In force since 6 December 2025

NIS2 Compliance Kit

72 ready-to-use documents for the complete NIS2 implementation. Aligned with § 30 BSIG (10 mandatory measure categories) and § 38 BSIG (management training + personal liability). DACH-specific.

Automatically personalised · One-time payment, no subscription · Instant download by email

72 documents · DE+EN (two languages) · 50 quiz questions

Concrete risks & enforcement practice

Personal management liability

§ 38 BSIG: management bodies must approve the cybersecurity risk-management measures and oversee their implementation. For breaches of this duty, § 38(2) BSIG refers to the liability rules of corporate law (§ 43 GmbHG / § 93 AktG), so the entity can take recourse against a director's private assets. Waiver or settlement of such claims is restricted for 3 years under corporate law (§ 93(4) AktG).

24h/72h reporting duty

24-hour early warning, 72-hour incident notification, final report within one month. The deadlines run from the moment the entity becomes aware of a significant incident.

Fines up to EUR 10 million

Essential entities: up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher (important entities: up to EUR 7 million or 1.4%).

All 10 § 30 BSIG mandatory measure categories — covered

Scope & BSI Registration

Scope assessment, sector classification (18 sectors), group structure analysis, DORA/NIS2 demarcation, BSI registration form template.

Governance & § 38 BSIG Liability

Management body resolution, liability briefing (§ 38 para. 2 BSIG: internal liability via § 43 GmbHG / § 93 AktG; waiver/settlement subject to 3-year statutory period under corporate law), training plan, RACI matrix, CISO quarterly report.

Risk Management & ISMS

Information security policy, risk methodology, risk register, risk treatment plan. Compatible with ISO 27001 and BSI Grundschutz.

Incident Response (§ 32 BSIG)

Incident response policy + playbook, 24h early warning, 72h notification, intermediate & final reports, significant incident classification (Art. 23(3) NIS2 criteria; numeric thresholds per EU IR 2024/2690 for the digital-infrastructure and digital-provider entity types it covers).

Business Continuity & Crisis

BCP, backup & recovery, disaster recovery, crisis management & communication.

Supply Chain Security

Vendor questionnaire, scoring, contract clauses (cybersecurity).

Secure Development & Vulnerability

Secure development policy, vulnerability management, vulnerability disclosure (CVD).

Cyber Hygiene & Training

Cyber hygiene policy, employee training programme, phishing awareness, password & MFA hygiene.

Cryptography & Access

Cryptography policy, IAM, MFA policy, asset inventory, secure communication, emergency communication.

Audit & Evidence

Audit checklist, SoA, evidence inventory, compliance dashboard, audit simulation, pentest RFP, ISO 27001 mapping, BSI Grundschutz mapping.

3 steps to your kit

1. Fill out the order form

Company details, VAT ID (optional, for reverse-charge), select your tier. You receive an immediate order confirmation by email.

2. Invoice & bank transfer

Within 24 hours (business days) you receive a proper invoice. Payment term 14 days by bank transfer. For EU B2B with valid VAT ID: reverse-charge.

3. Download by email

Once payment is received, you get a signed download link to all personalised templates. Link valid for 7 days, extendable once.

Choose your tier

Purchase as a business under § 1 KSchG / § 14 BGB. By clicking "Order" you accept our Terms and Privacy Policy.

Basis: compliance documentation kit
EUR 990, one-time, no subscription
  • 72 editable templates
  • Personalised with your company name
  • Buy once, always up-to-date
  • 60-day money-back guarantee*
  • License for buyer + corporate group (§ 15 AktG)

Complete: documentation + training + trainer materials
EUR 1,490, one-time, no subscription
  • 72 editable templates
  • Personalised with your company name
  • Buy once, always up-to-date
  • 60-day money-back guarantee*
  • License for buyer + corporate group (§ 15 AktG)
  • E-learning module (employee training)
  • Trainer pack (PowerPoint + trainer materials for in-house training)
Automatically personalised

All documents are pre-filled with your company name and license ID. Download link via email.

✓ Instant download

Multi-company license for corporate groups

Multiple independent sister companies without group affiliation (§ 15 AktG)? +50% surcharge extends the license to 3 companies in total (main customer + 2 sister companies).

Example: Plus 1,290 EUR × 1.50 = 1,935 EUR. Choose the multi-company license at checkout. Details in our Terms § 6.

Note: Templates are based on current case law and source-verified before delivery. Customisation to your specific company situation and final legal review are recommended. 60-day money-back guarantee* per Terms § 8.

What we stand for

60 days

Money-back guarantee

If a template is provably legally incorrect, we refund the full purchase price. Conditions in Terms § 8.

Buy once

Always current

Updates without time limit within the major version: new regulatory guidelines, CJEU rulings, known follow-up phases of a regulation. Terms § 7.

DACH sources

Source-based + documented

Every document is based on EU regulatory text, BfDI/DSK/BSI/EDPB guidelines, and supreme court case law — the as-of date is noted in each document.

Frequently asked questions

Is my company affected by NIS2? Which sectors?

Essential entity (large enterprise in a sector of high criticality): ≥ 250 employees, or annual turnover > EUR 50 million and balance sheet total > EUR 43 million. Fine up to EUR 10 million or 2% of worldwide annual turnover.

Important entity (medium-sized enterprise upwards): ≥ 50 employees, or annual turnover > EUR 10 million and balance sheet total > EUR 10 million. Fine up to EUR 7 million or 1.4%.

Size and sector combine: only large enterprises in the Annex I sectors are essential entities; medium-sized enterprises in Annex I sectors and medium or large enterprises in Annex II sectors are important entities.

The 18 sectors:

  • Sectors of high criticality (Annex I): Energy · Transport · Banking · Financial market infrastructure · Health · Drinking water · Wastewater · Digital infrastructure (DNS, TLD, cloud, data centres, internet exchange points, CDN, trust services) · ICT service management (B2B) · Public administration · Space
  • Other critical sectors (Annex II): Postal/courier · Waste management · Chemicals · Food production/trade · Manufacturing (medical devices, computer/electronics, machinery, vehicles, other transport) · Digital providers (marketplaces, search engines, social networks) · Research

Also covered: companies that are the sole provider of an essential service or critical for other entities — regardless of size. Quick check with our NIS2 readiness check.

Which tier fits me: Basis, Plus or Complete?

Basis (EUR 990 net) — You have internal compliance staff (DPO/CISO/HR lead) who can adapt and implement all documents themselves. No employee e-learning required.

Plus (EUR 1,290 net) — most popular — You want to train employees interactively (e.g. to fulfil the AI literacy obligation under Art. 4 EU AI Act or the Section 12 AGG protective measures for the liability privilege). Includes a ready-made e-learning module with quiz and attendance certificate.

Complete (EUR 1,490 net) — You want to run the trainings internally and repeatedly (e.g. for new hires) without booking an external trainer every time. Additionally includes the Trainer Pack: PowerPoint slides with notes, trainer handbook and quiz pool.

What is included in the kit?

72 editable templates covering the full NIS2 / BSIG cybersecurity scope: ISMS handbook (§ 30 BSIG), risk management framework, incident-response playbook (24h / 72h / 1-month staged report under § 32 BSIG), supply-chain risk register, business continuity plan, encryption / MFA policies, access control matrix, awareness training programme, executive liability evidence pack (§ 38 BSIG).

Can I keep the templates forever?

Yes. After purchase you receive a download link containing all personalised professional templates. The files belong to you completely — you can store, integrate, edit and archive them. No cloud dependency, no per-device license activation, no internet connection required for use.

What does "buy once, always up-to-date" mean?

You receive all updates of the kit as long as the kit is maintained in its current major version. Updates arrive when authorities (BSI, ENISA) publish new guidance, new case law is published, or known follow-up phases of a regulation kick in. If a substantially new regulation supersedes the existing one, a new major version emerges — existing customers receive a 50% discount. Details in Terms § 7.

What does the 60-day money-back guarantee cover?

If a template content is provably legally incorrect (proven by a lawyer's letter or authority statement), we refund the purchase price. Deadline: 60 days from delivery. Details in Terms § 8.

Am I covered by NIS2?

NIS2 covers the sectors of high criticality (KRITIS, energy, water, transport, finance, health, digital infrastructure, B2B ICT service management, public administration, space) and the other critical sectors (postal, waste, chemicals, food, manufacturing, digital providers, research). Size thresholds: ≥ 50 employees, or turnover and balance sheet total each > EUR 10 million, for important entities; ≥ 250 employees, or turnover > EUR 50 million and balance sheet total > EUR 43 million, for essential entities. § 30 BSIG (DE) has been in force since 6 December 2025. Sub-threshold companies are frequently reached indirectly: their NIS2-regulated customers must manage supply-chain risk (Art. 21(2)(d)) and pass security requirements down by contract.

What are the executive liability risks?

§ 38 BSIG: management bodies are personally liable for cybersecurity risk management. They must approve risk-management measures, oversee implementation, and undergo training. Fines: up to EUR 10 million or 2% of worldwide turnover for essential entities, EUR 7 million or 1.4% for important entities.

What about incident reporting deadlines?

Three-stage report under § 32 BSIG / Art. 23 NIS2: early warning within 24 hours of becoming aware, incident notification with an initial assessment within 72 hours, and a final report (root cause, mitigation, cross-border impact) no later than one month after the 72-hour notification; if the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident is handled. The kit includes a ready-to-use incident-response playbook and BSI report templates.

Does ISO 27001 cover NIS2?

ISO 27001 covers a large part of the Art. 21 NIS2 / § 30 BSIG technical and organisational measures. NIS2-specific requirements that go beyond an ISO 27001 certificate: the statutory incident reporting workflows and deadlines, supply-chain risk management to the depth of Art. 21(2)(d) (ISO 27001:2022 has supplier controls, but not the sector-specific risk assessments NIS2 anticipates), the executive approval and training duty (§ 38 BSIG), and registration in the BSI register (§ 33 BSIG). Mapping workbook included.

Are subsidiaries automatically in scope?

Not automatically, but under group consolidation: the employee and turnover thresholds apply group-wide (§ 28(4) BSIG). Result: many subsidiary GmbHs qualify as "important entities" even if they would fall below 50 employees on a stand-alone basis. A separate BSI registration is required for each affected unit.

Is MFA mandatory everywhere?

Yes, in practice. § 30(2) No. 10 BSIG lists "multi-factor authentication or continuous authentication solutions" among the mandatory measure categories, and § 30(1) requires every measure to be proportionate to the risk. BSI recommendation: all administrator accounts and all external access paths (VPN, cloud, remote administration) protected by MFA. For a pure office workstation with no remote access and no elevated privileges, a documented risk-based justification for a weaker factor is defensible; an undocumented exception is not.

How often must management bodies be trained?

BSIG does not specify a frequency. BSI recommendation (Management Body Guidance 2024): upon appointment plus an annual refresher. Industry practice: semi-annual training for management of essential entities, annual for important entities. Online training with a knowledge test and certificate is the usual way to evidence the § 38(3) BSIG training duty; the law prescribes neither form nor frequency, only that the training gives the management body sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.

24-hour early warning — in what form?

An early warning submitted to the BSI via the "Mein Unternehmenskonto" portal within 24 hours of becoming aware of a significant incident. Contents: the initial assessment only, i.e. whether the incident is suspected to stem from unlawful or malicious acts and whether it could have a cross-border impact; the full analysis follows in the 72-hour notification. Whether an incident is "significant" follows the Art. 23(3) NIS2 criteria; for the digital-infrastructure and digital-provider entity types covered by Commission Implementing Regulation (EU) 2024/2690, the numeric thresholds (number of affected users, financial loss, duration, etc.) are spelled out there.

IT outsourced — still subject to NIS2 obligations?

Yes. The client remains fully responsible for its own compliance. Mandatory: supply-chain security under § 30(2) No. 4 BSIG, i.e. contractual cybersecurity clauses, incident notification by the service provider to the client fast enough for the client to meet its own 24-hour early-warning deadline, and a right to audit. Cloud providers are separately subject to NIS2 (with their own BSI registration).

Which contract clauses do we need with IT service providers?

At minimum: incident notification (pass-through of the 24-hour duty, with a named contact path and a maximum notification time), right to audit and to commission penetration tests, minimum security standards the provider must maintain, and an emergency contact interface available outside business hours. BSI has published model clauses in the NIS2 guidance document "Cybersecurity in the Supply Chain".

NIS2 vs. ISO 27001 vs. TISAX?

Three different regimes: NIS2 is a statutory obligation (BSIG); ISO 27001 is a voluntary certification (international standard); TISAX is an automotive-sector special standard. Overlap: ISO 27001 and TISAX cover many NIS2 requirements. Mapping: the NIS2 Kit includes a crosswalk table.

NIS2 vs. DORA — what applies to banks?

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is lex specialis for financial entities: where DORA applies, its ICT risk-management and incident-reporting rules replace the corresponding NIS2 obligations (Art. 4 NIS2 Directive, Art. 1(2) DORA). Practice: banks, insurers, payment service providers → DORA. Non-financial subsidiaries of a banking group → possibly NIS2.

Fines also without an actual incident?

Yes, possible. Sanctioned offences are breaches of duty — missing risk management measures under § 30 BSIG, missing management body approval under § 38, missing registration. Even without concrete damage. BSI supervises on a non-event-triggered basis.

Fines against managing directors personally?

Administrative fines are imposed on the entity. However: § 38(2) BSIG refers to the corporate-law rules (§ 43 GmbHG / § 93 AktG) for the management body's internal personal liability towards the entity. If the company pays a fine and the breach of duty is attributable to the managing director, the company may seek recourse against the director's private assets under corporate law. D&O insurance does not necessarily respond in cases of gross negligence.

Is an external audit mandatory?

§ 30(2) No. 6 BSIG requires "concepts and procedures for assessing the effectiveness" of the measures. An external audit or certification is not strictly mandatory for most entities (operators of critical installations keep their separate periodic proof obligation), but it is practically useful as evidence. ISO 27001 certification covers a large part of the requirements. A penetration test is not explicitly written into the law, but it is a BSI recommendation and the usual way to evidence the effectiveness of technical controls.

Logs — how long must they be retained?

BSIG does not specify a concrete retention period. Industry standard: minimum 12 months, 36 months in case of incidents. Note the GDPR conflict: logs containing personal data are subject to Art. 5(1)(e) GDPR (storage limitation). Anonymisation/pseudonymisation is recommended for long-term retention.
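As an added example (not part of the kit or of this page), the pseudonymisation the answer recommends, in Python: usernames and client IPs in the constructed log lines below are replaced by HMAC-SHA256 tokens under a secret key (a hypothetical key here; in production it comes from a secrets manager or HSM). The same actor keeps the same token for as long as the key exists, so 36-month incident correlation still works; destroying the key at the end of the retention period turns the archive into anonymised data. The two log formats and the regular expressions that locate usernames in them are assumptions for the example.

```python
"""Keyed pseudonymisation of personal data in security logs (example).

Usernames and client IPs are replaced by HMAC-SHA256 tokens under a
secret key. Tokens are deterministic, so "same actor across the archive"
correlation survives; without the key the tokens cannot be reversed, and
destroying the key at the end of the retention period anonymises the
archive.
"""
import hashlib
import hmac
import re

# Hypothetical key for the example; in production load it from a secrets
# manager / HSM, keep it for the retention window, then destroy it.
PSEUDONYM_KEY = bytes.fromhex("2a" * 32)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Where usernames sit in the two constructed log formats used below.
USER_RES = [
    re.compile(r"(?<=\bfor )[A-Za-z0-9._-]+(?= from\b)"),  # sshd: "for alice from"
    re.compile(r"(?<=\buser=)[A-Za-z0-9._-]+"),            # app:  "user=alice"
]
# Shape of the tokens this module emits; used to make a second pass a no-op.
TOKEN_RE = re.compile(r"^(?:user|ip)_[0-9a-f]{16}$")


def pseudonym(value: str, key: bytes, kind: str) -> str:
    """Deterministic token for one identifier. `kind` is a domain separator,
    so a username and an IP with identical text never share a token."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{mac[:16]}"


def _replacer(kind: str, key: bytes):
    def sub(m: re.Match) -> str:
        value = m.group(0)
        # Already a token (file processed before): leave it unchanged.
        return value if TOKEN_RE.match(value) else pseudonym(value, key, kind)
    return sub


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace usernames first, then IPs; tokens contain no dots, so the
    IP pattern cannot re-match a username token."""
    for pat in USER_RES:
        line = pat.sub(_replacer("user", key), line)
    return IPV4_RE.sub(_replacer("ip", key), line)


def pseudonymise_log(lines, key: bytes):
    return [pseudonymise_line(line, key) for line in lines]


def raw_identifiers(line: str):
    """Identifiers still in clear text; run this before archiving a batch.
    A non-empty result means a log format the patterns above do not cover."""
    found = [m.group(0) for m in IPV4_RE.finditer(line)]
    for pat in USER_RES:
        found += [m.group(0) for m in pat.finditer(line)
                  if not TOKEN_RE.match(m.group(0))]
    return found


# Constructed sample lines (documentation IP ranges, fictional users).
SAMPLE_LOG = [
    "2025-12-06T10:15:02Z sshd[1234]: Accepted publickey for alice from 203.0.113.42 port 51234",
    "2025-12-06T10:15:09Z app[88]: login ok user=bob src=198.51.100.7",
    "2025-12-06T10:16:44Z sshd[1240]: Failed password for alice from 203.0.113.42 port 51240",
    "2025-12-06T10:17:01Z app[88]: login ok user=alice src=203.0.113.42",
]

if __name__ == "__main__":
    for safe in pseudonymise_log(SAMPLE_LOG, PSEUDONYM_KEY):
        assert not raw_identifiers(safe)
        print(safe)
```

raw_identifiers() is the gate before a batch moves to long-term storage: anything it returns is a format the patterns do not know and would otherwise leak into the 36-month archive in clear. The tokens are truncated to 64 bits, which is enough to keep collisions negligible for any realistic log volume while keeping lines readable; the domain separator in the HMAC input keeps user and IP tokens from ever colliding, and the TOKEN_RE guard makes re-running the job over already processed files harmless.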

Secure NIS2 compliance now

One-time price. Instant download. Personalised.

Choose your kit →