Information Security Officer (ISO/CISO). Management is liable, ISO acts authorized.

Clearly defined area: all business processes, IT systems, locations falling under ISMS protection. For NIS2-affected: usually entire company.

Building an ISMS under NIS2: 10-Week Plan for SMEs

Q: Do I need ISO 27001 certification?

No, NIS2 only requires 'equivalent structures'. But certification reduces audit risk + is marketing benefit. Cost 15-50k EUR.

Q: Standards other than ISO 27001?

BSI IT-Grundschutz (DE), CIS Controls (USA, SME-friendly), NIST CSF (USA, EU-compatible), TISAX (automotive).

Q: Fine risk for ISMS gaps?

§ 60 BSIG: up to €10M / 2%. Plus § 38 BSIG executive liability for gross negligence.

As of: 02 May 2026 · Last review: 02 May 2026· Category: NIS2

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, please consult a licensed attorney.

TL;DR

NIS2 requires ISMS-equivalent structures — Section 30 (1) BSIG
ISO 27001:2022 as the gold standard, not mandatory
10-week build realistic for SMEs
12 mandatory policies + 22 mandatory templates
Annual internal audit mandatory

1. Legal Basis: NIS2 vs. ISO 27001

Aspect	NIS2 (Section 30 BSIG)	ISO 27001:2022
Mandatory status	statutory (for in-scope entities)	voluntary
Measures	10 areas (subsection 2)	93 controls (Annex A)
Risk assessment	required (subsection 1)	clause 6.1.2
Certification	not required	possible
Fine	EUR 10 million / 2%	no

Practice recommendation: build an ISO 27001-compliant ISMS; certification optional.

2. Defining the ISMS Scope

Scope definition:

Which processes: all / only critical / specific
Which locations
Which IT systems
Which subsidiaries

Recommendation for SMEs subject to NIS2: the entire company in scope.

3. Risk Analysis + Treatment Plan

Asset inventory: all IT assets, data classes, business processes
Threat analysis: typical threats per asset (ransomware, data breach, outage)
Vulnerability assessment: current protection level
Risk score: likelihood of occurrence × impact
Treatment options: reduce / accept / transfer / avoid
Statement of Applicability (SoA): which controls are applicable

4. 12 Mandatory Policies

Information Security Policy (top-level)
Acceptable Use Policy
Access Control Policy
Cryptographic Controls Policy
Backup + Recovery Policy
Patch Management Policy
Incident Management Policy
Supplier Management Policy
Mobile Device + BYOD Policy
Clear Desk + Clear Screen Policy
Password Policy
Physical Security Policy

5. Internal Audit + Management Review

Annual internal audit: full ISMS scope, performed by an independent internal auditor (or external)
Annual management review: management reviews the audit report, incidents and risk changes
Continuous improvement: CAPA process (corrective + preventive actions)

6. 10-Week Roadmap

Week	Activity
1	Appoint ISMS officer, define scope
2-3	Asset inventory + risk analysis
4	Risk treatment plan + SoA
5-7	Draft and approve 12 policies
8	Awareness training + onboarding
9	Internal audit preparation + execution
10	Management review + communication

22 mandatory templates (policies + work instructions + audit templates) in the NIS2 Kit.

Frequently asked questions

Do I need ISO 27001 certification?

No, NIS2 only requires equivalent structures. Certification, however, reduces audit risk and is a marketing benefit. Cost: EUR 15,000-50,000.

Who leads the ISMS?

The Information Security Officer (ISO/CISO). Management remains liable; the ISO acts under authorisation.

What is the scope?

A clearly defined area: all business processes, IT systems and locations falling under ISMS protection. For NIS2-affected organisations: usually the entire company.

Standards other than ISO 27001?

BSI IT-Grundschutz (DE), CIS Controls (US, SME-friendly), NIST CSF (US, EU-compatible), TISAX (automotive).

How often to audit?

Internal audit annually. With ISO certification: surveillance audit annually, recertification every 3 years.

Fine risk for ISMS gaps?

Section 60 BSIG: up to EUR 10 million or 2%. Plus Section 38 BSIG executive liability for gross negligence.

Sources

As of: 02 May 2026

BSIG 2025 (consolidated version) — Section 30, Section 38, Section 60 BSIG (as of: 02 May 2026)
NIS2 Implementation Act — BGBl. 2025 I No. 301 (as of: 02 May 2026; in force 06 December 2025)
Directive (EU) 2022/2555 (NIS2) — Art. 21 (EUR-Lex DE) (as of: 02 May 2026)
BSI — NIS-2 FAQ for regulated entities

Tools & self-tests

NIS2 Readiness Check Assess your NIS2 maturity in 10 minutes. Fining Calculator Estimate the potential fine exposure for your organisation. NIS2 Self-Test Are we in scope? Check thresholds and sector classification. NIS2 Mandatory Measures Audit 10 mandatory measures under Section 30 BSIG with maturity rating.