP for demand-driven production. May include PLCs and SCADA components on production lines. If this goes down, production stops or runs blind. Group per production facility."},"coldChain":{"title":"Cold chain monitoring","detail":"Temperature and humidity monitoring systems for storage, transport, and retail display. These systems provide the continuous records required for HACCP compliance. Data loggers, sensors, and monitoring software - often cloud-based. Failure means you lose the proof chain for food safety. One grouped entry."},"logistics":{"title":"Logistics and delivery","detail":"Fleet management, route planning, delivery tracking, and warehouse management systems. May include handheld scanners for picking and loading. These systems ensure products move from production to customer. Disruption delays deliveries and can cause spoilage for temperature-sensitive products."},"lab":{"title":"Laboratory information system (LIMS)","detail":"Systems managing quality testing - microbiological analysis, chemical testing, sensory evaluation. LIMS tracks samples, results, and release decisions. If your lab system is compromised, you cannot verify product safety and may need to halt shipments until manual verification is complete."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices used by office staff, quality managers, and logistics coordinators. Standard office applications, email, and document management. Grundschutz allows grouping: '50 standard Windows laptops' is one asset entry. Include network infrastructure (routers, switches, firewalls, Wi-Fi) as a separate grouped entry."}}},"priorities":{"heading":"Where to Start - Priority Order for Food Companies","description":"You do not need to do everything at once. This priority order reflects what creates the most compliance value per hour of effort.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes about 30 to 60 minutes and immediately puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately."},"assets":{"title":"2. Build your asset inventory","description":"List the systems that support your food production, quality assurance, and distribution operations. Use the six categories above as a starting point. For each asset, note what it does, who manages it, and what happens if it is unavailable for 24 hours. Pay special attention to systems that affect food safety - these have the highest regulatory impact."},"incidents":{"title":"3. Set up incident reporting","description":"Define what a significant cybersecurity incident means for your company. A ransomware attack that stops production is clearly significant. A phishing email that was caught is not. Establish the reporting chain: who decides, who files the BSI report (24h/72h/1 month timelines), and how to reach them outside business hours."},"suppliers":{"title":"4. Document supplier relationships","description":"Food companies typically rely heavily on external IT - cloud-hosted ERP, cold chain monitoring SaaS, managed IT services. Document who these suppliers are, what access they have, and what security measures they commit to. Under Section 30(2)(4) BSIG, supply chain security is a mandatory measure. If your cloud ERP provider gets breached, it is your problem."},"access":{"title":"5. Review access controls","description":"Audit who has access to your critical systems - especially ERP, production control, and cold chain monitoring. Implement multi-factor authentication on remote access and admin accounts. Remove accounts for former employees. Many food companies have shared passwords for production terminals - document this and plan to fix it."}}},"specifics":{"heading":"What Makes Food Companies Different","p1":"Food companies sit at the intersection of IT security and food safety regulation. Your HACCP system, IFS or BRC certifications, and quality documentation already create a culture of documented processes, regular audits, and corrective actions. This is an advantage - the NIS2 framework uses very similar concepts. Risk assessment, control measures, monitoring, documentation, and periodic review are things your quality team already understands.","p2":"The unique risk for food companies is the connection between IT systems and food safety. If your cold chain monitoring system is compromised, you may not know whether products have been stored at safe temperatures. If your LIMS is manipulated, you may release unsafe products. If your ERP is down, you cannot trace a contaminated batch. These scenarios make IT security a food safety issue, not just an IT issue.","p3":"Most food companies outsource significant IT. Cloud-based ERP, SaaS cold chain monitoring, managed IT services - this is standard. Under NIS2, you own the accountability even when you outsource the operations. Your most important compliance activity is supplier management: documenting relationships, including security requirements in contracts, and verifying that suppliers maintain adequate security. Section 30 BSIG is clear - you cannot outsource responsibility."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We already have IFS/BRC certification. Does that cover NIS2?","a":"Not directly, but it gives you a significant head start. IFS and BRC require documented processes, risk assessments, corrective actions, and regular audits - the same framework NIS2 uses. What is missing is the IT-specific content: asset inventory of IT systems, cybersecurity risk assessment, incident reporting to the BSI, access control policies, and encryption documentation. Think of NIS2 as extending your quality management system to cover IT security."},"q2":{"q":"Our production runs on older machines with Windows 7. Is that a problem?","a":"Older operating systems on production equipment are common in food manufacturing and represent a real NIS2 risk. You do not necessarily need to replace the machines immediately, but you need to document the risk and implement compensating controls: network segmentation (isolate these machines from the internet and office network), restricted access, monitoring for unusual activity, and a plan for eventual upgrade or replacement. Document this in your risk assessment with a clear timeline."},"q3":{"q":"Is our cold chain monitoring system an 'asset' under NIS2?","a":"Yes, absolutely. Any system that supports the delivery of your critical services (food production and distribution) is an asset under NIS2. Cold chain monitoring is particularly important because it directly affects food safety. If the monitoring system fails or is compromised, you lose the ability to prove your products were stored safely. List it as an asset, assess the risks, and ensure your supplier (if it is cloud-based) meets adequate security standards."},"q4":{"q":"How long does NIS2 compliance take for a food company our size?","a":"For a 100 to 200 employee food production company starting from scratch, expect 3 to 6 months to reach a solid baseline. Companies with existing IFS/BRC certification can move faster because the process discipline already exists. The first month covers registration, asset inventory, and risk assessment. Months 2 and 3 cover incident process, access controls, and initial policies. Months 4 to 6 fill in supplier management, business continuity, and technical measures. After setup, ongoing effort is mainly annual reviews."}},"ctaCard":{"heading":"NIS2 Compliance for Food Companies - Structured and Practical","description":"The platform walks you through every Section 30 BSIG requirement with guidance sized for food production operations: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures."},"cta":"Start Your NIS2 Compliance Process"},"sectorManufacturing":{"meta":{"title":"NIS2 for Manufacturing Companies - Compliance Guide","description":"Manufacturing is in scope under NIS2 Annex II. A practical guide for manufacturing companies with 50+ employees: OT/IT convergence, SCADA/MES security, and where to start with BSIG compliance."},"badge":"Annex II - Important Entity","title":"NIS2 for Manufacturing Companies","subtitle":"Manufacturing of medical devices, electronics, electrical equipment, machinery, and vehicles is in scope under NIS2 Annex II. If your company has 50+ employees, here is what the BSIG requires and how to handle the OT/IT challenge.","why":{"heading":"Why Does NIS2 Apply to Manufacturing?","p1":"Modern manufacturing depends on the convergence of IT and OT (operational technology). ERP systems drive production scheduling. MES platforms manage shop floor execution. SCADA systems control machinery and process automation. CAD/CAM systems define what gets built. When these systems are interconnected - and in most factories they are - a cyberattack on one can cascade across the entire production chain. A ransomware infection in the office network that reaches the MES can shut down production lines.","p2":"The EU classified manufacturing under Annex II of the NIS2 Directive, covering: medical device manufacturing, computer and electronics manufacturing, electrical equipment manufacturing, machinery and equipment manufacturing, motor vehicle manufacturing, and other transport equipment manufacturing. Companies meeting the size threshold (50+ employees or over 10 million euros annual revenue) are 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG.","p3":"Manufacturing has a unique challenge that most other NIS2 sectors do not face at the same scale: OT security. Production equipment often runs specialized operating systems, uses proprietary protocols, and has lifecycle constraints that make patching difficult. A CNC machine from 2015 may run Windows 7 Embedded and cannot be updated without the manufacturer's involvement. NIS2 does not ignore this reality - Section 30 BSIG requires measures that are 'proportionate' to the risk. But you must document the risks and the compensating controls."},"assets":{"heading":"What Does a Manufacturer's Asset Inventory Look Like?","description":"Manufacturing asset inventories typically span both IT and OT. For a company with 100 to 250 employees, expect 12 to 20 grouped entries across six categories.","items":{"mes":{"title":"Manufacturing Execution System (MES)","detail":"The system that manages shop floor operations: production scheduling, work order execution, quality tracking, and performance monitoring. Common systems include SAP ME, MPDV HYDRA, Forcam, or custom solutions. MES sits between ERP and the production floor. If it goes down, you lose production visibility and scheduling. One asset entry per facility."},"scada":{"title":"SCADA and industrial controls","detail":"Supervisory Control and Data Acquisition systems, PLCs (programmable logic controllers), HMIs (human-machine interfaces), and CNC controllers. These directly control physical production processes. Often running older operating systems with limited security capabilities. They represent the highest-impact risk because compromise can damage equipment or cause safety incidents. Group per production line or cell."},"erp":{"title":"ERP system","detail":"The core business system for order management, procurement, inventory, finance, and production planning. Commonly SAP, proALPHA, Microsoft Dynamics, or abas. ERP drives what gets produced and when. Compromise stops order processing, supplier payments, and customer deliveries. One asset entry."},"cad":{"title":"CAD/CAM and engineering","detail":"Computer-Aided Design and Computer-Aided Manufacturing systems: SolidWorks, AutoCAD, Siemens NX, CATIA, or similar. These contain your intellectual property - product designs, manufacturing processes, tolerances. A breach here can mean loss of trade secrets. Also includes PLM (Product Lifecycle Management) if used. One grouped entry."},"network":{"title":"Network infrastructure","detail":"The network connecting office IT, engineering, and the production floor. Critically includes the IT/OT boundary: firewalls, DMZ segments, and data diodes between the office network and the shop floor network. If your IT and OT networks are flat (no segmentation), this is your highest-priority risk. Include VPN and remote access for supplier maintenance."},"endpoints":{"title":"Endpoints and office IT","detail":"Laptops, desktops, and mobile devices for office staff, engineering, and production management. Standard office applications, email, collaboration tools. Grundschutz allows grouping: '80 standard Windows laptops' is one entry. Also include servers (file, print, application) as a separate grouped entry if significant."}}},"priorities":{"heading":"Where to Start - Priority Order for Manufacturers","description":"Focus on the actions that create the most compliance value first. OT security is critical but comes after the foundation is in place.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes 30 to 60 minutes and puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately."},"assets":{"title":"2. Build your asset inventory (IT and OT)","description":"This is where manufacturing differs from other sectors. You need to inventory both IT systems (ERP, email, engineering) and OT systems (MES, SCADA, PLCs, CNC machines). For OT assets, document the operating system, firmware version, network connectivity, and whether the manufacturer provides security updates. This inventory is the foundation for everything that follows."},"otSecurity":{"title":"3. Assess and segment your OT network","description":"The single most impactful technical measure for manufacturers. If your office IT and production OT share a flat network, a ransomware infection in the office can reach your production controllers. Implement network segmentation: separate IT and OT into distinct network zones with a firewall between them. This is Grundschutz requirement IND.1 and the BSI's top recommendation for industrial environments."},"incidents":{"title":"4. Set up incident reporting","description":"Define what a significant incident means for your manufacturing operations. A ransomware attack that stops production lines is clearly significant. An attempted phishing email that was blocked is not. Establish the reporting chain, including who has authority to file the BSI report and how to reach them outside business hours. Test the process with a tabletop exercise."},"suppliers":{"title":"5. Document supplier relationships","description":"Manufacturing companies often have multiple OT suppliers with remote access to production systems for maintenance and updates. Document every supplier with access to your network, what they can reach, and what security measures they commit to. Remote maintenance connections to SCADA systems are a common attack vector - ensure these are properly secured and monitored."}}},"specifics":{"heading":"What Makes Manufacturing Different","p1":"The IT/OT convergence challenge defines manufacturing NIS2 compliance. Your office IT team understands patching, access controls, and network security. But production equipment operates on different rules: you cannot reboot a CNC machine during a production run to apply patches. PLCs may run firmware that has not been updated in years because the manufacturer has not released an update. SCADA systems may use proprietary protocols that standard IT security tools do not understand.","p2":"The solution is not to force IT security practices onto OT. It is to build a security model that respects the constraints. Network segmentation isolates OT from IT risks. Monitoring detects anomalies without requiring agents on controllers. Compensating controls (restricted physical access, dedicated maintenance networks, logging) provide protection where traditional IT controls are not feasible. Document everything - the BSI expects 'proportionate' measures, and documenting why you chose compensating controls over direct patching is a valid approach.","p3":"Manufacturing companies also face intellectual property risk that other sectors may not. CAD files, production processes, tolerances, and supplier specifications are valuable trade secrets. A breach that exposes these does not just create a compliance issue - it creates a competitive disadvantage. Access controls on engineering systems and encryption for design files should be prioritized alongside the OT segmentation work."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Our production machines run Windows 7 or older. Does NIS2 require us to upgrade?","a":"NIS2 does not mandate specific operating system versions. It requires 'appropriate and proportionate' risk management. For older OT systems, this means: document the risk (unsupported OS, no patches), implement compensating controls (network isolation, restricted access, monitoring), and plan for lifecycle replacement. The BSI expects you to acknowledge the risk and manage it, not to perform impossible upgrades on equipment that cannot be updated."},"q2":{"q":"Do we need to separate our IT and OT networks?","a":"Network segmentation between IT and OT is the single most impactful security measure for manufacturers, and it is strongly recommended by both the BSI (Grundschutz IND.1) and the CIR 2024/2690. If your networks are currently flat, this should be your top technical priority. At minimum, deploy a firewall between the office network and the production network, restrict traffic to only what is necessary, and log all cross-zone connections."},"q3":{"q":"Our machine supplier has remote access for maintenance. Is that a problem?","a":"Remote maintenance access is common and necessary, but it is a significant risk vector. Under NIS2, you must document this access, include security requirements in the supplier contract, and implement controls: dedicated VPN connections (not open ports), time-limited access (enabled only when needed), logging of all remote sessions, and multi-factor authentication. The supplier becomes part of your supply chain security assessment under Section 30(2)(4) BSIG."},"q4":{"q":"We are a Tier 2 automotive supplier. Does NIS2 apply even if our OEM has not asked about it?","a":"If you manufacture motor vehicles, parts, or transport equipment and have 50+ employees, NIS2 applies to you regardless of what your OEM customer requires. Manufacturing of motor vehicles and other transport equipment is explicitly listed in Annex II. In practice, automotive OEMs will increasingly require NIS2 compliance from their supply chain - TISAX already covers similar ground. Getting ahead of this requirement is strategically smart."}},"ctaCard":{"heading":"NIS2 Compliance for Manufacturing - Including OT Security","description":"The platform covers both IT and OT asset management, network segmentation documentation, supplier access tracking, and all 49 BSIG requirements with guidance sized for manufacturing operations."},"cta":"Start Your NIS2 Compliance Process"},"sectorHealth":{"meta":{"title":"NIS2 for Healthcare - Compliance Guide for Hospitals and Medical Facilities","description":"Healthcare is an Annex I essential entity under NIS2. A practical guide for hospitals, clinics, and medical facilities with 50+ employees: patient data protection, medical device security, and BSIG compliance."},"badge":"Annex I - Essential Entity","title":"NIS2 for Healthcare Organizations","subtitle":"Healthcare is classified under Annex I of NIS2, making hospitals and medical facilities essential entities with the highest compliance requirements. Here is your practical guide.","why":{"heading":"Why Does NIS2 Apply to Healthcare?","p1":"Healthcare was already one of the most targeted sectors for cyberattacks before NIS2. The combination of sensitive patient data, life-critical systems, and often outdated IT infrastructure makes hospitals and clinics attractive targets. The 2020 Duesseldorf University Hospital ransomware attack - which forced emergency room closures and patient diversions - demonstrated that cyberattacks on healthcare can directly threaten lives. NIS2 codifies what the sector already knows: IT security in healthcare is patient safety.","p2":"The EU classified health under Annex I (sectors of high criticality) of the NIS2 Directive, covering hospitals, reference laboratories, pharmaceutical manufacturing, and medical device manufacturers. Large healthcare entities (250+ employees) are classified as 'essential entities' under Section 28(1) BSIG. Medium entities (50-249 employees) are 'wichtige Einrichtungen' (important entities). Essential entities face proactive BSI supervision - the BSI can audit you at any time, without requiring evidence of non-compliance first.","p3":"Healthcare already operates under strict data protection rules (GDPR, patient confidentiality) and sector-specific regulation (KHZG, BSI KRITIS for larger hospitals). NIS2 adds a systematic cybersecurity management layer: not just protecting patient data, but securing the entire IT infrastructure that delivers care. If your HIS goes down, you cannot access patient records. If your PACS fails, radiology stops. If your medical devices are compromised, patient safety is at risk. NIS2 requires you to assess and manage all of these risks."},"assets":{"heading":"What Does a Healthcare Asset Inventory Look Like?","description":"Healthcare IT is complex. A mid-sized hospital or clinic group with 100 to 300 employees will typically have 15 to 25 grouped asset entries across six core categories.","items":{"his":{"title":"Hospital Information System (HIS/KIS)","detail":"The central clinical system: patient records, admissions, scheduling, clinical documentation, ordering, and billing. Systems like SAP IS-H, Dedalus ORBIS, Agfa HealthCare ORBIS, or iMedOne. This is the single most critical IT asset - if the HIS is down, clinical operations revert to paper and care quality drops immediately. One asset entry."},"pacs":{"title":"PACS and imaging systems","detail":"Picture Archiving and Communication Systems store and distribute medical images (X-ray, CT, MRI, ultrasound). Tightly integrated with the HIS via DICOM/HL7. Systems like Sectra, Agfa Enterprise Imaging, or Philips IntelliSpace. PACS stores massive amounts of data and is often connected to imaging modalities throughout the facility. Compromise can block radiology and diagnostics."},"medDevices":{"title":"Networked medical devices","detail":"Patient monitors, infusion pumps, ventilators, surgical robots, and diagnostic equipment connected to the hospital network. Many run embedded operating systems (Windows CE, Linux variants) with limited update capabilities. FDA/MDR certification constraints may prevent patching. Group by device type - for example, '35 patient monitors (Philips IntelliVue)' is one entry. These require special security treatment due to regulatory constraints."},"lab":{"title":"Laboratory information system (LIS)","detail":"Systems managing laboratory workflows: sample tracking, test ordering, result reporting, and quality control. Connected to analyzers and the HIS. LIS directly affects diagnostic turnaround times. If the LIS is compromised, lab results cannot be verified or communicated, potentially delaying treatment decisions."},"network":{"title":"Network infrastructure","detail":"The clinical network connecting HIS, PACS, medical devices, and administrative systems. Includes wired and wireless infrastructure, firewalls, network segmentation between clinical and administrative zones, and VPN for remote access. Network segmentation is critical in healthcare - medical devices, clinical systems, guest Wi-Fi, and administrative IT should be on separate network segments."},"endpoints":{"title":"Endpoints and administrative IT","detail":"Clinical workstations, nursing stations, office PCs, and mobile devices (tablets for ward rounds, smartphones). Standard office applications, email, and communication tools. Grundschutz allows grouping: '120 clinical workstations (thin clients)' is one entry. Include mobile device management (MDM) as a grouped asset if used for clinical communication."}}},"priorities":{"heading":"Where to Start - Priority Order for Healthcare","description":"Healthcare has unique urgency because of patient safety implications. Start with the foundation, then layer in the sector-specific requirements.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration. Healthcare entities classified as essential face proactive BSI supervision, which means the BSI may audit you at any time. Being registered and demonstrating active compliance work puts you in a far better position than being discovered as unregistered during an audit."},"assets":{"title":"2. Build your asset inventory","description":"List all systems supporting clinical care, diagnostics, and administration. Pay special attention to networked medical devices - many healthcare organizations do not have a complete inventory of devices connected to their network. Walk the floors, check with biomedical engineering, and document what is connected. You cannot secure what you do not know exists."},"incidents":{"title":"3. Set up incident reporting","description":"Healthcare cybersecurity incidents can be life-threatening. Your incident response plan must account for clinical impact: which systems can operate in degraded mode, what manual fallback procedures exist, when to divert patients, and who makes those decisions. Establish the BSI reporting chain (24h/72h/1 month) and the internal clinical escalation chain in parallel."},"access":{"title":"4. Strengthen access controls","description":"Healthcare has a unique access control challenge: clinicians need fast access to patient data in time-critical situations, but broad access creates risk. Implement role-based access controls (RBAC) for the HIS, enforce MFA for remote access and administrative accounts, conduct quarterly access reviews, and ensure that departed staff have access revoked promptly. Emergency access procedures ('break glass') should be documented and audited."},"encryption":{"title":"5. Encrypt patient data","description":"Patient data is among the most sensitive data categories under both GDPR and NIS2. Implement encryption at rest for databases containing patient records and encryption in transit for all clinical data flows. PACS images, HL7/FHIR messages, and lab results should all travel encrypted. Document your encryption standards and key management procedures - this is a specific Section 30 requirement."}}},"specifics":{"heading":"What Makes Healthcare Different","p1":"Healthcare faces a tension between security and clinical workflow that no other sector experiences at the same intensity. A locked-down system that requires 30 seconds of authentication at each workstation costs time in an emergency department where seconds matter. NIS2 compliance in healthcare requires finding the right balance: strong security for administrative and remote access, streamlined but audited access for clinical workflows, and emergency override procedures that are logged and reviewed.","p2":"Networked medical devices are the sector's biggest unsolved challenge. A patient monitor from 2018 may run an embedded OS that the manufacturer no longer patches. FDA/MDR certification means you cannot modify the device's software without recertification. The answer is compensating controls: network segmentation (isolate medical devices on their own VLAN), traffic monitoring, restricted communication (devices only talk to the systems they need), and lifecycle planning. Document everything - the BSI understands the medical device constraint and evaluates compensating controls as valid.","p3":"Healthcare organizations that already participated in KRITIS (under the original BSI-KritisV) have a significant head start. The KRITIS requirements overlap substantially with NIS2. If you have KRITIS audit evidence, use it as the baseline and extend it to cover the additional NIS2 requirements: formal management liability documentation (Section 38), supply chain security assessment, and the specific incident reporting timelines. For non-KRITIS healthcare organizations, the NIS2 requirements are the first time you face structured cybersecurity regulation - start with the 4-week plan and adapt it for your clinical environment."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We are a hospital with 200 beds. Are we essential or important?","a":"Healthcare falls under Annex I (sectors of high criticality). If your hospital has 250 or more employees, you are classified as an essential entity. With fewer than 250 employees but more than 50, you are an important entity. If you are already classified as KRITIS (critical infrastructure), you are automatically essential regardless of size. Essential entities face proactive BSI supervision and the higher penalty tier (up to 10 million euros)."},"q2":{"q":"We cannot patch our medical devices. How do we comply with NIS2?","a":"NIS2 requires 'appropriate and proportionate' measures, not impossible ones. For medical devices that cannot be patched due to manufacturer or regulatory constraints: document the risk in your risk assessment, implement compensating controls (network segmentation, traffic monitoring, restricted communication), include the limitation in your supplier assessment for the device manufacturer, and maintain a lifecycle plan for eventual replacement. The BSI explicitly recognizes that OT and medical device environments require adapted security approaches."},"q3":{"q":"Does GDPR compliance already cover our NIS2 patient data obligations?","a":"GDPR covers data protection (privacy, consent, processing lawfulness), while NIS2 covers the security infrastructure that protects that data. They complement each other but do not substitute. Your GDPR compliance means you understand data flows and have processing records - that helps. NIS2 adds: systematic risk management for the IT systems processing that data, incident reporting to the BSI (not just the data protection authority), supply chain security for IT suppliers, and management liability for cybersecurity measures."},"q4":{"q":"How does NIS2 relate to KHZG (Hospital Future Act) funding?","a":"KHZG funded IT modernization in German hospitals, including IT security investments. If your hospital received KHZG funding for cybersecurity projects, those investments likely address some NIS2 requirements. However, KHZG was about investment, not about ongoing compliance management. NIS2 requires continuous risk management, regular reviews, incident reporting processes, and management oversight - these are operational practices, not one-time projects. Use your KHZG investments as the technical foundation and build the NIS2 management framework on top."}},"ctaCard":{"heading":"NIS2 Compliance for Healthcare - Protecting Patients and Data","description":"The platform covers all 49 BSIG requirements with guidance adapted for healthcare environments: HIS/PACS asset management, medical device risk documentation, clinical incident response, and patient data encryption tracking."},"cta":"Start Your NIS2 Compliance Process"},"sectorLogistics":{"meta":{"title":"NIS2 for Logistics and Transport Companies - Compliance Guide","description":"Transport and logistics is in scope under NIS2 Annex I. A practical guide for logistics companies with 50+ employees: TMS, fleet management, warehouse systems, and BSIG compliance."},"badge":"Annex I - Essential / Important Entity","title":"NIS2 for Logistics and Transport Companies","subtitle":"Transport is classified under Annex I of NIS2, covering road, rail, water, and air transport. If your logistics company has 50+ employees, here is what the BSIG requires and where to start.","why":{"heading":"Why Does NIS2 Apply to Logistics Companies?","p1":"Logistics is the backbone of the physical economy. A cyberattack that stops a major logistics provider does not just affect one company - it disrupts supply chains for dozens or hundreds of clients. The 2017 NotPetya attack cost Maersk alone over 300 million euros and disrupted global shipping for weeks. The EU classified transport under Annex I (sectors of high criticality) because logistics disruptions cascade through the entire economy.","p2":"NIS2 covers all transport modes: road freight, rail transport, inland waterways, maritime shipping, and air cargo. Companies meeting the size threshold (50+ employees or over 10 million euros in revenue) are in scope. Large companies (250+ employees) in Annex I sectors are classified as essential entities. Medium companies (50-249 employees) are important entities (wichtige Einrichtungen). Both face the full set of NIS2 obligations.","p3":"Modern logistics companies run on interconnected IT systems. Transport Management Systems (TMS) orchestrate shipments. Fleet management tracks vehicles in real time. Warehouse Management Systems (WMS) control inventory and picking. Telematics units in trucks transmit position, speed, temperature, and driver data. If any of these systems fail, operations stop or become dangerously inefficient. NIS2 requires you to identify these dependencies and manage the cybersecurity risks systematically."},"assets":{"heading":"What Does a Logistics Company's Asset Inventory Look Like?","description":"For a logistics company with 100 to 250 employees, expect 10 to 18 grouped asset entries across six categories. The exact mix depends on whether you operate road, rail, warehouse, or multimodal operations.","items":{"tms":{"title":"Transport Management System (TMS)","detail":"The central system for shipment planning, carrier management, route optimization, and freight billing. Common systems include SAP TM, Oracle Transportation Management, Transporeon, or CargoWise. If the TMS goes down, you cannot plan or dispatch shipments. One asset entry."},"fleet":{"title":"Fleet management and telematics","detail":"GPS tracking, vehicle diagnostics, driver hours logging (digital tachograph integration), fuel management, and route tracking. Telematics units in each vehicle transmit data continuously. Systems like Webfleet, Trimble, Samsara, or fleet-specific solutions. Compromise could mean loss of vehicle visibility, manipulation of driver records, or unauthorized tracking. Group as one asset."},"warehouse":{"title":"Warehouse Management System (WMS)","detail":"Inventory management, picking optimization, goods receipt and dispatch, and integration with TMS and ERP. May include barcode/RFID scanners, automated storage and retrieval systems, and conveyor controls. Systems like SAP EWM, Manhattan Associates, or Korber. If WMS fails, warehouse operations revert to manual processes at a fraction of normal throughput."},"erp":{"title":"ERP and finance system","detail":"Customer management, contract administration, invoicing, procurement, and financial reporting. Commonly SAP, Microsoft Dynamics, or Sage. In logistics, ERP often integrates tightly with TMS for billing and customer portals. Compromise affects revenue, customer relationships, and financial reporting. One asset entry."},"network":{"title":"Network infrastructure","detail":"The network connecting offices, warehouses, and vehicle telematics. Includes WAN links between locations, VPN connections for mobile workers and drivers, Wi-Fi in warehouses, and cellular connections for fleet telematics. Logistics companies often have distributed networks across many locations - each site's infrastructure should be documented. Group by site type."},"endpoints":{"title":"Endpoints and mobile devices","detail":"Office PCs, warehouse terminals, handheld scanners, driver tablets, and smartphones. Logistics has a higher proportion of mobile and ruggedized devices than most sectors. Include mobile device management (MDM) if used. Grundschutz allows grouping: '60 warehouse handheld scanners' is one entry. Also include driver tablets as a separate grouped entry."}}},"priorities":{"heading":"Where to Start - Priority Order for Logistics Companies","description":"Focus on the areas that create the most compliance value first. Logistics companies benefit from starting with the systems that directly control operations.","items":{"registration":{"title":"1. Register with the BSI","description":"Complete your Section 33 BSIG registration. Transport is an Annex I sector, so large companies face proactive BSI supervision. Registration takes 30 to 60 minutes via muk.bsi.bund.de. If the deadline has passed, register immediately - the penalty for non-registration is up to 500,000 euros."},"assets":{"title":"2. Build your asset inventory","description":"Map your TMS, fleet management, WMS, ERP, and supporting infrastructure. For each system, document what it does, where it runs, who manages it, and what happens if it is unavailable for 4 hours (logistics is time-sensitive). Pay special attention to telematics - dozens or hundreds of connected devices in the field represent a unique attack surface."},"incidents":{"title":"3. Set up incident reporting","description":"Logistics operates on tight schedules. A cyberattack that delays shipments by even a few hours can have contractual and financial consequences. Define what counts as a significant incident, establish the BSI reporting chain (24h/72h/1 month), and create internal escalation procedures that account for the 24/7 nature of logistics operations. Include weekend and night-shift scenarios."},"suppliers":{"title":"4. Document supplier relationships","description":"Logistics companies rely heavily on third-party IT: cloud-hosted TMS, telematics SaaS providers, EDI partners, and carrier platforms. Document every IT supplier, what data they access, and what security measures they commit to. Your TMS provider likely has more access to your operational data than any single employee. Include them in your supply chain security assessment under Section 30(2)(4) BSIG."},"access":{"title":"5. Review access controls","description":"Logistics has a distributed workforce: office staff, warehouse workers, drivers, and dispatchers - each needing different system access. Implement role-based access controls, enforce MFA for remote and administrative access, and ensure that driver and temporary worker accounts are deactivated promptly when employment ends. Shared accounts on warehouse terminals are common but should be replaced with individual logins where feasible."}}},"specifics":{"heading":"What Makes Logistics Companies Different","p1":"Logistics companies operate one of the most distributed IT environments of any sector. Assets are not in one building - they are spread across offices, warehouses, distribution centers, and hundreds of vehicles on the road. Every truck with a telematics unit is a connected endpoint. Every warehouse scanner is a device on your network. This distributed footprint makes traditional perimeter security less effective and increases the importance of device management, network segmentation, and identity-based access controls.","p2":"The time sensitivity of logistics creates a unique incident response challenge. In a manufacturing company, you might be able to tolerate a 24-hour system outage. In logistics, 4 hours of TMS downtime means missed delivery windows, contract penalties, and cascading delays. Your incident response plan needs to account for this: what manual fallback procedures exist? Can dispatchers route shipments by phone? Can warehouse operations continue with paper-based picking? These business continuity questions are as important as the technical recovery plan.","p3":"Logistics companies are also deeply integrated with their customers' and carriers' systems via EDI (Electronic Data Interchange), API connections, and shared platforms. A security breach at your company can propagate to customers through these connections, and vice versa. Your supply chain security assessment should cover not just your IT suppliers but also the electronic connections with your business partners. Securing these interfaces - proper authentication, encrypted transmission, input validation - is both a NIS2 requirement and a business protection measure."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"We are a road freight company with 80 trucks. Are we essential or important?","a":"Road transport falls under Annex I (sectors of high criticality). If your company has 250 or more employees, you are an essential entity with proactive BSI supervision. With 50 to 249 employees, you are an important entity with reactive supervision. With 80 trucks, you likely have 100 to 150 employees (drivers, dispatchers, warehouse, office). Check your total headcount against the threshold - the full range of NIS2 obligations applies either way."},"q2":{"q":"Are our truck telematics units considered 'assets' under NIS2?","a":"Yes. Any system that supports your critical transport services is an asset. Telematics units transmit real-time location, speed, temperature (for refrigerated transport), and driver hours data. They are connected devices on your network. Group them as one asset entry - for example, '80 Webfleet telematics units' rather than 80 separate entries. The key risks are: unauthorized access to vehicle tracking data, manipulation of tachograph records, and potential use as a network entry point."},"q3":{"q":"We use a cloud-based TMS. Is that our problem or the provider's?","a":"Both, but the legal obligation is yours. Under Section 30 BSIG, you can outsource operations but not accountability. Your cloud TMS provider is a critical supplier under Section 30(2)(4). You must: document the provider in your supply chain security assessment, include cybersecurity requirements in the contract, verify the provider has adequate security measures (certifications, audit reports, incident notification commitments), and have a contingency plan if the provider suffers a breach or outage."},"q4":{"q":"How does NIS2 relate to the EU Mobility Data Act and digital tachograph regulations?","a":"NIS2, the Mobility Data Act, and tachograph regulations (EU 165/2014) are separate legal frameworks that overlap on data security. Tachograph regulations require tamper-proof recording of driver data. The Mobility Data Act addresses data sharing obligations. NIS2 adds the cybersecurity management layer: securing the IT systems that process and transmit this data. Compliance with NIS2 strengthens your position on all three because a well-secured IT environment protects the integrity of regulated data."}},"ctaCard":{"heading":"NIS2 Compliance for Logistics - From Fleet to Warehouse","description":"The platform covers all 49 BSIG requirements with guidance for logistics operations: fleet and telematics asset management, distributed network documentation, supplier security tracking, and incident reporting for time-critical operations."},"cta":"Start Your NIS2 Compliance Process"},"europeanStandard":{"meta":{"title":"The Strictest Common Denominator - True EU-Wide NIS2 Compliance","description":"Our platform combines the strictest requirements from the NIS2 Directive, CIR 2024/2690, and Germany's BSIG/Grundschutz into one unified compliance process. Comply once, be compliant everywhere in the EU."},"badge":"EU-Wide Compliance","title":"One platform. Every EU requirement. No gaps.","subtitle":"The EU created NIS2 to harmonize cybersecurity across Europe. Then 27 countries implemented it differently. We fixed that.","problem":{"heading":"The standardization that never was","p1":"NIS2 was supposed to be the great unifier - one directive to align cybersecurity requirements across all 27 EU member states. In practice, it did the opposite. The directive sets minimum requirements, and every country is free to go stricter. Most did. The result is a patchwork of national laws, each with its own interpretation, its own thresholds, and its own enforcement expectations.","p2":"Then the European Commission added CIR 2024/2690, an implementing regulation that specifies technical requirements for the most critical cross-border entities. It does not replace national law - it stacks on top of it. So now companies face three layers of requirements that overlap, contradict, and confuse in roughly equal measure.","p3":"If you operate in multiple EU countries, or if you simply want to know what \"NIS2 compliant\" actually means in concrete terms, you are on your own. There is no single source of truth. Until now."},"layers":{"heading":"Four layers of requirements","description":"To understand why NIS2 compliance is confusing, you need to understand the four layers that define what \"compliant\" actually means.","items":{"directive":{"title":"NIS2 Directive (EU 2022/2555)","description":"The EU-level directive that sets minimum cybersecurity requirements for essential and important entities. Deliberately vague on implementation details - it tells you what to achieve, not how to achieve it. Every member state must transpose it into national law, and they are explicitly allowed to go further."},"nationalLaw":{"title":"BSIG - German National Transposition","description":"Germany transposed NIS2 into the BSIG (BSI-Gesetz). It goes significantly beyond the directive's minimums: stricter incident reporting timelines, broader scope of affected entities, and explicit management liability under section 38. If you operate in Germany, the directive alone is not enough - the BSIG is what auditors enforce."},"cir":{"title":"CIR 2024/2690 - EU Implementing Regulation","description":"The Commission Implementing Regulation specifies detailed technical and methodological requirements for entities that provide cross-border services (DNS, cloud, CDN, data centers, and more). Unlike the directive, it is directly applicable - no national transposition needed. It adds granular requirements for risk management, incident handling, and supply chain security that go well beyond the directive's text."},"grundschutz":{"title":"IT-Grundschutz - BSI Implementation Methodology","description":"The BSI's IT-Grundschutz standards (BSI-200-1, 200-2, 200-3) define exactly how to implement the requirements in practice. Under section 44(2) BSIG, implementing Grundschutz is explicitly recognized as fulfilling NIS2 obligations in Germany. It is the most detailed and prescriptive layer - and the one that turns vague policy statements into concrete, auditable controls."}}},"approach":{"heading":"The strictest common denominator","p1":"Our platform does not pick one framework and hope for the best. For every compliance topic - risk management, incident reporting, access control, encryption, training, supply chain - we identify the strictest requirement across all three normative sources: the NIS2 Directive, the CIR 2024/2690, and the BSIG with IT-Grundschutz methodology.","p2":"Then we build that strictest version into the platform as the default. Every form, every workflow, every evidence requirement is designed to satisfy the highest bar. When you complete a requirement on our platform, you do not just meet the German standard or the EU minimum - you meet all of them simultaneously.","p3":"The result: comply once, be compliant everywhere. Whether you operate only in Germany, across the EU, or fall under the CIR's cross-border scope, your compliance posture holds up. No duplicate work, no gaps, no surprises during an audit in a different jurisdiction."},"comparison":{"heading":"Where the requirements diverge","description":"The table below shows how requirements differ across the three normative layers. Our platform implements the strictest column for each area - so you never have to figure out which standard applies to you.","colArea":"Compliance area","colDirective":"NIS2 Directive","colCir":"CIR 2024/2690","colBsig":"BSIG / Grundschutz","rows":{"riskManagement":{"area":"Risk management","directive":"\"Appropriate and proportionate\" measures, no prescribed methodology","cir":"Explicit risk assessment methodology with defined criteria, documented risk acceptance","bsig":"Full asset-based risk analysis per BSI-200-3, threat modeling per IT-Grundschutz Compendium, mandatory annual review"},"incidentReporting":{"area":"Incident reporting","directive":"Early warning within 24h, full notification within 72h","cir":"Same timelines, plus recurring incidents must be aggregated and reported as a pattern","bsig":"24h/72h plus mandatory reporting to BSI, management must be notified immediately, root cause analysis required"},"supplyChain":{"area":"Supply chain security","directive":"Consider supply chain risks, account for supplier vulnerabilities","cir":"Documented supplier assessment, contractual security requirements, periodic reassessment","bsig":"Supplier risk register linked to asset inventory, NIS2 registration status tracked, Grundschutz-level supplier auditing"},"encryption":{"area":"Encryption & cryptography","directive":"\"Where appropriate\" - use of cryptography and encryption","cir":"Cryptography policy required, key management documented, algorithm suitability assessed","bsig":"BSI Technical Guidelines (TR-02102) define approved algorithms, key lengths, and protocols - no room for interpretation"},"accessControl":{"area":"Access control","directive":"Policies for access control to network and information systems","cir":"Role-based access, privileged access management, regular access reviews","bsig":"Need-to-know principle, separation of duties, mandatory MFA for administrative access, documented RBAC with annual recertification"},"training":{"area":"Cybersecurity training","directive":"Regular training for management and all employees","cir":"Role-specific training, management must demonstrate competence in risk oversight","bsig":"Annual awareness training for all employees, role-specific training for IT staff, mandatory section 38 BSIG liability training for management"}}},"benefits":{"heading":"Why this approach wins","description":"Meeting the highest bar is not just about compliance - it is the only strategy that scales across jurisdictions, survives regulatory tightening, and eliminates ambiguity.","items":{"crossBorder":{"title":"Cross-border by default","description":"Operate in Germany, expand to France, serve clients in the Netherlands - your compliance holds up everywhere. No jurisdiction-specific rework, no second audit. One process covers all 27 member states because you already meet the strictest interpretation."},"noGuesswork":{"title":"Zero ambiguity","description":"The NIS2 Directive is deliberately vague. \"Appropriate measures\" means different things to different auditors. Our platform eliminates that ambiguity by defaulting to the most specific, most prescriptive requirement available. You never have to guess whether your interpretation is \"enough\"."},"futureProof":{"title":"Future-proof compliance","description":"Regulations only tighten. Countries that transposed NIS2 at the minimum level today will go stricter tomorrow. By already meeting the highest current standard, you are ahead of every future tightening - not scrambling to catch up."},"auditReady":{"title":"Audit-ready from day one","description":"BSI auditors expect Grundschutz-level evidence. ENISA assessments check CIR compliance. Our platform generates evidence that satisfies both, automatically. Assignments, sign-offs, deadlines, and audit trails are built into the workflow - they are the compliance process, not an afterthought."}}},"myth":{"heading":"\"Isn't the strictest standard the most work?\"","p1":"This is the most common objection - and it is wrong. The difference between meeting the NIS2 Directive's minimum requirements and meeting the BSIG/Grundschutz standard is not more data entry, more documents, or more busywork. It is more structure. The same information a company provides for a bare-minimum NIS2 checkbox exercise is the same information needed for a Grundschutz-level implementation.","p2":"The extra \"work\" is understanding: knowing which assets to document, how to structure a risk assessment, what constitutes adequate evidence. That is exactly what our platform handles for you. The forms guide you through the right questions. The workflows enforce the right process. The evidence is generated as you work.","p3":"In practice, a company using our platform spends no more time than one using a minimum-compliance checklist tool. The difference is that our output actually holds up in an audit - in any EU country, under any applicable regulation. The effort is identical. The result is incomparably better."},"faq":{"heading":"Frequently asked questions","q1":{"q":"Isn't this overkill for a company that only operates in one country?","a":"No. Even within a single country, you face multiple overlapping requirements: the national transposition, potentially the CIR if you provide cross-border services, and the practical expectations of your national auditor. Meeting the strictest common denominator means you never have to worry about which specific regulation applies to which part of your business. It is not overkill - it is the only approach that removes ambiguity entirely."},"q2":{"q":"What if my country has different requirements than Germany's BSIG?","a":"Every EU country transposed NIS2 at or above the directive's minimum. Germany's BSIG is among the strictest transpositions. If you meet BSIG-level requirements, you automatically exceed whatever your country requires. Think of it as a superset: the strictest national law plus the CIR plus the directive covers every possible interpretation any member state could enforce."},"q3":{"q":"Does the stricter approach cost more or take longer?","a":"No. The platform guides you through the same number of steps regardless. The difference is in how those steps are structured - our forms and workflows are designed to capture information at the level of detail that satisfies Grundschutz methodology. You are not doing more work; you are doing the same work more precisely. The time investment is comparable to any compliance tool, but the output is defensible across all EU jurisdictions."},"q4":{"q":"What about ISO 27001? Do I still need it?","a":"ISO 27001 is a management system standard, not a legal requirement. NIS2, BSIG, and CIR are legal obligations. There is significant overlap - if you comply with our platform's requirements, you have covered roughly 70-80% of ISO 27001's Annex A controls. But they serve different purposes: NIS2 compliance is mandatory and legally enforced, ISO 27001 certification is voluntary and market-driven. Our platform focuses on the legal obligations first. ISO 27001 alignment will follow as a future feature."},"q5":{"q":"How does CIR 2024/2690 relate to national law like the BSIG?","a":"The CIR is an EU implementing regulation - it applies directly in all member states without national transposition. It does not replace national law; it adds to it. For entities in scope of the CIR (primarily cross-border digital infrastructure providers), you must comply with both your national transposition (e.g., BSIG in Germany) and the CIR. Where they overlap, the stricter requirement applies. Where they do not overlap, both apply independently. Our platform handles this layering so you do not have to."}},"ctaCard":{"heading":"Comply everywhere. Set up once.","description":"Our platform implements the strictest common denominator of NIS2, CIR 2024/2690, and BSIG/Grundschutz. Complete your compliance process once and meet every EU requirement automatically - no duplicate work, no jurisdiction gaps, no audit surprises."},"cta":"Start your compliance process"},"entityTypes":{"meta":{"title":"NIS2 Entity Types: Important vs Essential vs KRITIS - What's the Difference?","description":"The compliance work is identical for all NIS2 entity types. The difference is supervision intensity and penalties. Learn what important, essential, and KRITIS mean for your company."},"title":"Important vs Essential vs KRITIS: The Same Work, Different Consequences","subtitle":"NIS2 defines three tiers of regulated entities. The security measures are identical across all three. What changes is how closely BSI watches you and how hard they hit if you fail.","overview":{"heading":"Three Tiers, One Set of Rules","p1":"The German NIS2 transposition (BSIG) classifies regulated entities into three categories: wichtige Einrichtungen (important entities), essential entities (essential entities), and Betreiber kritischer Anlagen (KRITIS operators). Many companies spend weeks trying to figure out which category they fall into before starting their compliance work.","p2":"Here is the key insight: it does not matter for the work itself. All three categories must implement the same 10 security measure categories defined in §30(2) BSIG. The same risk management. The same incident reporting. The same supply chain security. The same access controls. The same encryption policies. The same business continuity planning.","p3":"The differences are in supervision (how BSI monitors you), penalties (how much you pay if caught non-compliant), and three extra obligations that only apply to KRITIS operators. The compliance process you go through on NISD2 covers all three categories identically."},"classification":{"heading":"How Entities Are Classified","description":"Classification is based on company size, sector, and whether you operate critical infrastructure. Defined in §28 BSIG.","headers":{"criterion":"Criterion","important":"Important (Wichtig)","essential":"Essential (Besonders Wichtig)","kritis":"KRITIS"},"rows":{"size":{"criterion":"Company Size","important":"50+ employees OR >10M EUR revenue and >10M EUR balance sheet","essential":"250+ employees OR >50M EUR revenue and >43M EUR balance sheet","kritis":"Any size - determined by infrastructure thresholds (e.g. 500,000 people served)"},"sectors":{"criterion":"Sectors","important":"Annex I (energy, transport, finance, health, water, digital infra, space) + Annex II (postal, waste, chemicals, food, manufacturing, digital services, research)","essential":"Annex I sectors only (medium-sized entities in Annex I are classified as important, not essential)","kritis":"Subset of essential - only entities operating infrastructure whose failure would disrupt public supply"},"sizeIndependent":{"criterion":"Size-Independent Inclusions","important":"Non-qualified trust service providers, small telecom providers","essential":"Qualified trust services, TLD registries, DNS providers, large telecom providers","kritis":"Operators of critical installations as defined in BSI-KritisV (power grids, water treatment, hospitals, etc.)"}}},"edgeCases":{"heading":"Edge Cases: When Size Classification Is Not Obvious","description":"NIS2 uses the EU SME definition (Recommendation 2003/361/EC). The thresholds combine employees with financials in ways that catch many companies off guard.","intro":"The EU medium enterprise threshold is: 50+ employees OR (>€10M turnover AND >€10M balance sheet). Both financial criteria must be met simultaneously - high revenue alone is not enough. For essential entities, the large enterprise threshold is: 250+ employees OR (>€50M turnover AND >€43M balance sheet). These examples show how the rules apply in practice.","headers":{"scenario":"Scenario","employees":"Employees","turnover":"Turnover","balanceSheet":"Balance Sheet","sector":"Sector","result":"Classification"},"rows":{"e1":{"scenario":"High-revenue trading firm, small team","employees":"12","turnover":"€25M","balanceSheet":"€18M","sector":"Annex I - Banking","result":"Important - both financial thresholds exceeded (>€10M), employee count irrelevant"},"e2":{"scenario":"Large manufacturer, low margin","employees":"200","turnover":"€5M","balanceSheet":"€3M","sector":"Annex II - Manufacturing","result":"Important - employee count ≥50 is sufficient, revenue does not matter"},"e3":{"scenario":"SaaS startup, high revenue, tiny team","employees":"8","turnover":"€15M","balanceSheet":"€4M","sector":"Annex I - Digital infrastructure","result":"Not in scope - revenue exceeds €10M but balance sheet is below €10M. Need BOTH"},"e4":{"scenario":"Regional hospital","employees":"400","turnover":"€60M","balanceSheet":"€45M","sector":"Annex I - Health","result":"Essential - 250+ employees in Annex I sector. If >30,000 inpatient cases/year: KRITIS"},"e5":{"scenario":"Energy trader, asset-light","employees":"15","turnover":"€120M","balanceSheet":"€55M","sector":"Annex I - Energy","result":"Essential - both large financial thresholds exceeded (>€50M turnover AND >€43M balance sheet)"},"e6":{"scenario":"Waste management company","employees":"80","turnover":"€8M","balanceSheet":"€6M","sector":"Annex II - Waste","result":"Important - 80 employees ≥50 threshold, despite low revenue. NACE E.38 only (not remediation E.39)"},"e7":{"scenario":"Managed service provider (MSP)","employees":"45","turnover":"€12M","balanceSheet":"€11M","sector":"Annex I - ICT service management","result":"Important - below 50 employees but both financial thresholds exceeded. Also subject to CIR 2024/2690"},"e8":{"scenario":"Food processor, seasonal workforce","employees":"55 (annual average)","turnover":"€9M","balanceSheet":"€7M","sector":"Annex II - Food","result":"Important - headcount uses annual work units (Rec. 2003/361/EC Art. 5). Seasonal peaks count proportionally"},"e9":{"scenario":"Qualified trust service provider (qTSP)","employees":"3","turnover":"€500K","balanceSheet":"€200K","sector":"Annex I - Digital infrastructure","result":"Essential - size-independent under §28(1) BSIG. qTSPs are always essential regardless of size"},"e10":{"scenario":"Chemical distributor, large subsidiary","employees":"180","turnover":"€70M","balanceSheet":"€50M","sector":"Annex II - Chemicals","result":"Important - despite large financials, Annex II sectors max out at important. Only Annex I + large = essential"}},"legalBasis":"Size thresholds per EU Recommendation 2003/361/EC Art. 2, referenced by NIS2 Directive Art. 2(1). Employee count uses annual work units (Art. 5). Linked/partner enterprise rules (Annex Art. 3) may aggregate parent company headcount and financials. Sector classification per NIS2 Directive Annex I/II, transposed in BSIG §28 Anlage 1/2. Size-independent cases per §28(1) BSIG."},"sameWork":{"heading":"What Is Identical Across All Three Categories","p1":"The compliance obligations defined in §30(2) BSIG are the same for important, essential, and KRITIS. There is no lighter version for important entities and no heavier version for essential entities. The 10 security measure categories apply equally:","items":["Risk management policies and procedures (§30(2) Nr. 1)","Incident handling and reporting - 24h initial, 72h detailed, 1 month final report (§32)","Business continuity and disaster recovery (§30(2) Nr. 3)","Supply chain security (§30(2) Nr. 4)","Security in procurement, development, and maintenance (§30(2) Nr. 5)","Policies for evaluating the effectiveness of security measures (§30(2) Nr. 6)","Cybersecurity hygiene and training (§30(2) Nr. 7)","Cryptography and encryption policies (§30(2) Nr. 8)","Human resources security and access control (§30(2) Nr. 9)","Multi-factor authentication and secure communications (§30(2) Nr. 10)","Registration with BSI within 3 months (§33)","Management liability - personal responsibility for approving and monitoring security measures (§38)"],"p2":"This means the NISD2 platform covers all entity types with the same set of requirements. Whether you are an important food company or an essential energy provider, the compliance process is identical. You complete the same requirements, produce the same evidence, and meet the same standards."},"comparison":{"heading":"What Actually Differs","description":"The differences between entity types are about enforcement, not about what you need to do.","headers":{"obligation":"Obligation","important":"Important","essential":"Essential","kritis":"KRITIS"},"rows":{"measures":{"obligation":"10 Security Measures (§30)","important":"Required","essential":"Required","kritis":"Required"},"reporting":{"obligation":"Incident Reporting (§32)","important":"24h / 72h / 1 month","essential":"24h / 72h / 1 month","kritis":"24h / 72h / 1 month"},"registration":{"obligation":"BSI Registration (§33)","important":"Basic","essential":"Basic","kritis":"Enhanced - critical service, supply metrics, facility location, 24/7 contact"},"management":{"obligation":"Management Liability (§38)","important":"Personal liability","essential":"Personal liability","kritis":"Personal liability"},"supervision":{"obligation":"BSI Supervision","important":"Reactive only (§62) - BSI acts only when evidence of non-compliance exists","essential":"Proactive (§61) - BSI can audit at any time without cause","kritis":"Proactive + mandatory 3-year proof cycle (§39)"},"fineBase":{"obligation":"Maximum Fine (Base)","important":"7,000,000 EUR","essential":"10,000,000 EUR","kritis":"10,000,000 EUR"},"fineRevenue":{"obligation":"Maximum Fine (Revenue)","important":"1.4% of global turnover","essential":"2% of global turnover","kritis":"2% of global turnover"},"attackDetection":{"obligation":"Attack Detection Systems (§31)","important":"Not required","essential":"Not required","kritis":"Required - continuous SIEM/SOC capability"},"complianceProof":{"obligation":"Mandatory Compliance Proof (§39)","important":"Not required","essential":"Not required","kritis":"Required - every 3 years, submitted to BSI"}}},"kritisExtras":{"heading":"KRITIS: Three Additional Obligations","intro":"KRITIS operators - entities running infrastructure whose failure would disrupt public supply (power grids, water treatment, hospitals) - must meet three additional requirements beyond what important and essential entities must do.","items":{"attackDetection":{"title":"§31 - Attack Detection Systems (Angriffserkennungssysteme)","detail":"You need a system watching your network around the clock that can spot attacks in progress or detect that someone has already broken in. In practice, this means deploying a SIEM (Security Information and Event Management) - software that collects logs from every server, firewall, and endpoint, correlates them, and alerts on anomalies. It must use pattern matching AND anomaly detection, not just signatures. Most companies outsource this to a managed SOC (Security Operations Center) provider, which typically costs 5,000-15,000 EUR per month. Normal NIS2 entities can get by with basic monitoring - KRITIS operators explicitly cannot."},"enhancedRegistration":{"title":"§33(2) - Enhanced Registration with BSI","detail":"On top of the standard registration (name, sector, contact), KRITIS operators must tell BSI exactly what critical service they provide (e.g. 'drinking water supply for 200,000 people'), what critical components they use, the physical facility location, and a 24/7 contact person reachable at any hour. Supply metrics must be reported annually - BSI uses these to verify you still exceed the KRITIS threshold (defined in BSI-KritisV, e.g. 500,000 people served for water, 104 MW for power)."},"complianceProof":{"title":"§39 - Mandatory Compliance Proof Every 3 Years (Nachweispflicht)","detail":"Every 3 years, you must proactively submit audit results, security reports, or certifications to BSI proving compliance with all §30 measures and §31 attack detection. BSI does not have to come find you - you come to them. If BSI finds deficiencies, they issue binding remediation orders with deadlines and demand proof that you fixed the issues. Think of it as a mandatory ISO certification cycle, except the auditor is the government. First deadline: December 2028 (5 years for hospitals: December 2030)."}}},"takeaway":{"heading":"What This Means for Your Company","p1":"If you are a 50-250 employee company in Germany - the typical NISD2 user - you are almost certainly classified as a wichtige Einrichtung (important entity). Your manufacturing company, food processing business, or IT service provider falls into this category. The compliance work you need to do is exactly the same as what a large essential entity or even a KRITIS operator does. The only practical difference: BSI will not proactively audit you unless they have a reason to (an incident, a complaint, or a tip-off).","p2":"That is not a reason to do less. If BSI does audit you - reactively, after an incident - and finds you non-compliant, fines up to 7 million EUR or 1.4% of global turnover apply. And your management is personally liable under §38. The safest position is full compliance regardless of category. NISD2 gives you the same compliance process used by essential and KRITIS entities, because the requirements are identical."},"faq":{"heading":"Frequently Asked Questions","q1":{"q":"Can my company be both important and essential?","a":"No. The categories are mutually exclusive under §28 BSIG. If you meet the essential threshold (250+ employees or >50M revenue in an Annex I sector), you are essential. If you meet the important threshold but not the essential one, you are important. KRITIS is a subset of essential - KRITIS operators are automatically classified as essential with additional obligations on top."},"q2":{"q":"I am an important entity. Do I need to do less compliance work?","a":"No. The 10 security measure categories in §30(2) BSIG apply identically to both important and essential entities. The only difference is enforcement: BSI supervises essential entities proactively (random audits) and important entities reactively (only after evidence of non-compliance). But the measures themselves, the incident reporting timelines, and management liability are all the same."},"q3":{"q":"How do I know if I am KRITIS?","a":"KRITIS classification is defined in the BSI-KritisV regulation, based on specific supply thresholds: 500,000 people served for water, 104 MW installed capacity for power, 30,000 inpatient cases per year for hospitals, etc. If your infrastructure failure would not directly disrupt public supply at these scales, you are not KRITIS. Most mid-market companies are not KRITIS - they are important or essential entities."},"q4":{"q":"What happens if I get my entity classification wrong?","a":"Classification determines supervision intensity and penalty caps, not what you need to implement. If you implement all 10 measure categories (which NISD2 guides you through), you are compliant regardless of classification. The risk of misclassification is underestimating your supervision exposure - thinking BSI will not audit you when they actually can."},"q5":{"q":"Does the CIR 2024/2690 distinguish between important and essential entities?","a":"No. The CIR applies to specific entity types (cloud providers, DNS providers, managed service providers, etc.) regardless of whether they are classified as important or essential. The technical requirements in the CIR are identical for both categories."}},"sources":{"heading":"Legal Sources","items":["§28 BSIG - Entity classification (essential and important entities)","§30 BSIG - Risk management measures (10 categories, identical for all entity types)","§31 BSIG - Attack detection systems (KRITIS only)","§32 BSIG - Incident reporting obligations (identical timelines for all entity types)","§33 BSIG - Registration obligations (enhanced for KRITIS)","§38 BSIG - Management liability (identical for all entity types)","§39 BSIG - Compliance proof (KRITIS only, every 3 years)","§61 BSIG - Supervision of essential entities (proactive)","§62 BSIG - Supervision of important entities (reactive)","§65 BSIG - Penalties and fines","CIR 2024/2690 - EU implementing regulation (no entity type distinction)","BSI-KritisV - KRITIS threshold regulation"]},"ctaCard":{"heading":"One Platform, All Entity Types","description":"NISD2 implements the full set of NIS2/BSIG requirements - the same ones that apply to important, essential, and KRITIS entities. Complete your compliance once. The requirements are identical regardless of your classification."},"cta":"Start your compliance process"},"faq":{"meta":{"title":"NIS2 FAQ - Frequently Asked Questions About NIS2 Compliance in Germany","description":"Answers to the most common NIS2 questions: essential vs important entities, penalties, management liability, BSI registration, incident reporting, costs, and what German companies need to do now."},"title":"NIS2 Frequently Asked Questions","subtitle":"Clear answers to the questions German companies ask most about NIS2, the BSIG, and what compliance actually requires.","categories":{"basics":"NIS2 Basics","scope":"Scope & Applicability","frameworks":"NIS2 vs Other Frameworks","liability":"Management Liability","registration":"BSI Registration","incidents":"Incident Reporting","penalties":"Penalties & Fines","implementation":"Implementation"},"basics":{"q1":{"q":"What is the difference between NIS2 essential and important entities?","a":"Essential entities (essential entities) are companies in high-criticality sectors like energy, transport, banking, health, water, and digital infrastructure (NIS2 Annex I). Important entities (wichtige Einrichtungen) are in other critical sectors like waste management, food, manufacturing, postal, and chemicals (Annex II). The key differences: essential entities face higher maximum fines (€10M / 2% turnover vs €7M / 1.4%), proactive BSI audits (the BSI can inspect at any time without a trigger), and stricter supervision. Important entities are only audited reactively - after an incident or on evidence of non-compliance. Both must implement the same 10 cybersecurity measures under §30 BSIG."},"q2":{"q":"How many companies are affected by NIS2 in Germany?","a":"The BSI estimates approximately 29,500 companies in Germany fall under NIS2 scope. This is a massive expansion from the previous KRITIS regime, which covered only about 2,000 operators. The increase comes from lower size thresholds (50+ employees instead of hundreds of thousands of people served) and seven newly added sectors including waste management, food production, manufacturing, postal services, chemicals, research, and expanded digital services."},"q3":{"q":"When did NIS2 become law in Germany?","a":"The German NIS2 transposition law (NIS2UmsuCG) was passed by the Bundestag on 13 November 2025, approved by the Bundesrat on 21 November 2025, published in the Bundesgesetzblatt on 5 December 2025, and entered into force on 6 December 2025. The BSI registration portal went live on 6 January 2026, with the registration deadline on 6 March 2026. Germany missed the original EU transposition deadline of 17 October 2024 by over a year."},"q4":{"q":"Is there a transition period for NIS2 in Germany?","a":"No. There is no transition period. All obligations - risk management measures, incident reporting, management liability, and BSI registration - applied from the day the law entered into force on 6 December 2025. The BSI registration deadline was 6 March 2026 (3 months after entry into force). Companies that have not yet started compliance work are already technically non-compliant."},"q5":{"q":"Does NIS2 apply to small companies with fewer than 50 employees?","a":"Generally no. NIS2 uses the EU SME definition (Recommendation 2003/361/EC): companies need at least 50 employees OR more than €10M annual turnover AND €10M balance sheet to be in scope. Both financial thresholds must be met - high revenue alone is not enough if the balance sheet is below €10M. However, certain entity types are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, KRITIS operators, and sole providers of essential services in a region. If you are close to the 50-employee threshold, check whether linked group companies push you over the limit. See our entity types article for 10 real-world edge case examples."}},"scope":{"q1":{"q":"Which sectors are covered by NIS2?","a":"NIS2 covers 18 sectors in total. Annex I (high-criticality, essential entities): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II (other critical, important entities): postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (marketplaces, search engines, social networks), and research organizations."},"q2":{"q":"What is the difference between NIS2 Annex I and Annex II sectors?","a":"Annex I lists 11 'sectors of high criticality' - companies here are classified as essential entities if they are large, or as important entities if medium-sized. Annex II lists 7 'other critical sectors' - companies here are classified as important entities regardless of whether they are medium or large. This means a chemical distributor with 180 employees, €70M revenue, and €50M balance sheet is still classified as important - not essential - because chemicals are Annex II. The practical difference: Annex I essential entities face proactive BSI audits, higher fines (€10M vs €7M), and stricter supervision. Annex II important entities face reactive supervision only."},"q3":{"q":"Does NIS2 apply to manufacturing companies?","a":"Yes, if you manufacture medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, or other transport equipment and have 50+ employees or €10M+ revenue. Manufacturing is listed in NIS2 Annex II, making affected companies 'important entities' (wichtige Einrichtungen). A significant number of German Mittelstand companies fall into this category. All 10 cybersecurity measures under §30 BSIG apply."},"q4":{"q":"We outsource all IT to a managed service provider. Does NIS2 still apply?","a":"Yes, fully. NIS2 applies to the entity providing the regulated service, regardless of who manages the IT. You can outsource operations but not accountability (§30 BSIG). Your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify their security measures. If they get breached, your reporting obligation triggers - not theirs. Management remains personally liable under §38 BSIG."},"q5":{"q":"Our company operates in multiple EU countries. Do we need to comply with each country's NIS2 law?","a":"Yes. An incident at a company with operations in multiple member states may trigger reporting obligations in each country where affected services are provided. By early 2026, only about 6-8 of 27 EU member states had fully transposed NIS2. Each country has its own registration portal and procedures. Germany's BSIG is among the most detailed implementations. For cross-border operations, comply with each national law where you provide services."}},"frameworks":{"q1":{"q":"What is the difference between NIS2 and KRITIS?","a":"NIS2 does not replace KRITIS - it extends it dramatically. KRITIS covered roughly 2,000 operators with high thresholds (e.g., 500,000 people served). NIS2 covers approximately 30,000 entities with much lower thresholds (50+ employees). NIS2 adds seven new sectors, personal management liability (§38 BSIG), mandatory BSI registration, structured incident reporting (24h/72h/1 month), and significantly higher penalties (up to €10M vs €100K). KRITIS operators are automatically classified as essential entities under NIS2."},"q2":{"q":"Does an ISO 27001 certification mean I'm NIS2 compliant?","a":"No. ISO 27001 covers approximately 70% of NIS2 technical requirements, but it misses the areas with the highest enforcement risk: BSI registration (§33), incident reporting timelines (24h/72h/1 month under §32), management personal liability (§38), enhanced supply chain due diligence, and the statutory penalty framework. ISO 27001 is a voluntary management standard; NIS2 is a legal obligation with government reporting and personal liability. Your ISO certification is a strong foundation, but you need gap-filling for the NIS2-specific regulatory requirements."},"q3":{"q":"What is IT-Grundschutz and why does it matter for NIS2?","a":"IT-Grundschutz is the BSI's own cybersecurity methodology - a comprehensive framework with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. This is a legal shortcut: the BSI both publishes Grundschutz and enforces NIS2, so using their methodology means you are audited against a standard the auditor knows inside out. Grundschutz covers 100% of CIR 2024/2690 requirements and is more detailed than ISO 27001 for NIS2 purposes."},"q4":{"q":"What is CIR 2024/2690 and how does it relate to NIS2?","a":"CIR 2024/2690 is the EU Implementing Regulation published on 17 October 2024 that specifies the exact technical and methodological requirements for NIS2 compliance. Unlike the NIS2 Directive, it applies directly in all EU member states without national transposition. It answers the question 'what exactly do we have to implement?' by breaking the 10 measure areas into specific, auditable requirements. In Germany, the BSIG extends these technical requirements to all NIS2-covered sectors, making the CIR the de facto technical standard for everyone."}},"liability":{"q1":{"q":"What are the three management duties under §38 BSIG?","a":"§38 BSIG defines three personal duties for management (Geschäftsleitung) that cannot be delegated: (1) Approval (Billigung) - formally approve cybersecurity risk management measures with documented, traceable sign-off. (2) Oversight (Überwachung) - actively monitor implementation through regular status reviews, not passive awareness. (3) Training (Schulung) - personally complete cybersecurity training to develop sufficient knowledge to evaluate risks. Failing any one of these creates personal liability exposure - even if the company has implemented reasonable measures."},"q2":{"q":"Can I delegate NIS2 responsibility to my IT department?","a":"You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter - not IT managers, CISOs, or external consultants. You must personally approve measures, oversee their implementation, and complete cybersecurity training. Your IT team implements; you approve and monitor. Claiming you delegated everything to IT is not a defense - it is proof of an oversight violation."},"q3":{"q":"Does D&O insurance cover NIS2 liability?","a":"Most D&O policies exclude regulatory fines and penalties - these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims from your own company) may be covered, depending on your policy terms. Insurers can also deny claims if management knowingly failed to comply with statutory duties. Check your specific policy's exclusion clauses - 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies. Do not assume coverage exists - ask for written confirmation."},"q4":{"q":"Can shareholders waive management liability for NIS2?","a":"No. §38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. Even in an owner-managed GmbH where the Geschäftsführer is the sole shareholder, the liability exists. If the company goes bankrupt due to a cyber incident, the insolvency administrator can come after your personal assets."},"q5":{"q":"I'm not technical - can I really be held liable for cybersecurity?","a":"Yes. §38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense - it is proof of a training violation. The training does not require you to become an IT expert, but you must understand your company's risk profile and the measures in place."}},"registration":{"q1":{"q":"How do I register with the BSI for NIS2?","a":"Registration uses a two-step process: (1) Create an account via Mein Unternehmenskonto (MUK) using your ELSTER business certificate at muk.bsi.bund.de. (2) Log in and complete the NIS2 registration form, providing your company details, sector classification, contact person for cybersecurity matters, and IP address ranges. The process takes 30-60 minutes if you have everything prepared. You will need your ELSTER certificate, commercial register number, and a designated cybersecurity contact person."},"q2":{"q":"I missed the BSI registration deadline. Is it too late?","a":"No. The portal is still open - register immediately. The March 6, 2026 deadline has passed, but a significant number of the estimated 30,000 in-scope companies have still not registered. The BSI has signaled that it will prioritize enforcement against companies that ignore obligations entirely - not those who registered late but are acting in good faith. The fine for non-registration is up to €500,000, but the BSI considers circumstances. Late registration with visible compliance progress is fundamentally different from no registration at all."},"q3":{"q":"What is the fine for not registering with the BSI?","a":"§65 BSIG provides for fines of up to €500,000 specifically for registration violations. This is a standalone violation - separate from any penalties for failing to implement security measures. You can be fined for non-registration even if your actual cybersecurity measures are adequate. However, fines are assessed on a case-by-case basis considering severity, duration, and good faith."},"q4":{"q":"Can I register if I'm not sure my company is in scope?","a":"Yes, and the BSI recommends erring on the side of registration if you are uncertain. Registering when you turn out to be out of scope has no negative consequences - the registration can be corrected. Not registering when you are in scope carries real legal risk. When in doubt, register."},"q5":{"q":"Does BSI registration mean I'm NIS2 compliant?","a":"No. Registration fulfills one obligation (§33 BSIG) but does not satisfy the substantive requirements: cybersecurity measures (§30), incident reporting (§32), or management liability duties (§38). Think of registration like filing a tax return - you still have to pay the tax. After registering, you need to implement all 10 mandatory security measures, set up incident reporting processes, and ensure management fulfills their personal duties."}},"incidents":{"q1":{"q":"What is the NIS2 incident reporting timeline?","a":"NIS2 requires a three-stage reporting cascade to the BSI: (1) Early warning within 24 hours - confirm a significant incident has occurred, whether it is malicious, and whether it could have cross-border impact. (2) Incident notification within 72 hours - severity assessment, indicators of compromise, initial root cause analysis, and measures taken. (3) Final report within 1 month - detailed description, confirmed root cause, mitigation measures, and lessons learned. If the incident is still ongoing at the one-month mark, an interim report is required."},"q2":{"q":"What counts as a 'significant' incident under NIS2?","a":"An incident is significant if it: causes severe operational disruption to services, causes financial loss exceeding €500,000 or 5% of annual turnover, affects other natural or legal persons with considerable damage, involves unauthorized access or alteration of data, or causes an extended service outage. CIR 2024/2690 adds that recurring minor incidents can be aggregated and treated as significant if they collectively meet the criteria within a six-month period. Not every phishing email triggers reporting - only events crossing these severity thresholds."},"q3":{"q":"Where do I report NIS2 incidents?","a":"All incident reports must be submitted via the BSI's official reporting portal under the NIS2 section. The BSI does not accept reports by email, telephone, or letter as a substitute for portal submission. Access requires prior registration under §33 BSIG - which means unregistered entities face a compounded problem: they cannot file incident reports through the proper channel. Telephone contact with CERT-Bund is appropriate for coordinating response in parallel."},"q4":{"q":"What happens if I don't report an incident to the BSI?","a":"Failure to report is penalized independently of the incident itself. Each missing stage (24h, 72h, 1 month) is a separate violation with fines up to €500,000. For essential entities, the broader penalty framework (up to €10M) can also apply. If management was aware of an incident and failed to ensure reporting, this constitutes a personal oversight violation under §38 BSIG. Non-reporting also raises questions about your entire compliance posture, potentially triggering a broader BSI audit."},"q5":{"q":"Does NIS2 incident reporting replace GDPR breach notification?","a":"No. NIS2 incident reporting under §32 BSIG is separate from and additional to GDPR breach notification under Articles 33/34 GDPR. Both obligations may apply simultaneously to the same incident. If a cyberattack exposes personal data and disrupts services, you must report to the BSI under NIS2 AND to the data protection authority under GDPR. Different timelines, different authorities, different forms."}},"penalties":{"q1":{"q":"What is the maximum NIS2 fine for my company?","a":"It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies under €500M turnover, the fixed amount applies because the percentage is lower. Separate penalties of up to €500,000 apply for registration and reporting violations. Multiple violations can compound."},"q2":{"q":"Can I be personally fined as a managing director (Geschäftsführer)?","a":"The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses - not a government fine, but potentially a damages claim from your own company. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally."},"q3":{"q":"Are NIS2 penalties proportional to company size?","a":"Yes, by design. The percentage-of-turnover calculation ensures penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed cap, since 2% is only €300K). For a €600M company, the maximum is €12M (2% exceeds the €10M floor). The BSI is also required to consider proportionality: company size, severity, duration, and good faith efforts all factor into the actual penalty amount."},"q4":{"q":"What triggers BSI enforcement action?","a":"For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger - risk-based spot checks. For important entities: enforcement is reactive - triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial registers and sector databases to identify entities that should be registered but are not. The BSI has indicated it will prioritize companies that have not registered at all."},"q5":{"q":"How do NIS2 penalties compare to GDPR fines?","a":"NIS2 penalties are modeled on the GDPR structure. Maximum NIS2 fines (€10M / 2% turnover for essential entities) are comparable to GDPR Tier 1 fines (€10M / 2% turnover). GDPR Tier 2 fines go higher (€20M / 4%). The key difference: NIS2 adds personal management liability (§38 BSIG) which GDPR does not have. Also, NIS2 fines can compound - non-registration, non-reporting, and non-compliance with measures are separate violations with separate penalties."}},"implementation":{"q1":{"q":"How long does NIS2 compliance take for a mid-market company?","a":"For a company with 50-250 employees starting from scratch, expect 3-6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2-6), incident reporting process (weeks 4-8), access control improvements (weeks 6-12), and policy documentation (ongoing). Most of the 49 BSIG requirements are write-once documentation - policies, risk assessments, procedures. Only a handful require ongoing operational processes. The BSI evaluates trajectory and good faith, not perfection on day one."},"q2":{"q":"How much does NIS2 compliance cost?","a":"For a 50-250 employee company: management consultants cost €150K-500K, enterprise GRC platforms €100K+/year, US compliance tools (Vanta, Drata) from €7,500/year but lack BSIG specifics, and DIY approaches €20K-80K in staff time. Realistic first-year costs for a 100-person company: gap assessment (€5K-15K), policy documentation (€10K-30K), technical measures (€15K-50K), training (€3K-8K), totaling €33K-103K one-time plus €20K-53K annually. Companies with existing security measures are at the lower end."},"q3":{"q":"What are the 10 mandatory NIS2 cybersecurity measures?","a":"§30(2) BSIG defines 10 mandatory measures: (1) Risk analysis and information security policies, (2) Incident handling, (3) Business continuity and crisis management, (4) Supply chain security, (5) Security in acquisition, development, and maintenance, (6) Effectiveness assessment, (7) Cybersecurity training and awareness, (8) Cryptography and encryption, (9) Personnel security, access control, and asset management, (10) Multi-factor authentication and secured communications. All essential and important entities must implement all 10 measures, proportionate to their risk profile."},"q4":{"q":"What does an asset inventory look like for a mid-market company?","a":"Simpler than you think. A typical 100-person company has about 10-15 grouped asset entries. IT-Grundschutz explicitly allows grouping identical assets: '45 Windows laptops' is one entry, not 45. Typical categories: ERP/billing system, email and collaboration (Microsoft 365), network infrastructure per site, standard endpoints (grouped), servers and databases, cloud services, and any operational technology. For waste companies add fleet management and weighbridge systems, for manufacturers add production line controls."},"q5":{"q":"Do I need to hire a CISO or security team for NIS2?","a":"No. For mid-market companies (50-250 employees), NIS2 compliance is manageable with existing staff in part-time roles: a compliance lead (4-8 hours/week, usually the IT manager or quality manager), an IT contact (2-4 hours/week), and a management sponsor (1-2 hours/week, required by §38 BSIG). The law requires 'appropriate and proportionate' measures - a 100-person waste company does not need a SOC or a SIEM. Match controls to your actual risk profile, not Fortune 500 infrastructure."},"q6":{"q":"What is the recommended priority order for implementing NIS2 measures?","a":"Start immediately with measures 1 (risk analysis), 2 (incident handling), and 9 (access control and assets) - these are foundational and everything else builds on them. Weeks 3-6: measures 3 (business continuity), 4 (supply chain), and 7 (training), which require the asset inventory from measure 1. Weeks 7-12: measures 5 (procurement security), 6 (effectiveness assessment), 8 (cryptography), and 10 (MFA). The sequence matters because later measures depend on earlier ones."}},"cta":"Start Your NIS2 Compliance Process"},"nis2Timeline":{"meta":{"title":"NIS2 Regulatory Timeline - NISD2.eu","description":"Live-updating timeline of NIS2 Directive, BSIG, CIR 2024/2690, and IT-Grundschutz developments across the EU and Germany."},"badge":"Live Timeline","title":"NIS2 Regulatory Timeline","subtitle":"Key milestones and latest developments across the NIS2 Directive, BSIG, CIR 2024/2690, IT-Grundschutz, and ENISA - automatically updated."},"gapAssessmentLanding":{"meta":{"title":"Free NIS2 Gap Assessment - How Ready Are You? | nisd2.eu","description":"116 questions across 15 domains. Find out exactly where your NIS2 gaps are, which ones create personal liability, and what to fix first. Free, no lock-in.","ogTitle":"Free NIS2 Gap Assessment - nisd2.eu","ogDescription":"116 questions. 15 domains. Find your NIS2 gaps. Free."},"badge":"Free Gap Assessment","title":"How Ready Are You for NIS2?","subtitle":"116 questions across 15 compliance domains. Find out exactly where your gaps are, which ones create personal liability, and what to fix first. Takes about 30 minutes per day over 5 days.","cta":"Start Your Gap Assessment","highlights":{"questions":{"title":"116 questions, 15 domains","description":"Covers every NIS2 obligation: governance, risk management, incident handling, business continuity, supply chain, training, access control, cryptography, and more."},"time":{"title":"~30 minutes per day","description":"Split into 5 days. Complete at your own pace. Progress is saved automatically. Stop and resume anytime."},"scoring":{"title":"Scored maturity per domain","description":"See exactly where you stand: Critical, Initial, Developing, Managed, or Optimized. Know which gaps to fix first based on legal risk."},"report":{"title":"Board-ready report","description":"Export a PDF showing your readiness score, priority gaps, and what creates personal liability. Built for the CEO to show the board."}},"structure":{"heading":"The 5-Day Structure","body":"Each day focuses on a different set of domains. Day 1 is for the CEO. Days 2-5 can be completed by whoever manages IT, HR, or procurement. One person can also do the whole thing.","day1":{"title":"Day 1: Scoping & Governance","description":"Are you in scope? Does your management understand their personal liability? Have you registered with the BSI? 26 questions."},"day2":{"title":"Day 2: Risk Management","description":"Do you know your assets, your risks, and your security policies? Do you have a risk register? 17 questions."},"day3":{"title":"Day 3: Incident & Business Continuity","description":"Can you detect, respond to, and report incidents within 24 hours? Do you have tested backups? 19 questions."},"day4":{"title":"Day 4: People, Suppliers & Access","description":"Are employees trained? Suppliers assessed? Access controlled? Physical security in place? 26 questions."},"day5":{"title":"Day 5: Technical Controls & Evidence","description":"Patching, cryptography, network security, effectiveness testing, and audit-ready documentation. 28 questions."}},"output":{"heading":"What You Get","body":"A maturity score per domain, an overall readiness percentage, and a prioritized list of gaps ranked by legal risk. Each gap shows whether it creates fine exposure or personal liability, and how long it takes to fix. The results link directly to the compliance platform so you can start closing gaps immediately."},"whoFor":{"heading":"Who Is This For","body":"Any company that knows it falls under NIS2 but hasn't started yet. Or any company that has started but wants to know how far along it actually is. The questions are written in plain language. No prior compliance knowledge required."},"ctaCard":{"heading":"Find Out Where You Stand","body":"Create a free account and start Day 1. No lock-in, no upsell. The assessment is free and the results are yours."}},"trainingCeo":{"meta":{"title":"Free NIS2 Management Training - Articles 20 + 21","description":"NIS2 management training covering Articles 20 + 21: risks, the 10 cybersecurity measures, and oversight. Meets the Art. 20(2) training duty. 47 lessons, free.","ogTitle":"NIS2 Management Training - Articles 20 + 21","ogDescription":"47 lessons. 4 hours. Articles 20 and 21 of the NIS2 Directive. Meets the Art. 20(2) training duty. Free."},"badge":"NIS2 Articles 20 + 21","title":"NIS2 Management Training","subtitle":"Everything the NIS2 Directive requires you to know as a member of the management body - structured, free, and built for the auditor's questions.","startCourse":"Start the course","viewOutline":"View course outline","downloadPdf":"Download PDF","lessonsLabel":"lessons","highlights":{"lessons":{"title":"47 lessons","description":"Structured around the BSI's three competence areas and the ten Article 21 measures"},"hours":{"title":"~4 hours","description":"Short lessons you can complete at your own pace, between meetings"},"quizzes":{"title":"Quizzes after every lesson","description":"Verify your understanding as you go - no final exam, no pressure"},"certificate":{"title":"Certificate of Completion","description":"Dated training evidence for the auditor - documents content covered and time spent"}},"whoFor":{"heading":"Who this is for","body":"If you sit on the leadership team of a company covered by NIS2 - as a CEO, managing director, executive board member, COO, CFO, or any role the law calls a \"member of the management body\" - this course is for you. Article 20(2) makes the training duty personal and non-delegable. You cannot send your CISO in your place."},"whatLearn":{"heading":"What you will learn","body":"The training must cover three competence areas: identifying risks, assessing the measures used to manage them, and understanding how those risks affect the services your company provides. This course covers all three, structured into {moduleCount} modules:"},"whyFree":{"heading":"Why is this free?","body":"No EU member state has established a state-backed certification authority for NIS2 training. Until official certification pathways exist, training documentation is the universal standard. We built this course so that every covered CEO in the EU can meet their Article 20(2) duty without paying a consultant. The platform is free. The certificate is free. No lock-in, no upsell wall."},"cta":{"heading":"Ready to meet your training duty?","body":"Create a free account and start with Lesson 0.1. Takes about four hours total.","button":"Start for free"},"testimonials":{"heading":"Stemmen uit de praktijk"}},"registrationPortals":{"meta":{"title":"NIS2 National Registration Portals - All EU Member States - NISD2.eu","description":"Complete list of NIS2 national registration platforms across the EU. Find your country's competent authority, registration portal, deadlines, and national law."},"badge":"EU-27 Registration","title":"NIS2 National Registration Portals","subtitle":"Each EU member state has its own NIS2 registration process, competent authority, and deadlines. Find the right portal for your country.","lastUpdated":"Last updated","headers":{"country":"Country","authority":"Competent Authority","portal":"Registration Portal","status":"Status","deadline":"Registration Deadline","law":"National Law","entryIntoForce":"Entry into Force"},"status":{"operational":"Operational","pre-registration":"Pre-Registration","planned":"Planned","not-yet-available":"Not Yet Available"},"countries":{"DE":"Germany","BE":"Belgium","IT":"Italy","FR":"France","AT":"Austria","CZ":"Czech Republic","DK":"Denmark","NL":"Netherlands","PL":"Poland","SE":"Sweden","HR":"Croatia","LT":"Lithuania","LV":"Latvia","GR":"Greece","SK":"Slovakia","RO":"Romania","FI":"Finland","EE":"Estonia","PT":"Portugal","ES":"Spain","HU":"Hungary","BG":"Bulgaria","CY":"Cyprus","IE":"Ireland","LU":"Luxembourg","MT":"Malta","SI":"Slovenia"},"noPortal":"Not yet available","noDeadline":"TBD","noLaw":"Not yet enacted","visitPortal":"Open Portal","visitAuthority":"Authority Website","operationalSection":"Operational Registration Portals","operationalDescription":"These countries have active registration platforms where entities can register now.","preRegSection":"Pre-Registration Available","preRegDescription":"These countries offer pre-registration or early notification. Full registration will follow.","plannedSection":"Registration Planned","plannedDescription":"National law enacted but registration portal not yet launched.","notAvailableSection":"Not Yet Available","notAvailableDescription":"National transposition still in progress. Registration details will follow.","directIdentification":"Entities are identified directly by the competent authority: no self-registration required.","sources":{"heading":"Sources","items":["ECSO NIS2 Directive Transposition Tracker (ecs-org.eu)","European Commission NIS2 Status (digital-strategy.ec.europa.eu)","Wavestone NIS2 Transposition Analysis","OpenKRITIS: NIS2 EU Member States (openkritis.de)","National competent authority websites (BSI, CCB, ACN, ANSSI, NUKIB, etc.)"]},"ctaCard":{"heading":"Start Your NIS2 Compliance in Germany","description":"The BSI registration deadline has passed. Start your BSIG compliance process now with our free platform."},"cta":"Start Free NIS2 Compliance"},"supplyChain":{"meta":{"title":"NIS2 for Suppliers - Supply Chain Compliance - NISD2.eu","description":"Your company is too small for NIS2? If you supply to NIS2-regulated companies, you still need to comply. Learn what Section 30 BSIG means for suppliers."},"badge":"Supply Chain","title":"NIS2 Compliance for Suppliers","subtitle":"Your company may not fall under NIS2 directly: but your customers do. And they will require you to prove cybersecurity compliance.","why":{"heading":"Why small suppliers are affected by NIS2","p1":"NIS2 (Section 30 BSIG, measure 4) explicitly requires regulated companies to secure their entire supply chain. This means every essential and important entity: roughly 29,500 companies in Germany alone: must contractually require cybersecurity standards from their suppliers.","p2":"If your company has fewer than 50 employees or falls below the revenue thresholds, you are not directly regulated by NIS2. But if you provide IT services, software, components, logistics, or any other service to a company that is regulated, you will face NIS2 requirements through your contracts.","p3":"This is not theoretical. Large companies are already updating their procurement terms, adding cybersecurity clauses, and requesting compliance evidence from suppliers. Companies that cannot demonstrate adequate security measures risk losing contracts to competitors who can."},"legalBasis":{"heading":"Section 30(2) No. 4 BSIG: Supply chain security","text":"Regulated entities must implement \"security measures in the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers.\" This obligation flows down to every supplier in the chain."},"reasons":{"heading":"5 reasons your customers will require NIS2 compliance","description":"Even without direct regulation, these pressures will reach every supplier in the chain.","items":{"contracts":{"title":"Contractual requirements","description":"NIS2-regulated companies must include cybersecurity requirements in supplier contracts. Expect new clauses covering risk management, incident reporting, and access controls. Existing contracts will be renegotiated."},"audits":{"title":"Supplier audits and questionnaires","description":"Your customers will send security questionnaires and may conduct audits. Companies that use nisd2.eu can generate compliance evidence instantly: those without a system scramble for weeks."},"incidents":{"title":"Incident notification obligations","description":"If a security incident at your company affects a NIS2-regulated customer, they must report it to the BSI within 24 hours. They need you to have incident detection and reporting processes in place."},"reputation":{"title":"Competitive advantage","description":"When a regulated company chooses between two suppliers and one can demonstrate NIS2-aligned security while the other cannot: the choice is obvious. Compliance becomes a sales differentiator."},"insurance":{"title":"Cyber insurance requirements","description":"Cyber insurers increasingly require supply chain security evidence. Your customers' insurance policies may mandate that their suppliers meet minimum cybersecurity standards."}}},"requirements":{"heading":"What your customers will expect from you","description":"The most common requirements flowing down from NIS2 to suppliers.","items":{"riskManagement":{"title":"Risk assessment","detail":"Identify and document risks to systems you use for customer work. Doesn't need to be complex: a structured list with treatment plans is enough."},"accessControl":{"title":"Access control","detail":"Who can access customer data and systems? Role-based access, MFA for remote access, and documented user management."},"incidentReporting":{"title":"Incident handling","detail":"A documented process for detecting, responding to, and reporting security incidents. Your customer needs to know within hours, not weeks."},"businessContinuity":{"title":"Business continuity","detail":"What happens if your systems go down? Backup strategy, recovery procedures, and tested plans to continue delivering to your customers."},"documentation":{"title":"Policies and evidence","detail":"Written security policies, training records, and an audit trail proving you follow your own rules. This is what auditors actually check."}}},"steps":{"heading":"5 steps to get supply chain compliant","description":"A practical path for small companies that need to meet NIS2 supplier requirements.","items":{"check":{"title":"Check your exposure","description":"Use our free applicability check to confirm your NIS2 status. Even if you're not directly in scope, identify which of your customers are NIS2-regulated: those contracts will come with new requirements."},"gap":{"title":"Run a gap assessment","description":"Compare your current security practices against the 10 measures in Section 30 BSIG. Most small companies already do some of this informally: the gap is usually documentation, not practice."},"implement":{"title":"Implement the basics","description":"Start with the highest-impact items: access control, backup strategy, incident response process. The nisd2.eu platform walks you through each requirement with pre-built templates."},"evidence":{"title":"Build your evidence package","description":"When your customer sends a security questionnaire, you need answers ready. Policies, training records, risk assessments, and technical measures: all documented and exportable."},"maintain":{"title":"Review annually","description":"NIS2 compliance is not a one-time project. Schedule an annual review of your risks, update your policies, and refresh employee training. The platform tracks deadlines automatically."}}},"faqHeading":"Frequently asked questions","faq":{"q1":{"q":"Am I legally required to comply with NIS2 as a small supplier?","a":"Not directly: NIS2 applies to companies above the medium enterprise threshold (50+ employees or EUR 10M+ turnover). However, your NIS2-regulated customers are legally required to secure their supply chain (Section 30 BSIG). This creates a contractual obligation that flows down to you. You won't be fined by the BSI, but you may lose contracts."},"q2":{"q":"What happens if I don't comply?","a":"Your NIS2-regulated customers face fines up to EUR 10M or 2% of global turnover for supply chain security failures. They will either require you to comply or replace you with a supplier who can. The practical consequence is lost business, not a BSI fine."},"q3":{"q":"How much does supplier compliance cost?","a":"The nisd2.eu platform is free. For a small company (10-50 employees), the main cost is time: typically 2-4 weeks of part-time work to set up initial policies, risk assessments, and processes. Ongoing maintenance is a few hours per quarter."},"q4":{"q":"Can I use NIS2 compliance as a selling point?","a":"Absolutely. When you can demonstrate NIS2-aligned security practices with documented evidence, you become a preferred supplier. Some companies are already advertising NIS2 supply chain compliance as a competitive differentiator in RFPs and proposals."},"q5":{"q":"What if my customer hasn't asked yet?","a":"They will. The BSI registration deadline passed in March 2026 and over 18,000 companies are still catching up. As they implement NIS2, supply chain security is one of the 10 mandatory measures. Getting ahead of the request positions you as a proactive, trusted partner."}},"cta":{"heading":"Start your supply chain compliance: free","description":"The nisd2.eu platform guides you through every requirement, generates your evidence package, and keeps you audit-ready. No cost, no credit card.","checkButton":"Check applicability","startButton":"Start free compliance"}},"multiCountryReg":{"meta":{"title":"NIS2 Registration in Multiple EU Countries | Which Authority Do You Register With?","description":"If your company operates in more than one EU country, you must register with each country's NIS2 authority. Learn the rules and find every national authority in one place."},"badge":"Multi-Country NIS2","title":"NIS2 Registration Across Multiple EU Countries","subtitle":"Operating in more than one EU member state? You must register with each country's national authority, not just where your headquarters are located.","hannover":{"heading":"A question from Hannover Messe","p1":"During our visit to Hannover Messe, one of Europe's largest industrial trade fairs, we were asked a question that many cross-border businesses are grappling with: if your company operates in more than one EU country, where do you register for NIS2?","p2":"It's a genuinely complex question, and the answer catches many companies off guard. The rule is not tied to where you sell, it is tied to where you are genuinely operational as a legal entity."},"rule":{"heading":"Selling in a country is not the same as operating in a country","p1":"Many companies sell their products or services across the EU through a single legal entity registered in one country. In that case, registration with your home country's authority is sufficient, you are not \"established\" in every country you sell into.","p2":"However, if your company is fully operational in a country, meaning you have a registered legal presence, employees on the ground, and pay corporate tax there, then that country's NIS2 law applies to you as an entity established in that jurisdiction.","p3":"The NIS2 Directive requires each EU member state to transpose the directive into their own national law. That national law applies to entities established in that country. If you have subsidiaries or branches registered as legal entities in France, Germany, and the Netherlands, each of those legal entities is subject to that country's NIS2 legislation: and must register with that country's national authority."},"onestop":{"heading":"Exception: digital service providers use a one-stop-shop","description":"NIS2 Article 26 creates an important exception for specific digital service types: cloud computing providers, managed service providers, managed security service providers, data centre providers, content delivery networks, DNS service providers, online marketplaces, online search engines, and social networking platforms. These entities register in a single EU member state, the one where cybersecurity risk-management decisions are predominantly taken. If you operate one of these services, you do not need to register in every country where you are established. All other types of entities (manufacturers, food companies, energy suppliers, transport operators, hospitals, etc.) fall under the standard rule and must register in each country where they have a legal establishment."},"tax":{"heading":"The tax test","description":"A practical rule of thumb: if you pay corporate income tax in a country as a locally registered entity, you almost certainly need to register with that country's NIS2 authority. This covers subsidiaries, branches, and locally incorporated companies, not agents, distributors, or customers based in that country."},"authorities":{"heading":"NIS2 National Authorities: Complete List","description":"Every EU member state, plus EEA countries Norway and Iceland, has designated a national authority responsible for NIS2 registration and enforcement. Find yours below.","headers":{"country":"Country","authority":"National Authority"}},"practical":{"heading":"What this means in practice","p1":"For a company with operations in three EU countries, this means three separate registration processes, each with different timelines, forms, and technical requirements. Some countries have operational portals (Germany's BSI, France's ANSSI, Romania's DNSC launched registration in August 2025), while others are still in the process of establishing registration infrastructure.","p2":"The good news: registration is typically straightforward once you know which authority to contact and what information they require. The challenge is tracking multiple obligations across jurisdictions with different implementation timelines, as of mid-2025, only around 8 of 27 EU member states had fully completed NIS2 transposition.","p3":"Companies with operations across five or more EU countries should consider designating a compliance lead for each jurisdiction. Deadlines, annual reporting requirements, and incident notification windows vary by country and can diverge significantly from the baseline NIS2 directive."},"steps":{"heading":"How to approach multi-country NIS2 compliance","items":{"map":{"title":"Map your legal entities","description":"List every country where your company has a registered legal entity: subsidiary, branch, or local company. This is your compliance footprint, not your sales footprint."},"check":{"title":"Check each country's threshold","description":"NIS2 applies to medium and large entities (50+ employees or €10M+ turnover). Apply the threshold test per legal entity, not group-wide, a small subsidiary may fall below the threshold."},"register":{"title":"Register with each national authority","description":"Use the authority table above to find the correct registration contact in each country where you meet the threshold. Some countries require additional sector-specific registration."},"track":{"title":"Track country-specific deadlines","description":"Each country has its own implementation timeline and reporting deadlines. Set reminders per jurisdiction, do not assume all countries are aligned on timing."}}},"faq":{"heading":"Frequently asked questions","q1":{"q":"I have a sales office in Germany but my headquarters are in France, do I register with the BSI?","a":"It depends on how the German sales office is structured. If it is a registered GmbH or Zweigniederlassung (branch) that files its own tax return in Germany, you likely need to register with the BSI in addition to ANSSI in France. If it is simply a cost centre of the French parent with no separate legal status in Germany, French registration alone may suffice. Consult a lawyer familiar with NIS2 in both jurisdictions."},"q2":{"q":"Do I need to comply with different security requirements in each country?","a":"NIS2 sets a harmonized baseline, but each country's transposition can add stricter sector-specific requirements. In practice, implementing the NIS2 baseline, risk management, incident reporting, access control, supply chain security, will meet requirements in most EU countries. Check each country's national law for any additional obligations."},"q3":{"q":"What if a country hasn't finished transposing NIS2 yet?","a":"Some EU countries were late transposing the directive (the deadline was October 2024). Until national law is in force, registration may not yet be possible. Monitor the relevant national authority's website and register as soon as the process opens. Late transposition by the government does not reduce your eventual legal obligation."},"q4":{"q":"Can I register once at EU level and cover all countries?","a":"No. There is no single EU-level NIS2 registry. Each country operates its own registration system. This is one of the known complexities of the directive's decentralised implementation and creates significant compliance overhead for pan-European companies."}},"sources":{"heading":"Sources & References"},"ctaCard":{"heading":"Manage your NIS2 compliance across all jurisdictions","description":"The nisd2.eu platform helps you track obligations, manage evidence, and stay compliant, whether you operate in one country or ten."},"cta":"Start free compliance"},"changelog":{"meta":{"title":"Changelog - what has changed on NISD2.eu","description":"Curated changes to the NISD2.eu platform, CEO course, compliance documents, and content - not every commit. With RSS feed."},"title":"Changelog","subtitle":"Curated list of meaningful changes to the platform, course, and compliance documents. Not a full commit history - only what matters to users, buyers, and auditors.","empty":"No entries in this category.","tabs":{"all":"All","product":"Product","content":"Content","course":"Course","compliance":"Compliance","regulatory":"Regulatory"}},"openSource":{"meta":{"title":"Open Source - NISD2.eu","description":"We publish the data structures we work with on nisd2.eu under github.com/NISD2: typed Zod schemas, MIT licence for code and CC BY 4.0 for content."},"title":"Open Source","subtitle":"We publish the data structures we work with on nisd2.eu: so other consultants, GRC tools, and auditors can use them without paying anyone.","why":{"heading":"Why","p1":"NIS2 affects roughly 29,500 German companies and tens of thousands more across the EU. Most have no compliance budget. Closed-source compliance tooling charges €7,000 to €12,000 per year for a checklist over a public legal text.","p2":"The legal text belongs to everyone, the checklist that decomposes it should belong to everyone, and the only legitimate value capture is in the implementation work that follows. A single well-maintained, publicly auditable data base is more valuable than ten proprietary forks."},"repos":{"heading":"What we publish"},"gapAssessment":{"title":"NIS2 Gap Assessment: 116 questions, 15 domains","description":"A structured self-assessment as a typed Zod schema. Every question is anchored to a specific legal source (NIS2 Directive, BSIG, CIR 2024/2690, BSI IT-Grundschutz). Includes reference scoring logic and a Drizzle storage example for responses."},"supplierQuestionnaire":{"title":"NIS2 Supplier Questionnaire: 56 fields, 6 sections","description":"The questions a NIS2-regulated entity needs to ask its suppliers. Anchored to NIS2 Art. 21(2), CIR 2024/2690, ENISA TIG, BSI IT-Grundschutz, and GDPR Art. 28. With a visibleWhen mechanism that gates optional sections by service type."},"grcDataModel":{"title":"GRC Data Model: RoPA, DPA, TOMs, NIS2 ↔ GDPR mappings","description":"Relational data model for EU GRC. Records of Processing Activities, Data Processing Agreement clause checklists, Technical and Organisational Measures catalog, plus field-level mappings between NIS2 Art. 21 measure-areas and GDPR articles. Zod source of truth, npm subpath exports."},"euResources":{"title":"EU Compliance Resources: curated index","description":"Single-page index of regulations, guidance, national authorities, open-source schemas, and toolkits for EU compliance regimes (NIS2, GDPR, CRA, DORA, AI Act). License visible per entry. CC0 public domain: take it."},"viewOnGitHub":"View on GitHub","licence":{"heading":"Licence","p1":"Both repositories are dual-licensed: MIT for code (Zod schemas, helpers, examples), Creative Commons Attribution 4.0 (CC BY 4.0) for content (questions, descriptions, legal citations).","p2":"You may share, adapt, and use the content commercially as long as you credit nisd2.eu. Suggested attribution wording is in the LICENSE file in each repository."},"contribute":{"heading":"Contributing","p1":"Pull requests welcome: particularly corrections to legal citations (with a primary-source reference), additional language translations, sector-specific extensions (KRITIS, energy, healthcare), and national transposition deltas. For substantial changes please open an issue first."}},"status":{"meta":{"title":"Platform Status - NISD2.eu","description":"Current operational status of the NISD2.eu platform: application, database, reported incidents. Checked live on every page load."},"title":"Platform Status","subtitle":"Current operational status of nisd2.eu: application, database, and history of reported incidents.","lastChecked":"Last checked","overall":{"operational":"All systems operational","degraded":"Degraded operation","description":"Status is checked live when this page loads."},"components":{"heading":"Components","platform":"Application","database":"Database (PostgreSQL, Hetzner Falkenstein/Nuremberg)"},"componentState":{"ok":"Operational","error":"Degraded"},"incidents":{"heading":"Reported incidents","none":"No incidents reported.","active":"Active","resolved":"Resolved"},"contact":{"heading":"Incident melden","p1":"Ziet u een probleem dat hier niet staat? Neem contact op:"}},"sicherheit":{"meta":{"title":"Responsible Disclosure - NISD2.eu","description":"Beveiligingskwetsbaarheden melden in nisd2.eu. Ons openbaarmakingsproces, responstijden en contactgegevens."},"title":"Responsible Disclosure","subtitle":"Meld beveiligingskwetsbaarheden in ons platform op verantwoorde wijze.","intro":"Wij nemen beveiliging serieus. Als u een kwetsbaarheid ontdekt in nisd2.eu, willen we dat weten: voordat iemand anders er misbruik van kan maken.","howHeading":"Hoe te melden","howP1":"Stuur een e-mail met een beschrijving van de kwetsbaarheid, stappen om te reproduceren en mogelijke impact naar:","howP2":"Versleutel uw bericht als het gevoelige beveiligingsdetails bevat. Wij stellen onze PGP-sleutel op verzoek beschikbaar.","processHeading":"Ons proces","processItems":{"ack":"Bevestiging binnen 2 werkdagen","triage":"Eerste beoordeling binnen 5 werkdagen","patch":"Kritieke kwetsbaarheden krijgen voorrang boven al het andere werk; de termijn hangt af van ernst en complexiteit","notify":"Wij informeren u zodra de fix is uitgerold","credit":"Vermelding in onze changelog op verzoek (met uw toestemming)"},"scopeHeading":"In scope","scopeItems":{"app":"Webapplicatie op nisd2.eu en www.nisd2.eu","api":"API-endpoints","auth":"Authenticatie- en autorisatielogica","data":"Gegevensprivacy en ongeautoriseerde toegang tot klantgegevens"},"outScopeHeading":"Buiten scope","outScopeItems":{"social":"Social engineering of phishing gericht op onze medewerkers","dos":"Denial-of-service-aanvallen","thirdParty":"Kwetsbaarheden in diensten van derden (meld direct bij de leverancier)"},"policyHeading":"Onze toezeggingen","policyP1":"Wij zullen geen juridische stappen ondernemen tegen beveiligingsonderzoekers die dit beleid naleven. Wij behandelen uw melding vertrouwelijk en delen uw gegevens niet zonder uw toestemming.","contactHeading":"Contact","securityTxtLink":"Bekijk security.txt"},"vertrauen":{"meta":{"title":"Trust Center - NISD2.eu","description":"Alle beveiligings- en privacydocumenten op één plek: verwerkersovereenkomst, TOMs, subverwerkers, statuspagina, open source, openbaarmakingsbeleid."},"title":"Trust Center","subtitle":"Alle beveiligings-, privacy- en operationele documenten op één plek: voor uw inkoopteam, auditor of CISO.","intro":"nisd2.eu draait op EU-infrastructuur, is open source en publiceert zijn beveiligings- en privacydocumentatie transparant. Deze pagina brengt alles samen.","sections":{"legal":{"heading":"Juridische overeenkomsten","avv":{"title":"Verwerkersovereenkomst (AVG)","description":"AVG-conforme verwerkersovereenkomst voor alle betalende klanten."},"toms":{"title":"Technische en organisatorische maatregelen (TOMs)","description":"Gedocumenteerde beveiligingsmaatregelen conform Art. 32 AVG."},"datenschutz":{"title":"Privacybeleid","description":"Hoe wij persoonsgegevens verzamelen, verwerken en beschermen."}},"infrastructure":{"heading":"Infrastructuur & hosting","hosting":"Gehost in Duitsland: Hetzner Frankfurt/Neurenberg (ISO 27001 gecertificeerd)","subprocessors":{"title":"Lijst van subverwerkers","description":"Alle derde partijen die klantgegevens verwerken, met locatie en rechtsgrondslag."},"status":{"title":"Statuspagina","description":"Real-time platformstatus en incidenthistorie."}},"security":{"heading":"Beveiliging","openSource":{"title":"Open source","description":"De kerncode is openbaar inzichtelijk: beveiliging door transparantie, niet door obscuriteit."},"disclosure":{"title":"Responsible disclosure","description":"Ons proces voor het melden van beveiligingskwetsbaarheden."},"securityTxt":{"title":"security.txt","description":"Machineleesbare contactgegevens voor beveiligingsonderzoekers (RFC 9116)."}},"trust":{"heading":"Transparantie","changelog":{"title":"Changelog","description":"Openbaar logboek van alle platformupdates."},"corrections":{"title":"Correcties","description":"Wanneer wij fouten maken in onze inhoud, corrigeren wij deze openbaar."}}},"contact":"Vragen over beveiliging of privacy:","viewDoc":"Bekijken"},"subprozessoren":{"meta":{"title":"Subverwerkers - NISD2.eu","description":"Lijst van alle subverwerkers die klantgegevens verwerken als onderdeel van het nisd2.eu platform."},"title":"Subverwerkers","subtitle":"Alle derde partijen die klantgegevens verwerken als onderdeel van nisd2.eu.","intro":"Op grond van Art. 28 AVG informeren wij over alle subverwerkers die wij inzetten. Deze lijst wordt bijgewerkt bij wijzigingen.","lastUpdated":"Laatst bijgewerkt: mei 2026","tableHeaders":{"name":"Aanbieder","purpose":"Doel","location":"Locatie","basis":"Rechtsgrondslag"},"processors":{"hetzner":{"purpose":"Serverhosting, database"},"aws":{"purpose":"Bestands-/bewijsopslag (S3)"},"google":{"purpose":"OAuth-authenticatie"},"resend":{"purpose":"Transactionele e-mails"},"xai":{"purpose":"AI-ondersteund formulieren invullen (optioneel)"}},"basisEU":"EU-lidstaat","basisSCC":"EU-standaard contractuele bepalingen","noteHeading":"Opmerking over doorgifte aan derde landen","noteBody":"Resend Inc. en xAI Corp. zijn gevestigd in de Verenigde Staten. Doorgifte van persoonsgegevens vindt plaats op basis van EU-standaard contractuele bepalingen (SCC's) conform Art. 46 AVG. xAI wordt alleen gebruikt voor AI-ondersteund formulieren invullen en alleen wanneer de gebruiker deze functie actief gebruikt. Gebruikers worden transparant geïnformeerd over gegevensdeling in het platform.","changesHeading":"Wijzigingen","changesBody":"Wij informeren self-hostklanten bij wezenlijke wijzigingen in deze lijst minimaal 30 dagen van tevoren."}},"internalAudits":{"title":"Internal Audits","description":"Internal audit schedule, execution, and findings. Required by NIS2 Art. 21 effectiveness assessment.","helpText":"Schedule and document internal audits of your cybersecurity measures. Record scope, findings, and corrective actions. NIS2 requires regular assessment of whether security measures are effective.","add":"Add Audit","edit":"Edit Audit","empty":"No internal audits planned yet. Schedule your first audit.","deleteConfirm":"Are you sure you want to delete this audit?","actions":"Actions","status":{"planned":"Planned","in_progress":"In Progress","completed":"Completed","cancelled":"Cancelled"},"fields":{"title":"Title","auditArea":"Audit Area","scope":"Scope","status":"Status","scheduledDate":"Scheduled Date","completedAt":"Completed At","auditorName":"Auditor"},"fieldDescriptions":{"title":"Name of this internal audit (e.g., 'Q2 Access Control Audit', 'Annual NIS2 Compliance Review').","auditArea":"Security domain or control area being audited (e.g., access control, incident response, supply chain).","scope":"Define the boundaries of this audit: which systems, processes, departments, or controls are included.","status":"Current audit status: planned, in progress, completed, or cancelled.","scheduledDate":"Date when this audit is planned to begin.","completedAt":"Date when all audit activities and the final report were completed.","auditorName":"Name of the internal auditor or audit team lead conducting this assessment."}},"landing":{"title":"Halve Europe's NIS2 bill.","subtitle":"€31 billion every year. We're cutting it in half.","productLine":"Free NIS2 compliance for regulated companies and their suppliers.","badge":"NIS2 / BSIG - Deadline: March 2026","badgeTooltip":"The German BSIG (BSI-Gesetz) transposing the EU NIS2 Directive requires affected entities to implement all cybersecurity measures by March 2026. Non-compliance carries fines up to €10M or 2% of global turnover, and personal liability for managing directors.","cirBadge":"EU CIR 2024/2690 compliant","cirBadgeTooltip":"Commission Implementing Regulation (EU) 2024/2690 defines the strictest technical requirements for NIS2 compliance. It establishes the common baseline across all EU member states for DNS providers, TLD registries, cloud providers, data centres, CDNs, managed services, managed security services, online marketplaces, search engines, social networks, and trust service providers.","bsigBadge":"BSIG §30 | IT-Grundschutz defaults","bsigBadgeTooltip":"Built on the German BSIG §30 -- the strictest NIS2 transposition in the EU -- with IT-Grundschutz methodology defaults. Comply once, valid across 27 EU member states. §44(2) BSIG recognises Grundschutz implementation as NIS2 compliance.","checkApplicability":"Check if NIS2 applies to you","scheduleDemo":"Schedule a Demo","startTraining":"Free NIS2 CEO Training","signIn":"Sign in to start the process","stats":{"urgency":"160,000+ EU entities in scope · Fines up to €10M or 2% of global annual turnover (Art. 34 NIS2) · Management personally liable (Art. 20 NIS2)"},"nav":{"wiki":"Wiki","pricing":"Prijzen","about":"Over ons","cta":"Aan de slag"}},"kpis":{"title":"KPI Measurements","description":"Security performance metrics tracked over time. Demonstrates effectiveness per NIS2 Art. 21.","helpText":"Record security KPI measurements regularly (e.g., patch compliance rate, training completion %, mean time to detect). KPIs demonstrate to auditors that your security measures are effective and improving over time.","add":"Add Measurement","empty":"No KPI measurements yet. Record your first measurement.","status":{"green":"On Target","amber":"At Risk","red":"Below Target"},"fields":{"kpiName":"KPI Name","measuredAt":"Measured At","value":"Value","target":"Target","unit":"Unit","status":"Status","notes":"Notes"},"fieldDescriptions":{"kpiName":"Name of the security metric being measured (e.g., 'Patch compliance rate', 'Mean time to detect', 'Training completion %').","measuredAt":"Date when this measurement was taken.","value":"Enter the measured numeric value for this KPI.","target":"Enter the target value this KPI should meet or exceed.","unit":"Unit of measurement (e.g., %, hours, days, count).","status":"Select the status: green (on target), amber (at risk of missing target), or red (below target).","notes":"Additional context or explanation for this measurement, especially if status is amber or red."}},"managementReviews":{"title":"Management Reviews","description":"Management oversight meetings and strategic decisions. Required by NIS2 Art. 20(1).","helpText":"Document management review meetings where leadership evaluates cybersecurity posture. NIS2 Art. 20 makes management personally responsible for approving and overseeing cybersecurity measures. Record attendees, topics discussed, and decisions made.","add":"Add Review","edit":"Edit Review","empty":"No management reviews recorded yet. Schedule your first review.","deleteConfirm":"Are you sure you want to delete this review?","actions":"Actions","fields":{"title":"Title","reviewDate":"Review Date","decisions":"Decisions","actionItems":"Action Items","nextReviewDate":"Next Review Date"},"fieldDescriptions":{"title":"Title of the management review meeting (e.g., 'Q1 2025 Cybersecurity Review').","reviewDate":"Date when the management review meeting took place.","decisions":"Document key decisions made by management regarding cybersecurity posture, resource allocation, and risk acceptance.","actionItems":"List specific follow-up actions assigned during the review, including responsible parties and deadlines.","nextReviewDate":"Date when the next management review is scheduled. NIS2 Art. 20 requires ongoing management oversight."}},"methodology":{"title":"Risk Assessment Methodology","loading":"Loading methodology...","saved":"Methodology saved","saveFailed":"Failed to save methodology","edit":"Edit","save":"Save","cancel":"Cancel","methodologyName":"Methodology Name","likelihoodScale":"Likelihood Scale","impactScale":"Impact Scale","label":"Label","description":"Description","addLevel":"Add level","removeLevel":"Remove last","riskMatrix":"Risk Matrix","acceptanceThreshold":"Acceptance Threshold","thresholdHelp":"Risks with score ≤ {threshold} can be accepted without treatment","includesOt":"Methodology covers OT/ICS systems (§30(2) BSIG)","clickToSelect":"Click a cell to select likelihood × impact","selectedScore":"Selected score"},"notifications":{"title":"Notifications","description":"View and manage your notifications","empty":"No notifications","acknowledge":"Acknowledge","acknowledged":"Acknowledged","unread":"{count} unread","actions":"Actions","markRead":"Mark as read","markAllRead":"Mark all as read","fields":{"subject":"Subject","entityType":"Type","scheduledFor":"Scheduled For","status":"Status"}},"onboarding":{"title":"Welcome to NIS2 Compliance","subtitle":"Set up your organization to get started.","step":"Step {current} of {total}","steps":{"company":"Organization Details","team":"Key Personnel","ai":"AI Assistant"},"nav":{"back":"Back","next":"Next","skip":"Skip for Now","submit":"Create Organization"},"creating":"Setting up your organization...","createError":"Failed to create organization. Please try again.","mode":{"title":"You're all set!","subtitle":"How would you like to proceed?","guided":"Guided Setup","guidedDescription":"Walk through each compliance category step by step. Defaults are already applied - just review and customize.","manual":"Manual Setup","manualDescription":"Go straight to your dashboard and work at your own pace."}},"organization":{"title":"Organisatie instellen","description":"Registreer uw organisatie om de compliance-beoordeling te starten.","editTitle":"Organisatie-instellingen","editDescription":"Werk uw organisatiegegevens bij.","formTitle":"Organisatiegegevens","name":"Naam organisatie","namePlaceholder":"Acme B.V.","sector":"NIS2-sector","sectorPlaceholder":"Selecteer sector...","entityType":"Entiteitsclassificatie","entityTypeHelp":"Zoals gedefinieerd in BSIG 2025 §28","entityTypes":{"essential":"Essentiële entiteit","important":"Belangrijke entiteit","kritis":"KRITIS-operator"},"legalForm":"Rechtsvorm","legalFormPlaceholder":"bijv. B.V., N.V., V.O.F.","employees":"Aantal medewerkers","contactEmail":"E-mail compliance-contactpersoon","cisoName":"CISO / IT-beveiligingsfunctionaris","cisoNamePlaceholder":"Jan de Vries","cisoReportsTo":"CISO rapporteert aan","cisoReportsToPlaceholder":"bijv. CEO, Raad van Bestuur","bsiContactName":"BSI-contactpersoon","bsiContactNamePlaceholder":"Max Mustermann","bsiContactEmail":"BSI-contacte-mail","bsiContactPhone":"BSI-contacttelefoon","bsiRegistrationId":"BSI-registratie-ID","annualSecurityBudget":"Jaarlijks beveiligingsbudget (EUR)","primaryLocations":"Primaire locaties","primaryLocationsPlaceholder":"bijv. Amsterdam, Rotterdam","profileSection":"Beveiligingsprofiel","profileSectionDescription":"Deze velden worden gebruikt in meerdere NIS2-vereisten en vastgelegd in aftekenmomentopnamen.","submit":"Beoordeling starten","creating":"Uw organisatie instellen...","createError":"Aanmaken van organisatie mislukt. Probeer het opnieuw.","save":"Wijzigingen opslaan","saving":"Opslaan...","saved":"Wijzigingen succesvol opgeslagen.","saveError":"Opslaan van wijzigingen mislukt. Probeer het opnieuw.","sectors":{"energy":"Energie","transport":"Transport","banking":"Bankwezen","financial_market":"Financiële marktinfrastructuur","health":"Gezondheidszorg","drinking_water":"Drinkwater","waste_water":"Afvalwater","digital_infrastructure":"Digitale infrastructuur","ict_service_management":"ICT-dienstverlening (B2B)","public_administration":"Openbaar bestuur","space":"Ruimtevaart","postal_courier":"Post- en koeriersdiensten","waste_management":"Afvalbeheer","chemicals":"Chemische industrie","food":"Voedselproductie en -distributie","manufacturing":"Maakindustrie","digital_providers":"Digitale aanbieders","research":"Onderzoek"},"teamRoles":{"title":"Sleutelpersoneel","description":"U kunt teamleden nu uitnodigen of dit later doen via Instellingen. Elke persoon die u toevoegt wordt uitgenodigd en kan worden aangewezen als verantwoordelijke voor compliance-categorieën.","name":"Naam","email":"E-mail","role":"Rol","rolePlaceholder":"Selecteer rol...","addMember":"Teamlid toevoegen","removeMember":"Verwijderen","back":"Terug","skip":"Voorlopig overslaan","submit":"Doorgaan","roles":{"ceo":{"label":"CEO / Directeur","namePlaceholder":"Jan de Vries","emailPlaceholder":"ceo@bedrijf.nl"},"ciso":{"label":"CISO / IT-beveiligingsfunctionaris","namePlaceholder":"Petra Jansen","emailPlaceholder":"ciso@bedrijf.nl"},"cto":{"label":"CTO / Hoofd Engineering","namePlaceholder":"Alex Bakker","emailPlaceholder":"cto@bedrijf.nl"},"coo":{"label":"COO / Operationeel directeur","namePlaceholder":"Sam Visser","emailPlaceholder":"coo@bedrijf.nl"},"cpo":{"label":"CPO / Hoofd Inkoop","namePlaceholder":"Pat Smit","emailPlaceholder":"cpo@bedrijf.nl"},"hr_director":{"label":"HR-directeur","namePlaceholder":"Chris Mulder","emailPlaceholder":"hr@bedrijf.nl"},"legal":{"label":"Juridisch / Compliance-functionaris","namePlaceholder":"Morgan de Groot","emailPlaceholder":"legal@bedrijf.nl"},"dpo":{"label":"Functionaris voor Gegevensbescherming","namePlaceholder":"Robin van Dijk","emailPlaceholder":"avg@bedrijf.nl"}}}},"patches":{"title":"Patch Management","description":"Patch and vulnerability tracking per asset. Required by NIS2 Art. 21(2)(e).","helpText":"Track patches and known vulnerabilities for your registered assets. Record patch status (pending, applied, deferred), CVE references, and deadlines. NIS2 requires timely vulnerability handling and patch management.","add":"Add Patch Record","edit":"Edit Patch Record","empty":"No patch records yet. Add your first patch record.","deleteConfirm":"Are you sure you want to delete this patch record?","actions":"Actions","severity":{"critical":"Critical","high":"High","medium":"Medium","low":"Low"},"status":{"pending":"Pending","applied":"Applied","exception":"Exception","not_applicable":"Not Applicable"},"fields":{"patchIdentifier":"Patch ID","severity":"Severity","title":"Title","assetId":"Asset","status":"Status","releaseDate":"Release Date","appliedAt":"Applied At","exceptionReason":"Exception Reason"},"fieldDescriptions":{"patchIdentifier":"Vendor patch identifier or CVE number (e.g., 'KB5034441', 'CVE-2024-1234').","severity":"Select the severity rating of the vulnerability this patch addresses: critical, high, medium, or low.","title":"Brief description of what this patch fixes or the vulnerability it addresses.","assetId":"Select the asset from the asset register that this patch applies to.","status":"Current patch status: pending (not yet applied), applied, exception (risk-accepted deferral), or not applicable.","releaseDate":"Date when the vendor released this patch.","appliedAt":"Date when this patch was successfully applied to the target asset.","exceptionReason":"If status is Exception, provide the justification for deferring or not applying this patch."}},"policies":{"title":"Beleid","description":"Beveiligingsbeleid, procedures en richtlijnen met goedkeuringsbewaking. Basis van NIS2 Art. 21(1).","helpText":"Maak en beheer uw informatiebeveiligingsbeleid. Elk beleidsdocument volgt een levenscyclus: concept, beoordeling, goedgekeurd, gearchiveerd. Houd versiehistorie bij en zorg dat al het relevante personeel het huidige beleid erkent. NIS2 vereist gedocumenteerd beleid voor risicobeheer, toegangscontrole, versleuteling en meer.","add":"Beleid toevoegen","edit":"Beleid bewerken","empty":"Nog geen beleid. Maak uw eerste beleidsdocument aan.","deleteConfirm":"Weet u zeker dat u dit beleidsdocument wilt verwijderen?","actions":"Acties","status":{"draft":"Concept","approved":"Goedgekeurd","archived":"Gearchiveerd"},"fields":{"title":"Titel","type":"Type","version":"Versie","content":"Inhoud","status":"Status","effectiveFrom":"Geldig vanaf","reviewDue":"Beoordeling verplicht voor"},"fieldDescriptions":{"title":"Naam van het beleidsdocument (bijv. 'Informatiebeveiligingsbeleid', 'Toegangscontrolebeleid').","type":"Selecteer het type beleidsdocument (bijv. beleid, procedure, richtlijn, standaard).","version":"Versienummer van deze beleidsrevisie (bijv. 1.0, 2.1). Verhoog bij elke goedkeuringscyclus.","content":"Volledige tekstinhoud van het beleid. Neem reikwijdte, doelstellingen, verantwoordelijkheden en specifieke vereisten op.","status":"Huidige levenscyclusstatus: Concept (in voorbereiding), Goedgekeurd (actief en van kracht), of Gearchiveerd (vervangen).","effectiveFrom":"Datum waarop deze beleidsversie actief en afdwingbaar wordt.","reviewDue":"Datum waarop dit beleid herzien en bijgewerkt moet worden. NIS2 verwacht regelmatige beleidsreviews."}},"policyConfig":{"loading":"Beleidsconfiguratie laden...","saved":"Beleidsconfiguratie opgeslagen","saveFailed":"Opslaan beleidsconfiguratie mislukt","edit":"Bewerken","save":"Opslaan","cancel":"Annuleren","resetDefaults":"Standaardwaarden herstellen","crypto":{"title":"Cryptografiebeleid (BSI TR-02102)","algorithms":"Goedgekeurde & verboden algoritmen","algorithm":"Algoritme","keyLength":"Sleutellengte","category":"Categorie","status":"Status","approved":"Goedgekeurd","deprecated":"Verouderd","prohibited":"Verboden","symmetric":"Symmetrisch","hash":"Hash","asymmetric":"Asymmetrisch","keyExchange":"Sleuteluitwisseling","tls":"TLS-coderingsreeks","addAlgorithm":"Algoritme toevoegen","removeAlgorithm":"Verwijderen","minTlsVersion":"Minimale TLS-versie","keyRotation":"Sleutelrouteringsfrequentie (jaren)","triggerOnCompromise":"Directe rotatie activeren bij compromis","reviewCycle":"Reviewcyclus (jaren)","postQuantum":"Post-kwantum gereedheid overwogen"},"accessControl":{"title":"Toegangscontrolebeleid (CIR 11.1, ORP.4)","model":"Toegangscontrolemodel","rbac":"Rolgebaseerd (RBAC)","abac":"Kenmerkgebaseerd (ABAC)","hybrid":"Hybride (RBAC + ABAC)","reviewFrequency":"Frequentie toegangsreview","standardReview":"Standaardaccounts","privilegedReview":"Bevoorrechte accounts","deprovisioningSla":"SLA deprovisionering (uren)","sharedAccountPolicy":"Beleid gedeelde / generieke accounts","sharedProhibited":"Verboden – alleen unieke identificatoren (ORP.4.A3)","sharedDocumentedExceptions":"Gedocumenteerde uitzonderingen toegestaan (CIR 11.5.3)","authReviewCycle":"Authenticatiereviewcyclus (jaren)"},"procurement":{"title":"Veilige inkoop (CIR Art. 5)","threshold":"Drempelwaarde beveiligingsbeoordeling (EUR)","requiredClauses":"Verplichte contractclausules (CIR 5.1.4)","cybersecurityRequirements":"Cyberbeveiligingsvereisten (a)","trainingCertification":"Training & certificering (b)","backgroundChecks":"Achtergrondcontroles (c)","incidentNotification":"Verplichtingen incidentmelding (d)","auditRights":"Auditrechten (e)","vulnerabilityDisclosure":"Kwetsbaarheidsopenbaarmaking (f)","subcontractorFlowdown":"Doorstroom naar onderaannemers (g)","secureDecommissioning":"Veilige buitengebruikstelling (h)","customClauses":"Aangepaste contractclausules","clauseLabel":"Clausule","addClause":"Clausule toevoegen","evaluationCriteria":"Beveiligingsevaluatiecriteria","criterion":"Criterium","weight":"Gewicht (%)","addCriterion":"Criterium toevoegen","removeCriterion":"Verwijderen","reviewFrequency":"Reviewfrequentie"},"secureDev":{"title":"Veilige ontwikkeling & verharding (CIR Art. 6(2)-(3), CON.8)","sdlcFramework":"SDLC-raamwerk","owaspSamm":"OWASP SAMM","bsimm":"BSIMM","msSdl":"Microsoft SDL","custom":"Aangepast","hardeningBaseline":"Basisinstelling voor verharding","cis":"CIS Benchmarks","bsi":"BSI IT-Grundschutz","disaStig":"DISA STIG","testingRequirements":"Beveiligingstestingvereisten","sast":"Statisch applicatiebeveiligingstesten (SAST)","dast":"Dynamisch applicatiebeveiligingstesten (DAST)","sca":"Softwarecomponentanalyse (SCA)","pentest":"Penetratietesten","codeReview":"Codereview","environmentSegregation":"Omgevingsscheiding (dev/test/prod) - CIR 6(2)","reviewCycle":"Reviewcyclus (jaren)"},"patchMgmt":{"title":"Patchbeheer (CIR Art. 6(6), OPS.1.1.3)","patchSla":"Patch-SLA per ernst","severity":"Ernst","slaHours":"SLA (uren)","critical":"Kritiek","high":"Hoog","medium":"Gemiddeld","low":"Laag","reviewCycle":"Reviewcyclus (jaren)"},"items":{"progress":"{count} van {total} geconfigureerd","noItems":"Nog geen items.","goToRegister":"Naar register","viewAll":"Alles bekijken in register","encryptionAtRest":"Versleuteling in rust","encryptionInTransit":"Versleuteling in transit","cryptoImplementation":"Implementatie","notConfigured":"Niet geconfigureerd","selectAlgorithm":"Selecteer algoritme","accessAssignment":"Toegangscontrole per asset","policyModel":"Beleidsmodel","accessModel":"Toegangsmodel","accessModel_rbac":"Rolgebaseerd (RBAC)","accessModel_abac":"Kenmerkgebaseerd (ABAC)","accessModel_hybrid":"Hybride (RBAC + ABAC)","owner":"Eigenaar","accessMethod":"Toegangsmethode","privAccounts":"Bevoorrechte accounts","mfaMethod":"MFA-methode","noneMfa":"Geen","totp":"TOTP","hardwareKey":"Hardwaresleutel","ssoSaml":"SSO / SAML","pushNotification":"Pushmeldingen","asset":"Asset","supplier":"Leverancier","sla":"SLA","clausesTitle":"Clausules","clausesMet":"{count} van {total} clausules","riskLevel":"Risico","contractDates":"Contract","patchesOnTime":"Op tijd","patchesOverdue":"Achterstallig","noPatchSla":"Geen patch-SLA gedefinieerd","hoursLabel":"{count}u","daysLabel":"{count}d","slaTarget":"SLA: {sla}","maxRiskScore":"Max. risico: {score}"}},"pricing":{"meta":{"title":"Prijzen - NIS2-complianceplatform","description":"Twee manieren om het platform te gebruiken. Gehost op nis2.eu, voor altijd gratis. Self-hosting onder AGPL-3.0, eenmalig € 10.000 voor een levenslange licentie."},"title":"Prijzen","subtitle":"Twee manieren om het platform te gebruiken. Kies er één.","free":{"name":"Gehost op nis2.eu","description":"Het volledige platform, door ons beheerd op EU-infrastructuur.","price":"€ 0","priceSub":"voor altijd","cta":"Gratis starten","features":{"f1":"Alle 49 BSIG-vereisten stap voor stap","f2":"Bewijsupload en documentatie","f3":"PDF-export voor auditors en management","f4":"Volledig audittrail","f5":"Deadlinetracking en herinneringen","f6":"Begeleiding bij BSI-registratie","f7":"Onbeperkt aantal teamleden","f8":"Risico-, asset- en leveranciersregisters","f9":"AI-ondersteund formulieren invullen","f10":"Geen lock-in. Open Source datamodel. Altijd exporteerbaar."}},"selfHost":{"name":"Self-hosting","description":"Volledige broncode. Op uw eigen infrastructuur draaien, voor altijd.","price":"€ 10.000","priceSub":"eenmalig, levenslange licentie","cta":"Neem contact op","features":{"h1":"Volledige platformbroncode onder AGPL-3.0","h2":"Alle toekomstige updates inbegrepen","h3":"Op uw eigen infrastructuur, met uw eigen data","h4":"Vaste contactpersoon voor e-mail- en Signal-support"}},"consultantFootnote":"Heeft u een NIS2-adviseur nodig? Wij verbinden u kosteloos met getoetste specialisten.","consultantCta":"Adviseur aanvragen"},"portal":{"overview":"Overzicht","nis2":"NIS2","iso27001":"ISO 27001","dsgvo":"GDPR","aiact":"EU AI Act","cra":"Cyber Resilience Act","auditTrail":"Activiteitenlog","team":"Team","notifications":"Meldingen","organization":"Organisatie","defaultUser":"Gebruiker","signOut":"Afmelden","language":"Taal","english":"English","german":"Deutsch","dutch":"Nederlands","review":"Beoordeling","export":"Exporteren","progressLabel":"{completed} van {total} vereisten","trainingPortal":"Trainingsportaal","registers":"Registers","riskRegister":"Risicoregister","assets":"Assets","incidents":"Incidenten","suppliers":"Leveranciers","policies":"Beleid","training":"Training","exercises":"Nooddriloefeningen","managementReviews":"Mgmt-reviews","kpis":"Beveiligingsmetrieken","changes":"Wijzigingen","patches":"Beveiligingsupdates","vulnerabilities":"Kwetsbaarheden","internalAudits":"Zelfevaluaties","improvements":"Actiepunten","dashboard":"Dashboard","gapAssessment":"Gap-analyse","compliance":"Compliance","portal":"Portaal","auditReadiness":"Auditgereedheid","settings":"Instellingen","system":"Systeem","phaseRegistration":"Registratie","phaseFoundation":"Fundament","phaseControls":"Maatregelen","phaseOperations":"Operaties","phaseVerification":"Verificatie","phaseAdmin":"Beheer","blockedBy":"Voltooi eerst: {codes}"},"requirements":{"1_1":{"title":"Cyberbeveiligingstraining management","description":"Cyberbeveiligingstraining management"},"1_2":{"title":"Rollen en verantwoordelijkheden","description":"Rollen en verantwoordelijkheden"},"1_3":{"title":"Budgettoewijzing voor cyberbeveiliging","description":"Budgettoewijzing voor cyberbeveiliging"},"1_4":{"title":"Erkenning persoonlijke aansprakelijkheid","description":"Erkenning persoonlijke aansprakelijkheid"},"2_1":{"title":"Risicobeoordelingsmethodologie","description":"Risicobeoordelingsmethodologie"},"2_2":{"title":"Assetinventaris, reikwijdte & classificatie","description":"Assetinventaris, reikwijdte & classificatie"},"2_3":{"title":"Risicoregister & behandeling","description":"Risicoregister & behandeling"},"2_4":{"title":"Risicoaanvaarding & aftekening IS-beleid","description":"Risicoaanvaarding & aftekening IS-beleid"},"3_1":{"title":"Incidentresponsplan & team","description":"Incidentresponsplan & team"},"3_2":{"title":"Detectie, classificatie & logging","description":"Detectie, classificatie & logging"},"3_3":{"title":"BSI-melding (24u/72u/1m)","description":"BSI-melding (24u/72u/1m)"},"3_4":{"title":"Incidentresponsoefening","description":"Incidentresponsoefening"},"3_5":{"title":"Post-incidentreview & communicatie","description":"Post-incidentreview & communicatie"},"4_1":{"title":"Bedrijfsimpactanalyse & hersteldoelstellingen","description":"Bedrijfsimpactanalyse & hersteldoelstellingen"},"4_2":{"title":"Bedrijfscontinuïteits- & crisismanagementplan","description":"Bedrijfscontinuïteits- & crisismanagementplan"},"4_3":{"title":"Noodherstelplan","description":"Noodherstelplan"},"4_4":{"title":"Back-up & herstel","description":"Back-up & herstel"},"4_5":{"title":"BCP/DR-testen","description":"BCP/DR-testen"},"5_1":{"title":"Leveranciersregister & classificatie","description":"Leveranciersregister & classificatie"},"5_2":{"title":"Leveranciersbeveiliging in contracten","description":"Leveranciersbeveiliging in contracten"},"5_3":{"title":"Leveranciersbeoordeling & monitoring","description":"Leveranciersbeoordeling & monitoring"},"5_4":{"title":"Incidentmelding leveranciers","description":"Incidentmelding leveranciers"},"6_1":{"title":"Veilige inkoop","description":"Veilige inkoop"},"6_2":{"title":"Veilige ontwikkeling & configuratie","description":"Veilige ontwikkeling & configuratie"},"6_3":{"title":"Kwetsbaarheidsbeheer","description":"Kwetsbaarheidsbeheer"},"6_4":{"title":"Patchbeheer","description":"Patchbeheer"},"6_5":{"title":"Wijzigingsbeheer","description":"Wijzigingsbeheer"},"7_1":{"title":"Beveiligings-KPI's & metrieken","description":"Beveiligings-KPI's & metrieken"},"7_2":{"title":"Interne audit","description":"Interne audit"},"7_3":{"title":"Managementreview","description":"Managementreview"},"7_4":{"title":"Corrigerende maatregelen & continue verbetering","description":"Corrigerende maatregelen & continue verbetering"},"8_1":{"title":"IT-beveiligingsbeleid & aanvaardbaar gebruik","description":"IT-beveiligingsbeleid & aanvaardbaar gebruik"},"8_2":{"title":"Beveiligingsbewustzijnsprogramma","description":"Beveiligingsbewustzijnsprogramma"},"8_3":{"title":"Rolspecifieke & managementtraining","description":"Rolspecifieke & managementtraining"},"8_4":{"title":"Phishingsimulaties & effectiviteit training","description":"Phishingsimulaties & effectiviteit training"},"9_1":{"title":"Cryptografiebeleid & standaarden","description":"Cryptografiebeleid & standaarden"},"9_2":{"title":"Gegevensversleuteling","description":"Gegevensversleuteling"},"9_3":{"title":"Sleutel- & certificaatbeheer","description":"Sleutel- & certificaatbeheer"},"10_1":{"title":"Toegangscontrolebeleid & -model","description":"Toegangscontrolebeleid & -model"},"10_2":{"title":"Toegangstoewijzing per asset","description":"Toegangstoewijzing per asset"},"10_3":{"title":"Gebruikerslevenscyclus & PAM","description":"Gebruikerslevenscyclus & PAM"},"10_4":{"title":"Toegangsreviews","description":"Toegangsreviews"},"11_1":{"title":"Multi-factor authenticatie","description":"Multi-factor authenticatie"},"11_2":{"title":"Beveiligde & noodcommunicatie","description":"Beveiligde & noodcommunicatie"},"11_3":{"title":"Authenticatiestandaarden","description":"Authenticatiestandaarden"},"12_1":{"title":"NIS2-classificatie & reikwijdte","description":"NIS2-classificatie & reikwijdte"},"12_2":{"title":"BSI-registratie","description":"BSI-registratie"},"12_3":{"title":"Registratieonderhoud","description":"Registratieonderhoud"},"12_4":{"title":"Compliance-bewijs & KRITIS","description":"Compliance-bewijs & KRITIS"},"G-DPA_1":{"title":"Data Processing Agreements","description":"Maintain a register of every processor that handles personal data on your behalf, with a signed DPA covering the eight Art. 28(3) clauses."},"G-DPA_2":{"title":"Sub-processor Authorisation","description":"Track each processor's sub-processors and confirm prior authorisation per Art. 28(2)/(4)."},"G-ROP_1":{"title":"Records of Processing Activities","description":"Document every processing activity for each system that handles personal data — purpose, legal basis, recipients, retention, deletion (Art. 30)."},"G-TOM_1":{"title":"Technical and Organisational Measures","description":"Document the security measures protecting personal data — encryption, access control, backups, training (Art. 32)."},"G-BRC_1":{"title":"Personal Data Breach Response Process","description":"Establish written procedure for assessing and notifying the supervisory authority of personal data breaches within 72 hours (Art. 33)."},"G-BRC_2":{"title":"Personal Data Breach Documentation","description":"Internally document every personal data breach (notifiable or not) for supervisory-authority verification (Art. 33(5))."},"G-DSR_1":{"title":"Data Subject Rights Workflow","description":"Process for handling access, erasure, rectification, portability, restriction, and objection requests within one month (Art. 12-22)."},"IS-4_1":{"title":"Context van de organisatie","description":"Externe en interne kwesties bepalen die relevant zijn voor het doel van het ISMS en die de beoogde resultaten beïnvloeden."},"IS-4_2":{"title":"Behoeften van belanghebbenden","description":"Belanghebbenden identificeren (klanten, toezichthouders, medewerkers, leveranciers) en hun informatieveiligheidseisen vastleggen."},"IS-4_3":{"title":"ISMS-toepassingsgebied","description":"Grenzen van het ISMS documenteren: welke systemen, locaties en activiteiten zijn in- of uitgesloten en waarom."},"IS-5_1":{"title":"Leiderschap en betrokkenheid","description":"Het topmanagement moet betrokkenheid tonen: IS-beleid goedkeuren, ISMS-middelen borgen en beveiliging integreren in bedrijfsprocessen."},"IS-5_2":{"title":"Informatiebeveiligingsbeleid","description":"IS-beleid opstellen, documenteren en communiceren. Ondertekend door het topmanagement, met doelstellingen en verbeteringscommitment."},"IS-5_3":{"title":"Rollen, verantwoordelijkheden en bevoegdheden","description":"Verantwoordelijkheden voor ISMS-rollen (CISO, eigenaren van activa, proceseigenaren) toewijzen en communiceren."},"IS-6_1":{"title":"Risicobeoordelingsproces","description":"Gedocumenteerde risicobeoordelingsmethodologie definiëren en toepassen: identificatie, analyse, evaluatie en acceptatiecriteria."},"IS-6_2":{"title":"Informatiebeveiligingsdoelstellingen","description":"Meetbare IS-doelstellingen vaststellen die aansluiten bij het IS-beleid, plannen documenteren en voortgang bijhouden."},"IS-7_2":{"title":"Competentie","description":"Competentievereisten voor ISMS-relevante rollen bepalen, trainingen verzorgen en bewijs van competentie bewaren."},"IS-7_5":{"title":"Gedocumenteerde informatie","description":"Door ISO 27001 vereiste gedocumenteerde informatie aanmaken, onderhouden en de creatie, actualisering en bewaring ervan beheersen."},"IS-8_2":{"title":"Informatiebeveiligingsrisicobeoordeling","description":"Risicobeoordelingen uitvoeren op geplande intervallen of bij significante wijzigingen; resultaten vastleggen in een risicoregister."},"IS-8_3":{"title":"Informatiebeveiligingsrisicobehandeling","description":"Risicobehandelingsopties selecteren en implementeren; risicobehandelingsplan en Verklaring van Toepasselijkheid (SoA) opstellen."},"IS-9_1":{"title":"Monitoring, meting, analyse en evaluatie","description":"Vastleggen wat, hoe, wanneer en door wie wordt gemonitord en gemeten; resultaten analyseren en beoordelen tegen IS-doelstellingen."},"IS-9_2":{"title":"Interne audit","description":"Interne audits uitvoeren op geplande intervallen om te beoordelen of het ISMS aan de eisen voldoet en effectief is geïmplementeerd."},"IS-9_3":{"title":"Directiebeoordeling","description":"Het topmanagement beoordeelt het ISMS op geplande intervallen: auditresultaten, KPI's, incidenten, wijzigingen en verbetermogelijkheden."},"IS-10_1":{"title":"Voortdurende verbetering","description":"De geschiktheid, toereikendheid en effectiviteit van het ISMS voortdurend verbeteren."},"IS-10_2":{"title":"Non-conformiteit en corrigerende maatregelen","description":"Bij non-conformiteit: reageren, grondoorzaak onderzoeken, corrigerende maatregelen implementeren en de effectiviteit verifiëren."},"A_5_1":{"title":"Beleid voor informatiebeveiliging","description":"Informatiebeveiligingsbeleid definiëren, goedkeuren, publiceren en jaarlijks herzien voor alle relevante onderwerpen."},"A_5_2":{"title":"Rollen en verantwoordelijkheden voor informatiebeveiliging","description":"Rollen en verantwoordelijkheden voor informatiebeveiliging toewijzen en documenteren in de hele organisatie."},"A_5_3":{"title":"Functiescheiding","description":"Conflicterende taken en verantwoordelijkheden scheiden om kansen voor ongeautoriseerde wijziging van informatie te beperken."},"A_5_4":{"title":"Managementverantwoordelijkheden","description":"Het management moet van alle medewerkers verlangen dat zij informatiebeveiliging toepassen conform het vastgestelde beleid."},"A_5_5":{"title":"Contact met autoriteiten","description":"Passende contacten onderhouden met relevante autoriteiten (gegevensbeschermingsautoriteit, cyberveiligheidsagentschap, rechtshandhaving)."},"A_5_6":{"title":"Contact met speciale belangengroepen","description":"Lidmaatschap of contact onderhouden met speciale belangengroepen, beveiligingsforums en beroepsverenigingen."},"A_5_7":{"title":"Dreigingsinformatie","description":"Voor de organisatie relevante dreigingsinformatie verzamelen, analyseren en produceren om dreigingen te anticiperen en te bereiden."},"A_5_8":{"title":"Informatiebeveiliging in projectmanagement","description":"Informatiebeveiliging integreren in projectmanagement zodat beveiligingsrisico's worden aangepakt tijdens projecten."},"A_5_9":{"title":"Inventaris van informatie en bijbehorende activa","description":"Inventaris van informatie en bijbehorende activa met toegewezen eigenaarschap identificeren, documenteren en onderhouden."},"A_5_10":{"title":"Aanvaardbaar gebruik van informatie en activa","description":"Regels voor aanvaardbaar gebruik van informatie en activa documenteren en implementeren: apparaten, gegevensverwerking, verboden activiteiten."},"A_5_11":{"title":"Teruggave van activa","description":"Zekerstellen dat alle activa worden teruggegeven bij beëindiging of wijziging van arbeids- of contractverhoudingen."},"A_5_12":{"title":"Classificatie van informatie","description":"Informatie classificeren naar gevoeligheid (vertrouwelijk, intern, openbaar) voor passende bescherming."},"A_5_13":{"title":"Labeling van informatie","description":"Labelprocedure voor informatie ontwikkelen en implementeren conform het classificatieschema."},"A_5_14":{"title":"Informatieoverdracht","description":"Regels en procedures voor informatieoverdracht via alle kanalen vaststellen: e-mail, berichten, fysieke media en mondeling."},"A_5_15":{"title":"Toegangscontrole","description":"Toegangscontroleregelgeving definiëren en implementeren op basis van bedrijfs- en beveiligingsvereisten, met minimale toegangsrechten."},"A_5_16":{"title":"Identiteitsbeheer","description":"De volledige identiteitslevenscyclus (provisioning, wijzigingen, intrekking) voor alle gebruikers en serviceaccounts beheren."},"A_5_17":{"title":"Authenticatie-informatie","description":"Authenticatie-informatie (wachtwoorden, sleutels, tokens) beheren via een formeel proces incl. toewijzing, opslag en intrekking."},"A_5_18":{"title":"Toegangsrechten","description":"Toegangsrechten verlenen, herzien, wijzigen en intrekken conform het toegangscontrolebeleid."},"A_5_19":{"title":"Informatiebeveiliging in leveranciersrelaties","description":"Maatregelen identificeren en implementeren ter bescherming van activa die toegankelijk zijn voor leveranciers; vastleggen in leveranciersovereenkomsten."},"A_5_20":{"title":"IS-vereisten in leveranciersovereenkomsten","description":"Informatiebeveiligingseisen vaststellen en overeenkomen met elke leverancier die toegang heeft tot organisatie-informatie of deze verwerkt."},"A_5_21":{"title":"IS in de ICT-toeleveringsketen","description":"Processen definiëren en implementeren voor het beheren van IS-risico's in de ICT-producten- en dienstentoeleveringsketen."},"A_5_22":{"title":"Monitoring, beoordeling en wijzigingsbeheer van leveranciersdiensten","description":"IS-praktijken en dienstverlening van leveranciers regelmatig monitoren, beoordelen en wijzigingen beheren."},"A_5_23":{"title":"Informatiebeveiliging bij gebruik van clouddiensten","description":"Processen voor aanschaf, gebruik, beheer en beëindiging van clouddiensten vaststellen incl. beveiligingsvereisten en exitplannen."},"A_5_24":{"title":"Planning en voorbereiding van IS-incidentbeheer","description":"Incidentbeheer plannen en voorbereiden met gedefinieerde rollen, verantwoordelijkheden, procedures en communicatiekanalen."},"A_5_25":{"title":"Beoordeling en besluitvorming over IS-gebeurtenissen","description":"IS-gebeurtenissen beoordelen en op basis van een classificatieschema beslissen of ze als incident worden aangemerkt."},"A_5_26":{"title":"Reactie op informatiebeveiligingsincidenten","description":"Op incidenten reageren conform gedocumenteerde procedures; gestructureerd indammen, verwijderen en herstellen."},"A_5_27":{"title":"Leren van IS-incidenten","description":"Kennis uit incidenten gebruiken om de kans en impact van toekomstige incidenten te verminderen; maatregelen dienovereenkomstig bijwerken."},"A_5_28":{"title":"Bewijsverzameling","description":"Procedures definiëren en toepassen voor het identificeren, verzamelen, verkrijgen en bewaren van bewijs bij IS-incidenten."},"A_5_29":{"title":"Informatiebeveiliging tijdens verstoringen","description":"Plannen hoe IS bij verstoringen gehandhaafd blijft. Beveiligingsvereisten integreren in bedrijfscontinuïteitsplannen."},"A_5_30":{"title":"ICT-gereedheid voor bedrijfscontinuïteit","description":"ICT-gereedheid plannen, implementeren, onderhouden en testen op basis van bedrijfscontinuïteitsdoelstellingen."},"A_5_31":{"title":"Wettelijke, statutaire, regelgevende en contractuele vereisten","description":"Alle wettelijke, regelgevende en contractuele vereisten relevant voor IS identificeren, documenteren en actueel houden."},"A_5_32":{"title":"Intellectuele eigendomsrechten","description":"Procedures implementeren ter bescherming van intellectuele eigendomsrechten en naleving van softwarelicentievereisten."},"A_5_33":{"title":"Bescherming van registers","description":"Registers beschermen tegen verlies, vernietiging, vervalsing, ongeautoriseerde toegang en ongeautoriseerde openbaarmaking conform wettelijke vereisten."},"A_5_34":{"title":"Privacy en bescherming van persoonsgegevens","description":"Privacy- en persoonsdatavereisten identificeren en naleven conform toepasselijk recht (AVG)."},"A_5_35":{"title":"Onafhankelijke beoordeling van informatiebeveiliging","description":"De ISMS-aanpak en -implementatie onafhankelijk beoordelen op geplande intervallen of bij significante wijzigingen."},"A_5_36":{"title":"Naleving van IS-beleid en -normen","description":"Naleving van informatiebeveiligingsbeleid, -normen en -procedures regelmatig beoordelen; resultaten documenteren."},"A_5_37":{"title":"Gedocumenteerde bedrijfsprocedures","description":"Bedrijfsprocedures voor informatieverwerking documenteren, onderhouden en beschikbaar stellen."},"A_6_1":{"title":"Screening","description":"Achtergrondcontroles uitvoeren voor alle sollicitanten, proportioneel aan de gevoeligheid van de rol en wettelijke vereisten."},"A_6_2":{"title":"Arbeidsvoorwaarden","description":"Medewerkers en contractanten contractueel verplichten tot naleving van IS-beleid als arbeidsvoorwaarde."},"A_6_3":{"title":"IS-bewustzijn, opleiding en training","description":"Zorgen dat alle medewerkers bij indiensttreding en jaarlijks passende IS-bewustwordingstraining ontvangen."},"A_6_4":{"title":"Disciplinaire procedure","description":"Een formele, gecommuniceerde disciplinaire procedure hebben voor medewerkers die IS-overtredingen begaan."},"A_6_5":{"title":"Verantwoordelijkheden na beëindiging of wijziging van dienstverband","description":"IS-verantwoordelijkheden die na beëindiging van het dienstverband gelden definiëren en handhaven (vertrouwelijkheid, teruggave activa)."},"A_6_6":{"title":"Vertrouwelijkheids- of geheimhoudingsovereenkomsten","description":"Vertrouwelijkheidsvereisten identificeren, documenteren en regelmatig herzien; NDA's gebruiken met medewerkers, contractanten en relevante derden."},"A_6_7":{"title":"Thuiswerken","description":"Beveiligingsmaatregelen voor thuiswerken definiëren en implementeren: netwerkbeveiliging, fysieke beveiliging en apparatuurbeveiliging."},"A_6_8":{"title":"Melding van IS-gebeurtenissen","description":"Een duidelijk, eenvoudig te gebruiken mechanisme bieden voor medewerkers om beveiligingsgebeurtenissen en zwakheden te melden."},"A_7_1":{"title":"Fysieke beveiligingsperimeters","description":"Fysieke beveiligingsperimeters definiëren en implementeren ter bescherming van gevoelige gebieden met informatie en verwerkingsfaciliteiten."},"A_7_2":{"title":"Fysieke toegang","description":"Beveiligde gebieden voorzien van passende toegangscontroles zodat alleen geautoriseerde personen toegang krijgen."},"A_7_3":{"title":"Beveiliging van kantoren, ruimten en faciliteiten","description":"Fysieke beveiliging toepassen op kantoren, ruimten en faciliteiten, proportioneel aan de gevoeligheid van de aldaar verwerkte informatie."},"A_7_4":{"title":"Fysieke beveiligingsbewaking","description":"Gebouwen monitoren op ongeautoriseerde fysieke toegang via alarmen, CCTV, bewakers of andere passende middelen."},"A_7_5":{"title":"Bescherming tegen fysieke en omgevingsbedreigingen","description":"Bescherming bieden tegen fysieke en omgevingsbedreigingen zoals brand, overstroming, aardbeving en opzettelijke beschadiging."},"A_7_6":{"title":"Werken in beveiligde gebieden","description":"Procedures definiëren en toepassen voor werken in beveiligde gebieden om ongeautoriseerde toegang, fotograferen of data-exfiltratie te voorkomen."},"A_7_7":{"title":"Clean-desk- en clean-screenbeleid","description":"Clean-deskbeleid voor papieren en verwijderbare media en clean-screenbeleid voor informatieverwerking toepassen."},"A_7_8":{"title":"Plaatsing en bescherming van apparatuur","description":"Apparatuur plaatsen en beschermen om risico's van omgevingsbedreigingen, ongeautoriseerde toegang en interferentie te verminderen."},"A_7_9":{"title":"Beveiliging van activa buiten het terrein","description":"Maatregelen toepassen voor activa die buiten het terrein worden meegenomen, proportioneel aan de risico's van extern gebruik."},"A_7_10":{"title":"Opslagmedia","description":"Opslagmedia beheren gedurende de volledige levenscyclus: aanschaf, gebruik, transport, verwijdering en sanering."},"A_7_11":{"title":"Nutsvoorzieningen","description":"Informatieverwerking beschermen tegen stroomuitval en andere verstoringen door defecte nutsvoorzieningen."},"A_7_12":{"title":"Kabelbeveiliging","description":"Stroom- en telecommunicatiekabels beschermen tegen afluisteren, interferentie of beschadiging."},"A_7_13":{"title":"Apparatuuronderhoud","description":"Apparatuur correct onderhouden voor continue beschikbaarheid en integriteit van informatieverwerking."},"A_7_14":{"title":"Veilige verwijdering of hergebruik van apparatuur","description":"Vóór verwijdering of hergebruik verifiëren dat alle gevoelige gegevens en licentiesoftware zijn verwijderd of overschreven."},"A_8_1":{"title":"Gebruikersapparatuur","description":"Informatie op en verwerkt door gebruikersapparatuur (laptops, telefoons) beschermen via een eindpuntbeveiligingsbeleid."},"A_8_2":{"title":"Bevoorrechte toegangsrechten","description":"De toewijzing en het gebruik van bevoorrechte toegangsrechten op alle systemen beperken en zorgvuldig beheren."},"A_8_3":{"title":"Beperking van informatietoegang","description":"Toegang tot informatie en systemen beperken tot wat nodig is voor de rol van elke gebruiker, met minimale rechten."},"A_8_4":{"title":"Toegang tot broncode","description":"Toegang tot programmabroncode en bijbehorende tools beperken tot geautoriseerde personen; versiebeheer toepassen."},"A_8_5":{"title":"Veilige authenticatie","description":"Veilige authenticatietechnologieën en -procedures implementeren inclusief MFA voor gevoelige systemen en alle externe toegang."},"A_8_6":{"title":"Capaciteitsbeheer","description":"Resourcegebruik en -prognoses monitoren en aanpassen om de vereiste systeemcapaciteit en -prestaties te borgen."},"A_8_7":{"title":"Bescherming tegen malware","description":"Malwarebeschermingsmaatregelen implementeren (EDR, AV, codeondertekening, e-mailfiltering) ondersteund door gebruikersbewustzijn."},"A_8_8":{"title":"Beheer van technische kwetsbaarheden","description":"Technische kwetsbaarheden op alle systemen tijdig identificeren, beoordelen en verhelpen."},"A_8_9":{"title":"Configuratiebeheer","description":"Configuraties (inclusief beveiligingsconfiguraties) voor hardware, software en clouddiensten opstellen, documenteren en onderhouden."},"A_8_10":{"title":"Verwijdering van informatie","description":"Informatie verwijderen wanneer deze niet meer nodig is, conform wettelijke, contractuele en bedrijfsvereisten."},"A_8_11":{"title":"Datamaskering","description":"Datamaskering, pseudonimisering of anonimisering gebruiken ter bescherming van persoonsgegevens in niet-productieomgevingen."},"A_8_12":{"title":"Preventie van gegevenslekken","description":"Maatregelen voor preventie van gegevenslekken toepassen op systemen, netwerken en eindpunten die gevoelige informatie verwerken."},"A_8_13":{"title":"Back-up van informatie","description":"Back-upkopieën van informatie, software en systeemimages maken en regelmatig testen conform een back-upbeleid."},"A_8_14":{"title":"Redundantie van informatieverwerking","description":"Voldoende redundantie implementeren in informatieverwerking om aan beschikbaarheidsvereisten te voldoen."},"A_8_15":{"title":"Logging","description":"Logbestanden van gebruikersactiviteiten, uitzonderingen, fouten en beveiligingsgebeurtenissen aanmaken, beschermen en bewaren voor gedefinieerde perioden."},"A_8_16":{"title":"Monitoringactiviteiten","description":"Netwerken, systemen en applicaties monitoren om afwijkend gedrag en potentiële beveiligingsgebeurtenissen te detecteren."},"A_8_17":{"title":"Klokkensynchronisatie","description":"Klokken van alle informatieverwerking synchroniseren met een goedgekeurde tijdbron voor logcorrelatie en forensisch onderzoek."},"A_8_18":{"title":"Gebruik van bevoorrechte hulpprogramma's","description":"Gebruik van hulpprogramma's die systeem- en applicatiecontroles kunnen omzeilen, beheersen en beperken."},"A_8_19":{"title":"Installatie van software op operationele systemen","description":"Procedures implementeren voor het beheren van softwareinstallatie op operationele systemen door geautoriseerde personen."},"A_8_20":{"title":"Netwerkbeveiliging","description":"Netwerken en netwerkapparaten beveiligen ter bescherming van informatie in systemen en applicaties."},"A_8_21":{"title":"Beveiliging van netwerkdiensten","description":"Beveiligingsmechanismen voor netwerkdiensten inclusief cloudnetwerken identificeren, implementeren en monitoren."},"A_8_22":{"title":"Netwerksegmentatie","description":"Groepen informatiediensten, gebruikers en informatiesystemen binnen het netwerk segmenteren."},"A_8_23":{"title":"Webfiltering","description":"Toegang tot externe websites beheren om blootstelling aan schadelijke inhoud te verminderen."},"A_8_24":{"title":"Gebruik van cryptografie","description":"Cryptografiebeleid definiëren en implementeren met goedgekeurde algoritmen, sleutelbeheer en versleutelingsvereisten."},"A_8_25":{"title":"Veilige ontwikkelingslevenscyclus","description":"Regels voor veilige ontwikkeling van software en systemen gedurende de gehele ontwikkelingslevenscyclus vaststellen en toepassen."},"A_8_26":{"title":"Beveiligingsvereisten voor applicaties","description":"IS-vereisten voor applicatieontwikkeling en -inkoop identificeren, specificeren en goedkeuren."},"A_8_27":{"title":"Veilige systeemarchitectuur en engineeringprincipes","description":"Veilige engineeringprincipes voor alle ontwikkelings- en systeemtechniekactiviteiten vaststellen, documenteren en toepassen."},"A_8_28":{"title":"Veilig coderen","description":"Veilige coderingsprincipes toepassen bij softwareontwikkeling om veelvoorkomende kwetsbaarheden te voorkomen (OWASP Top 10, injectie, XSS)."},"A_8_29":{"title":"Beveiligingstesten in ontwikkeling en acceptatie","description":"Beveiligingstestprocessen definiëren en implementeren in de ontwikkelingslevenscyclus en bij acceptatietesten."},"A_8_30":{"title":"Uitbestede ontwikkeling","description":"Uitbestede systeemontwikkelingsactiviteiten toezicht houden en monitoren om te zorgen dat beveiligingsvereisten worden nagekomen."},"A_8_31":{"title":"Scheiding van ontwikkel-, test- en productieomgevingen","description":"Ontwikkel-, test- en productieomgevingen scheiden om het risico van ongeautoriseerde toegang tot of wijzigingen in het productiesysteem te beperken."},"A_8_32":{"title":"Wijzigingsbeheer","description":"Wijzigingen in informatieverwerking en systemen beheren via een formeel wijzigingsbeheerproces."},"A_8_33":{"title":"Testinformatie","description":"Testinformatie beschermen en beheren; nooit live productiedata gebruiken in testomgevingen zonder passende maatregelen."},"A_8_34":{"title":"Bescherming van IS bij audittesten","description":"Auditvereisten en -activiteiten voor verificatie van operationele systemen plannen en afstemmen om verstoringen te minimaliseren."}},"review":{"title":"Review Dashboard","pending":"Pending Review","approved":"Approved","rejected":"Rejected","company":"Company","framework":"Framework","requirement":"Requirement","category":"Category","submittedAt":"Submitted","evidenceCount":"Evidence","viewSubmission":"Review","approveButton":"Approve","rejectButton":"Reject","feedbackLabel":"Feedback","feedbackPlaceholder":"Explain what needs to change...","feedbackRequired":"Feedback is required for rejection","approveConfirm":"Submission approved","rejectConfirm":"Submission rejected with feedback","noSubmissions":"No submissions pending review","formData":"Submitted Form Data","evidenceFiles":"Evidence Files","companyInfo":"Company Information","requirementInfo":"Requirement Details","reviewHistory":"Review History","reviewedBy":"Reviewed by","signOut":"Sign out","feedbackFromReviewer":"Reviewer Feedback","downloadEvidence":"Download","noFormData":"No form data submitted","noEvidence":"No evidence files uploaded","stats":"{pending} pending, {approved} approved, {rejected} rejected","confirmRejection":"Confirm Rejection","cancel":"Cancel","notReviewable":"Status: {status} - not reviewable.","signOffDetails":"Sign-Off Details","signedOffAs":"Signed off as","signedOffDate":"Signed off on","templateVersion":"Template version","operationalData":"Operational data"},"risks":{"title":"Risicoregister","description":"Gedocumenteerde risico's met waarschijnlijkheid, impact en behandelbeslissingen. Kernvereiste van NIS2 Art. 21(2)(a).","helpText":"Identificeer dreigingen voor uw informatiesystemen, beoordeel de waarschijnlijkheid en impact (schaal 1-5) en documenteer hoe u elk risico behandelt (mitigeren, accepteren, overdragen of vermijden). De risicoscore wordt automatisch berekend. Risico's met een hoge score (15+) vereisen gedocumenteerde behandelplannen.","add":"Risico toevoegen","addRisk":"Risico toevoegen","edit":"Risico bewerken","empty":"Nog geen risico's geregistreerd. Voeg uw eerste risico toe om risicobeheer te starten.","deleteConfirm":"Weet u zeker dat u dit risico wilt verwijderen?","actions":"Acties","score":"Risicoscore","cancel":"Annuleren","save":"Opslaan","treatment":{"mitigate":"Mitigeren","accept":"Accepteren","transfer":"Overdragen","avoid":"Vermijden"},"fields":{"title":"Titel","description":"Beschrijving","category":"Categorie","likelihood":"Waarschijnlijkheid","impact":"Impact","riskScore":"Risicoscore","treatment":"Behandeling","treatmentDescription":"Beschrijving behandeling","residualLikelihood":"Resterende waarschijnlijkheid","residualImpact":"Resterende impact","riskOwner":"Risico-eigenaar","nextReviewDate":"Datum volgende beoordeling"},"fieldDescriptions":{"title":"Korte beschrijvende naam voor dit risico (bijv. 'Ransomware-aanval op ERP-systeem').","description":"Gedetailleerde beschrijving van het risicoscenario, inclusief dreigingsactoren, kwetsbaarheden en potentiële gevolgen.","category":"Selecteer de risicocategorie (bijv. cyber, operationeel, compliance, toeleveringsketen).","likelihood":"Beoordeel de kans dat dit risico zich realiseert op basis van uw geconfigureerde methodologieschaal.","impact":"Beoordeel de potentiële bedrijfsimpact als dit risico zich realiseert op basis van uw geconfigureerde methodologieschaal.","riskScore":"Automatisch berekend als waarschijnlijkheid vermenigvuldigd met impact. Scores van 15+ vereisen een gedocumenteerd behandelplan.","treatment":"Selecteer hoe dit risico wordt behandeld: mitigeren, accepteren, overdragen (bijv. verzekering) of vermijden.","treatmentDescription":"Beschrijf de specifieke geplande acties om de gekozen behandelstrategie te implementeren.","residualLikelihood":"Verwachte waarschijnlijkheid nadat behandelmaatregelen zijn toegepast (schaal 1-5).","residualImpact":"Verwachte impact nadat behandelmaatregelen zijn toegepast (schaal 1-5).","riskOwner":"Voer de persoon of rol in die verantwoordelijk is voor het monitoren en beheren van dit risico.","nextReviewDate":"Datum waarop deze risicobeoordeling herzien en bijgewerkt moet worden."},"linkedAssets":{"title":"Gekoppelde assets","link":"Asset koppelen","empty":"Geen assets gekoppeld aan dit risico.","unlink":"Ontkoppelen","selectAsset":"Selecteer een asset om te koppelen","alreadyLinked":"Al gekoppeld"},"addRiskToAsset":"Risico toevoegen aan deze asset","selectThreat":"Selecteer BSI-dreiging...","searchThreats":"Dreigingen zoeken...","noThreatsFound":"Geen dreigingen gevonden.","customThreat":"Aangepaste dreiging","noRisksYet":"Nog geen risico's geregistreerd.","noAssetsYet":"Geen assets geregistreerd. Voeg eerst assets toe in stap 2.2.","assetsNoRisks":"Assets zonder risico's","unlinkedRisks":"Risico's niet gekoppeld aan een asset","riskAssessment":"Risicobeoordeling","treatmentMeasures":"Behandelmaatregelen","addMeasure":"Maatregel toevoegen","measureAction":"Actie","measureActionPlaceholder":"Beschrijf de behandelmaatregel...","acceptRisk":"Risico accepteren","riskAccepted":"Risico geaccepteerd op {date}","acceptedRisks":"Geaccepteerd / Onder drempelwaarde","risksAboveThreshold":"{count} risico's boven acceptatiedrempel (>{threshold})","initialScore":"Initieel","residualScore":"Resterend","belowThreshold":"Onder drempelwaarde","setResidual":"Resterende score instellen","updateResidual":"Resterende score bijwerken","treatmentStatus":{"not_started":"Niet gestart","in_progress":"In behandeling","completed":"Voltooid"},"critical":"Kritiek","ot":"OT","riskCount":"{count, plural, one {# risico} other {# risico's}}"},"settings":{"title":"Settings","description":"Manage your organization's platform settings.","aiDataSharing":{"title":"AI Data Sharing","description":"Control what organization data is shared with the AI assistant when generating compliance guidance. Personal data (emails, phone numbers, individual names) is never sent.","none":{"label":"No company data","description":"Only field names, types, and requirement title are sent. Guidance is generic.","preview":"Sent: field definitions, requirement title, legal reference"},"basic":{"label":"Non-sensitive only","description":"Adds sector, entity type, and legal form for more relevant guidance.","preview":"Sent: above + sector, sub-sector, entity type, legal form"},"full":{"label":"Full context","description":"Includes company name and size metrics for the most tailored guidance.","preview":"Sent: above + company name, employee count, annual revenue"}},"saved":"Settings saved","saveError":"Failed to save settings","saving":"Saving...","adminOnly":"Only admins can change settings."},"suppliers":{"title":"Leveranciersregister","description":"Externe leveranciers en hun cyberbeveiligingsrisicoprofielen. Vereist door NIS2 Art. 21(2)(d).","helpText":"Registreer alle ICT-leveranciers, cloudproviders en dienstverleners. Beoordeel het cyberbeveiligingsrisiconiveau van elke leverancier en houd beveiligingsclausules in contracten bij. NIS2 vereist dat u risico's in de toeleveringsketen beheert en de beveiligingshouding van leveranciers monitort.","add":"Leverancier toevoegen","edit":"Leverancier bewerken","empty":"Geen leveranciers geregistreerd. Voeg uw eerste leverancier toe om de toeleveringsketenbeveiliging bij te houden.","deleteConfirm":"Weet u zeker dat u deze leverancier wilt verwijderen?","actions":"Acties","critical":"Kritiek","nonCritical":"Niet-kritiek","riskLevel":{"critical":"Kritiek","high":"Hoog","medium":"Gemiddeld","low":"Laag"},"fields":{"name":"Naam leverancier","description":"Beschrijving","contactEmail":"E-mail contactpersoon","contactName":"Naam contactpersoon","riskLevel":"Risiconiveau","serviceType":"Type dienst","hasAccessToSystems":"Systeemtoegang","hasAccessToData":"Gegevenstoegang","isCritical":"Kritieke leverancier","contractStartDate":"Startdatum contract","contractEndDate":"Einddatum contract","hasSecurityClauses":"Beveiligingsclausules","hasIncidentNotificationClause":"Clausule incidentmelding","hasAuditRights":"Auditrechten","hasSubcontractorFlowDown":"Doorstroom naar onderaannemers","nis2RegistrationId":"NIS2-registratie-ID","hasSecurityCertification":"Beveiligingscertificering","securityCertificationType":"Type certificering","contractSecurityClauses":"Beveiligingsclausules contract","auditFrequency":"Auditfrequentie","monitoringMethod":"Monitoringmethode","lastReviewDate":"Datum laatste beoordeling","dueDiligenceProcess":"Due diligence-proces","relationshipType":"GDPR Relationship Type","processesPersonalData":"Processes Personal Data","processesOnlyOnInstructions":"Processes Only on Documented Instructions","assistsWithDataSubjectRights":"Assists with Data Subject Rights","internationalTransfer":"Transfers Data Outside EEA","transferMechanism":"Transfer Mechanism"},"auditFrequency":{"annual":"Jaarlijks","biennial":"Tweejaarlijks","on_change":"Bij wijziging"},"relationshipType":{"processor":"Processor (Art. 28)","joint_controller":"Joint Controller (Art. 26)","separate_controller":"Separate Controller","internal":"Internal / Intra-group"},"transferMechanism":{"adequacy":"Adequacy Decision (Art. 45)","sccs":"Standard Contractual Clauses (Art. 46)","bcr":"Binding Corporate Rules (Art. 47)","derogation":"Derogation (Art. 49)","none":"No Transfer"},"fieldDescriptions":{"name":"Wettelijke naam of handelsnaam van de leveranciersorganisatie.","description":"Korte beschrijving van de diensten of producten die deze leverancier aan uw organisatie levert.","contactEmail":"Primair e-mailadres voor beveiligingsgerelateerde communicatie met deze leverancier.","contactName":"Naam van de primaire beveiligings- of accountcontactpersoon bij deze leverancier.","riskLevel":"Beoordeeld cyberbeveiligingsrisiconiveau op basis van toegang, kritikaliteit en beveiligingshouding van de leverancier.","serviceType":"Type geleverde dienst (bijv. cloudhosting, beheerde beveiliging, softwareontwikkeling, hardware).","hasAccessToSystems":"Inschakelen als deze leverancier directe of externe toegang heeft tot uw IT/OT-systemen.","hasAccessToData":"Inschakelen als deze leverancier gegevens van uw organisatie verwerkt, opslaat of toegang heeft tot uw gegevens.","isCritical":"Inschakelen als onderbreking van de diensten van deze leverancier direct impact heeft op uw essentiële diensten onder NIS2.","contractStartDate":"Datum waarop het contract met deze leverancier van kracht werd.","contractEndDate":"Datum waarop het contract afloopt of verlengd moet worden.","hasSecurityClauses":"Inschakelen als het contract specifieke cyberbeveiligingsvereisten en verplichtingen bevat.","hasIncidentNotificationClause":"Inschakelen als het contract vereist dat de leverancier u op de hoogte stelt van beveiligingsincidenten binnen een bepaalde termijn.","hasAuditRights":"Inschakelen als het contract u het recht geeft de beveiligingspraktijken van de leverancier te auditeren.","hasSubcontractorFlowDown":"Inschakelen als beveiligingsvereisten contractueel worden doorgestuurd naar de onderaannemers van de leverancier.","nis2RegistrationId":"Als deze leverancier NIS2-gereguleerd is, voer dan zijn BSI-registratienummer in. Hiermee kunt u verwijzen naar zijn compliancestatus.","hasSecurityCertification":"Inschakelen als deze leverancier een erkende beveiligingscertificering bezit (ISO 27001, SOC 2, BSI C5, enz.).","securityCertificationType":"Type certificering (bijv. ISO 27001, SOC 2 Type II, BSI C5, TISAX).","contractSecurityClauses":"Specifieke beveiligingsclausules in het contract van deze leverancier (SLA's, auditrechten, incidentmelding, gegevensverwerking, beëindigingsverplichtingen).","auditFrequency":"Hoe vaak deze leverancier wordt geauditeerd op beveiligingsnaleving.","monitoringMethod":"Hoe de beveiligingshouding van deze leverancier wordt gemonitord (bijv. vragenlijst, SecurityScorecard, SOC 2-review).","lastReviewDate":"Datum van de meest recente beveiligingsbeoordeling van deze leverancier.","dueDiligenceProcess":"Due diligence uitgevoerd bij het opnemen van deze leverancier (bijv. vragenlijst, certificaatcontrole, referentiegesprek).","relationshipType":"Under GDPR: is this supplier a processor (Art. 28), joint controller (Art. 26), separate controller, or internal? Drives which contract obligations apply.","processesPersonalData":"Enable if any personal data flows to or through this supplier (triggers GDPR-specific contract obligations).","processesOnlyOnInstructions":"Art. 28(3)(a) — the processor only processes personal data on documented instructions from the controller.","assistsWithDataSubjectRights":"Art. 28(3)(e) — the processor assists you in responding to data subject requests (access, deletion, portability).","internationalTransfer":"Enable if personal data is transferred outside the European Economic Area (EEA).","transferMechanism":"Legal mechanism for the cross-border transfer: adequacy decision, SCCs, binding corporate rules, or derogation."},"addRiskToSupplier":"Risico toevoegen aan deze leverancier","suppliersNoRisks":"Leveranciers zonder risico's","unlinkedRisks":"Risico's niet gekoppeld aan een leverancier","noSuppliersYet":"Geen leveranciers geregistreerd. Voeg eerst leveranciers toe in stap 5.1.","supplierRiskAssessment":"Leveranciersrisicobeoordeling"},"supplierPortal":{"marketing":{"eyebrow":"NIS2 Leveranciersportaal","headline1":"Vul de uniforme NIS2-leveranciersvragenlijst eenmalig in.","headline2":"Deel hem met elke klant.","intro":"Gestructureerd conform de ENISA NIS2 Technical Implementation Guidance v1.0 (juni 2025). Elke vraag verwijst naar een specifiek lid van CIR 2024/2690, BSIG §30 of BSI IT-Grundschutz. Één vragenlijst. Één standaard. Uw gegevens blijven overdraagbaar — geen lock-in, altijd als JSON exporteerbaar.","ctaCreate":"Maak uw leveranciersprofiel aan","ctaEntity":"Bent u een NIS2-entiteit?","anchorBadge":"Gestructureerd conform ENISA NIS2 Technical Implementation Guidance v1.0 (juni 2025) §5","bsiQuote":"Wir begrüßen aktuelle Vorstöße der Wirtschaft, einen einheitlichen Fragenkatalog für Lieferanten zu erarbeiten.","bsiAttribution":"— BSI NIS-2 FAQ (Lieferketten und Sicherheit). Het leveranciersportaal is dat initiatief — een uniforme vragenlijst uit de private sector, gestructureerd conform de canonieke EU-taxonomie (ENISA TIG §5), zodat elke NIS2-gereguleerde entiteit aan CIR §5.1.4 kan voldoen met één bron.","benefit1Title":"Één vragenlijst, elke klant","benefit1Body":"Beantwoord de BSI/CIR-vragen eenmalig. Elke klant die u uitnodigt ziet dezelfde gecheckte antwoorden — geen op maat gemaakte beveiligingsvragenlijsten meer per relatie.","benefit2Title":"Verankerd in ENISA TIG v1.0","benefit2Body":"Elke sectietitel en elk veld verwijst naar een specifiek lid van ENISA's NIS2 Technical Implementation Guidance (juni 2025) plus het onderliggende CIR 2024/2690-artikel. Auditors herkennen de taxonomie. Klanten vertrouwen de structuur. Geen verzonnen categorieën.","benefit3Title":"Klanten informeren over incidenten op assetniveau","benefit3Body":"Wanneer een asset die u beheert een beveiligingsincident heeft, informeert u de getroffen klant met één klik. Elke klant ziet alleen zijn eigen assets en zijn eigen meldingen. Ze voldoen aan hun NIS2 §30 verplichting voor leveranciersmonitoring door uw update te lezen.","benefit4Title":"Bilateraal en privé. Geen openbaar profiel.","benefit4Body":"Gebouwd in Nederland, gehost in de EU, conform BSI Grundschutz-standaarden. Uw gegevens worden alleen gedeeld met de klanten die u expliciet uitnodigt — geen openbare URL, geen zoekmachineindexering. Klanten hebben toegang via een privé magic link zonder platform-account.","footerHeadline":"Start binnen twee minuten.","footerBody":"Meld u aan met Google. Vul uw bedrijfsnaam en primair domein in. Beantwoord de vragenlijst op uw eigen tempo. Nodig uw klanten uit wanneer u er klaar voor bent.","footerCta":"Maak uw leveranciersprofiel aan"},"questionnaire":{"title":"BSI / CIR Leveranciersvragenlijst","intro":"Elke vraag verwijst naar een specifiek lid van CIR 2024/2690 — de bindende EU-verordening onder NIS2 — of naar BSI IT-Grundschutz. Vul het eenmalig in; elke klant die zich aanmeldt ziet dezelfde antwoorden.","save":"Concept opslaan","submit":"Aftekenen en publiceren","submitting":"Opslaan…","saved":"Opgeslagen","saveError":"Kon niet opslaan — probeer het opnieuw.","submitError":"Kon niet aftekenen — los eerst de validatiefouten op.","savedAt":"Laatst opgeslagen {time}","sectionIdentity":"Identiteit (CIR §5.2 / ENISA TIG §5.2 leveranciersregister)","sectionIncidentContact":"Incidentcontact voor klanten","sectionType":"Type dienst","sectionContract":"Verplichte contractclausules (CIR / ENISA TIG §5.1.4)","sectionBaseline":"Cyberbeveiligingspraktijken (NIS2 Art. 21(2) / ENISA TIG §5.1.2)","sectionContractTips":"Aanvullende contractclausules (ENISA TIG §5.1.4 TIPS)","sectionSaas":"SaaS-technische details","sectionOnPrem":"On-premise softwaretechnische details","sectionProServices":"Details professionele diensten","sectionManaged":"Details beheerde diensten"},"fields":{"legalName":"Wettelijke naam","registeredAddress":"Geregistreerd adres","country":"Land","securityContactName":"Naam beveiligingscontact","primaryDomain":"Primair domein","tagline":"Tagline (één regel, klantgericht)","description":"Publieke beschrijving (uitgebreider)","incidentContactEmail":"E-mail incidentcontact","incidentContactPhone":"Telefoon incidentcontact (24/7)","incidentSlaHours":"SLA incidentmelding (uren)","serviceDescription":"Beschrijving geleverde diensten","dataProcessingLocations":"Landen/regio's waar klantgegevens worden verwerkt","bsiRegistrationId":"BSI-registratie-ID (alleen als uw bedrijf zelf NIS2-gereguleerd is)","isSaas":"Wij leveren SaaS / gehoste diensten","isOnPrem":"Wij leveren on-premise software","isProfessionalServices":"Wij leveren professionele diensten / consultancy","isManagedService":"Wij leveren beheerde diensten / MSP","hasIsms":"Gedocumenteerd Informatiebeveiligingsbeheersysteem (ISMS)","hasIso27001OrEquivalent":"ISO 27001, BSI Grundschutz of gelijkwaardige certificering","staffSecurityTraining":"Jaarlijkse beveiligingsbewustzijnstraining voor alle medewerkers","backgroundChecks":"Achtergrondcontroles voor medewerkers met toegang tot klantgegevens","vulnerabilityHandling":"Gedocumenteerd kwetsbaarheidsbeheer en patchproces","acceptRightToAudit":"Klantauditrecht accepteren (of auditrapporten verstrekken)","hasSubprocessors":"Gebruik van subverwerkers / sub-leveranciers","subprocessorList":"Lijst van subverwerkers","dataReturnOnTermination":"Toezegging om klantgegevens bij beëindiging te retourneren / vernietigen","dpaAvailable":"Standaard verwerkersovereenkomst (DPA) beschikbaar","securityPolicyReviewedAnnually":"Beveiligingsbeleid minimaal jaarlijks herzien","hasIncidentResponsePlan":"Gedocumenteerd incidentresponsplan","hasBusinessContinuityPlan":"Gedocumenteerd bedrijfscontinuïteits- / noodherstelplan","hasCryptographyPolicy":"Gedocumenteerd cryptografiebeleid","hasPrivilegedAccessMgmt":"Bevoorrecht toegangsbeheer (PAM) voor intern personeel","mfaEnforcedInternal":"MFA verplicht voor alle interne beheer- / bevoorrechte accounts","hasAssetInventory":"Inventaris van informatie-assets bijhouden","hasPenetrationTestingProgram":"Jaarlijks of tweejaarlijks penetratietestprogramma","pastBreachesDisclosed":"Wij melden eerdere meldingsplichtige cyberbeveiligingsincidenten op verzoek van klanten","incidentAssistanceCommitment":"Incidentondersteuning aan klanten bieden zonder / tegen vooraf bepaalde kosten","cooperateWithAuthorities":"Volledig meewerken met bevoegde autoriteiten (BSI, ENISA, nationale CSIRT's)","notifyMaterialChanges":"Klanten informeren over wezenlijke wijzigingen die de dienstverlening beïnvloeden","notifyOnLocationChange":"Klanten vooraf informeren als gegevensverwerkingslocaties wijzigen","hasExitPlan":"Gedocumenteerde exitstrategie met verplichte overgangsperiode","saasHostingRegion":"Hostingregio","saasEncryptionAtRest":"Versleuteling in rust","saasEncryptionInTransit":"Versleuteling in transit (TLS ≥ 1.2)","saasMfaEnforced":"MFA verplicht voor alle beheeraccounts","saasRtoHours":"Hersteltijddoelstelling (RTO) in uren","onPremSbomProvided":"Software Bill of Materials (SBOM) verstrekken","onPremSignedReleases":"Releases zijn cryptografisch ondertekend","onPremVulnerabilityDisclosurePolicy":"Gepubliceerd beleid voor kwetsbaarheidsopenbaarmaking","onPremPatchSlaCriticalHours":"Patch-SLA voor kritieke CVE's (uren)","proServicesBackgroundCheckScope":"Reikwijdte achtergrondcontrole","proServicesNdaInPlace":"NDA van kracht met alle consultants","proServicesCustomerPremisesPolicy":"Gedocumenteerd gedragsbeleid op klantlocatie","managedPrivilegedAccessMgmt":"Bevoorrecht toegangsbeheer (PAM) aanwezig","managedSessionRecording":"Beheersessies worden opgenomen","managedOnCall24x7":"24/7 wachtdienst"},"fieldDescriptions":{"legalName":"Vereist door CIR 2024/2690 §5.2(a) — leveranciersregistratieveld.","registeredAddress":"Vereist door CIR 2024/2690 §5.2(a) — leveranciersregistratieveld.","country":"ISO 3166-1 alpha-2-code, bijv. NL, DE, BE.","securityContactName":"Vereist door CIR 2024/2690 §5.1.4(d) — incidentmeldingsketen.","serviceDescription":"Vereist door ENISA TIG §5.2(b) + §5.1.4 TIPS — duidelijke en volledige beschrijving van de ICT-producten en -diensten die u levert. Één alinea.","dataProcessingLocations":"Vereist door ENISA TIG §5.1.4 TIPS — vermeld elk land/regio waar klantgegevens worden gegenereerd, verwerkt of opgeslagen. Komma-gescheiden.","bsiRegistrationId":"Optioneel. ENISA TIG §5.1.2 — als uw bedrijf zelf een NIS2-gereguleerde entiteit is met een BSI-registratie, kunnen uw klanten dit gebruiken om te voldoen aan hun §5.1.2 leveranciersselectiecriteria.","isSaas":"Bepaalt welke technische vragen u hierna ziet. Selecteer alles wat van toepassing is.","isOnPrem":"Software die uw klanten op hun eigen hardware installeren.","isProfessionalServices":"Consultancy, implementatie, training, auditwerk.","isManagedService":"De IT van de klant onder contract beheren (MSP, MSSP).","hasIsms":"Vereist door CIR 2024/2690 §5.1.2(a) — cyberbeveiligingspraktijken van leveranciers.","hasIso27001OrEquivalent":"Vereist door CIR 2024/2690 §5.1.2(b). Upload het certificaat via het tabblad Certificeringen.","staffSecurityTraining":"Vereist door CIR 2024/2690 §5.1.4(b) — bewustzijn, vaardigheden en training.","backgroundChecks":"Vereist door CIR 2024/2690 §5.1.4(c) — verificatie van achtergrond van personeel.","vulnerabilityHandling":"Vereist door CIR 2024/2690 §5.1.4(f) — kwetsbaarheden die een risico vormen afhandelen.","acceptRightToAudit":"Vereist door CIR 2024/2690 §5.1.4(e) — recht op audit of het ontvangen van auditrapporten.","hasSubprocessors":"Vereist door CIR 2024/2690 §5.1.4(g) — uitbestedingsvereisten.","subprocessorList":"Vermeld de subverwerkers en wat zij voor u doen. CIR 2024/2690 §5.1.4(g).","dataReturnOnTermination":"Vereist door CIR 2024/2690 §5.1.4(h) — ophalen en vernietigen van informatie bij beëindiging.","dpaAvailable":"AVG Art. 28 — schriftelijke verwerkersovereenkomst.","securityPolicyReviewedAnnually":"Vereist door CIR 2024/2690 §5.1.1(c) — beveiligingsbeleid moet regelmatig worden herzien en bijgewerkt.","hasIncidentResponsePlan":"Vereist door CIR 2024/2690 §5.1.3 / NIS2 Art. 21(2)(b) — gedocumenteerde incidentafhandelingsprocedures.","hasBusinessContinuityPlan":"Vereist door CIR 2024/2690 §5.1.5 / NIS2 Art. 21(2)(c) — bedrijfscontinuïteit en crisismanagement.","hasCryptographyPolicy":"Vereist door CIR 2024/2690 §5.1.6 / NIS2 Art. 21(2)(h) — beleid en procedures voor het gebruik van cryptografie.","hasPrivilegedAccessMgmt":"Vereist door CIR 2024/2690 §5.1.7 / NIS2 Art. 21(2)(i) — toegangscontrolebeleid voor bevoorrechte accounts.","mfaEnforcedInternal":"Vereist door NIS2 Art. 21(2)(j) — multi-factor authenticatie voor accounts met verhoogde rechten.","hasAssetInventory":"Vereist door CIR 2024/2690 §5.1.8 / NIS2 Art. 21(2)(i) — assetbeheer.","hasPenetrationTestingProgram":"Vereist door CIR 2024/2690 §5.1.12 — testen van cyberbeveiligingsrisicobeheermaatregelen.","pastBreachesDisclosed":"ENISA TIG §5.1.2 — selectiecriteria vereisen dat entiteiten 'de geschiedenis van de leverancier met betrekking tot cyberbeveiligingsincidenten en -inbreuken' in overweging nemen.","incidentAssistanceCommitment":"ENISA TIG §5.1.4 TIPS — verplichting van de leverancier om de klant te ondersteunen zonder/tegen vooraf bepaalde kosten bij een cyberincident veroorzaakt door het ICT-product of de dienst.","cooperateWithAuthorities":"ENISA TIG §5.1.4 TIPS — verplichting van de leverancier om volledig samen te werken met bevoegde autoriteiten tijdens inspecties, audits en incidentafhandeling.","notifyMaterialChanges":"ENISA TIG §5.1.4 TIPS — melding van ontwikkelingen die een wezenlijke invloed kunnen hebben op het vermogen van de leverancier om de ICT-producten of -diensten effectief te leveren.","notifyOnLocationChange":"ENISA TIG §5.1.4 TIPS — de klant vooraf informeren als gegevensverwerkingslocaties gaan wijzigen.","hasExitPlan":"ENISA TIG §5.1.4 TIPS — exitstrategie met een verplichte adequate overgangsperiode, IP-bepalingen en leveranciersverantwoordelijkheden tijdens de exitperiode.","saasHostingRegion":"BSI IT-Grundschutz OPS.2.2 Cloud-Nutzung — waar klantgegevens worden opgeslagen.","saasEncryptionAtRest":"BSI IT-Grundschutz OPS.2.2.A11. AES-256 of gelijkwaardig.","saasEncryptionInTransit":"BSI IT-Grundschutz OPS.2.2.A11. TLS 1.2 minimaal, TLS 1.3 voorkeur.","saasMfaEnforced":"BSI IT-Grundschutz ORP.4.A23 — tweede-factor authenticatie voor bevoorrechte accounts.","saasRtoHours":"BSI IT-Grundschutz DER.4 — maximaal getolereerde uitvaltijd voor klantenservice.","onPremSbomProvided":"CRA / NIS2 transparantie in toeleveringsketen. Formaat: CycloneDX of SPDX.","onPremSignedReleases":"BSI IT-Grundschutz CON.8 Software-Entwicklung — ondertekende releases voorkomen manipulatie van de toeleveringsketen.","onPremVulnerabilityDisclosurePolicy":"BSI IT-Grundschutz CON.10. Publiek security.txt of contactpunt voor kwetsbaarheidsrapportages.","onPremPatchSlaCriticalHours":"Tijd van CVE-openbaarmaking tot beschikbaarheid van patch voor kritieke kwetsbaarheden.","proServicesBackgroundCheckScope":"BSI IT-Grundschutz ORP.2.A14 — screening van personeel voor gevoelige rollen.","proServicesNdaInPlace":"BSI IT-Grundschutz ORP.2.A2 — geheimhoudingsovereenkomsten met alle consultants.","proServicesCustomerPremisesPolicy":"BSI IT-Grundschutz ORP.3.A4 — beveiligingsbewustzijn op klantlocatie.","managedPrivilegedAccessMgmt":"BSI IT-Grundschutz ORP.4.A26 — PAM voor administratieve externe toegang.","managedSessionRecording":"BSI IT-Grundschutz OPS.1.2.5.A11 — opgenomen sessies voor onderhoud op afstand.","managedOnCall24x7":"BSI IT-Grundschutz DER.2.1 — dekking voor incidentdetectie en -respons."}},"team":{"pageTitle":"Team","pageDescription":"Manage team members and invitations","members":{"title":"Members","description":"{count, plural, one {# member} other {# members}} in your company","name":"Name","email":"Email","role":"Role","you":"you","assignedCategories":"Assigned Categories","complianceRole":"Assign Role"},"invites":{"title":"Pending Invites","description":"{count, plural, one {# pending invitation} other {# pending invitations}}","email":"Email","expires":"Expires","linkCopied":"Link copied"},"invite":{"title":"Invite Member","description":"Enter an email address to generate an invite link","email":"Email","emailPlaceholder":"colleague@company.com","complianceRole":"Compliance Role","complianceRolePlaceholder":"Select role (optional)","submit":"Invite","submitting":"Inviting..."},"assignRole":{"label":"Assign Role","placeholder":"Select role...","success":"Role assigned successfully","noCategories":"No categories for this role"},"remove":{"success":"Member removed"},"revoke":{"success":"Invite revoked"},"inline":{"sent":"Invite sent to {email}","linkCopied":"Link copied"},"invalidTitle":"Invalid Invite","invalidDescription":"This invite link is invalid or has already been used.","usedTitle":"Invite Already Used","usedDescription":"This invite has already been accepted or revoked.","expiredTitle":"Invite Expired","expiredDescription":"This invite link has expired. Ask your admin for a new one.","accept":{"joinTitle":"Join {company}","joinDescription":"You've been invited to join as {role}.","signInDescription":"Je bent uitgenodigd om als {role} deel te nemen. Meld je aan of registreer je om door te gaan.","signInToAccept":"Aanmelden en deelnemen","alreadyMemberTitle":"Already a Member","alreadyMemberDescription":"You are already a member of a company. You cannot join another one.","goToDashboard":"Go to Dashboard","wrongAccountTitle":"Wrong Account","wrongAccountDescription":"This invite was sent to {inviteEmail}. You're signed in as {userEmail}.","signOutRetry":"Sign out and try again","joining":"Joining...","acceptInvite":"Accept Invite","joined":"Joined {company}"},"roles":{"ceo":"CEO / Managing Director","ciso":"CISO / IT Security Officer","cto":"CTO / Head of Engineering","coo":"COO / Operations Director","cpo":"CPO / Procurement Lead","hr_director":"HR Director","legal":"Legal / Compliance Officer","dpo":"Data Protection Officer"}},"training":{"title":"Training Records","description":"Employee and management cybersecurity training records. Required by NIS2 Art. 21(2)(g) and BSIG §38(3).","helpText":"Record all cybersecurity training completions. NIS2 mandates regular awareness training for all employees and specific training for management (BSIG §38(3) - personal liability). Track who completed what training and when.","add":"Add Training","edit":"Edit Training","empty":"No training records yet. Add your first training record.","deleteConfirm":"Are you sure you want to delete this training record?","actions":"Actions","yes":"Yes","no":"No","participants":"Participants","selectParticipants":"Select participants","noParticipants":"Select at least one participant","inviteNew":"Invite new member","certificate":"Training Certificate","certificateHint":"Upload certificate or proof of completion (PDF, image)","uploadingCert":"Uploading...","certUploaded":"Certificate uploaded","certUploadFailed":"Upload failed","removeCert":"Remove","managementTraining":"Management Training (§38 BSIG)","managementHint":"Auto-detected from role. Override if needed.","batchCreated":"{count} training records created","saveTraining":"Save Training","fields":{"title":"Title","trainingType":"Training Type","description":"Description","participantName":"Participant","participantRole":"Role","isManagement":"Management Training","providerName":"Provider","trainerName":"Trainer","startedAt":"Started","completedAt":"Completed","durationMinutes":"Duration (min)","nextTrainingDue":"Next Training Due"},"fieldDescriptions":{"title":"Name of the training course or session (e.g., 'Annual Cybersecurity Awareness', 'Incident Response Workshop').","trainingType":"Select the type of training (e.g., awareness, technical, management, incident response).","description":"Brief description of the training content, objectives, and target audience.","participantName":"Full name of the person who attended or completed this training.","participantRole":"Job title or role of the participant within the organization.","isManagement":"Enable if this is management-level training. BSIG Section 38(3) requires specific cybersecurity training for management with personal liability.","providerName":"Name of the training provider or organization delivering the training.","trainerName":"Name of the individual instructor or facilitator.","startedAt":"Date when the participant started this training.","completedAt":"Date when the participant successfully completed this training.","durationMinutes":"Total duration of the training session in minutes.","nextTrainingDue":"Date when this participant's next refresher or follow-up training is due."}},"trainingPortal":{"title":"Trainingsportaal","courses":"Cursussen","courseOverview":"Cursusoverzicht","lesson":"Les","lessons":"Lessen","module":"Module","progress":"Voortgang","completed":"Afgerond","inProgress":"Bezig","notStarted":"Nog niet gestart","comingSoon":"Binnenkort beschikbaar","startCourse":"Cursus starten","continueCourse":"Doorgaan","viewCourse":"Cursus bekijken","nextLesson":"Volgende les","previousLesson":"Vorige les","completeLesson":"Markeer als voltooid","lessonCompleted":"Les voltooid","textView":"Tekst","videoView":"Video","dictionary":"Begrippen","definedTerms":"Kernbegrippen","vocabularyWords":"Woordenschat","quiz":{"title":"Quiz","question":"Vraag","of":"van","submit":"Antwoorden indienen","retry":"Opnieuw proberen","score":"Uw score","passed":"Geslaagd!","failed":"Niet geslaagd","passMessage":"U behaalde {score}%. U kunt doorgaan naar de volgende les.","failMessage":"U behaalde {score}%. U heeft {required}% nodig om te slagen. Bekijk de les opnieuw en probeer het nog eens.","explanation":"Toelichting","nextLesson":"Volgende les","correct":"Juist","incorrect":"Onjuist"},"progressLabel":"{completed} van {total} lessen voltooid","estimatedTime":"{minutes} min leestijd"},"vulnerabilities":{"title":"Vulnerability Management","description":"Track discovered vulnerabilities through their lifecycle. Required by CIR 2024/2690 Art. 6.10.","helpText":"Log vulnerabilities found through scans, pentests, or advisories. Track triage, treatment decisions, and resolution. CIR requires vulnerability handling as a separate documented process from patch management.","add":"Add Vulnerability","edit":"Edit Vulnerability","empty":"No vulnerabilities recorded yet. Add your first vulnerability.","deleteConfirm":"Are you sure you want to delete this vulnerability?","actions":"Actions","severity":{"critical":"Critical","high":"High","medium":"Medium","low":"Low"},"status":{"discovered":"Discovered","assessed":"Assessed","treating":"Treating","resolved":"Resolved","accepted":"Accepted","mitigated":"Mitigated"},"source":{"vulnerability_scan":"Vulnerability Scan","pentest":"Penetration Test","bug_bounty":"Bug Bounty","vendor_advisory":"Vendor Advisory","internal_review":"Internal Review"},"fields":{"cveId":"CVE ID","title":"Title","description":"Description","severity":"Severity","cvssScore":"CVSS Score","source":"Source","assetId":"Asset","status":"Status","discoveredAt":"Discovered","treatmentNote":"Treatment","acceptanceReason":"Acceptance Reason","resolvedAt":"Resolved"},"fieldDescriptions":{"cveId":"CVE identifier if available (e.g., CVE-2024-1234). Leave empty for internally discovered vulnerabilities without a CVE.","title":"Brief description of the vulnerability (e.g., 'SQL injection in login form', 'Outdated TLS 1.0 on web server').","description":"Detailed description: affected components, versions, potential impact, and exploitation conditions.","severity":"CVSS-based severity rating: critical, high, medium, or low.","cvssScore":"Optional numeric CVSS score (0.0-10.0) for precise prioritization.","source":"How this vulnerability was discovered: scan, pentest, bug bounty, vendor advisory, or internal review.","assetId":"Asset affected by this vulnerability, if applicable. Select from the asset register.","status":"Current lifecycle status: discovered, assessed, treating, resolved, accepted (risk), or mitigated (compensating control).","discoveredAt":"Date when the vulnerability was first identified.","treatmentNote":"What is being done to address this vulnerability (patch, configuration change, compensating control, etc.).","acceptanceReason":"If accepting the risk, document the justification per CIR 6.6.2. Required for status 'Accepted'.","resolvedAt":"Date when the vulnerability was resolved, accepted, or mitigated."}}},"now":"$undefined","timeZone":"UTC","children":"$L32"}]