Compliance, step by step
Achieve NIS-2 compliance – structured, practical, and sustainable
Achieve NIS-2 compliance in 5 steps
NIS-2 compliance is not an isolated project within a single department, but a cross-functional, organisation-wide process.
It encompasses applicable legal requirements, technical security measures, organisational processes, and the people within the organisation.
Only when all areas work together can the requirements of the NIS-2 Directive be implemented sustainably.
We support you from the initial assessment through to the implementation of NIS-2 measures – in a practical, structured, and sustainable way.
In the following, we guide you step by step through the NIS-2 compliance process.
Step 1: assess NIS-2 applicability
Understand which NIS-2 obligations apply to your organisation
Is your organisation subject to NIS-2?
Find out in just a few minutes whether your organisation is subject to the requirements of the NIS-2 Directive.
The free tool from our partner SKW Schwarz evaluates your input and indicates whether any action is required.
Legal advice on NIS-2
The legal interpretation of your applicability results is crucial for determining your next steps.
Our partners at SKW Schwarz analyse your situation individually, answer your questions, and provide a reliable legal assessment of your NIS-2 status.
Step 2: determine your NIS-2 maturity
Assess how effectively your current security posture aligns with NIS-2 requirements
A successful implementation of the NIS-2 Directive starts with transparency: Where does your organisation stand today?
With our structured approach, you can determine your current maturity level, understand the requirements of the NIS-2 Implementation Act (NIS2UmsCG), and lay the foundation for a robust NIS-2 compliance roadmap.
Whether through a self-assessment, a workshop, or targeted training for management, we meet you exactly where you are.
Assess NIS-2 maturity
Self-assessment tool
With our NIS-2 self-assessment tool, you can systematically analyse the current state of your information security. 39 targeted questions on implementation and evidence collection automatically determine your maturity level in the context of NIS-2 requirements.
Benefits:
- Clear overview of your NIS-2 status
- Identify areas that require action
- Foundation for your NIS-2 compliance strategy
- Free tool download
NIS-2 starter workshop
Understand requirements, develop roadmap
The NIS-2 Starter Workshop equips management and other decision-makers with hands-on insights into the regulatory requirements and shows clear, actionable steps to achieve NIS-2 compliance.
Benefits:
- Overview of your organisation, including customers and service providers
- Detailed review of the requirements of the NIS-2 Implementation Act (NIS2UmsCG)
- Analysis of affected areas and legal assessment
- Legal obligations and potential consequences
- Effort estimation, prioritisation, and development of a realistic NIS-2 roadmap
NIS-2 training for executive management
Gain a clear understanding of responsibilities and potential liability risks
Executive management bears specific responsibilities under NIS-2 compliance.
Our practical training (in-person, virtual, or e-learning) conveys obligations, liability risks, and organisational measures in a clear and actionable manner.
Benefits:
- Understanding of personal responsibility
- Overview of reporting obligations and documentation requirements
- Confidence in interactions with supervisory authorities
- Strengthening of governance structures
Step 3: perform a NIS-2 gap analysis
Identify gaps in compliance and prioritise the necessary measures
After determining your maturity level, the next crucial step follows:
With a structured NIS-2 gap analysis, we identify specific discrepancies between your current security posture and the legal requirements of the NIS-2 Directive.
This provides a clear prioritisation of the measures needed to achieve NIS-2 compliance.
BSI cyber risk check
Standardised analysis based on the BSI Cyber Risk Check – ideal for small and medium-sized enterprises to systematically assess NIS-2 requirements.
Security check
Quick and concise NIS-2 gap analysis, focusing on key compliance requirements and providing prioritised recommendations for action.
Gap analysis enterprise
Comprehensive security analysis, emphasising risk management, governance, and demonstrable compliance.
Step 4: implement NIS-2 measures effectively
Identify the technical and organisational actions that need to be taken immediately
Address the gaps identified in your gap analysis with practical, prioritised actions. Our approach comprehensively covers all aspects of NIS-2 compliance – technical, organisational, and process-related.
Summary of concrete and practical actions:
- Implement NIS-2 policies – establish clear guidelines and an ISMS structure.
- Active Directory – manage identities and permissions securely.
- Entra / M365 – secure Microsoft environments effectively.
- Backup and resilience – reliably protect and restore data.
- Incident response processes – handle security incidents quickly and systematically.
- Security consulting – targeted advice for individual requirements.
- Awareness and training – raise awareness among employees and managers.
- Supplier contracts – ensure security and compliance requirements across the supply chain.
Step 5: future-proof your NIS-2 compliance
Ensure your processes, policies, and controls continue to operate effectively
After closing the gaps identified in the gap analysis, the focus shifts to embedding compliance permanently within your organisation. We support you in ensuring that security and compliance measures are not only implemented, but continuously maintained and actively lived throughout the company.
Concrete offers at a glance:
- ISO support – permanently implement policies, processes, and responsibilities
- Continuous scans – continuously identify and remediate vulnerabilities
- Incident response retainer – rapid, structured response to security incidents
- Threat Insights newsletter – receive updates on current threats and recommended actions
- Security and compliance – long-term integration into processes, policies, and organisational culture
Implement NIS-2 in a structured and secure way
During an introductory discussion, we help you understand your current position and guide you through the next steps – from determining applicability to embedding long-term compliance.
Holistic and fully modular
From legal, technical, and organisational aspects to training, we provide support wherever it’s needed – whether across the entire NIS-2 process or for selected areas. Our modular approach allows us to adapt flexibly to your specific needs, independent of industry, resources, or regulatory requirements.
Technical expertise in practice
We go beyond theory: from vulnerability scans and Active Directory to Entra and targeted penetration tests, we thoroughly analyse your IT systems. Our team identifies structural and security gaps and provides practical, implementable solutions.
ISO and cybersecurity expertise
With more than 20 years of experience advising on ISO 27001, TISAX®, KRITIS, and NIS-2 – and conducting audits for TÜV Nord CERT – we provide practical, implementable solutions that create real value, drawing on our own experience as a certified SME.
A clear, structured roadmap
We take you through each step – from evaluating your maturity level and prioritising actions to setting clear milestones. Our modular, scalable approach ensures the roadmap fits organisations of all sizes and requirements.
Frequently asked questions about NIS-2 compliance
SMEs benefit most from a clear and pragmatic roadmap. Key steps include:
- Assess whether the organisation falls under NIS‑2
- Define roles and responsibilities
- Conduct a risk assessment
- Implement security measures according to the EU Implementing Regulation
- Establish incident reporting processes
- Train the management team
- Evaluate the supply chain
- Complete the registration with the national authority
Yes. The number of employees is only one criterion. Other factors include:
- Whether the organisation operates in a regulated sector
- Annual turnover or balance sheet total above EUR 10 million
- Operation of critical infrastructure
Even smaller companies can fall under NIS‑2 if they meet sector or financial thresholds.
NIS‑2 consulting helps organisations implement the requirements efficiently and with minimal internal effort. Typical services include:
- Determining whether the organisation is in scope
- Conducting a gap analysis
- Developing an action plan
- Building a lightweight ISMS
- Supporting registration and reporting processes
- Coaching the management team
- Assessing supply chain risks
Coaching is ideal for SMEs without dedicated security teams. It typically covers:
- Step‑by‑step guidance through the compliance process
- Templates for risk assessments, policies and procedures
- Audit preparation
- Incident and crisis exercise scenarios
- Management training
All individuals who are legally appointed to manage the organisation - regardless of their functional area - must be trained. Executives located outside the EU may also require training if the organisation provides services within the EU.
No. However, NIS‑2 requires a comprehensive risk management approach, which is similar to an ISMS in many aspects. For SMEs, a lightweight, pragmatic ISMS is usually sufficient, as long as it covers the entire organisation.
The reporting deadlines are clearly defined:
- Early warning: within 24 hours of becoming aware of the incident
- Incident notification: within 72 hours
- Final report: within one month
The reporting deadline starts when the organisation becomes aware of the incident, not when the incident occurs. If an incident happens over the weekend but is discovered on Monday, the 24‑hour period begins on Monday.
Yes. Organisations must provide IP address ranges that are clearly attributable to them. This typically refers to static IP ranges, not individual dynamic addresses.
Large cloud providers such as Microsoft Azure, Amazon Web Services (AWS) and Google Cloud are often referred to as hyperscalers. They operate globally distributed data centres and provide IT resources at massive scale.
They are relevant for NIS‑2 because many organisations — including SMEs — rely on them for IT services. This makes them part of the supply chain, which must be assessed under NIS‑2. While hyperscalers are not automatically NIS‑2‑certified, they provide extensive security documentation and certifications that support your own compliance.
Yes. Several providers offer ready‑made scenarios and exercise concepts. For SMEs, compact and realistic exercises that combine technical and organisational aspects are particularly effective.
Yes. If an incident has cross‑border effects, organisations must report it to the relevant authorities in each affected country. Reports must be submitted where the incident occurred and where its impact is felt.
Additional services you may be interested in
We work with you to design your company-specific ISMS in accordance with NIS-2, establish the necessary processes and guidelines and anchor them in the company. Request support now!
Learn which companies are affected by the NIS-2 Directive, what obligations apply, and how NIS-2 differs from KRITIS, ISO 27001, and TISAX®.
Practical guide to NIS2 implementation covering scope assessment, maturity levels, ISMS, key requirements and a comprehensive compliance checklist.