Changelog
A curated list of notable changes to the platform, the course, and the compliance documents. Not a full commit history: only what matters to users, buyers, and auditors.
June 2026
Six new entries on the NIS 2 timeline: the NIS Cooperation Group agreed common Article 23 incident-reporting templates, plus three ENISA publications (EUCC cryptographic mechanisms v3, competence requirements for CRA notified bodies, SBOM Adoption 2026), the AG KRITIS statement on the draft KRITIS-Verordnung, and Hungary's national first-audit deadline of 30 June 2026 (not an EU-wide deadline). On the registration portals, Portugal's MyCiber platform is now operational.
The completion certificate for the NIS 2 management course was reworked into a cover page with a module-grouped curriculum appendix. The identifier shown is now the learner's verified email address rather than a company name.
Two new entries on the NIS 2 timeline: Cyber Europe 2026 (ENISA, 10-11 June, first EU-wide test of the EU Cyber Blueprint with rail and maritime as the scenario) and the BSI-Magazin 2026/01 of 11 June with NIS-2 and BSIG as the cover feature. On the registration portals: Luxembourg's Act of 5 May 2026 sets a two-month self-registration window that closes 10 July 2026.
New public tool at /strukturanalyse: three universal steps walk from sector selection to a first description of the Informationsverbund per BSI-200-2. Complements the risk assessment and sets the foundation for later asset and Schutzbedarf layers.
New tool at /risikobewertung: a Schutzbedarfsfeststellung per BSI-200-2 that separates Schutzbedarf from Absicherungsvariante (Basis, Standard, Kern), documents damage scenarios per Grundwert, renders a radar view, and exports a PDF. Inputs are factual (sector, data categories, dependencies); mapping into a protection tier happens server-side.
Cleanup on the public marketing surfaces: tightened the homepage hero (dropped the fear line, accented NIS2 in colour), folded /pitch and /mission into /about with redirects, shared MarketingHero across six landing pages, and shipped 41 per-page Open Graph images for the highest-traffic routes.
New landing at /sicherheitsfragebogen with its own domain (sicherheitsfragebogen.de). Mirrors four sections and 59 questions from the schema, previews three sample questions live from the data format, and routes sign-in and the authenticated supplier portal back to nisd2.eu.
New wiki page on §30 BSIG (cybersecurity risk-management measures), linked to EU Implementing Regulation 2024/2690. The 27-country EU implementation tracker is now visible. In the supplier portal, 34 previously missing fields were filled in and a service-type sub-page added.
Platform admins can now create gap assessments on behalf of customers and share them via a password-protected URL. Adds a guided workflow for workshops and first calls alongside the self-service gap tool.
The full platform is now open source at github.com/NISD2/open-isms (AGPL-3.0). Eight packages are extracted into a workspace structure (schemas, UI, tRPC, training and content packages) including a reference app with docker-compose. The licence choice decouples compliance workloads from the hosting side and makes every change to the standard auditable.
Alongside the open-source release, a focused hardening pass: improvements to authentication, session revocation, audit logging, cron authentication, and secret scanning in CI. June also brought seven dependency security updates via Dependabot.
Several related changes: ten new per-country briefings (IT, ES, BE, SE, FI, DK, IE, PT, PL, CZ) and a 27-country EU implementation tracker under /wiki/zeit-und-status. Facts verified against primary sources (retsinformation.dk, finlex.fi, ISAP Sejm, NÚKIB, samsik.dk) and data corrections propagated through registration portals and the applicability check. Two new fundamentals pages (NIS 2 in five minutes for the management body, NIS 2 vs NIS 1) and a new Datenschutz-vs-Datensicherheit section in the CEO course (Lesson 1.1) plus parallel Article 33 GDPR reporting clock in Lesson 3.9. Wiki hub redesigned, wiki layout widened to match the navbar, search no longer shows scheduled-but-not-yet-live pages.
May 2026
Two new events on the NIS 2 timeline. ENISA published the third NIS360 report on 28 May 2026 assessing maturity and criticality across all Annex I sectors; eight sectors sit in the risk zone (including health, maritime, public administration). On 26 May 2026 the German Interior Ministry released the referral draft of the new Verordnung zur Bestimmung kritischer Anlagen (consultation deadline 16 June 2026).
The NIS 2 supplier questionnaire is now available as a public page at /nis2-lieferanten-fragebogen. It can be downloaded as PDF or DOCX and forwarded to suppliers with no sign-in required. Complements the supply-chain content page and the authenticated supplier portal.
Sign-ups using known disposable-email domains are silently rejected. The domain list is maintained from a public source, with a local override file for cases the external list does not yet cover. Cleans up the user base; existing accounts are unaffected.
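The check described above, as an added example that is not the platform's own code: a sign-up email is rejected when its mail domain, or any parent domain of it, appears in a public disposable-domain list or in a local block list, while a local allow list lets a specific domain through even when an upstream list matches. The domain lists below are constructed placeholders under the reserved `.example` TLD; a real deployment would load the public list from its upstream source and the override file from disk. The function only returns a verdict, so the caller can still answer the sign-up request with the same generic response either way.

```typescript
// Added example, not part of the platform. Disposable-email domain check with
// a public list plus a local override file (block and allow lists).

interface DomainPolicy {
  publicList: ReadonlySet<string>;  // maintained from a public source
  localBlock: ReadonlySet<string>;  // domains the public list does not cover yet
  localAllow: ReadonlySet<string>;  // exceptions, e.g. a partner on a listed domain
}

interface Verdict {
  allowed: boolean;
  reason?: "invalid" | "disposable";
  matched?: string; // which list entry caused the rejection
}

// Extract and normalise the domain part; null means the address is malformed.
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  let domain = email.slice(at + 1).trim().toLowerCase();
  if (domain.endsWith(".")) domain = domain.slice(0, -1); // strip trailing dot
  if (!/^[a-z0-9.-]+\.[a-z]{2,}$/.test(domain)) return null;
  return domain;
}

// "mx.tempmail.example" -> ["mx.tempmail.example", "tempmail.example"]
// Most-specific first, so a rule on a subdomain wins over a rule on its parent.
function parentDomains(domain: string): string[] {
  const labels = domain.split(".");
  const out: string[] = [];
  for (let i = 0; i < labels.length - 1; i++) out.push(labels.slice(i).join("."));
  return out;
}

function checkSignupEmail(email: string, policy: DomainPolicy): Verdict {
  const domain = emailDomain(email);
  if (!domain) return { allowed: false, reason: "invalid" };
  for (const candidate of parentDomains(domain)) {
    // At each level the allow list is consulted before the block lists.
    if (policy.localAllow.has(candidate)) return { allowed: true };
    if (policy.localBlock.has(candidate) || policy.publicList.has(candidate)) {
      return { allowed: false, reason: "disposable", matched: candidate };
    }
  }
  return { allowed: true };
}

// Constructed sample policy (placeholder domains, not real list contents).
const SAMPLE_POLICY: DomainPolicy = {
  publicList: new Set(["tempmail.example", "throwaway.example"]),
  localBlock: new Set(["not-yet-upstream.example"]),
  localAllow: new Set(["partner.tempmail.example"]),
};

// Stand-alone run: print verdicts for a few constructed addresses.
for (const addr of ["alice@corp.example", "bob@mx.tempmail.example", "dan@partner.tempmail.example"]) {
  console.log(addr, JSON.stringify(checkSignupEmail(addr, SAMPLE_POLICY)));
}
```

Matching parent domains matters because disposable providers often hand out addresses on throwaway subdomains; the allow list exists for the opposite case, where a legitimate partner happens to share a listed parent domain.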
Factual corrections across the public info pages following a footer fact-check, plus a clean-up of em-dashes across the DE and EN copy. Pure readability and accuracy work; no new claims.
Updated entries for the Dutch Cyberbeveiligingswet (Eerste Kamer phase), Luxembourg's NIS 2 Act of 5 May 2026, and the Commission's CJEU referral of 7 member states for failure to transpose the CER Directive. National portal list brought up to verified state.
The pricing page is live. Two options: the platform stays free and open source, plus a one-off EUR 10k lifetime sovereign tier for organisations that need a self-hosted licence with source handover. No artificial tier ladders or comparison-table padding.
Inside the portal, routine dialogs (risk scale, asset linking, supplier requests) are now side sheets instead of modals. Page headers stick on scroll, cards and tables have subtle shadow and motion, and forms have been polished. A bug that exposed the literal [categorySlug] in breadcrumbs is fixed.
Compliance requirements that mandate management training (e.g. §38(3) BSIG, NIS 2 Art 20) now surface a direct CTA to the free CEO course as an immediately available solution.
Four new public pages document security posture, system status, sub-processors, and the platform's trust model. The status page intentionally avoids fabricated uptime numbers and instead describes the actual operating reality. A security.txt is now served under /.well-known/security.txt.
The public GRC data-model package now includes the six mandatory ISMS clauses (4-10) and Annex A as structured requirements, plus seven satisfaction pairs against NIS 2 and GDPR. The model can now serve as a shared substrate for multi-framework compliance.
Two new entries in the regulatory timeline. On 19 May 2026 the European Commission published its draft Guidelines on the classification of high-risk AI systems under Article 6 of the AI Act; consultation runs until 23 June 2026, and the guidelines clarify that critical-infrastructure high-risk classification is triggered by a CER (Directive 2022/2557) designation, not by NIS 2 essential-entity status. The BMI/BKA Bundeslagebild Cybercrime 2025 from 12 May 2026 was also added (about 335,000 cases and EUR 202.4 billion in economic damage), providing the political backdrop for the BSI's emerging NIS 2 audit phase.
Three new entries in the regulatory timeline. On 13 May 2026 the BSI–Mecklenburg-Vorpommern cybersecurity cooperation was added (the BSI now cooperates with twelve federal states). The BSI Geschäftsleitungs-Schulung guidance v1.0 (published 17 April 2026) was backfilled — it sets the supervisor's expectations for §38(3) BSIG management training organisation, content, and self-check. On 19 May 2026 the Dutch Senate (Eerste Kamer) opened the written input phase on the Cyberbeveiligingswet (NIS 2 transposition).
An 8-lesson tabletop exercise for management bodies covering the typical NIS 2 decisions during a crisis: ransomware entry, customer notification under §35 BSIG, the 24-hour early warning, supply-chain impact, and recovery. Available in German and English.
A new free course on the Cyber Resilience Act (Regulation 2024/2847) with focus on Software Bill of Materials (SBOM) — requirements, formats (SPDX, CycloneDX), and manufacturer obligations for digital products. The course library now also includes a course switcher so multiple courses are accessible side by side.
A new public page compares 145 GRC/ISMS platforms for the European market — pricing, category (SMB, mid-market, enterprise), regional availability, open-source status, and data-export portability. The dataset is the result of six weeks of market research; each entry links to the vendor's own page so claims remain verifiable.
Every NIS 2 requirement in the compliance portal now carries a structured reference to the relevant Annex passage of EU Implementing Regulation 2024/2690 (CIR). Auditors and compliance advisors can navigate directly from a requirement to its EU legal source.
Three new entries in the regulatory timeline. On 7 May 2026 BSI and the Federal Ministry for Transport published the first joint report on IT security of public EV charging infrastructure, sitting at the intersection of the NIS 2 transport and energy sectors. On 11 May the BSI Cybersecurity Monitor 2026 was released with consumer survey data. On 12 May BSI and Italy's ACN co-published the G7 minimum-elements guideline "SBOM for AI", directly relevant to the NIS 2 supply-chain duty under Art 21(2)(d) and to the AI Act compliance pathway.
Learners enrolled in the free CEO course now receive a single daily bundled reminder of open lessons, each followed by a short comprehension question. The reminder series can be unsubscribed per course; separate opt-outs cover the daily deadline emails and the weekly compliance digest. Every transactional email now carries a visible unsubscribe link.
Two regulatory timeline additions. Luxembourg transposed NIS 2 via the Act of 5 May 2026, in force since 10 May 2026, with the ILR self-registration portal live. On 29 April 2026 the European Commission referred Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain and Sweden to the CJEU for failing to transpose CER, requesting financial sanctions. First major CJEU enforcement action under the CER/NIS 2 package.
NIS 2 content pages now consistently use the EU directive terminology ("wesentliche Einrichtungen", "essential entities", "essentiële entiteiten") rather than the BSIG transposition wording ("besonders wichtige Einrichtungen"). The BSIG term remains as a cross-reference in the glossary and the EU-vs-BSIG terminology table.
Signing off a requirement now automatically credits every linked requirement across NIS 2, GDPR, EU AI Act, and Cyber Resilience Act whose evidence shares the same underlying artefact (same incident record, same supplier register, same risk methodology). 16 pairs are tagged 'equivalent' and chain transitively; 22 'overlapping' pairs grant credit one hop only.
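The credit-propagation rule described above, as an added example rather than the platform's own code: pairs tagged `equivalent` are followed transitively (a breadth-first closure over equivalent edges), pairs tagged `overlapping` grant credit for one hop only and are never chained. One assumption is made explicit in the code: the one-hop overlap is taken from every requirement in the equivalence class of the signed-off requirement, not just from the signed-off requirement itself, on the reasoning that equivalent requirements share the same artefact. The requirement identifiers and pairs are constructed placeholders, not the platform's real requirement keys.

```typescript
// Added example, not part of the platform. Propagates sign-off credit across
// frameworks through 'equivalent' (transitive) and 'overlapping' (one hop) pairs.

type PairKind = "equivalent" | "overlapping";

interface SatisfactionPair {
  a: string;      // requirement id, e.g. "nis2:incident-reporting" (placeholder)
  b: string;
  kind: PairKind; // pairs are symmetric: credit flows in both directions
}

interface Edge { to: string; kind: PairKind }

function buildAdjacency(pairs: SatisfactionPair[]): Map<string, Edge[]> {
  const adj = new Map<string, Edge[]>();
  const add = (from: string, to: string, kind: PairKind) => {
    if (!adj.has(from)) adj.set(from, []);
    adj.get(from)!.push({ to, kind });
  };
  for (const p of pairs) { add(p.a, p.b, p.kind); add(p.b, p.a, p.kind); }
  return adj;
}

// Returns every other requirement credited by signing off `signedOff`, sorted.
function creditedBy(signedOff: string, pairs: SatisfactionPair[]): string[] {
  const adj = buildAdjacency(pairs);

  // 1. Equivalence class: BFS over 'equivalent' edges only (transitive).
  const equivalent = new Set<string>([signedOff]);
  const queue: string[] = [signedOff];
  while (queue.length > 0) {
    const cur = queue.shift()!;
    for (const e of adj.get(cur) ?? []) {
      if (e.kind === "equivalent" && !equivalent.has(e.to)) {
        equivalent.add(e.to);
        queue.push(e.to);
      }
    }
  }

  // 2. One hop over 'overlapping' edges from each member of the class
  //    (assumption: overlap is measured from the whole class). The overlapping
  //    neighbour is credited but its own edges are not followed.
  const credited = new Set<string>();
  equivalent.forEach((member) => {
    credited.add(member);
    for (const e of adj.get(member) ?? []) {
      if (e.kind === "overlapping") credited.add(e.to);
    }
  });
  credited.delete(signedOff);
  return Array.from(credited).sort();
}

// Constructed sample pairs with placeholder identifiers.
const SAMPLE_PAIRS: SatisfactionPair[] = [
  { a: "nis2:incident-reporting", b: "gdpr:art33-breach-notification", kind: "equivalent" },
  { a: "gdpr:art33-breach-notification", b: "ai_act:serious-incident-reporting", kind: "equivalent" },
  { a: "nis2:incident-reporting", b: "cra:vuln-reporting", kind: "overlapping" },
  { a: "cra:vuln-reporting", b: "cra:sbom", kind: "overlapping" },        // second hop: must not be credited
  { a: "ai_act:serious-incident-reporting", b: "gdpr:art34-communication", kind: "overlapping" },
  { a: "nis2:supplier-register", b: "gdpr:art28-processors", kind: "equivalent" },
];

// Stand-alone run: signing off the NIS 2 incident-reporting requirement.
console.log(creditedBy("nis2:incident-reporting", SAMPLE_PAIRS));
```

The separation matters for audit trails: an `equivalent` chain means the same artefact literally proves each requirement, whereas an `overlapping` pair only partially shares evidence, so letting overlap accumulate across several hops would credit requirements that no single artefact supports.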
The compliance portal now covers four EU frameworks: NIS 2, GDPR, EU AI Act (10 categories, 24 requirements anchored to Regulation 2024/1689), and EU Cyber Resilience Act (10 categories, 21 requirements anchored to Regulation 2024/2847). 27 cross-framework satisfaction pairs link related obligations so a single sign-off can satisfy multiple regimes at once.
On 7 May 2026 the Council of the EU and the European Parliament reached provisional political agreement on the AI Act Digital Omnibus. Annex III high-risk obligations delayed to 2 December 2027, Annex I embedded high-risk to 2 August 2028, watermarking under Art 50(2) deferred to 2 December 2026. New Art 5 prohibition on AI generating non-consensual intimate imagery and CSAM. Tracked in the regulatory timeline.
The public /nis2-meldepflicht page now documents the complete Article 23 NIS 2 reporting cascade as five distinct stages: 24-hour early warning, 72-hour incident notification, intermediate report on request, 1-month final report, and progress report when the incident is still ongoing. Each stage cites its directive article.
Public info pages now use locale-specific path slugs routed through next-intl's pathnames feature. Sitemap and hreflang headers are emitted automatically so search engines index the correct URL per locale. No action required from existing users.
On 4 May 2026, BSI together with CISO Bund and the Federal Ministry for Digital Affairs and State Modernization launched CyberGovSecure — the cross-departmental framework to implement NIS 2 cybersecurity measures across all German federal authorities. Tracked in the regulatory timeline.
The `asset_supplier_offering` table and `asset_service_type` enum (saas / on_prem / pro_services / managed) now live in the OSS package alongside `asset` and `supplier`. They previously sat in the app repo even though they hold foreign keys into two package tables. Pure code relocation, zero database migration diff.
New reference page at /nis2-documents lists the documents and records NIS 2 (Directive 2022/2555) and Implementing Regulation 2024/2690 require — with article reference, CIR annex section, and the platform module that maintains the document as live data. 42 documents across 14 topic areas.
The GRC data layer (49 NIS 2 requirements, 7 GDPR requirements, 11 cross-framework pairs, Drizzle schemas for suppliers / assets / risks / incidents) is now a standalone MIT-licensed package on GitHub and npm. REFERENCE.md surfaces every entry, every pair, every mapping in one document. The platform itself uses the same package.
The platform now covers GDPR alongside NIS 2. 11 GDPR↔NIS 2 satisfaction pairs are wired: a sign-off on a NIS 2 requirement automatically closes the overlapping GDPR requirement (or vice versa). GDPR sidebar groups, Art. 28 fields on supplier / asset / incident, and seeded onboarding data are included.
Five high-impression pages (penalties, incident reporting, registration, missed registration, NIS 2 in Germany) were retitled with sharper queries — no more brand suffix. New: /llms.txt listing core content for LLM crawlers, complemented by Article / Breadcrumb / FAQ JSON-LD on key info pages.
The language switcher inside the training portal stopped persisting locale on some routes. Fixed.
April 2026
New public page at /training/nis2-ceo/outline shows all 47 lessons with module structure and time estimates — no account or OAuth required. Indexed in the sitemap for both locales.
New one-pager at /5-schritte (DE) and /5-steps (EN): the five NIS2 duties a managing director cannot personally delegate, in order. Step 4 links straight to the gap assessment.
The self-attestation was replaced with direct links to the relevant national authority for DE, AT, BE, FR, IT, and NL. We no longer claim whether a company falls under NIS2 — only the authority answers that bindingly.
Internal security review completed. Hardening applied across authenticated endpoints, the account-creation flow, and content loaders. No customer action required.
New /status page publicly shows platform status and past incidents.
Standard disclosure endpoint at /.well-known/security.txt for security researchers: contact, preferred languages, canonical URL, expiry.
Two repositories under github.com/NISD2: nis2-gap-assessment-schema (116 questions, 15 domains, Zod schema with scoring logic) and nis2-supply-chain-questionnaire-schema (56 fields, 6 sections). Dual-licensed (MIT for code, CC BY 4.0 for content). Every question and field is anchored to a specific legal source.
New /changelog page documents visible changes to the platform, course, and compliance documents - curated, not every commit. Filterable by category (product, content, course, compliance, regulatory) with monthly headers.
Landing page now shows the full NIS2 fine ceiling: up to €10M or 2% of global group turnover, whichever is higher. Previously only the €10M figure was shown.
New public documents at /avv and /toms. Audit log now captures IP address and user agent on every authenticated mutation. AWS S3 sets AES256 server-side encryption explicitly on every upload. Dependabot is enabled. Impressum extended with EUID, § 18(2) MStV responsibility, and EU online dispute resolution.
Landing page now shows the full EU legal chain as badges: NIS2 directive → BSIG → CIR 2024/2690 → IT-Grundschutz. New /corrections page publicly documents when we correct content — transparency over silent edits.
Dedicated /about page with managing director Simon Orzel and COO Cory Sales. Clear responsibilities and backgrounds — visible in the top navigation.
The NIS2 CEO course is now also available in Dutch — complete translation of all 47 lessons.
Full German localisation of the CEO course: 329 dictionary terms, 47 lesson titles, 45 quizzes — with proper umlauts, BSIG terminology, and article format.
Public NIS2 gap assessment with 116 structured questions across 15 domains, designed for a 5-day completion. PDF export of results available.
Dutch NIS2 transposition tracked in /nis2-timeline. Also: ENISA NCAF 2.0 update and NL registration portal status refreshed.
Consolidated overview of all national NIS2 registration portals across the EU with status, direct links, and per-country instructions.
CEO course participants receive a citable HTML certificate on completion, printable as PDF.
CIR badge replaced with BSIG § 30 + IT-Grundschutz on the landing page — more precise anchoring in the German transposition.
February 2026
Requirements can now be satisfied through operational modules (asset inventory, risk register, suppliers, incidents) rather than separate forms — the platform itself is the evidence.