For managing directors

NIS2 Roadmap for managing directors

The prioritised steps. Your personal time: ~3 hours per year: everything else is delegable.

Simon OrzelSimon Orzel·Continuously reviewed
The whole path, in the platform

You do not have to work through the steps by hand. The free platform guides you through exactly this roadmap, drafts most of the evidence for you, and keeps sign-offs and deadlines in view. You review and approve. Open source, no lock-in.

Start in the platform
Before you read further Are you actually in scope of NIS2? The 2-minute check is free, no login.
Check applicability

The roadmap

1
Check applicabilitydelegable

Check thresholds (employees, revenue, sector) to confirm whether your entity is classified as 'essential' or 'important'.

Owner: Managing director
§28 BSIG2 minutesnow2-minute check, no login
2
Register with your national NIS2 authoritydelegable

You register with the NIS2 authority of every EU Member State you operate in: not only Germany. 'Operate in' means physical establishment: your own company, a branch, an office, or your own employees on the ground in that country. Cross-border sales alone do not count. Example: a German GmbH with a Vienna office registers with the BSI (DE) and the NIS-Stelle (AT).

Owner: IT lead files, managing director signs
NIS2 Art. 27 · §33 BSIG (DE)~1 hour per country + national identity setup (e.g. ELSTER in DE: 5 to 10 working days)National deadlines apply: DE: 06.03.2026 passed; obligation continuesSee authorities by country
3
Complete the management trainingpersonal · non-delegable

The one obligation that cannot be delegated. Demonstrate sufficient knowledge of cybersecurity risk management.

Owner: Managing director, personally
§38(3) BSIG~2 hours initial · annual refresh recommendedbefore first auditStart the free MD course
4
Asset inventory and risk registerdelegable

Complete list of the systems, applications, and data your operations depend on: and the risks against each. Both are the foundation for every other NIS2 obligation and the first thing an auditor asks to see. In the NISD2 platform, your IT lead and CISO build and maintain the inventory and risk register, and the incident reporting workflow (24h / 72h / 1 month under §32 BSIG) is wired in automatically.

Owner: IT lead produces, managing director signs (§38(1) BSIG)
§30(2) BSIG · NIS2 Art. 21(2)(a)~1 day initial pass · maintained ongoing, signed off yearlyQ1Build asset and risk register in the platform
5
Supplier inventory and supplier risk managementdelegable

Inventory of your direct suppliers, linked to your asset register (which supplier runs which system). Continuous cybersecurity risk management: not a one-shot questionnaire: per-supplier security posture, incident notifications received via their supplier portal, risk scoring. The platform ships with the NIS2-anchored standard questionnaire (open source, MIT + CC BY 4.0) and maintains the inventory.

Owner: Procurement / IT produces, managing director signs
§30(2)(4) BSIG · NIS2 Art. 21(2)(d)~½ day initial pass · maintained ongoingQ1 to Q2Build supplier inventory in the platform
6
Implement the rest of NIS2delegable

The ten measure areas under NIS2 Art. 21: incident handling, business continuity (backups, recovery), training, access control, cryptography, vulnerability and patch management, network security, monitoring, supplier contracts, communications. The platform covers all ten with templates, automatic evidence capture, and a full audit trail; you sign off the annual summary.

Owner: IT lead / CISO implements, managing director signs off yearly
§30(2) Nr. 1 to 10 BSIG · NIS2 Art. 21ongoing, alongside normal IT workQ2 onwardsSee platform features
Your personal minimum
  • 1× training (~2 hours, one-time)
  • 5× document sign-offs (~40 minutes total)
  • Annual refresh recommended

Total: ~3 hours per year.

Everything else is handled by your IT lead or CISO.

Ready to run it as a guided journey?
Start in the platform
Prefer a human to guide you? You now know the steps. If you would rather not run the implementation alone, we go through it with you. A 30-minute call once a week, point by point, you stay in control. No lock-in.
See guided implementation

This page is structured guidance based on NIS2, BSIG, CIR 2024/2690, and ENISA TIG. It does not constitute legal advice. Your IT lead or CISO handles the operational work.

Sources and transparency
NIS2 Directive (EU) 2022/2555 · BSIG (as of 06.12.2025) · CIR 2024/2690 · ENISA Technical Implementation Guidance v1.0
Open-source tooling (MIT + CC BY 4.0) · Hosted in Germany · GDPR-compliant