NIS2 Roadmap for managing directors
The prioritised steps. Your personal time: ~3 hours per year: everything else is delegable.
You do not have to work through the steps by hand. The free platform guides you through exactly this roadmap, drafts most of the evidence for you, and keeps sign-offs and deadlines in view. You review and approve. Open source, no lock-in.
The roadmap
Check thresholds (employees, revenue, sector) to confirm whether your entity is classified as 'essential' or 'important'.
You register with the NIS2 authority of every EU Member State you operate in: not only Germany. 'Operate in' means physical establishment: your own company, a branch, an office, or your own employees on the ground in that country. Cross-border sales alone do not count. Example: a German GmbH with a Vienna office registers with the BSI (DE) and the NIS-Stelle (AT).
The one obligation that cannot be delegated. Demonstrate sufficient knowledge of cybersecurity risk management.
Complete list of the systems, applications, and data your operations depend on: and the risks against each. Both are the foundation for every other NIS2 obligation and the first thing an auditor asks to see. In the NISD2 platform, your IT lead and CISO build and maintain the inventory and risk register, and the incident reporting workflow (24h / 72h / 1 month under §32 BSIG) is wired in automatically.
Inventory of your direct suppliers, linked to your asset register (which supplier runs which system). Continuous cybersecurity risk management: not a one-shot questionnaire: per-supplier security posture, incident notifications received via their supplier portal, risk scoring. The platform ships with the NIS2-anchored standard questionnaire (open source, MIT + CC BY 4.0) and maintains the inventory.
The ten measure areas under NIS2 Art. 21: incident handling, business continuity (backups, recovery), training, access control, cryptography, vulnerability and patch management, network security, monitoring, supplier contracts, communications. The platform covers all ten with templates, automatic evidence capture, and a full audit trail; you sign off the annual summary.
- 1× training (~2 hours, one-time)
- 5× document sign-offs (~40 minutes total)
- Annual refresh recommended
Total: ~3 hours per year.
Everything else is handled by your IT lead or CISO.
This page is structured guidance based on NIS2, BSIG, CIR 2024/2690, and ENISA TIG. It does not constitute legal advice. Your IT lead or CISO handles the operational work.